feat: proper interactive sudo support

art049 · art049 · commit b9a0aa2bc905 · 2025-10-18T02:32:26.000+02:00
diff --git a/src/local_logger.rs b/src/local_logger.rs
@@ -27,7 +27,8 @@ lazy_static! {
 pub fn suspend_progress_bar<F: FnOnce() -> R, R>(f: F) -> R {
     // If the output is a TTY, and there is a spinner, suspend it
     if *IS_TTY {
-        if let Ok(mut spinner) = SPINNER.lock() {
+        // Use try_lock to avoid deadlock on reentrant calls
+        if let Ok(mut spinner) = SPINNER.try_lock() {
             if let Some(spinner) = spinner.as_mut() {
                 return spinner.suspend(f);
             }
diff --git a/src/run/runner/helpers/run_with_sudo.rs b/src/run/runner/helpers/run_with_sudo.rs
@@ -1,30 +1,68 @@
-use crate::prelude::*;
-use std::process::{Command, Stdio};
+use crate::{local_logger::suspend_progress_bar, prelude::*};
+use std::{
+    io::IsTerminal,
+    process::{Command, Stdio},
+};
 
-/// Run a command with sudo if available
-pub fn run_with_sudo(command_args: &[&str]) -> Result<()> {
-    let use_sudo = Command::new("sudo")
-        // `sudo true` will fail if sudo does not exist or the current user does not have sudo privileges
-        .arg("true")
-        .stdout(Stdio::null())
-        .status()
-        .is_ok_and(|status| status.success());
-    let mut command_args: Vec<&str> = command_args.into();
-    if use_sudo {
-        command_args.insert(0, "sudo");
+/// Validate sudo access, prompting the user for their password if necessary
+fn validate_sudo_access() -> Result<()> {
+    let needs_password = IsTerminal::is_terminal(&std::io::stdout())
+        && Command::new("sudo")
+            .arg("--non-interactive") // Fail if password is required
+            .arg("true")
+            .stdout(Stdio::null())
+            .stderr(Stdio::null())
+            .status()
+            .map(|status| !status.success())
+            .unwrap_or(true);
+
+    if needs_password {
+        suspend_progress_bar(|| {
+            info!(
+                "Sudo privileges are required to continue. Please enter your password if prompted."
+            );
+
+            // Validate and cache sudo credentials
+            let auth_status = Command::new("sudo")
+                .arg("--validate") // Validate and extend the timeout
+                .stdin(Stdio::inherit())
+                .stdout(Stdio::inherit())
+                .stderr(Stdio::inherit())
+                .status()
+                .map_err(|_| anyhow!("Failed to authenticate with sudo"))?;
+
+            if !auth_status.success() {
+                bail!("Failed to authenticate with sudo");
+            }
+            Ok(())
+        })?;
     }
+    Ok(())
+}
+
+/// Creates the base sudo command after validating sudo access
+pub fn validated_sudo_command() -> Result<Command> {
+    validate_sudo_access()?;
+    let mut cmd = Command::new("sudo");
+    // Password prompt should not appear here since it has already been validated
+    cmd.arg("--non-interactive");
+    Ok(cmd)
+}
 
-    debug!("Running command: {}", command_args.join(" "));
-    let output = Command::new(command_args[0])
-        .args(&command_args[1..])
+/// Run a command with sudo after validating sudo access
+pub fn run_with_sudo(command_args: &[&str]) -> Result<()> {
+    let command_str = command_args.join(" ");
+    debug!("Running command with sudo: {command_str}");
+    let output = validated_sudo_command()?
+        .args(command_args)
         .stdout(Stdio::piped())
         .output()
-        .map_err(|_| anyhow!("Failed to execute command: {}", command_args.join(" ")))?;
+        .map_err(|_| anyhow!("Failed to execute command with sudo: {command_str}"))?;
 
     if !output.status.success() {
         info!("stdout: {}", String::from_utf8_lossy(&output.stdout));
         error!("stderr: {}", String::from_utf8_lossy(&output.stderr));
-        bail!("Failed to execute command: {}", command_args.join(" "));
+        bail!("Failed to execute command with sudo: {command_str}");
     }
 
     Ok(())
diff --git a/src/run/runner/wall_time/executor.rs b/src/run/runner/wall_time/executor.rs
@@ -8,6 +8,7 @@ use crate::run::runner::helpers::get_bench_command::get_bench_command;
 use crate::run::runner::helpers::introspected_golang;
 use crate::run::runner::helpers::introspected_nodejs;
 use crate::run::runner::helpers::run_command_with_log_pipe::run_command_with_log_pipe;
+use crate::run::runner::helpers::run_with_sudo::validated_sudo_command;
 use crate::run::runner::{ExecutorName, RunData};
 use crate::run::{check_system::SystemInfo, config::Config};
 use async_trait::async_trait;
@@ -178,7 +179,7 @@ impl Executor for WallTimeExecutor {
         run_data: &RunData,
         _mongo_tracer: &Option<MongoTracer>,
     ) -> Result<()> {
-        let mut cmd = Command::new("sudo");
+        let mut cmd = validated_sudo_command()?;
 
         if let Some(cwd) = &config.working_directory {
             let abs_cwd = canonicalize(cwd)?;
