"ghost update" asks for sudo password to run "systemctl is-active"

[preparationh67]

Welcome to Ghost-CLI's GitHub repo! 👋🎉

Do you need help or have a question? Please come chat in our forum: https://forum.ghost.org 👫.

Docs: https://docs.ghost.org 📖.

Please be aware that the team behind the Ghost CLI only supports the recommended stack: https://github.com/TryGhost/Ghost-cli#recommended-stack.

Summary

Search GitHub for existing issues & check the docs: https://docs.ghost.org/faq/errors/. If you're still stuck, please provide a quick summary of the problem, steps to reproduce, and full tech details including logs.

Steps to Reproduce

1. This is the first step
   Switch to ghost service user and navigate to the ghost installation directory
2. This is the second step, etc.
   Attempt to upgrade ghost with "ghost upgrade"

Technical details

Script attempts to ask for a sudo password to run "systemctl is-active". "systemctl is-active" does not require elevated privileges to run. Ghost is not making proper usage of file/user permissions and the service account.

• OS:
• Node Version:
• Ghost-CLI Version:
• Environment:
• Command: ghost update

Bug submission checklist

Please fill out this checklist to acknowledge that you followed the requirements to submit a bug report.

• Tried to find help in the forum & docs
• Checked for existing issues
• Attached log file
• Provided technical details incl. operating system

[kirrg001]

@acburdine It's not 100% clear to me why sudo is required in this case. Refs #672.

[acburdine]

Hmm...I'll look into it some and see if I can figure out why people were seeing issues before without sudo being used.

[kirrg001]

Thanks @acburdine 👍

[awbacker]

I'm having this as well. Attempts to do a ghost update trigger this.

I've updated ghost-cli as root, and update still asks for root access, so its in the latest. As usual though, no user on this server has a password, and ghostuser isn't in the sudoers!

For now I've modified the ghostuser to have a password and added to sudoers. Ouch.

[sirredbeard]

The change that prompted this issue also prevented me from automatically updating ghost using systemd.

I created /etc/systemd/system/update_ghost.service:

[Unit]
Description=Update ghost instance automatically with systemd

[Service]
Type=oneshot
User=999
WorkingDirectory=/var/www/ghost
ExecStart=/usr/bin/ghost update 

This resulted in the following in the systemd log:

- Inspecting operating system
  [23:18:07] Checking for Ghost-CLI updates [started]
  [23:18:07] Checking for Ghost-CLI updates [completed]
  [23:18:07] Ensuring correct ~/.config folder ownership [started]
  [23:18:07] Ensuring correct ~/.config folder ownership [completed]
  + sudo systemctl is-active ghost_boxofcables-dev
  /usr/lib/node_modules/ghost-cli/lib/ui/index.js:148
              throw new errors.SystemError('Prompts have been disabled, all o
              ^
  Error: Prompts have been disabled, all options must be provided via command
      at UI.prompt (/usr/lib/node_modules/ghost-cli/lib/ui/index.js:148:19)
      at Socket.cp.stderr.on (/usr/lib/node_modules/ghost-cli/lib/ui/index.js
      at Socket.emit (events.js:203:15)
      at addChunk (_stream_readable.js:288:12)
      at readableAddChunk (_stream_readable.js:269:11)
      at Socket.Readable.push (_stream_readable.js:224:10)
      at Pipe.onStreamRead [as onread] (internal/stream_base_commons.js:94:17
 pam_unix(sudo:auth): conversation failed
 pam_unix(sudo:auth): auth could not identify password for [ghostuser]

I found this issue on the top of the results.

What I tried:

• adding --no-prompt --auto --force
• running as user 999 (ghost)
• adding ghost to sudo as suggested above (undid that for security reasons)

What I finally realized would solve this:

I went with:

[Unit]
Description=Update ghost instance automatically with systemd

[Service]
Type=oneshot
User=1000
WorkingDirectory=/var/www/ghost
ExecStart=/usr/bin/ghost update --no-prompt --auto 

Note: User refers to the UID of your ghostuser, which may differ from 1000. The location of your ghost blog may vary as well.

Then I added the following lines to my sudoers file using visudo:

ghostuser ALL=(ALL) NOPASSWD: /bin/systemctl is-active ghost_website                                                           ghostuser ALL=(ALL) NOPASSWD: /bin/systemctl stop ghost_website                                                                ghostuser ALL=(ALL) NOPASSWD: /bin/systemctl start ghost_website 

Note: ghostuser and ghost_website will differ based on your settings.

And was able to automate the updates just fine.

[sirredbeard]

I wrote a blog about it here https://boxofcables.dev/automate-ghost-updates-with-systemd/

[github-actions]

Our bot has automatically marked this issue as stale because there has not been any activity here in some time. The issue will be closed soon if there are no further updates, however we ask that you do not post comments to keep the issue open if you are not actively working on a PR. We keep the issue list minimal so we can keep focus on the most pressing issues. Closed issues can always be reopened if a new contributor is found. Thank you for understanding 🙂