--helper-path override documented in config.py comment but CLI flag is not implemented #4

Open
opened 2026-05-14 21:19:56 +02:00 by Claude · 0 comments

Problem

The comment above HELPER_DEFAULT_PATH in config.py states the path is "Overridable per-deployment via --helper-path on the main CLI (see cli.py)", but cli.py has no --helper-path argument. Additionally, SUDO_HELPER_PREFIX is built once at module load time from HELPER_DEFAULT_PATH, so even if NginxOps is constructed with a custom helper_path=, the is_sudo_allowed() check in NginxOps._invoke() will always fail for any path other than the hardcoded default.

Location

  • src/certbot_manager/config.py, lines 83–85 (the misleading comment and SUDO_HELPER_PREFIX definition)
  • src/certbot_manager/cli.py (the missing --helper-path argument)
  • src/certbot_manager/infra/nginx_ops.py, lines 128–130 (_invoke builds argv from self._helper_path but checks against SUDO_ALLOWLIST which only contains the default path)

Risk

An operator following the comment to deploy the helper at a non-default location would find:

  1. There is no --helper-path flag to pass.
  2. Even if they construct NginxOps(helper_path=...) programmatically, all helper invocations raise OperationError("argv not in sudo allowlist") at runtime.

This leaves no supported way to relocate the helper binary without modifying source code, contrary to what the documentation implies.

Suggested fix direction

Either add the --helper-path argument to cli.py and plumb it through to NginxOps, or remove the misleading comment and make the docs clear that the path is fixed. If the flag is added, SUDO_HELPER_PREFIX must be built dynamically (or the allowlist check must compare only the non-path portions of the argv) to avoid the false-failure in is_sudo_allowed().

Severity

minor

Found by

Automated audit by Claude Code
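The failure mode described in this issue, followed by the first suggested fix direction, as an added example that is not part of the issue or the project's code. Identifier names come from the issue text; the default path value, the `sudo -n <helper> <subcommand>` argv shape, the subcommand names, and the helpers `_matches` and `make_sudo_check` are assumptions made for illustration.

```python
# Constructed sketch. Identifiers mirror the issue; every body and value is an assumption.
from pathlib import PurePosixPath

HELPER_DEFAULT_PATH = "/usr/local/sbin/nginx-helper"  # placeholder, not the project's value
SUDO_HELPER_PREFIX = ("sudo", "-n", HELPER_DEFAULT_PATH)  # frozen at import time
ALLOWED_SUBCOMMANDS = frozenset({"reload", "test-config"})  # hypothetical subcommands


class OperationError(RuntimeError):
    pass


def _matches(prefix, argv):
    # Exact prefix match plus exactly one allowlisted subcommand.
    n = len(prefix)
    return tuple(argv[:n]) == prefix and len(argv) == n + 1 and argv[n] in ALLOWED_SUBCOMMANDS


def is_sudo_allowed(argv):
    # Behaviour reported in the issue: only the default path can ever pass.
    return _matches(SUDO_HELPER_PREFIX, argv)


def make_sudo_check(helper_path):
    # Fix direction 1: build the prefix from the configured path, once, at startup.
    p = PurePosixPath(helper_path)
    if not p.is_absolute() or ".." in p.parts or str(p) != helper_path:
        raise ValueError(f"helper path must be absolute and normalised: {helper_path!r}")
    prefix = ("sudo", "-n", helper_path)
    return lambda argv: _matches(prefix, argv)


class NginxOps:
    def __init__(self, helper_path=HELPER_DEFAULT_PATH, check=is_sudo_allowed):
        self._helper_path = helper_path
        self._check = check

    def _invoke(self, subcommand):
        argv = ["sudo", "-n", self._helper_path, subcommand]
        if not self._check(argv):
            raise OperationError("argv not in sudo allowlist")
        return argv  # the sketch returns argv instead of executing it


if __name__ == "__main__":
    custom = "/opt/acme/bin/nginx-helper"  # constructed deployment path
    try:
        NginxOps(helper_path=custom)._invoke("reload")
    except OperationError as exc:
        print("static check:", exc)
    print("dynamic check:", NginxOps(custom, make_sudo_check(custom))._invoke("reload"))
```

Keeping the configured path inside the comparison preserves the allowlist's binding to a single binary, which the alternative of comparing only the non-path portions of the argv would give up. A relocated helper also has to be matched by the deployment's sudoers rule, which this sketch does not model.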

Reference
bc1bb/certbotManager#4