sudo option

Advertisement

aminorex
Guest

sudo option

It would be nice to have a way to indicate that a given operation should be performed as root, using sudo – such as a modifier key.

Incredibly useful piece of work, BTW. I hope it earns you the blessings it deserves.

Reply with quote

Advertisement

Sergeant
Joined:
Posts:
2

SU FAQ doesn't work with Ubuntu.

Was curious if you had a remedy for this. Running Ubuntu Server 8.04, using the su and sudo options for the SFTP and/or SCP from the FAQ you've given doesn't seem to work at all. I still can't modify or upload files to directories with the normal account and I'm honestly not sure if there's a difference I need to know about or what.

Reply with quote

Advertisement

Sergeant

Re: SU FAQ doesn't work with Ubuntu.

Well, for one I followed the directions in the FAQ, however adding the information to the sudoers file appears to have no effect at all and performing sudo keeps asking me for a password. I even attempted a reboot and it still does this. At this point I am assuming this to be a problem with Ubuntu I'd need to research more than anything, though if you have any suggestions feel free to say something.

Reply with quote

Clint
Guest

Solved

I fought with this today and came up with the following solution:

Add a line to your sudoers file:
username ALL=NOPASSWD: /usr/lib/openssh/sftp-server
Then in the SFTP setup section of WinSCP edit the session SFTP server:
sudo /usr/lib/openssh/sftp-server
Boom, root access to file system via WinSCP.
HTH,
Clint

Reply with quote

jlightner
Guest

How to do sudo su to a non-root user

Thought this might be of interest. I'd seen various post requesting this but none that had it resolved. There may be a better way to do it that I didn't discover however, the method below works.

1) Copy the sftp-server binary to another name e.g.
cd /root
cp /usr/libexec/openssh/sftp-server admin1-sftp-server
2) Make the admin user the owner e.g.
chown admin1 admin1-sftp-server
3) Make the admin user's primary group the group of file e.g.
If admin1's GID in /etc/passwd is 100 and 100 is "users" group in /etc/group then:
chgrp users admin1-sftp-server
4) Set suid and sgid bit on the file and make it readable/executable by user and group. e.g.
chmod 6550 admin1-sftp-server
Don't make it writable by any of these users so they can't replace the binary itself – also as noted in step 1 this binary should be in a secure location such as /root to which no one but root has access normally.)
5) As discussed in https://winscp.net/eng/docs/faq_su you set up sudoers file (use visudo) to allow the new script to be run by user as root. e.g.
ralph        ALL=NOPASSWD: /root/admin1-sftp-server
billybob        ALL=NOPASSWD: /root/admin1-sftp-server
Note that you don't have to do individual lines like that – User_Alias and Cmnd_Alias would work.
6) As discussed in same link edit the SFTP tab (Advanced options) sftp-server box in WinSCP for the session to have sudo to the sftp-server copy you made instead of "Default". e.g.
sudo /root/admin1-sftp-server
7) Save the session in WinSCP.

Select the saved session and "login" from WinSCP after doing above. It will open the copied sftp-server (e.g. /root/admin1-sftp-server) running as the user that owns this (admin1-)sftp-server instead of root. Any files created by this session will be owned by the user that owns (admin1-)sftp-server and grouped to the group of (admin1-)sftp-server.

Additional Note:
The downside to above approach is if you later patch your system sftp-server for some reason it won't automatically patch copies like admin1-sftp-server. If the reason for patching is a security concern it is important you repeat the process above after the patching to insure you have the same security fix in all copies.

Reply with quote

Advertisement

martin
Site Admin
martin avatar

Re: How to do sudo su to a non-root user

@jlightner: Thanks for sharing this. I've seen your post on LinuxQuetions.org already. Though I was not sure why you need to run sftp-server as non-root user. Can you explain?

Reply with quote

jlightner
Guest

The reason is more political than technical.
We have non-technical users that previously all logged in using a single shared account (the administrative account for a specific application). They would use WinSCP and that single account to transfer in a file. They would then login to the account in a PuTTY window and run a command against the transferred file which would create a processed file. They would then go into WinSCP again and transfer the processed file back to their desktops.

For security reasons we didn't want them all using the same account directly as there is no way to tell who did what. Accordingly, we setup individual account and sudo to allow them to "sudo su - <account>" after they had logged in with those individual accounts. That was OK for PuTTY but it meant the WinSCP transfer was being done as the individual account instead of the administrative account. This added steps (e.g. transfer to your home directory as WinSCP then login via PuTTY and copy the file, do the processing etc...). Additionally the processed file is always owned by the administrative user due to the need to run the application command as that user.

If however, we could allow them to sudo with both PuTTY and WinSCP then the only change that is occurring is the need to login as themselves. In PuTTY we add the step sudo su - <admin> but that is only addition to procedure since the WinSCP sudo solution I posted puts them in as admin user for the transfers. Since it does the sudo we still have an audit trail of who did what.

Obviously other solutions could be done e.g. putting all the users in same group as admin user, modifying environment variables etc... for the individual users and working out how to let them use the application under their IDs. However, it was clear on my initial steps down those roads that I would encounter heavy resistance that would likely result in removing sudo altogether and allowing them direct access to the admin account again.

During my search for using sudo this way I'd run across other posts making it clear I wasn't the only person that had wanted such a solution so I posted here and on LQ where I'd asked my question before figuring it out.

My counter question is why would one want to allow sudo to root on WinSCP transfer? Hopefully anyone setting that up is restricting it to System Administrators.

Reply with quote

martin
Site Admin
martin avatar
Joined:
Posts:
41,442
Location:
Prague, Czechia

jlightner wrote:

My counter question is why would one want to allow sudo to root on WinSCP transfer? Hopefully anyone setting that up is restricting it to System Administrators.
Sorry, I'm possibly not patient enough to try to understand all details. Though my question was not why you do sudo adminaccount. I was asking why you need to run sftp-server as non-root user to do that. So I do not see a point of your counter question.

Reply with quote

jlightner
Guest

Do sudo adminaccount where?

Maybe I misunderstood something but it seemed you can't just do sudo adminaccount from within WinSCP because it starts sftp-server on connection. I thought the point of the thread was that due to this you have to do the sudo setup using root.

I did try modifying sudoers to su to adminaccount and then run sftp-server but none of the syntax I tried seemed to work. It was at that point that I posted my question on LQ.
Later I gave up trying to do it via sudoers (except for the grant to allow start of adminaccount-sftp-server after creating it as detailed) and came up with the workaround I posted on LQ and here.

Are you suggesting I could have them login via PuTTY, run sudo adminaccount then start sftp-server and somehow connect to that running sftp-server with WinSCP? If so I'd be interested in hearing how its done – I tried it and didn't get very far.

I do NOT want these users to do sftp-server as root as they would then be able to use WinSCP to accidentally do all sorts of things such as deleting critical files.

Reply with quote

Advertisement

jlightner
Guest

Sorry – just reread your last response and realized I'd misread it first time.

The final sentence of my last response explains why I can't run sftp-server as root. When I do it allows them to delete anything on the system via WinSCP instead of just deleting files owned by the specific adminaccount. That is to say the user the sftp-server that is running has the power of the user that is running it and I don't want to grant them root power. My counter question was why would anyone want to grant root power to users other than System Administrators?

Reply with quote

testbot
Guest

Re: Solved

Clint wrote:

I fought with this today and came up with the following solution:

Add a line to your sudoers file:
username ALL=NOPASSWD: /usr/lib/openssh/sftp-server
Then in the SFTP setup section of WinSCP edit the session SFTP server:
sudo /usr/lib/openssh/sftp-server
Boom, root access to file system via WinSCP.
HTH,
Clint
I keep getting this when I try that:
winscp sudo Cannot initialize SFTP protocol. Is the host running a SFTP server?
I've checked the path to sftp-server in sshd_config and made sure it was the same in sudoers and WinSCP. still no luck.

I'm on centos.

Any help would be great.

Reply with quote

testbot
Guest

It seems I had to visudo the /etc/sudoers file and comment out #Default requiretty

I'm not sure how that affects the security of things but i'll be looking into it.

Reply with quote

Advertisement

You can post new topics in this forum