Old 05-22-2009, 11:40 AM   #1
MensaWater
Guru
 
Registered: May 2005
Location: Atlanta Georgia USA
Distribution: Redhat (RHEL), CentOS, Fedora, Debian, FreeBSD, HP-UX, Solaris, SCO
Posts: 6,028
Blog Entries: 5

Rep: Reputation: 790
Running WinSCP with sudo su to non-root user


The title summarizes.

Scenario:
System has an administrative account for one of its applications which I'll call admin1. Various people used to login directly to admin1 using the same password in WinSCP to transfer and delete files from admin1's directory structure.

Since the above has no accountability for who logged in as admin1, we set up individual user accounts. There were 10, but for this scenario let's say there were 2: ralph and billybob.

The sudoers file was modified so that ralph and billybob can do "sudo su - admin1" so that after they login as themselves (e.g. in PuTTY) they can switch user to become admin1. This works fine in PuTTY.

The issue is that these users are non-technical and are used to WinSCP (GUI) rather than PuTTY (CLI); also, of course, file transfers must be done via WinSCP since PuTTY doesn't do that.

Surprisingly I found the following link:
http://winscp.net/eng/docs/faq_su
It shows that I can setup users to do this using capabilities of WinSCP (I'm using 4.1.9). The good news is this actually works. The bad news is it works only for running the sftp-server as root rather than admin1.

I'm thinking there must be a way combining the command used in the window with sudo's Runas specification to make this work so ralph and billybob can run the sftp-server as admin1 instead of root.

Has anyone done something similar?

P.S. Please don't tell me:
1) sudo, WinSCP and PuTTY are 3 separate programs. I've seen that comment in searches and it implies the questioner is retarded but instead indicates the responder is.
2) That this can be accomplished using permissions or acls. I know that it can be but want to avoid changing anything in admin1 directory structure if I can avoid it. I think what I'm asking would be a nice technical solution for many people (based on searches).
 
Old 05-22-2009, 02:16 PM   #2
MensaWater (Original Poster)
One way to do WinSCP with sudo to non-root user

Well I worked out the following procedure that works.

1) Copy the sftp-server binary to another name e.g.
cd /root
cp /usr/libexec/openssh/sftp-server admin1-sftp-server


2) Make the admin user the owner e.g.
chown admin1 admin1-sftp-server

3) Make the admin user's primary group the group of file e.g.
If admin1's GID in /etc/passwd is 100 and 100 is "users" group in /etc/group then:
chgrp users admin1-sftp-server

4) Set suid and sgid bit on the file and make it readable/executable by user and group. e.g.
chmod 6550 admin1-sftp-server
Don't make it writable by any of these users so they can't replace the binary itself. Also, as noted in step 1, this binary should be in a secure location such as /root, to which normally no one but root has access.

5) As discussed in http://winscp.net/eng/docs/faq_su you set up the sudoers file (use visudo) to allow the new binary to be run by the user as root. e.g.
Code:
ralph        ALL=NOPASSWD: /root/admin1-sftp-server
billybob        ALL=NOPASSWD: /root/admin1-sftp-server
Note that you don't have to do individual lines like that - User_Alias and Cmnd_Alias would work.

6) As discussed in the same link, edit the sftp tab (advanced options) sftp-server box in WinSCP for the session to sudo to the sftp-server copy you made instead of "Default". e.g.
Code:
sudo /root/admin1-sftp-server
7) Save the session in WinSCP.

Select the saved session and "login" from WinSCP after doing above. It will open the copied sftp-server (e.g. /root/admin1-sftp-server) running as the user that owns this (admin1-)sftp-server instead of root. Any files created by this session will be owned by the user that owns (admin1-)sftp-server and grouped to the group of (admin1-)sftp-server.

Additional Note:
The downside to the above approach is that if you later patch your system sftp-server for some reason it won't automatically patch copies like admin1-sftp-server. If the reason for patching is a security concern it is important you repeat the process above after the patching to ensure you have the same security fix in all copies.
 
Old 02-12-2010, 10:08 AM   #3
DiogoAbdalla
LQ Newbie
 
Registered: Feb 2010
Posts: 3

Rep: Reputation: 0
Hi. I found your topic while searching for a way to do exactly this (login in WinSCP with a root enabled user).

I followed all your procedure, but when I try to connect in WinSCP, I get this:

"Cannot initialize SFTP protocol. Is the host running a SFTP server?"

However, if I login using the same user in putty, and type:

"sudo /root/admuser-sftp-server" (where admuser is the user name)

it works, which makes me think I did it right.

So why can't WinSCP connect?

EDIT: got it working by commenting out "Defaults requiretty" in the sudoers file. But not really: now I can connect, but I still don't have root permissions

Last edited by DiogoAbdalla; 02-12-2010 at 10:16 AM.
 
Old 02-12-2010, 11:14 AM   #4
MensaWater (Original Poster)
My solution was specifically for non-root user based on:
http://winscp.net/eng/docs/faq_su which seemed to default to root user.
I'm assuming mine would work for root user as well but never tested it.

You might want to look at /var/log/secure to see if it tells you anything. I recently ran into an issue because a jailed sftp user's parent directory had write permissions for group and saw that in the secure log mentioned.
 
Old 06-25-2010, 12:08 PM   #5
titi69
LQ Newbie
 
Registered: Jun 2010
Posts: 1

Rep: Reputation: 0
hello all,

I tried your howto and in my log:

Code:
Jun 25 17:59:04 dss sshd[9769]: Accepted password for jojo from 126.1.1.168 port 4452 ssh2
Jun 25 17:59:04 dss sshd[9769]: pam_unix(sshd:session): session opened for user jojo by (uid=0)
Jun 25 17:59:05 dss sudo:     jojo : sorry, you must have a tty to run sudo ; TTY=unknown ; PWD=/home/jojo ; USER=root ; COMMAND=/root/jojo-sftp-server
Jun 25 17:59:05 dss sshd[9769]: pam_unix(sshd:session): session closed for user jojo
and it doesn't work

any idea?

thanks in advance and good week !
 
Old 06-28-2010, 02:03 PM   #6
MensaWater (Original Poster)
Quote:
Originally Posted by DiogoAbdalla
EDIT: got it working by commenting "Defaults requiretty" in the sudoers file. But not really: now I can connect, but I still dont have root permissions
Quote:
Jun 25 17:59:05 dss sudo: jojo : sorry, you must have a tty to run sudo ; TTY=unknown ; PWD=/home/jojo ; USER=root ; COMMAND=/root/jojo-sftp-server
Did you try what Diogo wrote? Your message suggests you're erroring out because of the "Defaults requiretty" setting.

Last edited by MensaWater; 06-28-2010 at 02:05 PM.
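The checks below are an added example, not code from the thread or from WinSCP. They cover two things the thread establishes: the file ownership and mode the copied sftp-server in post #2 needs (steps 1-4), the sudoers rules of step 5, and the "you must have a tty to run sudo" failure from "Defaults requiretty" that posts #3, #5 and #6 work through. Paths, user names and the /etc/sudoers.d drop-in layout are assumptions; GNU stat is assumed (Linux).

```shell
#!/bin/sh
# Added example (not from the thread). Assumed names: /root/admin1-sftp-server,
# admin1, ralph, billybob; a sudoers drop-in file instead of editing /etc/sudoers.
set -eu

# Verify a private sftp-server copy the way steps 1-4 describe it: mode exactly
# 6550 (setuid+setgid, r-x for owner and group, nothing for others), owned by
# the target account, and not sitting in a directory that others can write to.
check_sftp_copy() {   # usage: check_sftp_copy <path> <owner name or uid>
    path=$1; owner=$2
    [ -f "$path" ] || { echo "missing: $path" >&2; return 1; }
    want=$(id -u "$owner" 2>/dev/null || echo "$owner")
    mode=$(stat -c '%a' "$path"); have=$(stat -c '%u' "$path")
    [ "$mode" = "6550" ] || { echo "$path: mode $mode, expected 6550" >&2; return 1; }
    [ "$have" = "$want" ] || { echo "$path: owner uid $have, expected $want" >&2; return 1; }
    case "$(stat -c '%a' "$(dirname "$path")")" in
        *[2367]) echo "$(dirname "$path"): writable by others" >&2; return 1 ;;
    esac
    return 0
}

# Write the step-5 rule for each user into a drop-in file. Run
# "visudo -c -f <file>" on the result before installing it under /etc/sudoers.d.
write_sudoers_rules() {   # usage: write_sudoers_rules <out file> <binary> <user>...
    out=$1; bin=$2; shift 2
    : > "$out"
    for u in "$@"; do printf '%s ALL=NOPASSWD: %s\n' "$u" "$bin" >> "$out"; done
    chmod 0440 "$out"
}

# WinSCP runs sudo without a terminal, so an uncommented "Defaults requiretty"
# produces "sorry, you must have a tty to run sudo" in the log. Returns 0 when
# such a line is active (not commented, not negated with "!") in the given file.
requiretty_active() {   # usage: requiretty_active <sudoers file>
    grep -Eq '^[[:space:]]*Defaults[^#]*[^!]requiretty' "$1"
}
```

Run check_sftp_copy against the copied binary after step 4, and requiretty_active against /etc/sudoers (and any drop-ins) when WinSCP reports "Cannot initialize SFTP protocol" while the same sudo command works in PuTTY.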
 
Old 12-13-2010, 08:49 PM   #7
__PJ
LQ Newbie
 
Registered: Dec 2009
Posts: 10

Rep: Reputation: 0
My way:

1. On the target host, modify the target user's ~/.ssh/authorized_keys file to include:
command="/usr/libexec/openssh/sftp-server" <client public key info here>
2. Ensure permissions are correct for ~/.ssh and ~/.ssh/authorized_keys (e.g. 0700 and 0600)


Provided keys are setup correctly, this allows the client to ssh directly as the target user to the target host, but only run sftp-server. From an ssh session, they'll effectively have a dud session, but when connecting via sftp/scp they have a functioning connection as the required user.

The downside is that if as per the OP setup they also have sudo access to that account, they can modify the authorized_keys file and remove the command entry, permitting direct access to everything...
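An added example (not part of the post above) that audits the forced-command setup it describes: every key in authorized_keys must carry the command="..." option, and the directory and file modes must be what step 2 asks for. The sample key lines are constructed; the sftp-server path is the one from the post; GNU stat is assumed.

```shell
#!/bin/sh
# Added example, not from the post. Inputs are an assumed ~/.ssh directory and
# its authorized_keys file; sample key material in any test is constructed.
set -eu

# Every key line must carry command="<expected>", otherwise that key gives its
# holder a normal shell as the target user rather than only sftp-server.
# Blank lines and comments are ignored; offending lines are named on stderr.
check_forced_commands() {   # usage: check_forced_commands <authorized_keys> <expected command>
    bad=0
    while IFS= read -r line || [ -n "$line" ]; do
        case "$line" in ''|'#'*) continue ;; esac
        case "$line" in
            *"command=\"$2\""*) ;;
            *) echo "no forced command: ${line%% *} ..." >&2; bad=1 ;;
        esac
    done < "$1"
    return $bad
}

# True when the group or other write bit is set in an octal mode string.
writable_by_others() {   # usage: writable_by_others <mode such as 755>
    case "$1" in *[2367]?|*[2367]) return 0 ;; esac
    return 1
}

# Step 2 of the post: ~/.ssh 0700 and authorized_keys 0600. sshd with StrictModes
# (the default) refuses keys from a file or directory writable by group/others.
check_ssh_dir_modes() {   # usage: check_ssh_dir_modes <.ssh dir>
    for p in "$1" "$1/authorized_keys"; do
        m=$(stat -c '%a' "$p")
        if writable_by_others "$m"; then echo "$p: mode $m writable by group/others" >&2; return 1; fi
    done
    return 0
}
```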
 
Old 10-15-2012, 05:23 AM   #8
seighalani
Member
 
Registered: Aug 2007
Posts: 102

Rep: Reputation: 15
thanks a lot MensaWater

but what should I do for multiuser? I couldn't run it for multiuser.
 
Old 10-16-2012, 09:22 AM   #9
MensaWater (Original Poster)
I don't know what you mean by multiuser in this context.

Multiuser has a specific meaning in UNIX/Linux - that is it is a run level other than single user (which is run level 1) in which more than one user is allowed to login.

The setup I discussed allows you to create multiple users and give each access to the single sftp account by adding those users then adding them to sudo.
 
Old 10-17-2012, 05:51 AM   #10
seighalani
hi again

You're right, I want to give delegation to each user and I want to monitor them.
 
Old 10-17-2012, 04:27 PM   #11
MensaWater (Original Poster)
The solution in this thread regards use of sudo. Since sudo access is logged you should see which real user did the sudo to the admin user in your system log (e.g. /var/log/messages or /var/log/secure on Linux).

If you are instead asking how to set up multiple users NOT sharing a single account to which they all sudo, then you should open a new thread asking about that. You should not piggyback new unrelated questions on old threads like this one.
 