[SOLVED] Running WinSCP with sudo su to non-root user
The system has an administrative account for one of its applications, which I'll call admin1. Various people used to log in directly to admin1 using the same password in WinSCP to transfer and delete files from admin1's directory structure.
Since the above has no accountability for who logged in as admin1, we set up individual user accounts. There were 10, but for this scenario let's say there were 2: ralph and billybob.
The sudoers file was modified so that ralph and billybob can do "sudo su - admin1", so that after they log in as themselves (e.g. in PuTTY) they can switch user to become admin1. This works fine in PuTTY.
The issue is that these users are non-technical and are used to WinSCP (GUI) rather than PuTTY (CLI); also, of course, file transfers must be done via WinSCP since PuTTY doesn't do that.
Surprisingly I found the following link: http://winscp.net/eng/docs/faq_su
It shows that I can set up users to do this using capabilities of WinSCP (I'm using 4.1.9). The good news is this actually works. The bad news is it works only for running the sftp-server as root rather than admin1.
I'm thinking there must be a way combining the command used in the window with sudo's Runas specification to make this work so ralph and billybob can run the sftp-server as admin1 instead of root.
Has anyone done something similar?
P.S. Please don't tell me:
1) sudo, WinSCP and PuTTY are 3 separate programs. I've seen that comment in searches, and it implies the questioner is retarded but instead indicates the responder is.
2) That this can be accomplished using permissions or ACLs. I know that it can be, but I want to avoid changing anything in admin1's directory structure if I can avoid it. I think what I'm asking would be a nice technical solution for many people (based on searches).
Well, I worked out the following procedure, which works.
1) Copy the sftp-server binary to another name, e.g.
cd /root
cp /usr/libexec/openssh/sftp-server admin1-sftp-server
2) Make the admin user the owner, e.g. chown admin1 admin1-sftp-server
3) Make the admin user's primary group the group of the file, e.g.
if admin1's GID in /etc/passwd is 100 and 100 is the "users" group in /etc/group, then: chgrp users admin1-sftp-server
4) Set the suid and sgid bits on the file and make it readable/executable by user and group, e.g. chmod 6550 admin1-sftp-server
(Don't make it writable by any of these users so they can't replace the binary itself. Also, as noted in step 1, this binary should be in a secure location such as /root, to which no one but root normally has access.)
ralph ALL=NOPASSWD: /root/admin1-sftp-server
billybob ALL=NOPASSWD: /root/admin1-sftp-server
Note that you don't have to do individual lines like that; User_Alias and Cmnd_Alias would work.
6) As discussed in the same link, edit the SFTP tab (advanced options) sftp-server box in WinSCP for the session to have sudo to the sftp-server copy you made instead of "Default", e.g.
7) Save the session in WinSCP.
Select the saved session and "login" from WinSCP after doing the above. It will open the copied sftp-server (e.g. /root/admin1-sftp-server) running as the user that owns this (admin1-)sftp-server instead of root. Any files created by this session will be owned by the user that owns (admin1-)sftp-server and grouped to the group of (admin1-)sftp-server.
The downside to the above approach is that if you later patch your system sftp-server for some reason, it won't automatically patch copies like admin1-sftp-server. If the reason for patching is a security concern, it is important you repeat the process above after the patching to ensure you have the same security fix in all copies.
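To check later that such a copy still matches the recipe above (owner, group, mode 6550, a private parent directory) and to catch the patch drift just described, here is an added Python audit script; it is not part of this thread, and it assumes the copy path, the system sftp-server path and the owning account name are given on the command line.

```python
import hashlib
import os
import stat

# Added example, not from the thread: audits a setuid copy of sftp-server made
# the way the post above describes (copy, chown, chgrp, chmod 6550, kept in /root).

def sha256_of(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()

def audit_sftp_copy(copy_path, system_path, owner_uid, group_gid, expected_mode=0o6550):
    """Return a list of findings; an empty list means the copy matches the recipe."""
    findings = []
    st = os.stat(copy_path)
    mode = stat.S_IMODE(st.st_mode)
    if st.st_uid != owner_uid:
        findings.append("copy is owned by uid %d, expected %d" % (st.st_uid, owner_uid))
    if st.st_gid != group_gid:
        findings.append("copy has gid %d, expected %d" % (st.st_gid, group_gid))
    if mode != expected_mode:
        findings.append("copy mode is %04o, expected %04o" % (mode, expected_mode))
    if mode & 0o022:
        findings.append("copy is writable by group or others and could be replaced")
    # The directory holding the copy must not be reachable by group/others (the post uses /root).
    parent = os.path.dirname(os.path.abspath(copy_path))
    parent_mode = stat.S_IMODE(os.stat(parent).st_mode)
    if parent_mode & 0o077:
        findings.append("parent directory mode is %04o; group/others can reach the copy" % parent_mode)
    # Patch drift: package updates replace the system binary but never the copy.
    if sha256_of(copy_path) != sha256_of(system_path):
        findings.append("copy differs from %s; re-copy it after patching" % system_path)
    return findings

if __name__ == "__main__":
    import pwd
    import sys
    # usage: audit_sftp_copy.py /root/admin1-sftp-server /usr/libexec/openssh/sftp-server admin1
    pw = pwd.getpwnam(sys.argv[3])
    for line in audit_sftp_copy(sys.argv[1], sys.argv[2], pw.pw_uid, pw.pw_gid) or ["OK"]:
        print(line)
```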
My solution was specifically for a non-root user, based on: http://winscp.net/eng/docs/faq_su which seemed to default to the root user.
I'm assuming mine would work for the root user as well but never tested it.
You might want to look at /var/log/secure to see if it tells you anything. I recently ran into an issue because a jailed sftp user's parent directory had write permissions for group, and saw that in the secure log mentioned.
Jun 25 17:59:04 dss sshd: Accepted password for jojo from 220.127.116.11 port 4452 ssh2
Jun 25 17:59:04 dss sshd: pam_unix(sshd:session): session opened for user jojo by (uid=0)
Jun 25 17:59:05 dss sudo: jojo : sorry, you must have a tty to run sudo ; TTY=unknown ; PWD=/home/jojo ; USER=root ; COMMAND=/root/jojo-sftp-server
Jun 25 17:59:05 dss sshd: pam_unix(sshd:session): session closed for user jojo
1. On the target host, modify the target user's ~/.ssh/authorized_keys file to include:
command="/usr/libexec/openssh/sftp-server" <client public key info here>
2. Ensure permissions are correct for ~/.ssh and ~/.ssh/authorized_keys (e.g. 0700 and 0600)
Provided keys are set up correctly, this allows the client to ssh directly as the target user to the target host, but only run sftp-server. From an ssh session, they'll effectively have a dud session, but when connecting via sftp/scp they have a functioning connection as the required user.
The downside is that if, as per the OP's setup, they also have sudo access to that account, they can modify the authorized_keys file and remove the command entry, permitting direct access to everything...
The solution in this thread regards the use of sudo. Since sudo access is logged, you should see which real user did the sudo to the admin user in your system log (e.g. /var/log/messages or /var/log/secure on Linux).
If you are instead asking how to set up multiple users NOT sharing a single account to which they all sudo, then you should open a new thread asking about that. You should not piggyback new unrelated questions on old threads like this one.
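For the sudo logging point made here and the /var/log/secure excerpt earlier in the thread, an added Python example (not from the thread) that parses sudo's syslog lines and reports which real user launched which per-account sftp-server copy, separating launches sudo accepted from ones it rejected (such as the requiretty failure shown in that excerpt); apart from the line copied from the thread, the sample lines are constructed.

```python
import re

# Added example, not from the thread: attributes launches of the copied
# sftp-server to the real user behind each sudo, using the syslog lines sudo
# writes. Sudo logs "<user> : TTY=... ; PWD=... ; USER=... ; COMMAND=..." on
# success and inserts a reason (e.g. "sorry, you must have a tty") on refusal.
SUDO_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) (?P<host>\S+) sudo(?:\[\d+\])?:\s+(?P<user>\S+) : "
    r"(?:(?P<error>[^;]*?) ; )?TTY=(?P<tty>\S+) ; PWD=(?P<pwd>\S+) ; "
    r"USER=(?P<runas>\S+) ; COMMAND=(?P<cmd>.*)$"
)

def parse_sudo_line(line):
    """Return a dict for a sudo log line, or None for anything else (sshd, pam, ...)."""
    m = SUDO_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["error"] = rec["error"] or None  # None means sudo accepted the command
    return rec

def sftp_launches(lines, command_suffix="-sftp-server"):
    """Group accepted and rejected launches of the per-account sftp-server copies by real user."""
    report = {}
    for line in lines:
        rec = parse_sudo_line(line)
        if rec is None or not rec["cmd"].endswith(command_suffix):
            continue
        entry = report.setdefault(rec["user"], {"accepted": [], "rejected": []})
        key = "rejected" if rec["error"] else "accepted"
        entry[key].append((rec["ts"], rec["runas"], rec["cmd"], rec["error"]))
    return report

SAMPLE_LOG = [
    # copied from the thread: requiretty rejects WinSCP, which provides no tty
    "Jun 25 17:59:05 dss sudo: jojo : sorry, you must have a tty to run sudo ; TTY=unknown ; PWD=/home/jojo ; USER=root ; COMMAND=/root/jojo-sftp-server",
    # constructed: what an accepted launch looks like once requiretty no longer applies
    "Jun 25 18:02:11 dss sudo:    ralph : TTY=unknown ; PWD=/home/ralph ; USER=root ; COMMAND=/root/admin1-sftp-server",
    # constructed: an unrelated sudo and a non-sudo line, both to be ignored
    "Jun 25 18:03:40 dss sudo: billybob : TTY=pts/0 ; PWD=/home/billybob ; USER=root ; COMMAND=/bin/ls /root",
    "Jun 25 18:05:00 dss sshd: pam_unix(sshd:session): session closed for user ralph",
]

if __name__ == "__main__":
    for user, launches in sftp_launches(SAMPLE_LOG).items():
        print(user, "accepted:", len(launches["accepted"]), "rejected:", len(launches["rejected"]))
```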