Linux - Newbie
This Linux forum is for members that are new to Linux.
This is a kind of insecure way of doing things. To get sudo to work (if you are trying to script this) you would need to have sudo set up to allow password-less execution of the command. Alternatively, you would have to write a script with setuid - which basically means whatever user executes the script it runs as the owner of the file (which in this case would be root).
In either case, you've got a glaring security hole, but it depends on your network setup. Definitely wouldn't recommend restarting a service from a remote machine over an insecure network (such as the internet) even using ssh, as it still means you need to use one of the methods above, which aren't recommended, or allow root logins, which again is not recommended...
Webmin will allow you to restart services via a web browser. Again, not the most secure solution in the world, but maybe worth a look...
Frankly, I can't see a difference between an arbitrary user
logging in via ssh and logging into webmin (of course webmin
doesn't use SSL by default, so is even less secure).
The fact that *a* user can do something password-less via
ssh login & sudoers is no more insecure than someone
gaining access to the webmin account, on the contrary.
He will have EXACTLY that one capability, namely
restarting the dhcp-daemon.
But again, I just answered his question, as soon as he
explains the reason for this need he'll more likely be
getting more suitable solutions.
Hi
First create a public/private key so that your user can log in via SSH without a password.
Then on the remote machine create a script, restartdhcp.sh, that you call (ssh user@host restartdhcp.sh).
Let the script (restartdhcp.sh) take care of being root and performing your task.
Now I created a script in target server like this:
/etc/init.d/dhcpd restart
and tried to run it from another server like this:
ssh sysauto@target_server scriptname
But FAILED with following messages:
Shutting down dhcpd: ./dhcpd: line 196: kill: (927) - Operation not permitted
./dhcpd: line 201: kill: (927) - Operation not permitted
rm: cannot remove `/var/run/dhcpd.pid': Permission denied
If I run this script as root on the target server, it works.
Now I have following questions:
1. how to run this script from another machine as root? I added "setuid 0" into the script but it didn't work.
2. how to make sysauto user not need a password from another server?
2. set up an ssh key as a few of us suggested,
and also try the "command=" variant I described above.
It works very smoothly - you won't even have to type in a program name.
Originally posted by niallb
1. ssh root@target_server scriptname
2. set up an ssh key as a few of us suggested,
and also try the "command=" variant I described above.
It works very smoothly - you won't even have to type in a program name.
NiallB
Thanks!
Why can't I do that using the sysauto user? In the target server, I read the authorized_keys2 under ../sysauto/.ssh, it's root@server. Does it mean sysauto will also log in as root?
If you have done everything correctly with the private/public keys AND your sysauto has the privilege to start/stop dhcpd then it works.
Try something simple first.
ssh sysauto@host
And you are on the remote machine.
Then AS sysauto run dhcpd manually; if it works, it works with scripts too. If not, sysauto doesn't have the rights!
Why can't I do that using the sysauto user? In the target server, I read the authorized_keys2 under ../sysauto/.ssh, it's root@server. Does it mean sysauto will also log in as root?
Henry
Hi Henry,
the entry in the authorized_keys2 file saying root@server is really just a note.
It will not affect privileges.
It suggests that the key was generated by root on server, and suggests
also that root@server can probably log in as 'sysauto' without a password.
Is it possible that you have things set up correctly but in reverse?
Originally posted by Tinkster
And again the question: why do you need to restart
the dhcp server remotely?
Cheers,
Tink
Well, we have two DHCP servers, A and B; they share the same dhcpd.conf. Every night server A will update the dhcpd.conf and put it onto both servers and then restart dhcpd services on both machines.
Hmmm ... in that case (assuming they're time-synced, too) why
don't you run the restart of dhcpd on server B from a cron-job
with a 1 minute delay rather than setting up a complicated remote
execution scenario?
Originally posted by Tinkster
Hmmm ... in that case (assuming they're time-synced, too) why
don't you run the restart of dhcpd on server B from a cron-job
with a 1 minute delay rather than setting up a complicated remote
execution scenario?
Cheers,
Tink
Thanks for your suggestion. It's one solution.
But I cannot understand why setuid doesn't work! I wrote a script updatedhcpd.sh in which:
/etc/init.d/dhcpd restart
and I set this script setuid attribute like this:
-rwsr-xr-x 1 root root 38 Nov 23 11:44 updatedhcpd.sh
When I run this script as other user, it still fails with the following information:
Shutting down dhcpd: ./dhcpd: line 196: kill: (927) - Operation not permitted
./dhcpd: line 201: kill: (927) - Operation not permitted
rm: cannot remove `/var/run/dhcpd.pid': Permission denied
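
Added example, not part of any post in this thread: Linux ignores the setuid bit on interpreted scripts, so the way to give the sysauto key exactly one capability is the "command=" key option discussed above plus a single sudoers rule. The wrapper path, the key placeholder and the log tag are assumptions; the user name and init script path are the ones from the thread.

```shell
#!/bin/sh
# Added example: forced-command wrapper, assumed to be installed as
# /usr/local/bin/restartdhcp.sh on the target server (hypothetical path).
#
# ~sysauto/.ssh/authorized_keys2 (one line; the key is a placeholder):
#   command="/usr/local/bin/restartdhcp.sh",no-pty,no-port-forwarding,no-agent-forwarding,no-X11-forwarding ssh-rsa <PUBLIC_KEY_PLACEHOLDER> root@server
#
# /etc/sudoers (edit with visudo):
#   sysauto ALL=(root) NOPASSWD: /etc/init.d/dhcpd restart

DHCPD_INIT=/etc/init.d/dhcpd

# With command= in force, sshd ignores what the client asked to run and only
# exposes it in SSH_ORIGINAL_COMMAND. Accept an empty request or "restart".
decide() {
    case "$1" in
        ""|restart) echo restart ;;
        *)          echo deny ;;
    esac
}

main() {
    if [ "$(decide "${SSH_ORIGINAL_COMMAND:-}")" != restart ]; then
        # Leave a trace of unexpected use of the key for later review.
        logger -t restartdhcp "denied from ${SSH_CONNECTION%% *}: ${SSH_ORIGINAL_COMMAND:-}"
        echo "this key may only restart dhcpd" >&2
        return 1
    fi
    # -n makes sudo fail instead of prompting if the sudoers rule is missing.
    exec sudo -n "$DHCPD_INIT" restart
}

# Run only under the installed name, so the file can be sourced for testing.
if [ "${0##*/}" = restartdhcp.sh ]; then
    main
fi
```

With this in place, `ssh sysauto@target_server` from server A restarts dhcpd and nothing else, and any other request made with that key is refused and logged.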