LinuxQuestions.org

Running WinSCP with sudo su to non-root user (https://www.linuxquestions.org/questions/linux-general-1/running-winscp-with-sudo-su-to-non-root-user-727813/)

MensaWater 05-22-2009 10:40 AM

Running WinSCP with sudo su to non-root user
 
The title summarizes.

Scenario:
System has an administrative account for one of its applications which I'll call admin1. Various people used to log in directly to admin1 using the same password in WinSCP to transfer and delete files from admin1's directory structure.

Since the above has no accountability for who logged in as admin1 we set up individual user accounts. There were 10 but for the scenario let's say there were 2: ralph and billybob.

The sudoers file was modified so that ralph and billybob can do "sudo su - admin1" so that after they login as themselves (e.g. in PuTTY) they can switch user to become admin1. This works fine in PuTTY.

The issue is these users are non-technical and are used to WinSCP (GUI) rather than PuTTY (CLI); also, of course, file transfers must be done via WinSCP since PuTTY doesn't do that.

Surprisingly I found the following link:
http://winscp.net/eng/docs/faq_su
It shows that I can set up users to do this using capabilities of WinSCP (I'm using 4.1.9). The good news is this actually works. The bad news is it works only for running the sftp-server as root rather than admin1.

I'm thinking there must be a way combining the command used in the window with sudo's Runas specification to make this work so ralph and billybob can run the sftp-server as admin1 instead of root.

Has anyone done something similar?

P.S. Please don't tell me:
1) sudo, WinSCP and PuTTY are 3 separate programs. I've seen that comment in searches and it implies the questioner is retarded but instead indicates the responder is.
2) That this can be accomplished using permissions or ACLs. I know that it can be but want to avoid changing anything in admin1's directory structure if I can avoid it. I think what I'm asking would be a nice technical solution for many people (based on searches).

MensaWater 05-22-2009 01:16 PM

One way to do WinSCP with sudo to non-root user
 
Well I worked out the following procedure that works.

1) Copy the sftp-server binary to another name, e.g.
Code:

cd /root
cp /usr/libexec/openssh/sftp-server admin1-sftp-server

2) Make the admin user the owner, e.g.
Code:

chown admin1 admin1-sftp-server

3) Make the admin user's primary group the group of the file, e.g.
If admin1's GID in /etc/passwd is 100 and 100 is the "users" group in /etc/group then:
Code:

chgrp users admin1-sftp-server

4) Set the suid and sgid bits on the file and make it readable/executable by user and group, e.g.
Code:

chmod 6550 admin1-sftp-server

Don't make it writable by any of these users so they can't replace the binary itself. Also, as noted in step 1, this binary should be in a secure location such as /root to which no one but root normally has access.

5) As discussed in http://winscp.net/eng/docs/faq_su you set up the sudoers file (use visudo) to allow the new script to be run by the user as root, e.g.
Code:

ralph        ALL=NOPASSWD: /root/admin1-sftp-server
billybob        ALL=NOPASSWD: /root/admin1-sftp-server

Note that you don't have to do individual lines like that - User_Alias and Cmnd_Alias would work.

6) As discussed in the same link, edit the sftp-server box on the sftp tab (advanced options) in WinSCP for the session to sudo to the sftp-server copy you made instead of "Default", e.g.
Code:

sudo /root/admin1-sftp-server

7) Save the session in WinSCP.

Select the saved session and "login" from WinSCP after doing the above. It will open the copied sftp-server (e.g. /root/admin1-sftp-server) running as the user that owns this (admin1-)sftp-server instead of root. Any files created by this session will be owned by the user that owns (admin1-)sftp-server and grouped to the group of (admin1-)sftp-server.

Additional Note:
The downside to the above approach is if you later patch your system sftp-server for some reason it won't automatically patch copies like admin1-sftp-server. If the reason for patching is a security concern it is important you repeat the process above after the patching to ensure you have the same security fix in all copies.
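Added example (not part of the thread, and not MensaWater's code): a small shell check for the copied-binary setup above. It compares each private copy with the system sftp-server, which catches the situation the Additional Note warns about (a patched system binary with stale copies), and verifies that the copy's mode still denies write access to group and others as in step 4. The file names are the ones used in the thread; the demonstration at the bottom runs on constructed stand-in files, not on a real sftp-server.

```shell
#!/bin/sh
# Added example (not from the thread): checks for the private sftp-server copy
# described in the procedure above. The "Additional Note" warns that a copy
# such as /root/admin1-sftp-server is not updated when the system package is
# patched; the first check detects exactly that drift. The second check
# confirms the copy is still not writable by group or others (step 4's
# chmod 6550). All paths here are assumptions for the demonstration.

# sftp_copy_current SYSTEM_BINARY COPY
# Returns 0 when COPY is byte-for-byte identical to SYSTEM_BINARY, 1 when it
# differs (stale after a patch, or replaced by something else).
sftp_copy_current() {
    cmp -s "$1" "$2"
}

# sftp_copy_mode_ok COPY
# Returns 0 when the permission bits deny write to group and deny all access
# to others, i.e. the rwx part of 6550. The leading suid/sgid digit is ignored
# so the check works whether or not those bits were applied.
sftp_copy_mode_ok() {
    mode=$(stat -c '%a' "$1" 2>/dev/null) || return 1   # GNU/busybox stat
    perm=$(printf '%s' "$mode" | tail -c 3)             # last three octal digits
    while [ "${#perm}" -lt 3 ]; do perm=0$perm; done
    group=$(printf '%s' "$perm" | cut -c2)
    other=$(printf '%s' "$perm" | cut -c3)
    [ $((group & 2)) -eq 0 ] && [ "$other" -eq 0 ]
}

# check_sftp_copies SYSTEM_BINARY COPY...
# Prints one line per copy; returns the number of copies that need attention
# (0 means everything is current and correctly protected).
check_sftp_copies() {
    system=$1; shift
    bad=0
    for copy in "$@"; do
        problems=""
        sftp_copy_current "$system" "$copy" || problems="stale"
        sftp_copy_mode_ok "$copy" || problems="${problems:+$problems }bad-mode"
        if [ -z "$problems" ]; then
            echo "OK       $copy"
        else
            echo "PROBLEM  $copy ($problems)"
            bad=$((bad + 1))
        fi
    done
    return "$bad"
}

# --- demonstration on constructed files; no real sftp-server is touched ---
demo=$(mktemp -d)
printf 'stand-in for the sftp-server binary\n' > "$demo/sftp-server"
cp "$demo/sftp-server" "$demo/admin1-sftp-server"
cp "$demo/sftp-server" "$demo/admin2-sftp-server"
chmod 6550 "$demo/admin1-sftp-server"
chmod 6570 "$demo/admin2-sftp-server"      # group-writable: the users could replace it
printf 'vendor security fix\n' >> "$demo/sftp-server"   # simulate patching the system binary
if check_sftp_copies "$demo/sftp-server" "$demo/admin1-sftp-server" "$demo/admin2-sftp-server"; then
    echo "all copies are current"
else
    echo "re-run the copy procedure for the copies marked PROBLEM"
fi
rm -rf "$demo"
```

Run it from cron after package updates with the real paths (e.g. `check_sftp_copies /usr/libexec/openssh/sftp-server /root/*-sftp-server`); a non-zero exit means steps 1 to 4 have to be repeated for the copies it lists.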

DiogoAbdalla 02-12-2010 09:08 AM

Hi. I found your topic while searching for a way to do exactly this (log in to WinSCP with a root-enabled user).

I followed all of your procedure, but when I try to connect in WinSCP, I get this:

"Cannot initialize SFTP protocol. Is the host running a SFTP server?"

However, if I log in using the same user in PuTTY, and type:

"sudo /root/admuser-sftp-server" (where admuser is the user name)

it works, which makes me think I did it right.

So why can't WinSCP connect?

EDIT: got it working by commenting out "Defaults requiretty" in the sudoers file. But not really: now I can connect, but I still don't have root permissions.

MensaWater 02-12-2010 10:14 AM

My solution was specifically for a non-root user based on:
http://winscp.net/eng/docs/faq_su which seemed to default to root user.
I'm assuming mine would work for root user as well but never tested it.

You might want to look at /var/log/secure to see if it tells you anything. I recently ran into an issue because a jailed sftp user's parent directory had write permissions for group and saw that in the secure log mentioned.

titi69 06-25-2010 11:08 AM

hello all,

I tried your howto and in my log :

Code:

Jun 25 17:59:04 dss sshd[9769]: Accepted password for jojo from 126.1.1.168 port 4452 ssh2
Jun 25 17:59:04 dss sshd[9769]: pam_unix(sshd:session): session opened for user jojo by (uid=0)
Jun 25 17:59:05 dss sudo:    jojo : sorry, you must have a tty to run sudo ; TTY=unknown ; PWD=/home/jojo ; USER=root ; COMMAND=/root/jojo-sftp-server
Jun 25 17:59:05 dss sshd[9769]: pam_unix(sshd:session): session closed for user jojo

and it doesn't work

Any idea?

Thanks in advance and good week!

MensaWater 06-28-2010 01:03 PM

Quote:

Originally Posted by DiogoAbdalla (Post 3861512)
EDIT: got it working by commenting out "Defaults requiretty" in the sudoers file. But not really: now I can connect, but I still don't have root permissions.

Quote:

Jun 25 17:59:05 dss sudo: jojo : sorry, you must have a tty to run sudo ; TTY=unknown ; PWD=/home/jojo ; USER=root ; COMMAND=/root/jojo-sftp-server
Did you try what Diogo wrote? Your message suggests you're erroring out because of the "Defaults requiretty" setting.
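Added example, not from the thread: the sudoers fragment for steps 5 and 6 of the procedure above, written out with two refinements the thread circles around. The requiretty failure that DiogoAbdalla and titi69 hit is avoided with a command-specific Defaults entry (Defaults!... !requiretty) instead of commenting out Defaults requiretty for every command, and the Runas specification the opening post asked about, (admin1), lets the users run the stock /usr/libexec/openssh/sftp-server as admin1 without a suid copy. The /etc/sudoers.d location, the user names ralph and billybob and the target user admin1 are assumptions taken from the thread's example; the script writes to a temporary file and only syntax-checks it with visudo when visudo is installed.

```shell
#!/bin/sh
# Added example, not from the thread: generates a sudoers fragment for the
# WinSCP-through-sudo setup. It lifts requiretty for the sftp-server command
# only (rather than for every command) and uses sudo's Runas_Spec "(admin1)"
# so the stock sftp-server runs as admin1 directly instead of as root through
# a suid copy. /etc/sudoers.d, the user names and the binary path are
# assumptions; verify the result with "visudo -c" before installing it.

SFTP_SERVER=/usr/libexec/openssh/sftp-server   # path used in the thread

# write_sftp_sudoers OUTFILE TARGET_USER LOGIN_USER...
# Writes a fragment that lets each LOGIN_USER run $SFTP_SERVER, and nothing
# else, as TARGET_USER. NOPASSWD is required because WinSCP cannot answer a
# sudo password prompt (the thread's entries use it for the same reason).
write_sftp_sudoers() {
    out=$1; target=$2; shift 2
    upper=$(printf '%s' "$target" | tr '[:lower:]' '[:upper:]')
    users=""
    for u in "$@"; do users="${users:+$users, }$u"; done
    {
        echo "# Generated fragment: let named users run sftp-server as $target."
        echo "# WinSCP: set the SFTP server box (advanced options, SFTP tab) to:"
        echo "#   sudo -u $target $SFTP_SERVER"
        echo "Cmnd_Alias SFTP_AS_$upper = $SFTP_SERVER"
        echo "User_Alias SFTP_${upper}_USERS = $users"
        echo "# requiretty is lifted for this one command only; WinSCP has no tty."
        echo "# (Commenting out 'Defaults requiretty' would lift it for every sudo command.)"
        echo "Defaults!SFTP_AS_$upper !requiretty"
        echo "SFTP_${upper}_USERS ALL = ($target) NOPASSWD: SFTP_AS_$upper"
    } > "$out"
}

# validate_sftp_sudoers FILE
# Syntax-checks the fragment with visudo when it is installed; returns 2 if not.
validate_sftp_sudoers() {
    command -v visudo >/dev/null 2>&1 || return 2
    visudo -c -f "$1"
}

# --- demonstration: writes to a temporary file, not to /etc/sudoers.d ---
demo=$(mktemp -d)
write_sftp_sudoers "$demo/admin1-sftp" admin1 ralph billybob
cat "$demo/admin1-sftp"
if validate_sftp_sudoers "$demo/admin1-sftp"; then
    echo "visudo: syntax OK; install as /etc/sudoers.d/admin1-sftp with mode 0440"
else
    echo "visudo not available here, or it rejected the fragment"
fi
rm -rf "$demo"
```

The matching WinSCP setting is the SFTP server box from step 6 with `sudo -u admin1 /usr/libexec/openssh/sftp-server`. Because sudo runs the stock binary, a package update patches it like any other file, and every invocation is logged under the invoking user's name, which is the accountability the opening post was after.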

__PJ 12-13-2010 07:49 PM

My way:

1. On the target host, modify the target user's ~/.ssh/authorized_keys file to include:
Code:

command="/usr/libexec/openssh/sftp-server" <client public key info here>

2. Ensure permissions are correct for ~/.ssh and ~/.ssh/authorized_keys (e.g. 0700 and 0600)


Provided keys are set up correctly, this allows the client to ssh directly as the target user to the target host, but only run sftp-server. From an ssh session, they'll effectively have a dud session, but when connecting via sftp/scp they have a functioning connection as the required user.

The downside is that if, as per the OP's setup, they also have sudo access to that account, they can modify the authorized_keys file and remove the command entry, permitting direct access to everything...
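Added example, not __PJ's code: an audit for the forced-command setup above. It walks an authorized_keys file and reports any key whose options do not force the expected sftp-server command or lack no-pty and the no-*-forwarding restrictions, which is how the downside just mentioned (a user with sudo access editing command= out of the file) would show up in a periodic check. The expected command path is the one from the post; the keys in the demonstration are constructed placeholders, not real keys.

```shell
#!/bin/sh
# Added example, not from the post above: audits an authorized_keys file for the
# forced-command setup just described. Each key in the target account should
# force the sftp-server command and carry no-pty plus the no-*-forwarding
# options; a key edited to drop command= or forcing a different command is
# reported. The key blobs in the demonstration are constructed placeholders.

# key_status LINE EXPECTED_COMMAND
# Prints ok, no-command, wrong-command, missing-opts or not-a-key for one
# authorized_keys line. Only the options prefix (the text before the key type)
# is inspected, so text in the comment field cannot satisfy the check.
key_status() {
    printf '%s\n' "$1" | awk -v expected="$2" '
    {
        opts = ""
        for (i = 1; i <= NF; i++) {
            if ($i ~ /^(ssh-|ecdsa-|sk-)/) break        # reached the key type
            opts = opts (opts == "" ? "" : " ") $i
        }
        if (i > NF) { print "not-a-key"; exit }
        if (match(opts, /command="[^"]*"/) == 0) { print "no-command"; exit }
        cmd = substr(opts, RSTART + 9, RLENGTH - 10)    # strip command=" and "
        if (cmd != expected) { print "wrong-command"; exit }
        n = split("no-pty no-port-forwarding no-X11-forwarding no-agent-forwarding", need, " ")
        for (j = 1; j <= n; j++)
            if (index(opts, need[j]) == 0) { print "missing-opts"; exit }
        print "ok"
    }'
}

# authorized_keys_problems FILE EXPECTED_COMMAND
# Prints the number of keys that are not "ok"; details go to stderr.
authorized_keys_problems() {
    count=0
    while IFS= read -r line || [ -n "$line" ]; do
        case "$line" in ''|'#'*) continue ;; esac      # skip blanks and comments
        status=$(key_status "$line" "$2")
        if [ "$status" != ok ]; then
            count=$((count + 1))
            echo "$status: ${line%% *}" >&2
        fi
    done < "$1"
    echo "$count"
}

# audit_authorized_keys FILE EXPECTED_COMMAND
# Returns 0 only when every key forces EXPECTED_COMMAND with the hardening options.
audit_authorized_keys() {
    [ "$(authorized_keys_problems "$1" "$2")" -eq 0 ]
}

# --- demonstration on a constructed file (placeholder key blobs) ---
expected=/usr/libexec/openssh/sftp-server
demo=$(mktemp -d)
cat > "$demo/authorized_keys" <<'EOF'
# ralph: restricted as intended
command="/usr/libexec/openssh/sftp-server",no-pty,no-port-forwarding,no-X11-forwarding,no-agent-forwarding ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPLACEHOLDER1 ralph
# billybob: command= entry removed, so this key would give a full shell
ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPLACEHOLDER2 billybob
# forces a different command than the sftp-server
command="/bin/sh",no-pty ssh-rsa AAAAB3NzaC1yc2EPLACEHOLDER3 someone
EOF
if audit_authorized_keys "$demo/authorized_keys" "$expected"; then
    echo "all keys restricted to $expected"
else
    echo "some keys in $demo/authorized_keys are not restricted"
fi
rm -rf "$demo"
```

Run `audit_authorized_keys /home/admin1/.ssh/authorized_keys /usr/libexec/openssh/sftp-server` from a root cron job alongside the sudo log review; a non-zero exit is the signal that the file has been edited.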

seighalani 10-15-2012 04:23 AM

thanks a lot MensaWater

But what should I do for multiuser? I couldn't run it for multiuser.

MensaWater 10-16-2012 08:22 AM

I don't know what you mean by multiuser in this context.

Multiuser has a specific meaning in UNIX/Linux - that is, it is a run level other than single user (which is run level 1) in which more than one user is allowed to log in.

The setup I discussed allows you to create multiple users and give each access to the single sftp account by adding those users then adding them to sudo.

seighalani 10-17-2012 04:51 AM

hi again

You're right. I want to give delegation to each user and I want to monitor them.

MensaWater 10-17-2012 03:27 PM

The solution in this thread regards use of sudo. Since sudo access is logged you should see which real user did the sudo to the admin user in your system log (e.g. /var/log/messages or /var/log/secure on Linux).

If you are instead asking how to set up multiple users NOT sharing a single account to which they all sudo, then you should open a new thread asking about that. You should not piggyback new unrelated questions on old threads like this one.
