LinuxQuestions.org


DarkD45 02-16-2006 06:18 PM

SSH Users and Root Commands
 
I don't know if this really is the right forum to post in, but I really would like to know if anyone knows how to help me out here.

So, we are working on some PHP stuff and need to be able to give an SSH account access to the SSH Service command. We don't want to directly connect root because -su does not work in the PHP ssh2() module. If that makes sense...

Well, if anyone knows how to do this, or another way to do this, it would be greatly appreciated.

(Sorry if I posted in the wrong forum.)

- DarkD45

Hangdog42 02-17-2006 11:33 AM

I'm not exactly sure what you mean by "SSH Service command". Could you give an explanation of what it is you want to do? It is possible that sudo could work, but I know I need a touch better idea of what you want to accomplish before I would know.

DarkD45 02-17-2006 06:08 PM

Well, we are using ssh2 (search ssh2 on php.net if you don't know what it is). It makes a connection to SSH in PHP. We use Red Hat Enterprise 3. What we want to do is be able to log in as a normal SSH user (in this case the user "staff") and we want to give them permission to some root commands, such as the service command (like: service bind stop; service bind start).

Hope that explains it.

Hangdog42 02-18-2006 07:13 AM

Thanks, that clears things up. I do think you want to use sudo in this case. Essentially you would be giving the user staff permission to run certain commands with root privileges on the RHE box. So instead of su-ing to root, staff would issue the command sudo service bind stop and then service bind stop would be run as root. The trick is to set up your sudoers file so that the user staff does not have to enter a password in order to use sudo. You can modify your sudoers file with the visudo command, but be aware that it uses the vi editor, which can be more than a little painful if you're not familiar with it. You do want to use the visudo command, however, as it checks for syntax errors when you exit. That can save a LOT of frustration.

DarkD45 02-18-2006 07:37 PM

Thanks, I'll try that.

Edit: OK, so it works, but is there a way to allow staff to have permission to execute files in the /etc/init.d/ directory? Because that's all that's left and then it will work.

imemyself 02-19-2006 01:40 AM

I don't know if it would work, but have you tried putting /etc/init.d/* in visudo? So something like
Code:

<user | %group> ALL = NOPASSWD: /etc/init.d/*
Or maybe try just putting /etc/init.d/ in without the * if it doesn't work with the *

Hangdog42 02-19-2006 07:59 AM

I guess it really comes down to how much system-wide access you want to allow this user to have. You could put the needed /etc/init.d files into sudoers and use sudo. An alternative would be to put the staff user into the group that owns the /etc/init.d files and make sure that those files can be executed by that group. However, that may also allow staff to run other commands. Yet another alternative would be to change the group ownership of /etc/init.d to something new, like staffgroup. If you use chown to have the ownership root:staffgroup then root could still execute at boot time, and anyone in staffgroup could also execute.
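
An added example, not part of any post in this thread: a sudoers fragment that contrasts the directory-wide grant suggested above with a grant limited to the exact command lines the PHP code issues. The user "staff" and the service name "bind" come from the thread; the alias name BIND_CTL and the /sbin/service path (the usual Red Hat location) are assumptions.

```sudoers
# Constructed example for /etc/sudoers; edit it with visudo so syntax is checked on exit.

# Broad grant: every script in /etc/init.d, with any arguments, runs as root
# without a password. Anything the PHP application can be made to send over
# its SSH session can then start, stop or reconfigure every service on the box.
# staff ALL = NOPASSWD: /etc/init.d/*

# Narrow grant: list each permitted command line in full. When arguments are
# given in sudoers, sudo only accepts an exact match, so "service bind stop"
# is allowed while "service sshd stop" or extra arguments are refused.
Cmnd_Alias BIND_CTL = /sbin/service bind start, \
                      /sbin/service bind stop, \
                      /etc/init.d/bind start, \
                      /etc/init.d/bind stop

# staff may run only the aliased commands, as root, without a password prompt
# (needed because the PHP ssh2 session cannot answer one).
staff ALL = (root) NOPASSWD: BIND_CTL
```

Running sudo -l as staff lists exactly what the account is allowed to run, which is a quick way to confirm the grant is no wider than intended.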


All times are GMT -5.