topic Re: Sudoers help needed. in Operating System - HP-UX

Sudoers help needed.

Ralph Grothe — Mon, 17 Sep 2001 17:32:30 GMT

Hi paranoics,

without having to write an own server (with little help from Perl's IO::Socket) I would like to enable a webserver process on another box to execute some non-perilious commands via a ssh connection through CGI.
Being aware about the security implications of CGI (for sure the Perl's taint check wouldn't pass remote commands on even another system without dying in the compile phase) I want to reduce them to a bearable minimum.
To this end I installed sudo on the remote box, and could hapilly have sudo watch after commands of normally unprivileged users. This works fine as long as the whole thing takes place on this box alone.
But I'm almost dispairing in making this work (without password) checking from the webserver's box.
Seems this EBNF stuff in sudoers manpage is too oblique to my mind?

What I sort of want to achieve is such:

on the webserver box execute as user webuser (i.e. httpd account on AIX, unprivileged)

$cmd="/usr/local/bin/ssh -l $account_on_hp_box $hostname_of_hp_box /usr/local/bin/sudo /usr/bin/cat /stand/system";
open PIPE, "$cmd |" or die "blabla:$!\n";
while () {
# parse output here into HTML
}
close PIPE;

I definitely don't want to put user webuser from the AIX box into $account_on_hp_box's .shosts file.

But of course then I'm always aked for a password, whoch the webserver cannot and should not supply.

I thought to put kind of these alii in /etc/sudoers

Host_Alias WWWSERV = IP_of_webserver

User_Alias WWWUSER = webuser

Cmd_Alias WWWCMD = /usr/bin/cat /stand/system

WWWUSER WWWSERV = NOPASSWD: WWWCMD

This doesn't work.
What is the correct syntax for commands executed by users on remote hosts?

Re: Sudoers help needed.

Ovidiu D. Raita — Mon, 17 Sep 2001 17:56:37 GMT

I hope I got it right (enough): you don't want the web server to know the passwd but you want it to be able to run a sudo command without providing a passwd.

I'm sure that the sudo gurus have the answer ... but ... why don't you just vi a script on the system you run sudo on and call it remotely using ssh.

The script might look like:
sudo $cmd < password.

The password is still readable but:
- you can make the sctipt readable only by the user
- the webserver doesn't have to know the passwd

Regards,
Ovidiu

Re: Sudoers help needed.

Kevin Wright — Mon, 17 Sep 2001 18:10:29 GMT

from the sudoers man page..

By default, sudo requires that a user authenticate him or herself before running a command. This behavior can be modified via the NOPASSWD tag. Like a Runas_Spec, the NOPASSWD tag sets a default for the commands that follow it in the Cmnd_Spec_List. Conversely, the PASSWD tag can be used to reverse things. For example:

ray rushmore =
NOPASSWD: /bin/kill, /bin/ls, /usr/bin/lprm

would allow the user ray to run /bin/kill, /bin/ls, and /usr/bin/lprm
as root on the machine rushmore as root without authenticating
himself. If we only want ray to be able to run /bin/kill without a
password the entry would be:

ray rushmore = NOPASSWD: /bin/kill, PASSWD: /bin/ls, /usr/bin/lprm