Re: Sudoers help needed.

Ralph Grothe
Honored Contributor

Sudoers help needed.

Hi paranoics,

Without having to write my own server (with a little help from Perl's IO::Socket) I would like to enable a webserver process on another box to execute some non-perilous commands via an ssh connection through CGI.
Being aware of the security implications of CGI (for sure Perl's taint check wouldn't pass remote commands on to another system without dying in the compile phase), I want to reduce them to a bearable minimum.
To this end I installed sudo on the remote box, and could happily have sudo watch over commands of normally unprivileged users. This works fine as long as the whole thing takes place on this box alone.
But I'm almost despairing of making this work (without password checking) from the webserver's box.
Seems this EBNF stuff in the sudoers manpage is too oblique for my mind?

What I sort of want to achieve is this:

on the webserver box execute as user webuser (i.e. httpd account on AIX, unprivileged)

$cmd="/usr/local/bin/ssh -l $account_on_hp_box $hostname_of_hp_box /usr/local/bin/sudo /usr/bin/cat /stand/system";
open PIPE, "$cmd |" or die "blabla:$!\n";
while (<PIPE>) {   # read the remote command's output line by line
# parse output here into HTML
}
close PIPE;

I definitely don't want to put user webuser from the AIX box into $account_on_hp_box's .shosts file.

But of course I'm then always asked for a password, which the webserver cannot and should not supply.

I thought to put aliases like these in /etc/sudoers:

Host_Alias WWWSERV = IP_of_webserver

User_Alias WWWUSER = webuser

Cmnd_Alias WWWCMD = /usr/bin/cat /stand/system

WWWUSER WWWSERV = NOPASSWD: WWWCMD

This doesn't work.
What is the correct syntax for commands executed by users on remote hosts?
Madness, thy name is system administration
Ovidiu D. Raita
Valued Contributor

Re: Sudoers help needed.

I hope I got it right (enough): you don't want the web server to know the passwd but you want it to be able to run a sudo command without providing a passwd.

I'm sure that the sudo gurus have the answer ... but ... why don't you just vi a script on the system you run sudo on and call it remotely using ssh?

The script might look like:
sudo -S $cmd < password   # -S makes sudo read the password from stdin instead of the tty

The password is still readable but:
- you can make the script readable only by the user
- the webserver doesn't have to know the passwd


Regards,
Ovidiu
Simple solutions to complex problems
Kevin Wright
Honored Contributor

Re: Sudoers help needed.

From the sudoers man page:

By default, sudo requires that a user authenticate him or herself before running a command. This behavior can be modified via the NOPASSWD tag. Like a Runas_Spec, the NOPASSWD tag sets a default for the commands that follow it in the Cmnd_Spec_List. Conversely, the PASSWD tag can be used to reverse things. For example:

ray rushmore = NOPASSWD: /bin/kill, /bin/ls, /usr/bin/lprm

would allow the user ray to run /bin/kill, /bin/ls, and /usr/bin/lprm as root on the machine rushmore without authenticating himself. If we only want ray to be able to run /bin/kill without a password the entry would be:

ray rushmore = NOPASSWD: /bin/kill, PASSWD: /bin/ls, /usr/bin/lprm
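Added example, not from any of the posts above: one way to get the password-free, single-command setup the original post asks for, using the NOPASSWD tag quoted from the man page in the last reply. The point the thread leaves unsaid is that a Host_Alias in sudoers names the host sudo is invoked on (the HP box), never the ssh client, so the "only from the webserver" restriction has to be done on the ssh side, here with a forced command and a from= clause in the HP account's ~/.ssh/authorized_keys. The hostname hpbox, the address 192.0.2.10 and the key blob are placeholders, as is the account name.

```text
# --- /etc/sudoers on the HP box (edit with visudo) ---
# Host_Alias matches the host sudo runs on, not the host the ssh session came from.
Host_Alias HPBOX   = hpbox                       # placeholder: the HP box's own hostname
User_Alias WWWUSER = account_on_hp_box           # placeholder: the account ssh logs in as
Cmnd_Alias WWWCMD  = /usr/bin/cat /stand/system  # arguments are matched too: cat of any other file is refused

WWWUSER HPBOX = NOPASSWD: WWWCMD                 # this one command line, no password prompt

# --- ~account_on_hp_box/.ssh/authorized_keys on the HP box (one line per key) ---
# The webserver's key may only run the fixed command, only from the webserver's address,
# with no pty and no forwarding. Whatever command the client asks for is ignored.
from="192.0.2.10",command="/usr/local/bin/sudo /usr/bin/cat /stand/system",no-pty,no-port-forwarding,no-X11-forwarding,no-agent-forwarding ssh-rsa AAAA...PLACEHOLDER... webuser@webserver
```

With the forced command in place the webserver's ssh client needs no command argument at all, and nothing from the .shosts mechanism is involved; the key pair on the webserver side is what identifies it, so protect its private key with file permissions the way the second reply suggests for the password file.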