Execute an SSH command
Hi to all, I need to execute a command on a remote machine through ssh, but that command can only be executed by one user, for example xpto. This user and all other users (except root) cannot execute commands on the remote machine with ssh, except this particular user for this particular command. In summary, only the user xpto can execute only this command with ssh. All others cannot execute any command. Any help? Any reference? Thanks to all in advance, Joao Reis
Hi Joao, On 24.06.2004 at 12:07 Joao Reis wrote:
Hi to all,
I need to execute a command on a remote machine through ssh, but that command can only be executed by one user, for example xpto. This user and all other users (except root) cannot execute commands on the remote machine with ssh, except this particular user for this particular command. In summary, only the user xpto can execute only this command with ssh. All others cannot execute any command.
You should use sudo for this. man sudo
Any help ? Any reference ?
Thanks to all in advance
Joao Reis -- Ingo Börnig <ingo at boernig.de>
pls ask for phone or snail address
Hi Ingo, But isn't sudo meant to be used just on the local machine? I want to remotely execute a command, and the user should not have permission to execute any other command, even if he has permission on the remote to do so. On Thu, 24 Jun 2004 15:09:47 +0200, Ingo Börnig <ingo@boernig.de> wrote:
You should use sudo for this. man sudo
-- "Do or do not. There is no try" - Yoda | 2000Comp - Consultoria e Informática, Lda | Tel: +351 22 941 99 32 | Fax: +351 22 941 99 34 | www: http://www.2000comp.pt | João Reis
I'll answer in detail soon. Dirk
Joao Reis wrote:
But isn't sudo meant to be used just on the local machine? I want to remotely execute a command, and the user should not have permission to execute any other command, even if he has permission on the remote to do so.
TRIA IT-consulting GmbH, Joseph-Wild-Straße 20, 81829 München, Germany. Tel: +49 (89) 92907-0, Fax: +49 (89) 92907-100, http://www.tria.de -- working hard | for your success -- Registergericht München HRB 113466, USt.-IdNr. DE 180017238, Steuer-Nr. 802/40600, Geschäftsführer: Hubertus Wagenhäuser. Message from: dirk.schreiner@tria.de, Message to: suse-security@suse.com, attachments: 0. The information contained in this E-Mail is privileged and confidential, intended only for the use of the individual or entity named above. If the reader of this message is not the intended recipient or competent to deliver it to the intended recipient, you are hereby notified that any dissemination, distribution or copying of this E-Mail is strictly prohibited. If you have received this E-Mail in error, please notify us immediately. Thank you.
Hi Ingo,
But isn't sudo meant to be used just on the local machine? I want to remotely execute a command, and the user should not have permission to execute any other command, even if he has permission on the remote to do so.
1) export the public key to the remote machine (insecure without a password, but easier to use)
2) add the remote's public key to the machine
3) write a script as described on the list ... ssh -l xpto servername 'mycommand here | myothercommand'
4) if you want root access for user xy, then set up /etc/sudoers with the correct syntax
5) run the script, e.g. as a cron job or whatever you want.
I use this to remotely shut down PCs connected to a UPS (cheaper than buying the APC extension for two serial connectors). It works fine for me, even if it's kind of insecure (look at 1) ...). Regards, Philippe
Hi Joao, you have to do the following:
First generate a public/private key pair for xpto _and root_. (You do this on the client machines.) Don't forget to encrypt the private key with a passphrase.
Then copy the public keys to the server. Target:
root: ~root/.ssh/authorized_keys
xpto: ~xpto/.ssh/authorized_keys
find / -name authorized_keys | xargs chmod 600
Warning!!! Don't overwrite an existing authorized_keys!!
Now!! Test the root login. And!!! Stay logged in!!!
Then disable password authentication on the server. Kill the master sshd. Start sshd anew. Test the root login again. Now you're safe.
Edit ~xpto/.ssh/authorized_keys. Add command="[command]"[space] at the beginning of the line containing the public key.
Test the login as xpto, and [command] should be executed.
Be aware that [command] must not allow a shell escape. That means "vi /etc/config" would be a bad idea due to :sh[enter].
Greetings, Dirk
Joao Reis wrote:
But isn't sudo meant to be used just on the local machine? I want to remotely execute a command, and the user should not have permission to execute any other command, even if he has permission on the remote to do so.
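The wrapper that the two recipes above (Philippe's numbered steps and Dirk's authorized_keys walkthrough) leave to the reader, as an added example that is not part of the original thread and not any participant's code. It assumes OpenSSH on the server, a wrapper installed at /usr/local/bin/xpto-wrapper and a target /usr/local/bin/mycommand (both hypothetical paths), and relies on sshd exporting the client's requested command in SSH_ORIGINAL_COMMAND whenever a key carries a command= option. It goes one step beyond the thread by also permitting one validated argument, which is where forced commands usually go wrong.

```shell
#!/bin/sh
# Added example, not from the thread: a forced-command wrapper for the
# "only xpto, only this one command" setup Dirk and Philippe describe.
# /usr/local/bin/xpto-wrapper and /usr/local/bin/mycommand are assumed
# paths, not something the thread names.

MYCOMMAND=/usr/local/bin/mycommand   # assumed target of the forced command

# Build the ~xpto/.ssh/authorized_keys line. command="..." makes sshd run
# the wrapper no matter what the client asked for; the no-* options close
# the other channels a key-only login still opens (pty, TCP/X11/agent
# forwarding). Newer OpenSSH (7.2+) spells these as the single option
# "restrict". $1 = wrapper path, $2 = public key, $3 = optional from= pattern.
authorized_keys_line() {
    opts="command=\"$1\",no-pty,no-port-forwarding,no-X11-forwarding,no-agent-forwarding"
    if [ -n "${3:-}" ]; then
        opts="$opts,from=\"$3\""
    fi
    printf '%s %s\n' "$opts" "$2"
}

# Map the client's request (sshd puts it in SSH_ORIGINAL_COMMAND) to the
# exact command line we are willing to run. Matching is on whole strings,
# so "mycommand; id" or "mycommand && sh" match nothing. Returns 1 and
# prints nothing for every request not on the allowlist, including an
# empty one (a plain "ssh xpto@host" asking for a shell).
resolve_command() {
    req=$1
    case "$req" in
        mycommand)
            printf '%s\n' "$MYCOMMAND" ;;
        "mycommand --host "*)
            # one argument allowed, restricted to hostname characters so it
            # can never split into extra words or carry shell syntax
            arg=${req#"mycommand --host "}
            case "$arg" in
                ""|*[!A-Za-z0-9.-]*) return 1 ;;
            esac
            printf '%s --host %s\n' "$MYCOMMAND" "$arg" ;;
        *)
            return 1 ;;
    esac
}

# Entry point when installed as the forced command. Refusals go to syslog
# so anyone probing the key shows up in the auth log.
xpto_main() {
    cmd=$(resolve_command "${SSH_ORIGINAL_COMMAND:-}") || {
        logger -t xpto-wrapper -p auth.notice "refused: ${SSH_ORIGINAL_COMMAND:-<none>}"
        echo "command not permitted" >&2
        exit 1
    }
    logger -t xpto-wrapper -p auth.info "running: $cmd"
    set -f          # no globbing while the validated line is word-split
    exec $cmd       # intentionally unquoted: every word came from validated pieces
}

# Run the entry point only when executed under the wrapper's name, so the
# functions above can be sourced and tested without an ssh session.
case "$0" in
    */xpto-wrapper) xpto_main ;;
esac
```

Install the wrapper as the forced command for xpto's key exactly as Dirk describes, and keep everything it can reach free of shell escapes (no editors, no pagers). The other half of Joao's requirement, that nobody else runs anything, comes from sshd_config rather than from the key: PasswordAuthentication no, and an AllowUsers line limited to the accounts that genuinely need a login, so the only way in is a listed key and the only thing xpto's key can do is what resolve_command returns.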
Joao Reis wrote:
Hi Ingo,
But isn't sudo meant to be used just on the local machine? I want to remotely execute a command, and the user should not have permission to execute any other command, even if he has permission on the remote to do so.
ssh fred@foobar 'sudo ......' -- Until later, Geoffrey Registered Linux User #108567 Building secure systems in spite of Microsoft
Noo, not sudo (not in this case, though I like it ;-) IMHO the best bet is: using public/private key authentication only, and including the command in the key ;-)
command="/bin/bash ...." [Public-Key] in authorized_keys
Greetings Dirk
Ingo Börnig wrote:
You should use sudo for this. man sudo
Hm, on 24.06.2004 at 17:10 Dirk Schreiner wrote:
Noo, not sudo (not in this case though i like it ;-)
IMHO best bet is: Using Public-Private-Key Authentication only. And Including the Command in the key ;-)
command="/bin/bash ...." [Public-Key] in authorized_keys
How do you take care that the command cannot be executed by another user? I thought that was the main problem. Executing commands remotely using ssh and public/private keys has to be used too, of course! I assumed that the other users are allowed to log in to the remote machine using ssh. But reading more carefully, that assumption makes no sense, since if they "cannot execute any command", they cannot log in at all! Well then it's simply enough to put the user's (and root's) private key into authorized_keys and disable password login in /etc/ssh/sshd_config. wkr, Ingo
-- Ingo Börnig <ingo at boernig.de> pls ask for phone or snail address
The Thursday 2004-06-24 at 17:33 +0200, Ingo Börnig wrote:
How do take care that the command cannot be executed by another user?
By chowning it to that user, for example, and giving it exec permission to the owner only (u+x,g-x,o-x). Of course, root would still be able to run it. You could install it in /home/user/bin, for example, so that root would not accidentally run it. He could still run it intentionally, though. Perhaps with ACLs - dunno about that. -- Cheers, Carlos Robinson
Carlos, Carlos E. R. wrote:
The Thursday 2004-06-24 at 17:33 +0200, Ingo Börnig wrote:
How do take care that the command cannot be executed by another user?
By chowning it to that user, for example, and giving it exec permission to the owner only (u+x,g-x,o-x). Of course, root would still be able to run it.
That will not be sufficient; you also have to remove read permission for all other users from that file:
iboernig@sauron:~/bin> ls -l ./pwd
-rw-r--r-- 1 iboernig users 12436 2004-06-30 14:10 ./pwd
iboernig@sauron:~/bin> ./pwd
bash: ./pwd: Permission denied
iboernig@sauron:~/bin> /lib/ld-linux.so.2 ./pwd
/home/iboernig/bin
Better use a chroot environment for this!
You could install it in /home/user/bin, for example, so that root would not accidentally run it. He could still run it intentionally, though.
Perhaps with acl - dunno about that.
POSIX ACLs only give additional permissions; root is still almighty! There will be no way to prevent root from executing any command. Cheers, -- Ingo Börnig <ingo at boernig.de> ASCII Ribbon Campaign against HTML email. Ask for phone or snail mail. GPG-Fingerprint: 2F8B DDFB F2A8 155A 206D 2969 F8FB 3C63 2033 BF32
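A check that encodes Carlos's and Ingo's points above, as an added example that is not from the thread and not any participant's code. A file that is executable only by its owner but still readable by others can be handed to the dynamic loader, as Ingo's ld-linux.so.2 run shows, so the audit treats group/other read as a failure; it also checks the containing directory, which the thread does not mention, because a writable directory lets someone replace the file instead of reading it. The demo builds its own throwaway file under mktemp; the mode arithmetic assumes a POSIX shell that reads a leading 0 as octal (dash and bash do). Root is outside its scope, as the thread concludes.

```shell
#!/bin/sh
# Added example, not from the thread: is a command file really private to
# one user? Checks owner, owner exec bit, any group/other read (ld.so can
# run a readable ELF without the x bit), any group/other exec or write,
# and whether the parent directory is group/other writable.

# Octal mode of a path; GNU stat (-c) first, BSD stat (-f) as fallback.
file_mode() {
    stat -c '%a' "$1" 2>/dev/null || stat -f '%OLp' "$1"
}

# Numeric uid of the owner, same two stat dialects.
file_owner_uid() {
    stat -c '%u' "$1" 2>/dev/null || stat -f '%u' "$1"
}

# Audit $1 for owner uid $2. Prints one line per finding and returns the
# number of findings (0 = private to that uid).
audit_private_command() {
    path=$1
    uid=$2
    findings=0
    m=$((0$(file_mode "$path")))                    # leading 0: octal
    d=$((0$(file_mode "$(dirname "$path")")))

    if [ "$(file_owner_uid "$path")" != "$uid" ]; then
        echo "owner is uid $(file_owner_uid "$path"), expected $uid"
        findings=$((findings + 1))
    fi
    if [ $((m & 0100)) -eq 0 ]; then
        echo "owner has no execute bit (mode $(file_mode "$path"))"
        findings=$((findings + 1))
    fi
    if [ $((m & 0044)) -ne 0 ]; then
        echo "group/other can read the file: ld.so can run it without the x bit"
        findings=$((findings + 1))
    fi
    if [ $((m & 0011)) -ne 0 ]; then
        echo "group/other can execute the file"
        findings=$((findings + 1))
    fi
    if [ $((m & 0022)) -ne 0 ]; then
        echo "group/other can write the file"
        findings=$((findings + 1))
    fi
    if [ $((d & 0022)) -ne 0 ]; then
        echo "directory $(dirname "$path") is group/other writable: file can be replaced"
        findings=$((findings + 1))
    fi
    return $findings
}

# Demo on a constructed file (a copy of /bin/sh as a stand-in command), so
# nothing real is touched. Run with: sh thisfile.sh demo
demo() {
    dir=$(mktemp -d)                          # mktemp -d creates mode 0700
    cp /bin/sh "$dir/mycommand"
    chmod 755 "$dir/mycommand"
    echo "== mode 755 =="
    audit_private_command "$dir/mycommand" "$(id -u)" || echo "findings: $?"
    chmod 700 "$dir/mycommand"
    echo "== mode 700 =="
    audit_private_command "$dir/mycommand" "$(id -u)" && echo "ok: private to uid $(id -u)"
    rm -rf "$dir"
}

if [ "${1:-}" = demo ]; then
    demo
fi
```

The 0700 result is the state Carlos and Ingo arrive at between them: owner executes, nobody else reads, writes or executes, and the directory itself is closed. It is still only discretionary access control; root and anything running as root walks through it, which is what Ingo's last sentence is about.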
On Wednesday 30 June 2004 14:20, Ingo Boernig wrote:
POSIX ACLs only give additional permissions; root is still almighty! There will be no way to prevent root from executing any command.
There is. You might want to have a look at RSBAC (www.rsbac.org). With RSBAC, even root can be restricted in many ways.
participants (8): Andreas Baetz, Carlos E. R., Dirk Schreiner, Geoffrey, Ingo Boernig, Ingo Börnig, Joao Reis, Philippe Vogel