|
|
Sponsored Content
Special Forums
Cybersecurity
Running Scripts With Parameters with sudo
Post 302588479 by cyphex on Monday 9th of January 2012 05:13:19 AM
01-09-2012
Running Scripts With Parameters with sudo
Hello everyone,
I'm new to the community so please bear with me if my terminology is not correct...
I'm trying to configure /etc/sudoers so a specific user can run a script as root.
My problem is I want to lock down what parameters the user can run the script against. The script in question accepts another file as its parameter
e.g. /scripts/myscript.ksh /root/config-files/fileA.cfg
I want userA to be able to run the above script as root but only run it using a specific file/parameter.
e.g. $ sudo '/scripts/myscript.ksh <parameter_1>'
Is this possible? Everything i've tried thus far I get syntax errors in the sudoers file.
I've managed to find a workaround which is using a wrapper script that specifies the scirpt and parameter in question.
This is not ideal though as I will need to create a wrapper script for every possible parameter.
Infact i'd like to go one step further. Ideally, i'd like sudoers to only allow userA to run this script with files/parameters that are located within /root/config-files/*
Just allowing the user to run the script and use any config file would be a security hole. i.e. user could create config file in /tmp then execute script with that file to cause damage.
Any help/advice would be much appreciated.
thanks
I'm new to the community so please bear with me if my terminology is not correct...
I'm trying to configure /etc/sudoers so a specific user can run a script as root.
My problem is I want to lock down what parameters the user can run the script against. The script in question accepts another file as its parameter
e.g. /scripts/myscript.ksh /root/config-files/fileA.cfg
I want userA to be able to run the above script as root but only run it using a specific file/parameter.
e.g. $ sudo '/scripts/myscript.ksh <parameter_1>'
Is this possible? Everything i've tried thus far I get syntax errors in the sudoers file.
I've managed to find a workaround which is using a wrapper script that specifies the scirpt and parameter in question.
This is not ideal though as I will need to create a wrapper script for every possible parameter.
Infact i'd like to go one step further. Ideally, i'd like sudoers to only allow userA to run this script with files/parameters that are located within /root/config-files/*
Just allowing the user to run the script and use any config file would be a security hole. i.e. user could create config file in /tmp then execute script with that file to cause damage.
Any help/advice would be much appreciated.
thanks
|
|
10 More Discussions You Might Find Interesting
1. Shell Programming and Scripting
Hi,
I have a first shell script (/bin/sh) that receives some paremeters. This is only an example (there are more parameters in fact and this one is among them):
-header "This is a test"
This script calls a secund shell script (/bin/sh) with the same parameters. But, quotes disappear as I would... (0 Replies)
Discussion started by: velo_love
0 Replies
2. Shell Programming and Scripting
hi,
I have a script abc in a machine xyz. which i can access by sudo su - user. that is i can login to xyz using my id and then switch to user and run the script.
Now what i need to do is run the script from another script in machine xyz1. From xyz1 i can ssh to xyz using my id. Some one... (1 Reply)
Discussion started by: rvz
1 Replies
3. Shell Programming and Scripting
Hi all,
I have set up a cron job which calls another shell script shell script which in turn calls a Java process. The cron tab looks so.
0,30 7-18 * * 1-5 /u01/home/weblogic/brp/bin/checkstatus.sh >> /u01/home/weblogic/logs/checkstatus.log
The checkstatus.sh scripts looks like this.
... (4 Replies)
Discussion started by: sirbrian
4 Replies
4. Solaris
Hi,
I am logging into sun solaris unix box as asood user.Then sudo su_appssu
and scheduled my cron jobs.The user appssu is there In the /etc/cron.d/cron.allow . I do not understand why the jobs are not kicking by cron. Do I need to enter directly as appssu ?
Regards
Megh (10 Replies)
Discussion started by: megh
10 Replies
5. UNIX for Dummies Questions & Answers
I am learning how to write shell scripts and have come across an issue. I'm trying to write a script that looks for a directory called public_html, and if it finds one, to print the number of lines that contain applet tags (containing '<applet') in all files that end in either .html or .htm that... (7 Replies)
Discussion started by: feverdream
7 Replies
6. Shell Programming and Scripting
I use csh a lot but I don't really write csh scripts. Now I have a need to implement a security check (written in perl; verify an user input security code) into a csh script. Here is the senario:
#csh
1. call the perl script
2. if the perl script returns 'true', pass on;
if the perl... (1 Reply)
Discussion started by: Julian16
1 Replies
7. Shell Programming and Scripting
hello; Got a problem running monitoring scripts using sudo ssh.. Mgmt decided to take away root sudoers access.. so most of the scripts ran as:
sudo ssh $BOX ...
Now I need to run them as:
echo $my_pw | sudo -S -l my_user_id $BOX ...
I tried this but not working..
Any wisdom/tricks... (3 Replies)
Discussion started by: delphys
3 Replies
8. Shell Programming and Scripting
Problem connect to a different server then do sudo login and finally run some scripts and get result
I have to write a shell script in my current linux server and I have to connect to a different server then do sudo login and finally run some scripts residing in a particular directory and get results back. I am starting to write my shell script as below but after I do ssh login it prompts for... (2 Replies)
Discussion started by: Devesh5683
2 Replies
9. UNIX for Dummies Questions & Answers
I am trying to run a command. This is one of my attempts:
for i in fileservera; do ssh -t $i 'sudo ls /';doneThis works, and I see the directories. However, what I want to do now is start a process on the remote server such as /usr/bin/connectproc -standalonesudo /usr/bin/connectproc... (1 Reply)
Discussion started by: newbie2010
1 Replies
10. Shell Programming and Scripting
I have 2 scripts. test.sh, which calls submit2.sh. One of the parameters contains space and is quoted.
((((./submit2.sh Group_1_2_AMS_DAILY_CORE_GRP03 AMS AMS_D 'DAILY REPORT PROCEDURES'; echo $?>&3) | tee 1.log >&4)3>&1) | (read xs; exit $xs)) 4>&1
echo parm 1 = $1
echo parm 2 = $2... (1 Reply)
Discussion started by: andyclam
1 Replies
LEARN ABOUT CENTOS
pam_ssh_agent_auth
pam_ssh_agent_auth(8) PAM pam_ssh_agent_auth(8) PAM_SSH_AGENT_AUTH This module provides authentication via ssh-agent. If an ssh-agent listening at SSH_AUTH_SOCK can successfully authenticate that it has the secret key for a public key in the specified file, authentication is granted, otherwise authentication fails. SUMMARY
/etc/pam.d/sudo: auth sufficient pam_ssh_agent_auth.so file=/etc/security/authorized_keys /etc/sudoers: Defaults env_keep += "SSH_AUTH_SOCK" This configuration would permit anyone who has an SSH_AUTH_SOCK that manages the private key matching a public key in /etc/security/authorized_keys to execute sudo without having to enter a password. Note that the ssh-agent listening to SSH_AUTH_SOCK can either be local, or forwarded. Unlike NOPASSWD, this still requires an authentication, it's just that the authentication is provided by ssh-agent, and not password entry. ARGUMENTS
file=<path to authorized_keys> Specify the path to the authorized_keys file(s) you would like to use for authentication. Subject to tilde and % EXPANSIONS (below) allow_user_owned_authorized_keys_file A flag which enables authorized_keys files to be owned by the invoking user, instead of root. This flag is enabled automatically whenever the expansions %h or ~ are used. debug A flag which enables verbose logging sudo_service_name=<service name you compiled sudo to use> (when compiled with --enable-sudo-hack) Specify the service name to use to identify the service "sudo". When the PAM_SERVICE identifier matches this string, and if PAM_RUSER is not set, pam_ssh_agent_auth will attempt to identify the calling user from the environment variable SUDO_USER. This defaults to "sudo". EXPANSIONS
~ -- same as in shells, a user's Home directory Automatically enables allow_user_owned_authorized_keys_file if used in the context of ~/. If used as ~user/, it would expect the file to be owned by 'user', unless you explicitely set allow_user_owned_authorized_keys_file %h -- User's Home directory Automatically enables allow_user_owned_authorized_keys_file %H -- The short-hostname %u -- Username %f -- FQDN EXAMPLES
in /etc/pam.d/sudo "auth sufficient pam_ssh_agent_auth.so file=~/.ssh/authorized_keys" The default .ssh/authorized_keys file in a user's home-directory "auth sufficient pam_ssh_agent_auth.so file=%h/.ssh/authorized_keys" Same as above. "auth sufficient pam_ssh_agent_auth.so file=~fred/.ssh/authorized_keys" If the home-directory of user 'fred' was /home/fred, this would expand to /home/fred/.ssh/authorized_keys. In this case, we have not specified allow_user_owned_authorized_keys_file, so this file must be owned by 'fred'. "auth sufficient pam_ssh_agent_auth.so file=/secure/%H/%u/authorized_keys allow_user_owned_authorized_keys_file" On a host named foobar.baz.com, and a user named fred, would expand to /secure/foobar/fred/authorized_keys. In this case, we specified allow_user_owned_authorized_keys_file, so fred would be able to manage that authorized_keys file himself. "auth sufficient pam_ssh_agent_auth.so file=/secure/%f/%u/authorized_keys" On a host named foobar.baz.com, and a user named fred, would expand to /secure/foobar.baz.com/fred/authorized_keys. In this case, we have not specified allow_user_owned_authorized_keys_file, so this file must be owned by root. v0.8 2009-08-09 pam_ssh_agent_auth(8)