Beefy Boxes and Bandwidth Generously Provided by pair Networks
"be consistent"

running setuid for ssh ?

by convenientstore (Pilgrim)
on Jan 18, 2008 at 21:57 UTC ( #663150=perlquestion: print w/replies, xml ) Need Help??

convenientstore has asked for the wisdom of the Perl Monks concerning the following question:

my perl at work is too old to use EXPECT modules and I need to write a script for users(for example user Joe) so that they can run it as userX(who has authrozied key in remote serverX who can auto ssh into the box(meaning no need to enter passwd) and run a simple script).

This then might be little more than perl question(but then perl is choice of people who use unix/linux so), will setting my script to setuid as userX will allow user joe to run the program to do what the script is intended to do(including auto login) or will i need something else? setting user environment or something or is this not possible

sub dosomething{ $yo = `ssh "$_[0]" grep XX /etc/hosts`; print "$yo\n"; } dosomething();

Replies are listed 'Best First'.
Re: running setuid for ssh ?
by hipowls (Curate) on Jan 18, 2008 at 22:37 UTC

    If you are prepared to let them run ssh using sudo or by setting the suid bit then why not just give them the key? You won't be letting them do anything they couldn't through the other methods.

    ssh -l userX machine

    You will also need to consider security, I would set up an account for this single purpose, write a script with menu options for the permitted functions. Ensure that no command gives a command shell or that control-C doesn't drop you there. Set that script as the shell in /etc/passwd.

    sshd will also have to be configured to only permit the script. Look for ForceCommand in the ssh docs

      one other question,

      Still considering using at work if possible but when I look at the expect module code, it says

      use 5.006; # 4 won't cut it.
      At my work perl is  This is perl, version 5.005_03.

      Does this mean it will work since it's less than 5.006 but it only states that 4 won't cut it??? which means 5.005 is ok????

      # -*-cperl-*- # Please see the .pod files for documentation. This module is copyrigh +ted # as per the usual perl legalese: # Copyright (c) 1997 Austin Schutz. # expect() interface & functionality enhancements (c) 1999 Roland Gier +sig. # # All rights reserved. This program is free software; you can # redistribute it and/or modify it under the same terms as Perl # itself. # # Don't blame/flame me if you bust your stuff. # Austin Schutz <> # # This module now is maintained by # Roland Giersig <> # use 5.006; # 4 won't cut it.
        Does anyone know the answer to this? I thought computer programming is all about giving precise instructions..:-P or am I misinterpreting ?

        use 5.006 ; # 4 won't cut it
Re: running setuid for ssh ?
by Joost (Canon) on Jan 18, 2008 at 22:01 UTC
    Well... you can probably get a suid script to do almost anything, but since ssh already has its own, more fine-grained, user controls (including auto login facilities on a per-user, per-remote account basis) I'm not sure why you'd want to use suid at all.

    update: if you want to go the quick (and arguably insecure) route, you could just share the relevant ssh key with each user that needs to use the script. In the real world, you will probably want a separate key for each user. Also note that there are issues with suid (perl)scripts on some systems.

Log In?

What's my password?
Create A New User
Domain Nodelet?
Node Status?
node history
Node Type: perlquestion [id://663150]
Approved by Joost
and the web crawler heard nothing...

How do I use this? | Other CB clients
Other Users?
Others pondering the Monastery: (3)
As of 2022-06-29 03:13 GMT
Find Nodes?
    Voting Booth?
    My most frequent journeys are powered by:

    Results (94 votes). Check out past polls.