running setuid for ssh ?

convenientstore has asked for the wisdom of the Perl Monks concerning the following question:

my perl at work is too old to use EXPECT modules and I need to write a script for users(for example user Joe) so that they can run it as userX(who has authrozied key in remote serverX who can auto ssh into the box(meaning no need to enter passwd) and run a simple script).

This then might be little more than perl question(but then perl is choice of people who use unix/linux so), will setting my script to setuid as userX will allow user joe to run the program to do what the script is intended to do(including auto login) or will i need something else? setting user environment or something or is this not possible

example:

sub dosomething{
     $yo = `ssh "$_[0]" grep XX /etc/hosts`;
     print "$yo\n";
}

dosomething();
[download]

Comment on running setuid for ssh ? Download Code

Replies are listed 'Best First'.
Re: running setuid for ssh ? by hipowls (Curate) on Jan 18, 2008 at 22:37 UTC
If you are prepared to let them run ssh using sudo or by setting the suid bit then why not just give them the key? You won't be letting them do anything they couldn't through the other methods. `ssh -l userX machine` You will also need to consider security, I would set up an account for this single purpose, write a script with menu options for the permitted functions. Ensure that no command gives a command shell or that control-C doesn't drop you there. Set that script as the shell in /etc/passwd. sshd will also have to be configured to only permit the script. Look for ForceCommand in the ssh docs	[reply] [d/l]
Re^2: running setuid for ssh ? by convenientstore (Pilgrim) on Jan 21, 2008 at 04:41 UTC
one other question, Still considering using expect.pm at work if possible but when I look at the expect module code, it says use 5.006; # 4 won't cut it. At my work perl is `This is perl, version 5.005_03.` Does this mean it will work since it's less than 5.006 but it only states that 4 won't cut it??? which means 5.005 is ok???? # --cperl-- # Please see the .pod files for documentation. This module is copyrigh +ted # as per the usual perl legalese: # Copyright (c) 1997 Austin Schutz. # expect() interface & functionality enhancements (c) 1999 Roland Gier +sig. # # All rights reserved. This program is free software; you can # redistribute it and/or modify it under the same terms as Perl # itself. # # Don't blame/flame me if you bust your stuff. # Austin Schutz <ASchutz@users.sourceforge.net> # # This module now is maintained by # Roland Giersig <RGiersig@cpan.org> # use 5.006; # 4 won't cut it. [download]	[reply] [d/l] [select]
Re^3: running setuid for ssh ? by Anonymous Monk on Jan 21, 2008 at 22:01 UTC
Does anyone know the answer to this? I thought computer programming is all about giving precise instructions..:-P or am I misinterpreting ? `use 5.006 ; # 4 won't cut it` [download]	[reply] [d/l]
Re^4: running setuid for ssh ? by andyford (Curate) on Jan 22, 2008 at 18:48 UTC
Re: running setuid for ssh ? by Joost (Canon) on Jan 18, 2008 at 22:01 UTC
Well... you can probably get a suid script to do almost anything, but since ssh already has its own, more fine-grained, user controls (including auto login facilities on a per-user, per-remote account basis) I'm not sure why you'd want to use suid at all. update: if you want to go the quick (and arguably insecure) route, you could just share the relevant ssh key with each user that needs to use the script. In the real world, you will probably want a separate key for each user. Also note that there are issues with suid (perl)scripts on some systems. "What should it profit a man, if he should win a flame war, yet lose his cool?"	[reply]


"be consistent"
	PerlMonks