Old 09-11-2010, 09:15 PM
Hal Vaughan
 
Default Updating files in /etc Remotely (and automated)

I will be working with a server on the Internet that uses rsync and is running Debian. I will be setting up initial /etc/rsyncd.conf and /etc/rsyncd.secrets files on it. But along the way, whenever a new user is added, they'll need to be updated. I can use ssh on this system, but, of course, I don't want to allow root access.

I'd like to be able to have these files updated automatically when I add a new user to another system. I could create new copies of the files locally, where the users are added and use scp to copy them to a directory on the server. But that's where there are problems. How can I chown the files to root, copy them to /etc, and chmod as needed for rsync to use them automatically?

I don't see a way to do that without security issues. I need to somehow ssh in and do an su or run three commands as sudo (I need to mv the file, chown it, and chmod it).

I am far from an expert in security, but I can see that if I have anything in place to make this easy, then anyone hacking my user account could easily mess up anything in the system.

Is there some way I can set this up so I can update rsyncd.conf and rsyncd.secrets only automatically when I have the newer versions on my local system to be uploaded?


Thanks for any ideas!



Hal

--
To UNSUBSCRIBE, email to debian-user-REQUEST@lists.debian.org
with a subject of "unsubscribe". Trouble? Contact listmaster@lists.debian.org
Archive: http://lists.debian.org/EF953506-5924-409C-B345-B43C694DD3B6@halblog.com
 
Old 09-12-2010, 02:51 PM
Rob Owens
 
Default Updating files in /etc Remotely (and automated)

On Sat, Sep 11, 2010 at 05:15:50PM -0400, Hal Vaughan wrote:
> I will be working with a server on the Internet that uses rsync and is running Debian. I will be setting up initial /etc/rsyncd.conf and /etc/rsyncd.secrets files on it. But along the way, whenever a new user is added, they'll need to be updated. I can use ssh on this system, but, of course, I don't want to allow root access.
>
> I'd like to be able to have these files updated automatically when I add a new user to another system. I could create new copies of the files locally, where the users are added and use scp to copy them to a directory on the server. But that's where there are problems. How can I chown the files to root, copy them to /etc, and chmod as needed for rsync to use them automatically?
>
> I don't see a way to do that without security issues. I need to somehow ssh in and do an su or run three commands as sudo (I need to mv the file, chown it, and chmod it).
>
> I am far from an expert in security, but I can see that if I have anything in place to make this easy, then anyone hacking my user account could easily mess up anything in the system.
>
> Is there some way I can set this up so I can update rsyncd.conf and rsyncd.secrets only automatically when I have the newer versions on my local system to be uploaded?
>
>
When using ssh keys to log in, you can specify (in
~/.ssh/authorized_keys) a command which will automatically run when that
key is used to log in. And that key will be useless to do anything
else. Simply using that key to connect to the remote server will run
that command.

The authorized_keys file would look something like this:

command="/path/to/my/script" ssh-rsa AAAAB3NzaC1yc2EAAA.... me@myhost

You could use this to ssh into the remote server as root, or as a user
with very specific sudo privileges that will allow your script to run.
(The script would perform the file changes you need done, or simply
rsync them from your local machine).

-Rob


--
Archive: http://lists.debian.org/20100912145107.GA29195@aurora.owens.net
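An added example, not from Rob's post or the list, of what the script behind that authorized_keys line can look like: it treats whatever the client asked to run as data, accepts only one of two exact file names as the request, and stages the uploaded file under a size cap and a content check, so the key can do nothing else even if the workstation holding it is compromised. The staging directory, the key options and the path of the wrapper are assumptions; moving the staged copy into /etc is left to a root-side job, so the upload account needs no sudo rights at all.

```sh
#!/bin/sh
# Forced-command wrapper for a dedicated upload key (constructed example).
# Server-side authorized_keys entry, one line, key shortened (assumed key options):
#   no-port-forwarding,no-X11-forwarding,no-agent-forwarding,no-pty,command="/usr/local/sbin/rsync-config-upload" ssh-ed25519 AAAA... upload@workstation
# Client side, sending the new file on stdin:
#   ssh -i ~/.ssh/upload_key uploader@server rsyncd.secrets < rsyncd.secrets.new
set -eu

STAGE_DIR="${STAGE_DIR:-/var/lib/rsync-config/incoming}"   # assumed: owned by the upload user, mode 0700
MAX_BYTES=65536

# sshd puts the client's requested command in SSH_ORIGINAL_COMMAND. It is treated
# as data: only these two exact file names are accepted, nothing is ever executed.
validate_forced_command() {
    case "$1" in
        rsyncd.conf|rsyncd.secrets) return 0 ;;
        *) return 1 ;;
    esac
}

# Read stdin into the staging dir under the requested name, via a temp file so a
# half-written upload is never picked up. Rejects empty, oversized or non-text
# content. Prints the path of the staged file on success.
stage_upload() {
    name=$1; dir=$2
    validate_forced_command "$name" || { echo "rejected request: $name" >&2; return 1; }
    tmp=$(umask 077; mktemp "$dir/.$name.XXXXXX")
    head -c "$MAX_BYTES" > "$tmp"
    size=$(wc -c < "$tmp" | tr -d ' ')
    # An upload that fills the cap may have been truncated, so it is rejected too.
    if [ ! -s "$tmp" ] || [ "$size" -ge "$MAX_BYTES" ] \
       || LC_ALL=C grep -q '[^[:print:][:blank:]]' "$tmp"; then
        rm -f "$tmp"; echo "rejected content for $name" >&2; return 1
    fi
    chmod 0600 "$tmp"
    mv -f "$tmp" "$dir/$name"
    printf '%s\n' "$dir/$name"
}

# Entry point when sshd runs this as the forced command.
if [ -n "${SSH_ORIGINAL_COMMAND:-}" ]; then
    stage_upload "$SSH_ORIGINAL_COMMAND" "$STAGE_DIR"
fi
```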
 
Old 09-12-2010, 04:01 PM
Hal Vaughan
 
Default Updating files in /etc Remotely (and automated)

On Sep 12, 2010, at 10:51 AM, Rob Owens wrote:

> On Sat, Sep 11, 2010 at 05:15:50PM -0400, Hal Vaughan wrote:
>> I will be working with a server on the Internet that uses rsync and is running Debian. I will be setting up initial /etc/rsyncd.conf and /etc/rsyncd.secrets files on it. But along the way, whenever a new user is added, they'll need to be updated. I can use ssh on this system, but, of course, I don't want to allow root access.
>>
>> I'd like to be able to have these files updated automatically when I add a new user to another system. I could create new copies of the files locally, where the users are added and use scp to copy them to a directory on the server. But that's where there are problems. How can I chown the files to root, copy them to /etc, and chmod as needed for rsync to use them automatically?
>>
>> I don't see a way to do that without security issues. I need to somehow ssh in and do an su or run three commands as sudo (I need to mv the file, chown it, and chmod it).
>>
>> I am far from an expert in security, but I can see that if I have anything in place to make this easy, then anyone hacking my user account could easily mess up anything in the system.
>>
>> Is there some way I can set this up so I can update rsyncd.conf and rsyncd.secrets only automatically when I have the newer versions on my local system to be uploaded?
>>
>>
> When using ssh keys to log in, you can specify (in
> ~/.ssh/authorized_keys) a command which will automatically run when that
> key is used to log in. And that key will be useless to do anything
> else. Simply using that key to connect to the remote server will run
> that command.
>
> The authorized_keys file would look something like this:
>
> command="/path/to/my/script" ssh-rsa AAAAB3NzaC1yc2EAAA.... me@myhost

I see. That would make perfect sense and I see I can use -i to specify which key to use, so for normal situations, I just use "ssh host," and when I want this done, I do "ssh -i .ssh/special_key host" instead.

I thought I knew about authorized keys, but didn't know you could specify a command to be run in that file.

> You could use this to ssh into the remote server as root, or as a user
> with very specific sudo privileges that will allow your script to run.
> (The script would perform the file changes you need done, or simply
> rsync them from your local machine).

But if I'm not running as root, from what I can see, no matter what I do with sudo, I still have to type in a password, don't I? Using the authorized_keys file and specifying what can be done at login does a lot to help with security, but if I don't log in as root, no matter what I do, I'll still have to type in a password to use either "su" or "sudo," right? Or is there a way around it? I was going through man pages, but it seems both require a password to be typed in no matter what.



Hal

--
Archive: http://lists.debian.org/9229C387-BB4B-4004-834A-3BEA7FA77E0D@halblog.com
 
Old 09-12-2010, 04:37 PM
Rob Owens
 
Default Updating files in /etc Remotely (and automated)

On Sun, Sep 12, 2010 at 12:01:26PM -0400, Hal Vaughan wrote:
>
> On Sep 12, 2010, at 10:51 AM, Rob Owens wrote:
>
> > On Sat, Sep 11, 2010 at 05:15:50PM -0400, Hal Vaughan wrote:
> >> I will be working with a server on the Internet that uses rsync and is running Debian. I will be setting up initial /etc/rsyncd.conf and /etc/rsyncd.secrets files on it. But along the way, whenever a new user is added, they'll need to be updated. I can use ssh on this system, but, of course, I don't want to allow root access.
> >>
> >> I'd like to be able to have these files updated automatically when I add a new user to another system. I could create new copies of the files locally, where the users are added and use scp to copy them to a directory on the server. But that's where there are problems. How can I chown the files to root, copy them to /etc, and chmod as needed for rsync to use them automatically?
> >>
> >> I don't see a way to do that without security issues. I need to somehow ssh in and do an su or run three commands as sudo (I need to mv the file, chown it, and chmod it).
> >>
> >> I am far from an expert in security, but I can see that if I have anything in place to make this easy, then anyone hacking my user account could easily mess up anything in the system.
> >>
> >> Is there some way I can set this up so I can update rsyncd.conf and rsyncd.secrets only automatically when I have the newer versions on my local system to be uploaded?
> >>
> >>
> > When using ssh keys to log in, you can specify (in
> > ~/.ssh/authorized_keys) a command which will automatically run when that
> > key is used to log in. And that key will be useless to do anything
> > else. Simply using that key to connect to the remote server will run
> > that command.
> >
> > The authorized_keys file would look something like this:
> >
> > command="/path/to/my/script" ssh-rsa AAAAB3NzaC1yc2EAAA.... me@myhost
>
> I see. That would make perfect sense and I see I can use -i to specify which key to use, so for normal situations, I just use "ssh host," and when I want this done, I do "ssh -i .ssh/special_key host" instead.
>
> I thought I knew about authorized keys, but didn't know you could specify a command to be run in that file.
>
> > You could use this to ssh into the remote server as root, or as a user
> > with very specific sudo privileges that will allow your script to run.
> > (The script would perform the file changes you need done, or simply
> > rsync them from your local machine).
>
> But if I'm not running as root, from what I can see, no matter what I do with sudo, I still have to type in a password, don't I? Using the authorized_keys file and specifying what can be done at login does a lot to help with security, but if I don't log in as root, no matter what I do, I'll still have to type in a password to use either "su" or "sudo," right? Or is there a way around it? I was going through man pages, but it seems both require a password to be typed in no matter what.
>
In /etc/sudoers, you can specify "NOPASSWD", like this:

someuser ALL=NOPASSWD: /path/to/some/command

Then "someuser" can run the specified command as root without typing a
password.

-Rob


--
Archive: http://lists.debian.org/20100912163733.GB29852@aurora.owens.net
 
Old 09-12-2010, 04:52 PM
Hal Vaughan
 
Default Updating files in /etc Remotely (and automated)

On Sep 12, 2010, at 12:37 PM, Rob Owens wrote:

> On Sun, Sep 12, 2010 at 12:01:26PM -0400, Hal Vaughan wrote:
>>
>> On Sep 12, 2010, at 10:51 AM, Rob Owens wrote:
>>
>>> On Sat, Sep 11, 2010 at 05:15:50PM -0400, Hal Vaughan wrote:
>>>> I will be working with a server on the Internet that uses rsync and is running Debian. I will be setting up initial /etc/rsyncd.conf and /etc/rsyncd.secrets files on it. But along the way, whenever a new user is added, they'll need to be updated. I can use ssh on this system, but, of course, I don't want to allow root access.
>>>>
>>>> I'd like to be able to have these files updated automatically when I add a new user to another system. I could create new copies of the files locally, where the users are added and use scp to copy them to a directory on the server. But that's where there are problems. How can I chown the files to root, copy them to /etc, and chmod as needed for rsync to use them automatically?
>>>>
>>>> I don't see a way to do that without security issues. I need to somehow ssh in and do an su or run three commands as sudo (I need to mv the file, chown it, and chmod it).
>>>>
>>>> I am far from an expert in security, but I can see that if I have anything in place to make this easy, then anyone hacking my user account could easily mess up anything in the system.
>>>>
>>>> Is there some way I can set this up so I can update rsyncd.conf and rsyncd.secrets only automatically when I have the newer versions on my local system to be uploaded?
>>>>
>>>>
>>> When using ssh keys to log in, you can specify (in
>>> ~/.ssh/authorized_keys) a command which will automatically run when that
>>> key is used to log in. And that key will be useless to do anything
>>> else. Simply using that key to connect to the remote server will run
>>> that command.
>>>
>>> The authorized_keys file would look something like this:
>>>
>>> command="/path/to/my/script" ssh-rsa AAAAB3NzaC1yc2EAAA.... me@myhost
>>
>> I see. That would make perfect sense and I see I can use -i to specify which key to use, so for normal situations, I just use "ssh host," and when I want this done, I do "ssh -i .ssh/special_key host" instead.
>>
>> I thought I knew about authorized keys, but didn't know you could specify a command to be run in that file.
>>
>>> You could use this to ssh into the remote server as root, or as a user
>>> with very specific sudo privileges that will allow your script to run.
>>> (The script would perform the file changes you need done, or simply
>>> rsync them from your local machine).
>>
>> But if I'm not running as root, from what I can see, no matter what I do with sudo, I still have to type in a password, don't I? Using the authorized_keys file and specifying what can be done at login does a lot to help with security, but if I don't log in as root, no matter what I do, I'll still have to type in a password to use either "su" or "sudo," right? Or is there a way around it? I was going through man pages, but it seems both require a password to be typed in no matter what.
>>
> In /etc/sudoers, you can specify "NOPASSWD", like this:
>
> someuser ALL=NOPASSWD: /path/to/some/command
>
> Then "someuser" can run the specified command as root without typing a
> password.

My bad, in this case. I read the SUDO man page over a few times, but forgot to read SUDOERS man page. Thanks!



Hal

--
Archive: http://lists.debian.org/DD0542FE-3B19-4D26-A129-B03D831B006E@halblog.com
 
Old 09-12-2010, 05:45 PM
Joe
 
Default Updating files in /etc Remotely (and automated)

On 11/09/10 22:15, Hal Vaughan wrote:

I will be working with a server on the Internet that uses rsync and is running Debian. I will be setting up initial /etc/rsyncd.conf and /etc/rsyncd.secrets files on it. But along the way, whenever a new user is added, they'll need to be updated. I can use ssh on this system, but, of course, I don't want to allow root access.

I'd like to be able to have these files updated automatically when I add a new user to another system. I could create new copies of the files locally, where the users are added and use scp to copy them to a directory on the server. But that's where there are problems. How can I chown the files to root, copy them to /etc, and chmod as needed for rsync to use them automatically?

I don't see a way to do that without security issues. I need to somehow ssh in and do an su or run three commands as sudo (I need to mv the file, chown it, and chmod it).

I am far from an expert in security, but I can see that if I have anything in place to make this easy, then anyone hacking my user account could easily mess up anything in the system.

Is there some way I can set this up so I can update rsyncd.conf and rsyncd.secrets only automatically when I have the newer versions on my local system to be uploaded?


Thanks for any ideas!



Hal

How quickly do you need the updates? Cron will run scripts as root, and
can run your script as often as you can stand the overhead. You just
need to get the files there in a safe way.


--
Joe


--
Archive: http://lists.debian.org/4C8D11B6.5000704@jretrading.com
 
Old 09-12-2010, 06:31 PM
Hal Vaughan
 
Default Updating files in /etc Remotely (and automated)

On Sep 12, 2010, at 1:45 PM, Joe wrote:

> On 11/09/10 22:15, Hal Vaughan wrote:
>> I will be working with a server on the Internet that uses rsync and is running Debian. I will be setting up initial /etc/rsyncd.conf and /etc/rsyncd.secrets files on it. But along the way, whenever a new user is added, they'll need to be updated. I can use ssh on this system, but, of course, I don't want to allow root access.
>>
>> I'd like to be able to have these files updated automatically when I add a new user to another system. I could create new copies of the files locally, where the users are added and use scp to copy them to a directory on the server. But that's where there are problems. How can I chown the files to root, copy them to /etc, and chmod as needed for rsync to use them automatically?
>>
>> I don't see a way to do that without security issues. I need to somehow ssh in and do an su or run three commands as sudo (I need to mv the file, chown it, and chmod it).
>>
>> I am far from an expert in security, but I can see that if I have anything in place to make this easy, then anyone hacking my user account could easily mess up anything in the system.
>>
>> Is there some way I can set this up so I can update rsyncd.conf and rsyncd.secrets only automatically when I have the newer versions on my local system to be uploaded?
>>
>>
>> Thanks for any ideas!
>>
>>
>>
>> Hal
>>
> How quickly do you need the updates? Cron will run scripts as root, and can run your script as often as you can stand the overhead. You just need to get the files there in a safe way.

I had completely overlooked that idea and someone sent it to me privately a little while ago. While I like what Rob Owens suggested, I'm leaning toward this. I think it's possible that I could send up the minimum information in a file and have the cron job be a Perl script that takes that info and builds the rsyncd.conf and rsyncd.secrets files from there, which reduces the possibility of a rogue file being copied over somehow. Still, none of the ideas is perfect, but putting together the conf files on the site, as opposed to sending them directly, has certain merits.


Thanks!


Hal

--
Archive: http://lists.debian.org/C04810B6-F31E-45A7-AD91-C8D5FE13FBC6@halblog.com
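An added example, written in shell rather than the Perl Hal mentions and not from the thread, of the cron-side builder he describes: it reads a staged list of user:secret lines, rejects the whole upload if any line fails a strict pattern, then renders rsyncd.secrets and rsyncd.conf and swaps them into place with an atomic rename at mode 0600. The staged path, the module layout and the cron schedule are assumptions.

```sh
#!/bin/sh
# Cron-side builder (constructed example): turns a staged "user:secret" list into
# rsyncd.secrets and rsyncd.conf, so what travels over the network is data,
# never a config file that gets copied into /etc as-is.
# Assumed root crontab entry:  */5 * * * * /usr/local/sbin/build-rsync-config --run
set -eu

STAGE_FILE="${STAGE_FILE:-/var/lib/rsync-config/incoming/users.txt}"   # assumed path
TARGET_DIR="${TARGET_DIR:-/etc}"
MODULE_PATH="${MODULE_PATH:-/srv/rsync}"                               # assumed module dir
OWNER="${OWNER:-root}"

# A user is a lowercase identifier up to 32 chars; a secret is 8..64 printable
# ASCII chars with no space and no ':' (the rsyncd.secrets field separator).
valid_user_line() {
    printf '%s\n' "$1" | LC_ALL=C grep -Eq '^[a-z_][a-z0-9_-]{0,31}:[!-9;-~]{8,64}$'
}

# Print the accepted lines of the staged file; one bad line rejects the whole file,
# so a corrupted or tampered upload never produces a partial user set.
parse_user_list() {
    while IFS= read -r line || [ -n "$line" ]; do
        case "$line" in ''|'#'*) continue ;; esac
        valid_user_line "$line" || { echo "rejected line: $line" >&2; return 1; }
        printf '%s\n' "$line"
    done < "$1"
}

# Render a single module whose "auth users" list is derived from the accepted lines.
render_rsyncd_conf() {   # $1 = accepted lines, $2 = module path, $3 = secrets file path
    users=$(printf '%s\n' "$1" | cut -d: -f1 | paste -sd, -)
    printf '[backup]\n    path = %s\n    read only = false\n    auth users = %s\n    secrets file = %s\n' \
        "$2" "$users" "$3"
}

# Write content to a 0600 temp file next to the destination, then rename over it:
# rsyncd (which refuses a secrets file readable by others) never sees a partial file.
install_atomic() {   # $1 = destination, $2 = content
    tmp=$(umask 077; mktemp "$(dirname "$1")/.tmp.XXXXXX")
    printf '%s\n' "$2" > "$tmp"
    chown "$OWNER" "$tmp"
    chmod 0600 "$tmp"
    mv -f "$tmp" "$1"
}

build_rsync_config() {   # $1 = staged user list, $2 = target directory
    accepted=$(parse_user_list "$1") || return 1
    [ -n "$accepted" ] || { echo "empty user list, refusing to install" >&2; return 1; }
    install_atomic "$2/rsyncd.secrets" "$accepted"
    install_atomic "$2/rsyncd.conf" \
        "$(render_rsyncd_conf "$accepted" "$MODULE_PATH" "$2/rsyncd.secrets")"
}

if [ "${1:-}" = "--run" ]; then
    build_rsync_config "$STAGE_FILE" "$TARGET_DIR"
fi
```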
 
Old 09-12-2010, 06:35 PM
Hal Vaughan
 
Default Updating files in /etc Remotely (and automated)

On Sep 12, 2010, at 12:37 PM, Rob Owens wrote:
>>>> ...
>>> When using ssh keys to log in, you can specify (in
>>> ~/.ssh/authorized_keys) a command which will automatically run when that
>>> key is used to log in. And that key will be useless to do anything
>>> else. Simply using that key to connect to the remote server will run
>>> that command.
>>>
>>> The authorized_keys file would look something like this:
>>>
>>> command="/path/to/my/script" ssh-rsa AAAAB3NzaC1yc2EAAA.... me@myhost
>>
>> I see. That would make perfect sense and I see I can use -i to specify which key to use, so for normal situations, I just use "ssh host," and when I want this done, I do "ssh -i .ssh/special_key host" instead.
>>
>> I thought I knew about authorized keys, but didn't know you could specify a command to be run in that file.
>>
>>> You could use this to ssh into the remote server as root, or as a user
>>> with very specific sudo privileges that will allow your script to run.
>>> (The script would perform the file changes you need done, or simply
>>> rsync them from your local machine).
>>
>> But if I'm not running as root, from what I can see, no matter what I do with sudo, I still have to type in a password, don't I? Using the authorized_keys file and specifying what can be done at login does a lot to help with security, but if I don't log in as root, no matter what I do, I'll still have to type in a password to use either "su" or "sudo," right? Or is there a way around it? I was going through man pages, but it seems both require a password to be typed in no matter what.
>>
> In /etc/sudoers, you can specify "NOPASSWD", like this:
>
> someuser ALL=NOPASSWD: /path/to/some/command
>
> Then "someuser" can run the specified command as root without typing a
> password.

When I tested this with some simple scripts, I find that if I create a batch file that runs a few commands, like "chown root:root filename", those commands, which would normally need the sudo command, don't need it.

Is this because of the (usually) 5 minute time limit sudo uses? Can I trust this on all systems, or is there anything that could prevent this behavior? In other words, if I include, in the script, commands that also need sudo, am I right that I can count on them executing without further need of verification?

Thanks to anyone who can include more info on this!




Hal

--
Archive: http://lists.debian.org/0EA47E68-49ED-4F32-A91B-4379E27E45DC@halblog.com
 
Old 09-12-2010, 08:24 PM
Rob Owens
 
Default Updating files in /etc Remotely (and automated)

On Sun, Sep 12, 2010 at 02:35:00PM -0400, Hal Vaughan wrote:
>
> On Sep 12, 2010, at 12:37 PM, Rob Owens wrote:
> >>>> ...
> >>> When using ssh keys to log in, you can specify (in
> >>> ~/.ssh/authorized_keys) a command which will automatically run when that
> >>> key is used to log in. And that key will be useless to do anything
> >>> else. Simply using that key to connect to the remote server will run
> >>> that command.
> >>>
> >>> The authorized_keys file would look something like this:
> >>>
> >>> command="/path/to/my/script" ssh-rsa AAAAB3NzaC1yc2EAAA.... me@myhost
> >>
> >> I see. That would make perfect sense and I see I can use -i to specify which key to use, so for normal situations, I just use "ssh host," and when I want this done, I do "ssh -i .ssh/special_key host" instead.
> >>
> >> I thought I knew about authorized keys, but didn't know you could specify a command to be run in that file.
> >>
> >>> You could use this to ssh into the remote server as root, or as a user
> >>> with very specific sudo privileges that will allow your script to run.
> >>> (The script would perform the file changes you need done, or simply
> >>> rsync them from your local machine).
> >>
> >> But if I'm not running as root, from what I can see, no matter what I do with sudo, I still have to type in a password, don't I? Using the authorized_keys file and specifying what can be done at login does a lot to help with security, but if I don't log in as root, no matter what I do, I'll still have to type in a password to use either "su" or "sudo," right? Or is there a way around it? I was going through man pages, but it seems both require a password to be typed in no matter what.
> >>
> > In /etc/sudoers, you can specify "NOPASSWD", like this:
> >
> > someuser ALL=NOPASSWD: /path/to/some/command
> >
> > Then "someuser" can run the specified command as root without typing a
> > password.
>
> When I tested this with some simple scripts, I find that if I create a batch file that runs a few commands, like "chown root:root filename", those commands, which would normally need the sudo command, don't need it.
>
> Is this because of the (usually) 5 minute time limit sudo uses? Can I trust this on all systems, or is there anything that could prevent this behavior? In other words, if I include, in the script, commands that also need sudo, am I right that I can count on them executing without further need of verification?
>

If you run "sudo somescript", then the script runs as root, so every
command inside it will run as root. I think it is generally considered
smarter, security-wise, to run "somescript" and then include "sudo"
inside the script as necessary. For instance, your script might look
like this:

#!/bin/bash
#
# myscript.sh
#
sudo ls /root/*
ls /home/* #doesn't need root privileges
sudo touch /usr/local/somefile

This script could be run as a regular user, but it would only run
properly if the user had the appropriate sudo rights.

-Rob


--
Archive: http://lists.debian.org/20100912202459.GA32270@aurora.owens.net
 
Old 09-12-2010, 09:58 PM
Steve Kemp
 
Default Updating files in /etc Remotely (and automated)

On Sun Sep 12, 2010 at 16:24:59 -0400, Rob Owens wrote:

> If you run "sudo somescript", then the script runs as root, so every
> command inside it will run as root.
> I think it is generally considered smarter, security-wise, to
> run "somescript" and then include "sudo" inside the script as
> necessary.

I believe that makes sense in an objective way, but I've never
seen that defined as a "best practise", and your example fails
in a way that suggests you've not done it that way yourself.


> sudo ls /root/*

Fails. Why? Because _your_ shell does the expansion, before
passing to sudo.

For example, compare these two commands and their outputs:

skx@birthday:~$ sudo ls /root/*
skx@birthday:~$
skx@birthday:~$ sudo ls /root/
Desktop
skx@birthday:~$

Steve
--
Let me steal your soul?
http://stolen-souls.com


--
Archive: http://lists.debian.org/20100912215822.GA26896@steve.org.uk
 
