ssh sudo pipe command - linux

this command works
ssh -t www.foo.com 'sudo ls -l'
I immediately get asked for my password, once entered I get the directory contents
if I try to pipe this command it fails - I never get asked my password so I never get any contents.
ssh -t www.foo.com 'sudo ls -l' | grep 'foo'
This is a basic example, I know I could pipe/grep the output in my "ls" command. for my application I need to pipe the output through a program on my host.

In order to not be asked for a password to issue sudo commands, you need to have an entry in /etc/sudoers (or better, a file in /etc/sudoers.d) that lets you do it. There is a nice question on using sudoers here.
A sudoers config to allow you to run ls as root could be:
<yourusername> ALL = (root) NOPASSWD: /bin/ls
One thing to look out for is that ls is quite likely to be a shell built-in, so you may have trouble allowing it. You should be able to set your shell to defer to the system binary instead.
Trying to push your real password through it is not a secure solution.

ssh -t www.foo.com 'echo your_pass | sudo -S ls -l' | grep 'foo'

Also possible:
ssh -t www.foo.com 'sudo -S ls -l <~/passwd.txt' | grep 'foo'

The reason you are not getting prompt for password is because you are feeding the output of "ssh -t www.foo.com 'sudo ls -l'" to the pipe where you are grepping for 'foo'. So in this case the password prompt won't be shown, but actually the process is waiting for your input.
Try giving the password on the blank new line you get after running the command.
I tried this and it worked. Just for example,
$ ssh -t user#host 'sudo ls -l /' | grep 'root'
user#host's password: <===== After this, it waits for user input to feed the password for sudo user.
Connection to host closed.
drwxr-xr-x 2 root root 4096 2011-08-31 15:33 bin
dr-xr-xr-x 24 root root 4096 2014-07-14 00:52 bldmnt
dr-xr-xr-x 2 root root 4096 2011-03-23 15:51 blr
drwxr-xr-x 3 root root 4096 2011-08-31 15:36 boot
.
.
.
Try it and see if it works for you.

Related

How to set specific user can run certain root command in redhat

i want to ask for a specific user to use certain root commands in redhat?
my server run redhat OS 7.6. i dont have any idea how to set a user that can run certain commands from root.
let say i have one user id name MY_CIT, so MY_CIT can run certain commands for example to create print queue #lpadmin -p printer -v socket://printer:9100 -E
so MY_CIT no need root access to trigger the command.
Anyone experience on this? kindly help. thanks
You'll be able to use file ACLs. As a test I removed execute permissions from the nano command, just to show how this will work.
You won't need to do this, however, you will need root permissions to the machine. Instead of nano, use 'lpadmin' as per your requirements
[root#server bin]# chmod o-x /bin/nano
[root#server bin]# ls -lah /bin/nano
-rwxr-xr-- 1 root root 202K Jun 10 2014 nano
To test, we change to user1 and try use nano to edit a file:
[user1#server ~]$ nano file1
-bash: /bin/nano: Permission denied
Now, as root again, we add an ACL to the nano program. This allows only user1 to execute the program.
[root#server bin]# setfacl -m u:user1:x /bin/nano
Display ACL with getfacl:
[root#server bin]# getfacl /bin/nano
getfacl: Removing leading '/' from absolute path names
# file: bin/nano
# owner: root
# group: root
user::rwx
user:user1:--x <<-- Note this
group::r-x
mask::r-x
other::r--
As user1, we are able to use the nano program, but not as user2:
[user1#server ~]$ nano file1
[user1#server ~]$ ls
file1
[user1#server ~]$ exit
logout
[root#server bin]# su - user2
[user2#server ~]$ nano file1
-bash: /bin/nano: Permission denied
ACLs allow admins to extend permissions past just user/group/other. You're able to set permissions for specific users on the system.
Run command with a root privilege:
sudo visudo
It opens file /etc/sudoers for edit.
Add this line at the end of the file (and after keep one blank line):
MY_CIT ALL = NOPASSWD: /usr/sbin/lpadmin
where:
MY_CIT - name of your user
/usr/sbin/lpadmin - path to executible file. Note please that in your distro path can be different. You can check this with command whereis lpadmin.
After user can run command lpadmin with arguments with sudo without password:
sudo lpadmin ...

SSH doesn't run commands following sudo

I'm trying to execute multiple commands on a remote server. The issue I'm having is that after the sudo command is ran, the ssh connection gets closed automatically.
The main test that is failing:
ssh -i "/path/to/key/id_rsa" user#server << EOF
sudo ls -la "/etc/redhat-release"
cat "/etc/redhat-release"
EOF
Returns only the ls result
-rw-r--r-- 1 root root 55 Jan 29 2013 /etc/redhat-release
While if I put both commands on the same line, i.e.
ssh -i "/path/to/key/id_rsa" user#server << EOF
sudo ls -la "/etc/redhat-release"; cat "/etc/redhat-release"
EOF
I will get the result of both commands
-rw-r--r-- 1 root root 55 Jan 29 2013 /etc/redhat-release
Red Hat Enterprise Linux Server release 6.4 (Santiago)
Now for the weirdest part:
the main test does work on an other server with identical configuration. There are sets of servers where it works, and other sets where it doesn't.
if I remove the sudo from the test, I will get the result from both commands, so it's not an ssh limitation
e.g.
ssh -i "/path/to/key/id_rsa" user#server << EOF
ls -la "/etc/redhat-release"
cat "/etc/redhat-release"
EOF
-rw-r--r-- 1 root root 55 Jan 29 2013 /etc/redhat-release
Red Hat Enterprise Linux Server release 6.4 (Santiago)
Additional information:
Both commands have the NOPASSWD flag in the sudoers file so no password is asked.
requiretty is commented out.
ssh version: OpenSSH_5.3p1, OpenSSL 1.0.0-fips 29 Mar 2010
SELinux is disabled
the ssh -vvv option doesn't show any significant difference in the logs between a working and non-working server
sshd_config are the same between a working and non-working server
I'm assuming here that there must be some configuration difference between the sets of servers because they are consistent with each-other, but I can't figure out what.
One possible workaround:
ssh -i "/path/to/key/id_rsa" user#server sudo bash << EOF
ls -la "/etc/redhat-release"
cat "/etc/redhat-release"
EOF
Check your sudo version (sudo -V).
Turns out one server was running Sudo version 1.8.6p3 while the other was on Sudo version 1.8.21p2 and a was running in a bug which was fixed in sudo 1.8.20:
Fixed an issue where sudo would consume stdin if it was not connected to a tty even if log_input is not enabled in sudoers. Bug #786.
Updating the sudo version fixed the issue.

ssh from Linux to Windows - why need so many slashes in path?

I am trying to run commands over ssh from Linux machine to Windows machine.
Windows machine have OpenSSHx64 installed
Following command with double quotes fails:
ssh user#win8-pc "ls -l \\\\172.21.15.120\\vol0slash"
ls: cannot access 172.21.15.120vol0slash: No such file or directory
The same command with single quotes still fails, but at least display single slash:
ssh user#win8-pc 'ls -l \\\\172.21.15.120\\vol0slash'
ls: cannot access \172.21.15.120vol0slash: No such file or directory
Surrounding path with single quotes almost works, but still one root slash is missing:
ssh user#win8-pc "ls -l '\\\\172.21.15.120\\vol0slash'"
ls: cannot access \172.21.15.120\vol0slash: No such file or directory
Now finally adding fifth slash to UNC path root, did the trick:
ssh user#win8-pc "ls -l '\\\\\172.21.15.120\\vol0slash'"
total 536
drwxr-xr-x 1 Admin Domain Users 0 Jan 23 08:33 GeneralSystemDiagnostic
drwxr-xr-x 1 Admin Domain Users 0 Jan 22 08:10 cifs
-rw-r--r-- 1 Admin Domain Users 336 Jan 23 12:00 linux.txt
drwxr-xr-x 1 Admin Domain Users 0 Jan 19 14:11 nfs
Can anyone explain the logic behind this behavior?
Backslash is special symbol in bash and quite much in all Linux shells, therefore if you need to use it, it has to be escaped using another \ (backslash). The command is passed through the remote bash such as
bash -c "ls -l '\\\\\172.21.15.120\\vol0slash'"
which transfers evaluates the special characters and makes it look like
ls -l '\\\172.21.15.120\vol0slash'
when it is supposed to run.
The problem with using odd number of backslashes will end up evaluating as a special character, so you should go with even number, if you want to see a backslash in the end.
The other thing is how the arguments are interpreted by ls on Windows (which I have no idea about). See the tests with simple echo:
$ ssh f25 "echo '\1'"
\1
$ ssh f25 "echo '\\1'"
\1
$ ssh f25 "echo '\\\1'"
\\1
$ ssh f25 "echo '\\\\1'"
\\1
Similarly you can explain the original command without ':
ssh user#win8-pc "ls -l \\\\172.21.15.120\\vol0slash"
gets already in local shell (because it is not in ')
ssh user#win8-pc "ls -l \\172.21.15.120\vol0slash"
and remote shell gets already
bash -c "ls -l \\172.21.15.120\vol0slash"
which evaluates to
bash -c "ls -l \172.21.15.120vol0slash"
and to
ls -l 172.21.15.120vol0slash
which is obviously not existing.

Handle permissions with groups in linux

I can't understand how exactly this works in Linux.
For example, I want only users in some group have access to execute some file (I hope this is possible without visudo).
I create a system user and system group like:
useradd -K UID_MIN=100 -K UID_MAX=499 -K GID_MIN=100 -K GID_MAX=499 -p \* -s /sbin/nologin -c "testusr daemon,,," -d "/var/testusr" testusr
I add my current user user to the group testusr (may be not cross platform):
adduser user testusr
I create some test shell file and set permissions:
touch test.sh
chmod ug+x test.sh
sudo chown testusr:testusr test.sh
But I still can't start test.sh as user:
./test.sh
-> Error
Now I look for some system groups like cdrom to check how they work. My user is in cdrom group and can use the cd rom on my computer:
$ ls -al /dev/cdrom
lrwxrwxrwx 1 root root 3 апр. 17 12:55 /dev/cdrom -> sr0
$ ls -al /dev/sr0
brw-rw----+ 1 root cdrom 11, 0 апр. 17 12:55 /dev/sr0
Addition:
./test.sh command starts to work as I want after system reboot. Strange...
I'm on Ubuntu Studio 15.10
The group changes are reflected only upon re-login.

Permission denied writing in directories with g+w mode on ubuntu

On ubuntu 10.04.4 server, I did this:
sudo mkdir -p /data/somedir
sudo chown -R www-data.www-data /data/somedir
sudo chmod -R g+w /data/somedir
sudo usermod -a -G www-data john ##john is current login user.
. With these operations done, I suppose to have write permission in /data/somedir. But when I did this:
echo "123" > /data/somedir/123
, I got:
-bash: /data/somedir/123: Permission denied
The ls -l output:
$ ls -l /data/
total 4
drwxrwxr-x 2 www-data www-data 4096 2012-04-24 22:30 somedir
Question is: why? Is there something I still need to do after that?
Changes made with usermod only take effect on following logins; your existing login session does not yet have the www-data group, as you can verify with id. It is not easy to alter the identity of running processes (newgrp might work); the easiest way to deal is to log out and back in.

Resources