Topic review

testbot

It seems I had to visudo the /etc/sudoers file and comment out the "Defaults requiretty" line.

I'm not sure how that affects the security of things, but I'll be looking into it.
testbot

Re: Solved

Clint wrote:

I fought with this today and came up with the following solution:

Add a line to your sudoers file:
username ALL=NOPASSWD: /usr/lib/openssh/sftp-server

Then in the SFTP setup section of WinSCP edit the session SFTP server:
sudo /usr/lib/openssh/sftp-server

Boom, root access to file system via WinSCP.
HTH,
Clint

I keep getting this when I try that:
winscp sudo Cannot initialize SFTP protocol. Is the host running a SFTP server?

I've checked the path to sftp-server in sshd_config and made sure it was the same in sudoers and WinSCP. Still no luck.

I'm on CentOS.

Any help would be great.
jlightner

Sorry – just reread your last response and realized I'd misread it first time.

The final sentence of my last response explains why I can't run sftp-server as root. When I do, it allows them to delete anything on the system via WinSCP instead of just deleting files owned by the specific adminaccount. That is to say, the sftp-server that is running has the power of the user that is running it, and I don't want to grant them root power. My counter question was why would anyone want to grant root power to users other than System Administrators?
jlightner

Do sudo adminaccount where?

Maybe I misunderstood something, but it seemed you can't just do sudo adminaccount from within WinSCP because it starts sftp-server on connection. I thought the point of the thread was that, due to this, you have to do the sudo setup using root.

I did try modifying sudoers to su to adminaccount and then run sftp-server, but none of the syntax I tried seemed to work. It was at that point that I posted my question on LQ.
Later I gave up trying to do it via sudoers (except for the grant to allow starting adminaccount-sftp-server after creating it as detailed) and came up with the workaround I posted on LQ and here.

Are you suggesting I could have them log in via PuTTY, run sudo adminaccount, then start sftp-server and somehow connect to that running sftp-server with WinSCP? If so I'd be interested in hearing how it's done; I tried it and didn't get very far.

I do NOT want these users to do sftp-server as root as they would then be able to use WinSCP to accidentally do all sorts of things such as deleting critical files.
martin

jlightner wrote:

My counter question is why would one want to allow sudo to root on WinSCP transfer? Hopefully anyone setting that up is restricting it to System Administrators.

Sorry, I'm possibly not patient enough to try to understand all the details. Though my question was not why you do sudo adminaccount. I was asking why you need to run sftp-server as a non-root user to do that. So I do not see the point of your counter question.
jlightner

The reason is more political than technical.
We have non-technical users that previously all logged in using a single shared account (the administrative account for a specific application). They would use WinSCP and that single account to transfer in a file. They would then log in to the account in a PuTTY window and run a command against the transferred file which would create a processed file. They would then go into WinSCP again and transfer the processed file back to their desktops.

For security reasons we didn't want them all using the same account directly, as there is no way to tell who did what. Accordingly, we set up individual accounts and sudo to allow them to "sudo su - <account>" after they had logged in with those individual accounts. That was OK for PuTTY, but it meant the WinSCP transfer was being done as the individual account instead of the administrative account. This added steps (e.g. transfer to your home directory via WinSCP, then log in via PuTTY and copy the file, do the processing, etc.). Additionally, the processed file is always owned by the administrative user due to the need to run the application command as that user.

If, however, we could allow them to sudo with both PuTTY and WinSCP, then the only change is the need to log in as themselves. In PuTTY we add the step sudo su - <admin>, but that is the only addition to the procedure, since the WinSCP sudo solution I posted puts them in as the admin user for the transfers. Since it does the sudo, we still have an audit trail of who did what.

Obviously other solutions could be done, e.g. putting all the users in the same group as the admin user, modifying environment variables, etc. for the individual users and working out how to let them use the application under their IDs. However, it was clear on my initial steps down those roads that I would encounter heavy resistance that would likely result in removing sudo altogether and allowing them direct access to the admin account again.

During my search for using sudo this way I'd run across other posts making it clear I wasn't the only person that had wanted such a solution, so I posted here and on LQ, where I'd asked my question before figuring it out.

My counter question is why would one want to allow sudo to root on WinSCP transfer? Hopefully anyone setting that up is restricting it to System Administrators.
martin

Re: How to do sudo su to a non-root user

@jlightner: Thanks for sharing this. I've seen your post on LinuxQuestions.org already. Though I was not sure why you need to run sftp-server as a non-root user. Can you explain?
jlightner

How to do sudo su to a non-root user

Thought this might be of interest. I'd seen various posts requesting this but none that had it resolved. There may be a better way to do it that I didn't discover; however, the method below works.

1) Copy the sftp-server binary to another name e.g.
cd /root
cp /usr/libexec/openssh/sftp-server admin1-sftp-server

2) Make the admin user the owner e.g.
chown admin1 admin1-sftp-server

3) Make the admin user's primary group the group of file e.g.
If admin1's GID in /etc/passwd is 100 and 100 is the "users" group in /etc/group, then:
chgrp users admin1-sftp-server

4) Set suid and sgid bit on the file and make it readable/executable by user and group. e.g.
chmod 6550 admin1-sftp-server

Don't make it writable by any of these users so they can't replace the binary itself. Also, as noted in step 1, this binary should be in a secure location such as /root, to which no one but root normally has access.

5) As discussed in https://winscp.net/eng/docs/faq_su you set up sudoers file (use visudo) to allow the new script to be run by user as root. e.g.
ralph        ALL=NOPASSWD: /root/admin1-sftp-server
billybob     ALL=NOPASSWD: /root/admin1-sftp-server

Note that you don't have to do individual lines like that; User_Alias and Cmnd_Alias would work.

6) As discussed in same link edit the SFTP tab (Advanced options) sftp-server box in WinSCP for the session to have sudo to the sftp-server copy you made instead of "Default". e.g.
sudo /root/admin1-sftp-server

7) Save the session in WinSCP.

Select the saved session and "login" from WinSCP after doing the above. It will open the copied sftp-server (e.g. /root/admin1-sftp-server) running as the user that owns this (admin1-)sftp-server instead of root. Any files created by this session will be owned by the user that owns (admin1-)sftp-server and grouped to the group of (admin1-)sftp-server.

Additional Note:
The downside to the above approach is that if you later patch your system sftp-server for some reason, it won't automatically patch copies like admin1-sftp-server. If the reason for patching is a security concern, it is important you repeat the process above after the patching to ensure you have the same security fix in all copies.
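As an added example (not code from this thread, from WinSCP or from OpenSSH), the following POSIX shell script audits a per-account sftp-server copy set up by the seven steps above and prints the sudoers lines for it. The paths /root/admin1-sftp-server and /usr/libexec/openssh/sftp-server and the accounts admin1, ralph and billybob are the post's own examples; the function names, the alias name ADMIN1_SFTP and the script file name are assumptions. It checks the three things the post relies on (mode exactly 6550, owner and group set to the target account, parent directory not writable by others), detects the stale-copy problem from the Additional Note by comparing bytes with the packaged binary, and writes the requiretty override for just these users rather than commenting it out globally as testbot did on CentOS.

```shell
#!/bin/sh
# Added example, not code from the forum thread, WinSCP or OpenSSH.
# Checks a per-account sftp-server copy set up as in the steps above
# (copy, chown to the account, chmod 6550, kept in a root-only directory)
# and prints the matching sudoers lines. Function and alias names are
# assumptions; the paths and account names are the post's examples.

# Print "<perms> <owner> <group>" for a path, e.g. "-r-sr-s--- admin1 users".
# Parsed from ls -ld so it works with both GNU and BSD userlands.
file_info() {
    ls -ld "$1" | awk '{ print $1, $3, $4 }'
}

# check_sftp_copy COPY OWNER GROUP
# Succeeds only if COPY is a regular file owned by OWNER:GROUP with mode
# r-sr-s--- (setuid+setgid, exec for user and group, no write bits, nothing
# for "other") and its directory is not writable by group or other.
# Prints the first problem found and returns 1 otherwise.
check_sftp_copy() {
    copy=$1; want_owner=$2; want_group=$3
    [ -e "$copy" ] || { echo "missing: $copy"; return 1; }
    set -- $(file_info "$copy")
    case "$1" in
        -r-sr-s---*) ;;   # a trailing "." or "+" (SELinux/ACL marker) is fine
        *) echo "$copy: mode is $1, want -r-sr-s--- (chmod 6550)"; return 1 ;;
    esac
    [ "$2" = "$want_owner" ] || { echo "$copy: owner is $2, want $want_owner"; return 1; }
    [ "$3" = "$want_group" ] || { echo "$copy: group is $3, want $want_group"; return 1; }
    dir=$(dirname "$copy")
    set -- $(file_info "$dir")
    case "$1" in
        d????-??-?*) ;;   # group and other write bits clear
        *) echo "$dir: writable by group or other ($1); anyone could swap the copy"; return 1 ;;
    esac
}

# sftp_copy_stale COPY SYSTEM_BIN
# True when the copy's bytes no longer match the packaged sftp-server, which
# is exactly what an OpenSSH update leaves behind (the post's Additional Note).
sftp_copy_stale() {
    ! cmp -s "$1" "$2"
}

# sudoers_fragment ALIAS COPY USER...
# Print sudoers lines granting USER... passwordless sudo for COPY only, using a
# User_Alias as the post suggests. The Defaults line clears requiretty for just
# these users, which is what testbot's CentOS needed, instead of disabling it globally.
sudoers_fragment() {
    aname=$1; copy=$2; shift 2
    users=$(printf '%s, ' "$@"); users=${users%, }
    printf 'User_Alias %s = %s\n' "$aname" "$users"
    printf 'Defaults:%s !requiretty\n' "$aname"
    printf '%s ALL=NOPASSWD: %s\n' "$aname" "$copy"
}

# Usage (assumed file name):
#   sh sftp-copy-check.sh /root/admin1-sftp-server admin1 users \
#        /usr/libexec/openssh/sftp-server ralph billybob
if [ $# -ge 5 ]; then
    copy=$1; owner=$2; group=$3; system=$4; shift 4
    check_sftp_copy "$copy" "$owner" "$group" && echo "permissions OK: $copy"
    if sftp_copy_stale "$copy" "$system"; then
        echo "WARNING: $copy differs from $system; repeat the copy/chown/chmod steps"
    fi
    echo "--- sudoers lines (check with visudo -cf FILE before installing) ---"
    sudoers_fragment ADMIN1_SFTP "$copy" "$@"
fi
```

Run it as root after patching OpenSSH: a WARNING means the copy still carries the old code and steps 1 to 4 need repeating. Write the printed sudoers lines to a separate file, validate them with visudo -cf, and only then install them, since a syntax error in /etc/sudoers locks everyone out of sudo.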
martin

Re: Solved

@Clint: Thanks for sharing this!
I have updated the FAQ accordingly. If you find the time, please check it.
Clint

Solved

I fought with this today and came up with the following solution:

Add a line to your sudoers file:
username ALL=NOPASSWD: /usr/lib/openssh/sftp-server

Then in the SFTP setup section of WinSCP edit the session SFTP server:
sudo /usr/lib/openssh/sftp-server

Boom, root access to file system via WinSCP.
HTH,
Clint
Sergeant

Re: SU FAQ doesn't work with Ubuntu.

Well, for one, I followed the directions in the FAQ; however, adding the information to the sudoers file appears to have no effect at all, and performing sudo keeps asking me for a password. I even attempted a reboot and it still does this. At this point I am assuming this to be a problem with Ubuntu I'd need to research more than anything, though if you have any suggestions feel free to say something.
martin

Re: SU FAQ doesn't work with Ubuntu.

@Sergeant: What have you done?
Sergeant

SU FAQ doesn't work with Ubuntu.

Was curious if you had a remedy for this. Running Ubuntu Server 8.04, using the su and sudo options for SFTP and/or SCP from the FAQ you've given doesn't seem to work at all. I still can't modify or upload files to directories with the normal account, and I'm honestly not sure if there's a difference I need to know about or what.
martin

Re: sudo option

However with some restrictions, you can do sudo on login. See FAQ.
martin

Re: sudo option

It is not possible to execute a certain command under a different account.
aminorex

sudo option

It would be nice to have a way to indicate that a given operation should be performed as root, using sudo, such as with a modifier key.

Incredibly useful piece of work, BTW. I hope it earns you the blessings it deserves.