[YLUG] Help please: running scripts remotely / ssh and suid

Robert Hulme rob at robhulme.com
Fri Jul 13 14:38:50 BST 2007


Where I work we have an Oracle server which a DBA has a login on but
the developers do not have a login on.

The DBA is not allowed to give the developers a login to that machine,
but he wants the developers to be able to run certain commands that
affect the database that for various reasons can only be run from that
machine.

So imagine that on the Oracle server machine there are scripts A, B,
C, D that do various things that the developers want to run.

As they can't login to the machine I thought it would be a good idea
to have a script on the DBA's desktop (which the developers are allowed
to login to) which is owned by the DBA and suid, and which, when run, sshes
in to the Oracle server and runs the scripts.

Unfortunately, if you make a script that is suid and try to run it as
another user, it seems to ignore the suid bit and run it as you. For
instance, if the DBA makes a suid script of the following:

ssh oracleserver "mkdir foo"

If the developer runs it, he gets prompted for his password (i.e. it's
not using the DBA's public key).

If you do:

ssh -i /home/dba/.ssh/id_dsa oracleserver "mkdir foo"

You get:

Warning: Identity file /home/dba/.ssh/id_dsa not accessible: Permission denied.

AFAICT either scripts don't really run as the user they claim to at
all, or ssh is checking the real uid rather than the effective uid (or
something) and not doing what you want.

Is there a way to force things to work?

What I can't do is alter the configuration of the Oracle server
(anything that would require root), do anything that allows a
developer a login to the Oracle server, or give the developer read
access to the DBA's private key (then the developers could impersonate
the user anywhere on the network, which is not allowed).

Any ideas?

-Rob

-- 
http://www.robhulme.com/
http://robhu.livejournal.com/

A system [is] empirical or scientific only if it is capable of being
tested by experience. These considerations suggest that not the
verifiability but the falsifiability of a system is to be taken as a
criterion of demarcation.... It must be possible for an empirical or
scientific system to be refuted by experience.
-- Karl Popper
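One arrangement that fits the constraints in the post (no root on the Oracle server, no developer login, the DBA's private key never shared) is an sshd forced command: each developer keeps his own key pair, and the DBA adds the developer's public key to his own ~/.ssh/authorized_keys on the Oracle server with a command= option pointing at a dispatcher that will only run scripts A to D. This is an added example, not from the original post; the script names come from the post, while the paths, the dispatcher name and the authorized_keys line are assumed.

```sh
#!/bin/sh
# Forced-command dispatcher (added example; paths and names are assumed).
# The DBA installs it on the Oracle server, owned by himself, and references it
# from his own ~/.ssh/authorized_keys for each developer's public key:
#
#   command="/home/dba/bin/dispatch",no-pty,no-port-forwarding,no-X11-forwarding,no-agent-forwarding ssh-rsa AAAA... dev1@desktop
#
# sshd then runs this script instead of whatever the developer typed and
# hands the original request over in $SSH_ORIGINAL_COMMAND.

SCRIPT_DIR="${SCRIPT_DIR:-/home/dba/oracle-scripts}"   # assumed location of A, B, C, D

# allowed NAME: succeed only if NAME is exactly one of the permitted script
# names. Matching the whole string means "A; rm -rf /", "A && B", "../A" and
# an empty request all fall through to the rejecting branch.
allowed() {
    case "$1" in
        A|B|C|D) return 0 ;;
        *)       return 1 ;;
    esac
}

# dispatch REQUEST: run the matching script from SCRIPT_DIR, or refuse.
# Returns the script's exit status, or 1 for a rejected request.
dispatch() {
    req="$1"
    if ! allowed "$req"; then
        echo "dispatch: refused request: $req" >&2
        return 1
    fi
    "$SCRIPT_DIR/$req"
}

# Entry point when invoked by sshd as a forced command; does nothing when
# run without SSH_ORIGINAL_COMMAND (e.g. when testing the functions).
if [ -n "${SSH_ORIGINAL_COMMAND:-}" ]; then
    dispatch "$SSH_ORIGINAL_COMMAND"
    exit $?
fi
```

A developer then runs, from his own account, `ssh oracleserver A`; anything other than the four exact names is refused before any shell sees it, and the no-pty/no-forwarding options keep the key from being used for an interactive login or tunnelling.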