Found out today that running screen as a different user that I sudo into won't work!
i.e.
ssh into server as "bob"
sudo su "monitor" -
screen (fails)
I have a script that runs as the "monitor" user. We run it in a screen session in order to see output on the screen. The problem is, we have a number of users who log in with their own account (i.e. bob, james, susie, etc...) and then they sudo into the "monitor" user. Giving them access to the "monitor" user is out of the question.
-
Probably would have to change permissions on the device in question or add monitor to a group that has permission to read that device, that would be my first inclination. But you'd have to weigh the security implications of doing so.
From Bart Silverstrim -
Try running

script /dev/null

before launching screen - it's a ghetto little hack, but it should make screen happy.

luckytaxi: so um ... any security implications with this one? I think I can add the user to the tty group, but that wouldn't be ideal. :-P
voretaq7: Re: security implications, none I'm aware of (but that doesn't mean there aren't any :) - IIRC this relies on a side-effect of "script" opening a new terminal device (as the user invoking it), and since you're sending script's output to /dev/null there's nothing to capture. It's also definitely safer than adding users to the tty group (IMHO)
From voretaq7 -
Assuming they are SSHing into the host anyway, you could add the public ssh keys for each user that needs access to the monitor account in the ~monitor/.ssh/authorized_keys file. Then on each user's remote machine they can run

ssh -t monitor@remote.machine screen -RD

voretaq7: This is another good approach -- You would have to specify forced commands in the authorized keys file though (per luckytaxi's "giving them access to the 'monitor' user is out of the question" note above -- forced commands could limit them to just attaching the screen session)
Alex: I wasn't sure how to address that in my answer, because he said "giving them access...is out of the question", but also said "...they sudo into the 'monitor' user". But I agree, forcing command restriction in the authorized_keys should take care of that.
From Alex -
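Added example (editor's, not code from Alex, voretaq7 or the thread): how the forced-command variant of this answer could be generated for each user's key and then audited so that no key in ~monitor/.ssh/authorized_keys grants a general shell. It assumes the monitor script was started as a named session with "screen -S monitor", OpenSSH's authorized_keys option syntax (command=, no-port-forwarding, no-agent-forwarding, no-X11-forwarding), and screen's -x (multi-attach) and -S flags; the key material in the usage is a constructed placeholder.

```sh
#!/bin/sh
# Added example, not from the thread. Builds authorized_keys entries for the
# shared "monitor" account that can only attach the screen session, and audits
# an existing file for entries that lack those restrictions.
# Assumes: OpenSSH authorized_keys options; session started as "screen -S monitor".

# Restrictions applied to every key. "no-pty" is deliberately absent because
# screen needs a pseudo-terminal to attach.
RESTRICT_OPTS='no-port-forwarding,no-agent-forwarding,no-X11-forwarding'

# Emit one authorized_keys line.
# $1 = screen session name, $2 = key type, $3 = base64 key, $4 = comment
forced_screen_entry() {
    printf 'command="screen -x -S %s",%s %s %s %s\n' "$1" "$RESTRICT_OPTS" "$2" "$3" "$4"
}

# Audit an authorized_keys file: every non-empty, non-comment line must start
# with an option list containing a forced command and carry all RESTRICT_OPTS.
# Offending lines are printed to stderr; returns 1 if any were found.
audit_authorized_keys() {
    file="$1"
    bad=0
    while IFS= read -r line || [ -n "$line" ]; do
        case "$line" in ''|'#'*) continue ;; esac
        ok=1
        # The option list is the first field; the forced command must be in it.
        case "${line%% *}" in *command=\"*) ;; *) ok=0 ;; esac
        for opt in no-port-forwarding no-agent-forwarding no-X11-forwarding; do
            case "$line" in *"$opt"*) ;; *) ok=0 ;; esac
        done
        if [ "$ok" -eq 0 ]; then
            printf 'unrestricted key: %s\n' "$line" >&2
            bad=1
        fi
    done < "$file"
    return "$bad"
}

# Usage with a constructed placeholder key (not a real key):
#   forced_screen_entry monitor ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPLACEHOLDER bob@workstation >> ~monitor/.ssh/authorized_keys
#   audit_authorized_keys ~monitor/.ssh/authorized_keys && echo "all keys restricted"
```

With this entry in place, whatever command the user passes on the ssh command line is ignored and "screen -x -S monitor" runs instead; the audit is the check to run periodically so a key added later by hand does not quietly reopen a full shell on the monitor account.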
You say you do:

sudo su "monitor" -

I'm wondering about the trailing dash. I usually do:

sudo su - username

The dash (per the su man page) tells su to "make the shell a login shell". This means it will source all the usual shell startup scripts and set things like PATH and HOME properly.
From Doug Harris -
I just hit this problem. Solved it with "chmod +rw `tty`" before running sudo. The problem with this solution is that anyone can connect and snoop on your terminal after that.
From Amos Shapira -
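Added example (editor's, not code from voretaq7, Amos Shapira or the thread) tying together the "script /dev/null" answer and the chmod +rw `tty` answer: after "sudo su monitor" the pseudo-terminal still belongs to the login user, so screen running as monitor cannot open it; script allocates a new pty owned by the invoking user, while chmod opens the old one to everybody. The script below checks whether the current terminal is usable, whether it has been left world-readable or writable, and which launch command would follow. It assumes util-linux script(1) (the -q and -c flags) and the standard ls -l mode-string layout; the functions take a device path so they can be exercised without a real terminal.

```sh
#!/bin/sh
# Added example, not from the thread. Checks tty ownership/permissions and
# decides how to launch screen after switching user.
# Assumes util-linux script(1) with -q/-c and POSIX ls/cut output layout.

# Return 0 if the current user can open the given device read/write.
# Takes a path so the check can run without a controlling terminal.
tty_is_usable() {
    dev="$1"
    [ -n "$dev" ] && [ -c "$dev" ] || return 1   # every tty is a character device
    [ -r "$dev" ] && [ -w "$dev" ]
}

# Return 0 if "other" users have read or write permission on the device:
# the state left behind by chmod +rw `tty`, where others can read (snoop on)
# or write to (inject into) the terminal.
tty_is_exposed() {
    dev="$1"
    [ -e "$dev" ] || return 1
    others=$(ls -ld "$dev" 2>/dev/null | cut -c8-10)   # rwx triplet for "other"
    case "$others" in
        *r*|*w*) return 0 ;;
    esac
    return 1
}

# Print the command that would launch screen: directly when the tty is usable,
# otherwise wrapped in script so a fresh pty owned by us is created and nothing
# is recorded (the typescript file is /dev/null). Printed rather than executed
# so the decision can be inspected offline.
screen_launch_command() {
    if tty_is_usable "$1"; then
        echo "screen"
    else
        echo "script -q -c screen /dev/null"
    fi
}

# Interactive use: report on the real controlling terminal, if any.
main() {
    dev=$(tty 2>/dev/null) || dev=""
    echo "controlling tty: ${dev:-none}"
    if tty_is_exposed "$dev"; then
        echo "warning: $dev is readable or writable by other users; tighten it with: chmod o-rw $dev"
    fi
    echo "would run: $(screen_launch_command "$dev")"
}
main
```

Run it once as bob and once after "sudo su - monitor" to see the decision flip; the warning branch is what a world-readable tty from the chmod approach looks like from the inside, and chmod o-rw on the device is the way back to the default state.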