Re^4: How do I allow my test script to get rsync to archive file ownership?

OK, it finally hit me, I can give NOPASSWD access to prove. My question now is, does that open up a security hole? For example, a malicious app running under my name could basically run any perl test with root privileges, right? Or, if they got access to my local account, they could also run a perl script with root privileges.

$PM = "Perl Monk's";
$MCF = "Most Clueless ~~Friar~~ ~~Abbot~~ ~~Bishop~~ ~~Pontiff~~ ~~Deacon~~ ~~Curate~~ Priest";
$nysus = $PM . ' ' . $MCF;
Click here if you love Perl Monks

Comment on Re^4: How do I allow my test script to get rsync to archive file ownership? Download Code

Replies are listed 'Best First'.
Re^5: How do I allow my test script to get rsync to archive file ownership? by salva (Canon) on Jan 23, 2018 at 08:04 UTC
A Perl process running as root that loads modules from a directory owned by a non-root user is not secure. That user may modify the modules in order to do whatever he wants as root. `sudo` can be configured to let some user run a command with fixed arguments as root. Use that feature to allow the user to run just the specific `rsync` command you need (in order to see the `rsync` command Net::OpenSSH is running under the hood you can set `$Net::OpenSSH::debug=-1`). By default, `Net::OpenSSH` uses a different name for the control socket used to communicate with the OpenSSH client every time and that means passing a different argument to rsync also every time, but you can fix that argument telling the module the control path location to use with the `ctl_path` option when the object is constructed. For instance: `my $ctl_path = '/home/user/.myapp/ssh_ctl_path'; unlink $ctl_path; # just in case it has been left behind in a previous + run of the script. my $ssh = Net::OpenSSH->new(... ctl_path => $ctl_path); $ssh->die_on_error; system('sudo', 'rsync','-e',"ssh -S $ctl_path",'--blocking-io','-q','- +-','host:/remote/directory','/local/directory') and die "rsync command failed: $?";` [download] And add an entry on the `sudoers` file allowing to run as root without password the following command: `rsync -e ssh -S /home/user/.myapp/ssh_ctl_path --blocking-io -q -- hos +t:/remote/directory /local/directory` [download] You may need to mangle it in some way as I am not sure of the way `sudo` handles arguments with spaces... in any case, don't use willcards as it is almost impossible to do so in a secure fashion.	[reply] [d/l] [select]
Re^6: How do I allow my test script to get rsync to archive file ownership? by nysus (Parson) on Jan 23, 2018 at 11:07 UTC
Thanks! Yeah, I was thinking last night that somehow restricting rsync in the sudoers file would be the only way to pull this off. This is very helpful. I'll give it a shot. $PM = "Perl Monk's"; $MCF = "Most Clueless ~~Friar~~ ~~Abbot~~ ~~Bishop~~ ~~Pontiff~~ ~~Deacon~~ ~~Curate~~ Priest"; $nysus = $PM . ' ' . $MCF; Click here if you love Perl Monks	[reply]