I have inherited a Perl program which performs a number of operations which require superuser/root privileges. The last thing it does is an ssh out to each a number of different hosts (specified by the user) and run local copies of the same program on those systems. Currently, this program is run by users via sudo, and the users are expected to set up their own ssh keys to the various hosts which the program will need to access.
sudo scriptname -a opt1 -b opt2 -w host1, host2, host3
scriptname does lots of things...then:
foreach $dest (@dests) {
system /usr/local/bin/ssh -l <user> -i <user's ssh identity> -t $de
+st sudo scriptname + opts
}
This works OK when a human is in charge. They enter their password when they start the process, then for every host that the program needs to update. But now we also need to do this automagically, via cron. One condition is that root not be used for this task, as this would require setting up ssh keys for the root user. I can think of 2 ways to accomplish this in a way that won't have a large impact on the existing code. Assume a special user is created and ssh keys set up for all the hosts ever accessed, and then:
- Use sudo -S and provide the password via stdin
This will require wrapping the invocation of the program in a script and putting a password in it. Not brilliant, but it does have the minor advantage of being congruent to the command-line usage of the program. sudo also scares people less than setuid (though it probably shouldn't).
- Use a simple, carefully-written C wrapper for the program and make it setuid
This has the disadvantage of being 'non-standard', which is annoying. Not as annoying as having to put passwords into scripts, though. It would be easy to weed out non-permitted users here.
Have I stupidly missed some better way to do this?
I like my 2nd option better, but wouldn't mind hearing your thoughts.
Posts are HTML formatted. Put <p> </p> tags around your paragraphs. Put <code> </code> tags around your code and data!
Titles consisting of a single word are discouraged, and in most cases are disallowed outright.
Read Where should I post X? if you're not absolutely sure you're posting in the right place.
Please read these before you post! —
Posts may use any of the Perl Monks Approved HTML tags:
- a, abbr, b, big, blockquote, br, caption, center, col, colgroup, dd, del, details, div, dl, dt, em, font, h1, h2, h3, h4, h5, h6, hr, i, ins, li, ol, p, pre, readmore, small, span, spoiler, strike, strong, sub, summary, sup, table, tbody, td, tfoot, th, thead, tr, tt, u, ul, wbr
You may need to use entities for some characters, as follows. (Exception: Within code tags, you can put the characters literally.)
| |
For: |
|
Use: |
| & | | & |
| < | | < |
| > | | > |
| [ | | [ |
| ] | | ] |
Link using PerlMonks shortcuts! What shortcuts can I use for linking?
See Writeup Formatting Tips and other pages linked from there for more info.