#1
Prospect
Join Date: Apr 2002
Posts: 8
Set commands so they don't need to be sudo'ed?
I run SSH all the time and forward SMTP and POP3 ports. To do that, I need to sudo SSH and enter my password. I do this many times each day.
How can I set it so that command does not need root privileges? Thanks
#2
League Commissioner
Join Date: Jan 2002
Posts: 5,536
well, if it needs root privs, it needs root privs; i don't think you want to thwart that... but you might try:

$ sudo chmod u+xs /pathTo/ssh

that would turn on the special mode SUID bit, so that the executable is run as root.

$ ll /usr/bin/ssh
-rws--x--x 1 root wheel 230k Feb 19 19:49 /usr/bin/ssh

i'm not sure whether that constitutes a security breach or not. i see that the vanilla /usr/bin/ssh is not suid, but fink's /sw/bin/ssh is suid... let us know if that works for you.
#3
Prospect
Join Date: Apr 2002
Posts: 8
I take it back. It did not work. I guess sudo has some kind of time window associated with it. It worked originally, but when I tried it later in the day, it did not work.
Any other ideas?

Last edited by chris_mush; 04-04-2002 at 01:58 PM.
#4
Major Leaguer
Join Date: Jan 2002
Location: Adelaide, South Australia
Posts: 470
Root privilege and port forwarding
Hi,
I don't think that port forwarding should require root privilege unless you're choosing low port numbers to forward. But maybe I'm misreading what you're trying to do. If you just want a secure tunnel for pop3 connections to a remote server (say mail.server.com) from your home machine you can throw forth any port to remote port 110 using something like

ssh -L 2001:mail.server.com:110 -l username mail.server.com

and then put "localhost" as your pop server and "2001" as the port number in your email client preferences panel. This is my stock standard "login" routine for the machine to which most of my mail is sent. Apologies if the above is preaching to the choir!

Should you really be trying to push your local pop3 port to another machine then you will (irreducibly) need to use sudo.

Cheers, Paul
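As an added example (not code from any post in this thread), the following POSIX sh script parses an ssh -L spec like the one Paul gives, decides whether the local port is privileged (below 1024, the only reason the tunnel command would need sudo), and prefixes sudo only in that case. mail.server.com and username are the thread's own placeholders; the -N option (no remote command) is an assumption added here, and only hostnames or IPv4 addresses are handled, not bracketed IPv6 bind addresses.

```shell
#!/bin/sh
# Added example for this thread, not code from any poster. Parses an ssh -L
# forwarding spec ([bind_address:]port:host:hostport) and reports whether the
# local side binds a privileged port (< 1024), which is what forces sudo.
# Hostnames/IPv4 only (no bracketed IPv6). mail.server.com and username are
# the thread's placeholders.

# Print the local port field of a -L spec; fail on anything unparseable.
local_port_of_spec() {
    oldifs=$IFS
    IFS=:
    set -- $1
    IFS=$oldifs
    case $# in
        3) port=$1 ;;   # port:host:hostport
        4) port=$2 ;;   # bind_address:port:host:hostport
        *) return 1 ;;
    esac
    case $port in
        ''|*[!0-9]*) return 1 ;;  # not a plain decimal port number
    esac
    printf '%s' "$port"
}

# Return 0 when the spec's local port is privileged, 1 when it is not,
# 2 when the spec cannot be parsed at all.
spec_needs_root() {
    port=$(local_port_of_spec "$1") || return 2
    [ "$port" -lt 1024 ]
}

# Build the tunnel command, prefixing sudo only for a privileged local port.
# -N (run no remote command) is a standard ssh option the thread omits.
tunnel_command() {
    spec=$1
    user=$2
    host=$3
    prefix=""
    if spec_needs_root "$spec"; then
        prefix="sudo "
    fi
    printf '%sssh -N -L %s -l %s %s' "$prefix" "$spec" "$user" "$host"
}

# Stand-alone demo: a high local port needs no sudo, the real POP3 port does.
tunnel_command 2001:mail.server.com:110 username mail.server.com; echo
tunnel_command 110:mail.server.com:110 username mail.server.com; echo
```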
#5
Triple-A Player
Join Date: Jan 2002
Location: Munich - Germany
Posts: 101
1. Yes, sudo has a 5 minute time window; after 5 minutes you have to enter your password again when you use sudo.
2. You can set up your account so that you never have to enter your password again when you "sudo"... Some people of course may have security concerns. To do this, edit /etc/sudoers as root and add the following line:

<xyz> ALL = NOPASSWD: ALL

Replace <xyz> with your actual user name.

Andreas
#6
MVP
Join Date: Jan 2002
Location: Seattle
Posts: 1,078
Re: Root privilege and port forwarding
edit: ok, nevermind, I just figured it out.

Could someone explain the below to me? I understand that you're using ssh to turn mail.server.com:110 into localhost:2001 through ssh. But, what is the "-l username mail.server.com" for? I ask because I want to do this with an FTP connection...

Last edited by saint.duo; 04-05-2002 at 03:14 PM.
#7
Prospect
Join Date: Jan 2002
Posts: 27
You can't edit /etc/sudoers manually, you've got to use visudo.

%<group> ALL=(ALL) NOPASSWD: ALL

will allow passwordless su for all users in <group>, which can be handy.
#8
Major Leaguer
Join Date: Jan 2002
Location: Adelaide, South Australia
Posts: 470
That's just me being careful: if your local username doesn't match your remote username then this is the way you can specify the latter. If it's the same on both machines you can just ignore this.

Two words: forget it! ftp is a really pathological case when it comes to ssh forwarding, due to the fact that it uses separate data and control ports, with the data port being negotiated "in process". It is *possible* to use port forwarding and some other tricks to do this, but it really is a horrible mess. Check out the details in SSH: The Definitive Guide (O'Reilly) if you're feeling like a chuckle.

I think you're much better advised to look at using scp or sftp. (sftp offers you a secure version of the familiar ftp interface. It has a few advantages over using scp repeatedly, such as the fact that ftp commands involving multiple files use the same connection.) The scp command, or even rsync if it's available on both machines, should also work fine.

Cheers, Paul
#9
Prospect
Join Date: Apr 2002
Posts: 8
pmccann- You're right. I could have done that (in fact, I did do that for http), but since all POP/SMTP/IMAP is thru the tunnel, it is just easier if I leave them on their proper port. Plus this allows them to work when I'm onsite and don't have to tunnel in.

Rebug-- This didn't work. I added the following to my sudoer file (via visudo):

<user> ALL=(ALL) NOPASSWD: ALL
<group> ALL=(ALL) NOPASSWD: ALL

But that didn't work. Also tried:

<user> ALL=(ALL) ALL
<group> ALL=(ALL) ALL

just like root, but no luck. Any other ideas? Thanks