Need sudo for Plesk domain ssh user

Hi,

I am trying to make sudo available to an ssh user I created through Plesk on CentOS 5.2.

So far
- I installed sudo, as it was not available
> yum install sudo
- Added the user I wanted to the wheel group
> usermod -a -G wheel theuser
- Uncommented %wheel in /etc/sudoers

But noticed sudo is not available if I log in as that user.  
I noticed /var/www/vhosts/<domain>/usr/bin did not include sudo, so I copied it from /usr/bin,
but then shared libraries started to be missing:
"sudo: error while loading shared libraries: libpam.so.0: cannot open shared object file: No such file or directory"
So I figured I could go through this and copy one missing library after the other from its original location to the respective /var/www/vhosts/<domain> folder, but I assume there is a better way to do so.

Thank you

SWB-Consulting Asked:

arnold Commented:
Not sure whether you have jailed the ssh in /var/www/vhosts, but you would need to compile and install sudo in the same hierarchy.
i.e. if you have /var/www/vhosts as the "jailed /",
you need to install /var/www/vhosts/lib /var/www/vhosts/bin and /var/www/vhosts/etc.

When compiling sudo, use --prefix="/var/www/vhosts"
0
SWB-Consulting (Author) Commented:
Yes, it seems the ssh users are jailed in /var/www/vhosts/<domain>

Can I somehow
  yum install sudo
with all dependencies into the "jail"?
0
arnold Commented:
You can use rpminfo to get the sudo package file listing.
You can use the list to copy (cpio); however, the user cannot be ssh jailed in /var/www/vhost/<domain> or you would need to perform the above for each domain. You would not need to copy, but you would need to make hard links (ln). You will likely still run into missing shared libraries. Running ldd /usr/bin/sudo will give you a list of shared libraries that sudo relies on.
The issue is sudo may give them more access to the entire system not limited to the jailed environment.
0
SWB-Consulting (Author) Commented:
I spent quite some time yesterday trying to make sudo available to the jailed domain users.  This would be necessary in order to use svn from those accounts.

Installing sudo itself was not a problem (yum install sudo) but making it available to not only the root user (which is the purpose of the command sudo) seems to be a bit more tricky.

From what I figured out the domain users are "jailed" in their respective directories /var/www/vhosts/<domain> which is their root directory.  The result is that sudo, all required configuration files and dependencies (libraries) etc must be available within /var/www/vhosts/<domain>

So far I have
- created the folder /usr/bin in the jail
> mkdir /var/www/vhosts/<domain>/usr/bin

- I then copied /usr/bin/sudo to /var/www/vhosts/<domain>/usr/bin/

- To copy all dependent libraries I used the command ldd to receive a list of all dependent libraries (ldd /usr/bin/sudo)

I have used the following line to copy the dependent libraries
> ldd /usr/bin/sudo | awk '{ print $3; }' | sed 's/\(\/.*\/\(.*\)\)/\1 \/var\/www\/vhosts\/<domain>\1/g' | xargs -p -l1 --no-run-if-empty cp -i
Which prompts for every dependency to copy and not overwrite libraries that are already available with cp -i

- Then I started to copy required resources but did not get far.
-- I copied /etc/sudoers into /var/www/vhosts/<domain>/etc
-- I also copied /etc/pam.d/sudo to
/var/www/vhosts/<domain>/etc/pam.d

But then got stuck with the following error message when executing from the domain user account:
> sudo svn help
sudo: pam_authenticate: Module is unknown

I was hoping there is an easier way to install sudo (or other commands we will need) in the jail, like some sort of
> yum --jail=/var/www/vhosts/live.lesliehindman.com install sudo
Or another script that might take care of that, but was not able to find anything.
0
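ldd reports only link-time dependencies; the PAM modules named in /etc/pam.d files are loaded with dlopen() at run time and never appear in its output. The script below is an added example, not part of the original thread: it parses ldd output and a pam.d service file and prints source/destination pairs for the jail. The sample inputs are constructed, and the function names and MODDIR=/lib/security are assumptions.

```shell
# Added example; every sample below is constructed, not taken from a real host.
# Absolute library paths from `ldd` output on stdin. Covers "name => /path (addr)"
# and the loader line "/path (addr)"; skips the vdso and "not found" entries.
ldd_paths() {
    awk '$2 == "=>" && $3 ~ /^\// { print $3; next }
         $1 ~ /^\// { print $1 }'
}

# PAM modules named by a service file on stdin. They are dlopen()ed at run
# time, so ldd never lists them. "include" targets print as "@file": that file
# is needed in the jail too, and names further modules (not followed here).
pam_modules() {
    awk 'NF == 0 || $1 ~ /^#/ { next }
         $2 == "include" || $2 == "substack" { print "@" $3; next }
         { i = 2   # a bracketed control such as [a=b c=d] spans several fields
           if ($i ~ /^\[/) while (i < NF && $i !~ /\]$/) i++
           print $(i + 1) }' | LC_ALL=C sort -u
}

# Turn source paths on stdin into "src dest" pairs under the jail root $1.
jail_plan() { awk -v root="$1" '{ print $0, root $0 }'; }

sample_ldd() {   # constructed ldd output for a sudo-like binary
    cat <<'EOF'
    linux-gate.so.1 =>  (0x00110000)
    libpam.so.0 => /lib/libpam.so.0 (0x00a1b000)
    libc.so.6 => /lib/libc.so.6 (0x00b5a000)
    /lib/ld-linux.so.2 (0x00b3c000)
EOF
}
sample_pam() {   # constructed /etc/pam.d/sudo-style service file
    cat <<'EOF'
#%PAM-1.0
auth       include      system-auth
account    [default=bad success=ok] pam_permit.so
session    optional     pam_keyinit.so revoke
EOF
}

JAIL='/var/www/vhosts/<domain>'   # placeholder path, as written in the thread
MODDIR=/lib/security              # assumed PAM module directory (32-bit host)
full_plan() {
    { sample_ldd | ldd_paths
      sample_pam | pam_modules | sed -n "s|^pam_|$MODDIR/pam_|p"
      sample_pam | pam_modules | sed -n 's|^@|/etc/pam.d/|p'
    } | jail_plan "$JAIL"
}
full_plan
```

On a real host, replace sample_ldd with `ldd /usr/bin/sudo` and sample_pam with `cat /etc/pam.d/sudo`, then review the printed pairs before copying anything.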
arrkerr1024 Commented:
Can you explain why you need sudo to run svn?  Maybe there is a better approach.  And why run svn directly on the server in the first place?  Maybe we can help by taking a step back and figuring out a different approach?
0
SWB-Consulting (Author) Commented:
Sorry for the confusion.

The (web) application will be deployed as an svn checkout on the server, so actually I just need the svn command, not an svn server for the domain user.
Also some of the configuration files require root access to be edited.
I would like to try to avoid giving the domain user root access by default.  So I figured sudo would be a good compromise.

Does that make sense?
0
arnold Commented:
Let's see if I get what you have.
You have a CentOS server with Plesk, where the hosted domains have jailed users.
The websites are svn managed.
What configuration files, per domain?  The configuration files should be part of the SVN repository such that they can be checked out and edited.
0
SWB-Consulting (Author) Commented:
There was a better approach:

In Plesk > Domains > Setup > Change "Shell access to server with FTP user's credentials" from "/bin/bash (chrooted)" to "/bin/bash"

Since only the client and developers have access, I believe it is not necessary to jail the user with the domain credentials.

Thanks anyway!
0

arnold Commented:
It might be useful to others if you post what the solution is to an individual facing a similar dilemma.
0