Need sudo for Plesk domain ssh user

Posted on 2008-11-18
Last Modified: 2013-12-16

I am trying to make sudo available to an ssh user I created through Plesk on CentOS 5.2.

So far
- I installed sudo, as it was not available
> yum install sudo
- Added the user I wanted to the wheel group
> usermod -a -G wheel theuser
- Uncommented %wheel in /etc/sudoers

But noticed sudo is not available if I log in as that user.  
I noticed /var/www/vhosts/<domain>/usr/bin did not include sudo, so I copied it from /usr/bin,
but then shared libraries started to be missing:
"sudo: error while loading shared libraries: cannot open shared object file: No such file or directory"
So I figured I could go through this and copy one missing library after the other from its original location to the respective /var/www/vhosts/<domain> folder, but I assume there is a better way to do so.

Thank you

Question by:SWB-Consulting

    Expert Comment

    Not sure whether you have jailed the ssh in /var/www/vhosts, but you would need to compile and install sudo in the same hierarchy.
    i.e. if you have /var/www/vhosts as the "jailed /",
    you need to install /var/www/vhosts/lib /var/www/vhosts/bin and /var/www/vhosts/etc.

    When compiling sudo, use --prefix="/var/www/vhosts"

    Author Comment

    Yes, it seems the ssh users are jailed in /var/www/vhosts/<domain>

    Can I somehow
      yum install sudo
    with all dependencies into the "jail"?

    Expert Comment

    You can use rpminfo to get the sudo package file listing.
    You can use the list to copy (cpio); however, the user cannot be ssh jailed in /var/www/vhost/<domain> or you would need to perform the above for each domain. You would not need to copy, but you would need to make hard links (ln). You will likely still run into missing shared libraries. Using ldd /usr/bin/sudo will give you a list of shared libraries that sudo relies on.
    The issue is sudo may give them more access to the entire system not limited to the jailed environment.

    Author Comment

    I spent quite some time yesterday trying to make sudo available to the jailed domain users.  This would be necessary in order to use svn from those accounts.

    Installing sudo itself was not a problem (yum install sudo) but making it available to not only the root user (which is the purpose of the command sudo) seems to be a bit more tricky.

    From what I figured out the domain users are "jailed" in their respective directories /var/www/vhosts/<domain> which is their root directory.  The result is that sudo, all required configuration files and dependencies (libraries) etc must be available within /var/www/vhosts/<domain>

    So far I have
    - created the folder /usr/bin in the jail
    > mkdir /var/www/vhosts/<domain>/usr/bin

    - I then copied /usr/bin/sudo to /var/www/vhosts/<domain>/usr/bin/

    - To copy all dependent libraries I used the command ldd to receive a list of all dependent libraries (ldd /usr/bin/sudo)

    I have used the following line to copy the dependent libraries
    > ldd /usr/bin/sudo | awk '{ print $3; }' | sed 's/\(\/.*\/\(.*\)\)/\1 \/var\/www\/vhosts\/<domain>\1/g' | xargs -p -l1 --no-run-if-empty cp -i
    Which prompts for every dependency to copy and not overwrite libraries that are already available with cp -i

    - Then I started to copy required resources but did not get far.
    -- I copied /etc/sudoers into /var/www/vhosts/<domain>/etc
    -- I also copied /etc/pam.d/sudo to

    But then got stuck with the following error message when executing from the domain user account:
    > sudo svn help
    sudo: pam_authenticate: Module is unknown

    I was hoping there is an easier way to install sudo (or other commands we will need) in the jail, like some sort of
    > yum --jail=/var/www/vhosts/ install sudo
    Or another script that might take care of that, but was not able to find anything.
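
The dependency-copy step from the comment above, as an added example (not the poster's own code): it turns `ldd` output into a copy plan and also keeps the dynamic loader line, which has no `=>` and is therefore dropped by `awk '{ print $3; }'`. The jail path `/var/www/vhosts/example.com` and the sample `ldd` text are constructed; `ldd` cannot list PAM modules because they are loaded at run time with dlopen(), which is consistent with the `Module is unknown` error.

```shell
#!/bin/sh
# Added example. The sample ldd text and the jail path are constructed.
# ldd lists link-time dependencies only: PAM modules (pam_*.so) are loaded
# with dlopen() at run time and never appear here.

# Constructed sample of `ldd /usr/bin/sudo` output on a 32-bit system.
sample_ldd() {
    printf '\t%s\n' \
        'linux-gate.so.1 =>  (0x00d2f000)' \
        'libpam.so.0 => /lib/libpam.so.0 (0x00b5e000)' \
        'libdl.so.2 => /lib/libdl.so.2 (0x00a64000)' \
        'libc.so.6 => /lib/libc.so.6 (0x008ef000)' \
        '/lib/ld-linux.so.2 (0x008d0000)'
}

# Read ldd output on stdin, print each library path once.
# Returns 1 if ldd reported a dependency as "not found".
jail_deps() {
    out=$(awk '
        /=> not found/           { print "missing: " $1 | "cat 1>&2"; bad = 1; next }
        $2 == "=>" && $3 ~ /^\// { print $3; next }  # name => /path (addr)
        $1 ~ /^\//               { print $1; next }  # loader line, no "=>"
        # remaining lines (linux-gate.so.1) are kernel-provided: nothing to copy
        END { exit bad }
    ') && rc=0 || rc=$?
    if [ -n "$out" ]; then printf '%s\n' "$out" | LC_ALL=C sort -u; fi
    return "$rc"
}

# Print (do not run) the commands that place each library at the same
# path under the jail root given as $1.
jail_copy_plan() {
    jail=${1%/}
    libs=$(jail_deps) || return 1
    printf '%s\n' "$libs" | while IFS= read -r lib; do
        [ -n "$lib" ] || continue
        printf 'mkdir -p "%s%s"\n' "$jail" "$(dirname "$lib")"
        printf 'cp -p "%s" "%s%s"\n' "$lib" "$jail" "$lib"
    done
}

# Real use: ldd /usr/bin/sudo | jail_copy_plan /var/www/vhosts/<domain>
sample_ldd | jail_copy_plan /var/www/vhosts/example.com
```

Every binary placed in the jail needs the same treatment, once per domain, and anything it opens at run time (PAM modules, NSS libraries, configuration files) still has to be tracked down separately.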

    Expert Comment

    Can you explain why you need sudo to run svn?  Maybe there is a better approach.  And why run svn directly on the server in the first place?  Maybe we can help by taking a step back and figuring out a different approach?

    Author Comment

    Sorry for the confusion.

    The (web) application will be deployed as an svn checkout on the server, so actually I just need the svn command, not an svn server for the domain user.
    Also some of the configuration files require root access to be edited.
    I would like to try to avoid giving the domain user root access by default.  So I figured sudo would be a good compromise.

    Does that make sense?

    Expert Comment

    Let's see if I get what you have.
    You have a CentOS server with Plesk, where the hosted domains have jailed users.
    The websites are svn managed.
    What configuration files, per domain?  The configuration files should be part of the SVN repository such that they can be checked out and edited.


    Accepted Solution

    There was a better approach:

    In Plesk > Domains > Setup > Change "Shell access to server with FTP user's credentials" from "/bin/bash (chrooted)" to "/bin/bash"

    Since only the client and developers have access, I believe it is not necessary to jail the user with the domain credentials.

    Thanks anyway!

    Expert Comment

    It might be useful to others if you post what the solution is to an individual facing a similar dilemma.
