Learn how to a build a cloud-first strategyRegister Now

x
  • Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 4789
  • Last Modified:

Need sudo for Plesk domain ssh user

Hi,

I try to make sudo available to an ssh user I created through Plesk on CentOS 5.2

So far
- I installed sudo, as it was not available
> yum sudo install
- Added the user I wanted to the wheel group
> usermod -a -G wheel theuser
- Uncommented %wheel in /etc/sudoers

But noticed sudo is not available if I log in as that user.  
I noticed /var/www/vhosts/<domain>/usr/bin did not include sudo, so I copied it from /usr/bin,
but then shared libraries started to be missing:
"sudo: error while loading shared libraries: libpam.so.0: cannot open shared object file: No such file or directory"
So I figured I could go through this and copy one missing library after the other from it's original location to the respective /var/www/vhosts/<domain> folder, but I assume there is a better way to do so.

Thank you

0
SWB-Consulting
Asked:
SWB-Consulting
  • 4
  • 4
1 Solution
 
arnoldCommented:
Not sure whether you have jailed the ssh in /var/www/vhosts, but you would need to compile and install sudo in the same hierarchy.
i.e. if you have /var/www/vhosts as the "jailed /",
you need to install /var/www/vhosts/lib /var/www/vhosts/bin and /var/www/vhosts/etc.

when compiling sudo use --prefix="/var/www/vhosts"
0
 
SWB-ConsultingAuthor Commented:
Yes, it seems the ssh users are jailed in /var/www/vhosts/<domain>

Can I somehow
  yum install sudo
with all dependencies into the "jail"?
0
 
arnoldCommented:
You can use rpminfo to get the sudo package file listing.
You can use the list to copy (cpio); however, the user can not be ssh jailed in /var/www/vhost/<domain> or you would need to perform the above for each domain. You would not need to copy, but you would need to make hard links (ln) You will likely still run into missing shared librarries.  use ldd /usr/bin/sudo will give you a list of shared libraries that sudo relies on.
The issue is sudo may give them more access to the entire system not limited to the jailed environment.
0
Veeam and MySQL: How to Perform Backup & Recovery

MySQL and the MariaDB variant are among the most used databases in Linux environments, and many critical applications support their data on them. Watch this recorded webinar to find out how Veeam Backup & Replication allows you to get consistent backups of MySQL databases.

 
SWB-ConsultingAuthor Commented:
I spent quite some time yesterday trying to make sudo available to the jailed domain users.  This would be necessary in order to use svn from those accounts.

Installing sudo itself was not a problem (yum install sudo) but making it available to not only the root user (which is the purpose of the command sudo) seems to be a bit more tricky.

From what I figured out the domain users are "jailed" in their respective directories /var/www/vhosts/<domain> which is their root directory.  The result is that sudo, all required configuration files and dependencies (libraries) etc must be available within /var/www/vhosts/<domain>

So far I have
- created the folder /usr/bin in the jail
> mkdir /var/www/vhosts/<domain>/usr/bin

- I then copied /usr/bin/sudo to /var/www/vhosts/<domain>/usr/bin/

- To copy all dependent libraries I used the command ldd to receive a list of all dependent libraries (ldd /usr/bin/sudo)

I have used the following line to copy the dependent libraries
> ldd /usr/bin/sudo | awk '{ print $3; }' | sed 's/\(\/.*\/\(.*\)\)/\1 \/var\/www\/vhosts\/<domain>\1/g' | xargs -p -l1 --no-run-if-empty cp -i
Which prompts for every dependency to copy and not overwrite libraries that are already available with cp -i

- Then I started to copy required resources but did not get far.
-- I copied /etc/sudoers into /var/www/vhosts/<domain>/etc
-- I also copied /etc/pam.d/sudo to
/var/www/vhosts/<domain>/etc/pam.d

But then got stuck with the following error message when executing from the domain user account:
> sudo svn help
sudo: pam_authenticate: Module is unknown

I was hoping there is an easier way to install sudo (or other commands we will need) in the jail, like some sort of
> yum --jail=/var/www/vhosts/live.lesliehindman.com install sudo
Or another script that might take care of that, but was not able to find anything.
0
 
arrkerr1024Commented:
Can you explain why you need sudo to run svn?  Maybe there is a better approach.  And why run svn directly on the server in the first place?  Maybe we can help by taking a step back and figuring out a different approach?
0
 
SWB-ConsultingAuthor Commented:
Sorry for the confusion.

The (web) application will be deployed as an svn checkout on the server, so actually I just need the svn command, not an svn server for the domain user.
Also some of the configuration files require root access to be edited.
I would like to try to avoid giving the domain user root access by default.  So I figured sudo would be a good compromise.

Does that make sense?
0
 
arnoldCommented:
Lets see If I get what you have.
You have a server centos, with plesk where the hosted domains have jailed users.
The websites are svn managed.
What configuration files, per domain?  The configuration files should be part of the SVN repository such that they can be checked out and edited.






0
 
SWB-ConsultingAuthor Commented:
There was a better approach:

In Plesk > Domains > Setup > Change "Shell access to server with FTP user's credentials" from "/bin/bash (chrooted)" to "/bin/bash"

Since only the client and developers have access, I believe it is not necessary to jail the user with the domain credentials.

Thanks anyway!
0
 
arnoldCommented:
It might be useful to others if you post what the solution is to an individual facing a similar dilemma.
0

Featured Post

What does it mean to be "Always On"?

Is your cloud always on? With an Always On cloud you won't have to worry about downtime for maintenance or software application code updates, ensuring that your bottom line isn't affected.

  • 4
  • 4
Tackle projects and never again get stuck behind a technical roadblock.
Join Now