Automating su (sudo) login

Hi,

I am planning to automate a deployment process and the below are the steps

  1. Connect from windows to Unix server
  2. Login with user name: admin and password
  3. After logging in, switch user to root to get additional privileges
  4. Perform actions on files and directories post switching to root user.

I am now stuck at point 3: after connecting to Unix and logging in as admin, I have to switch to root, which I need to automate in a script.

I saw an option with sudo -S (where the input is not taken from the terminal): echo -e 'password' | sudo -S su root

but the above did not work. I am not comfortable editing the sudoers file, as anyone could then log in with this ID without a password.

Would be great if you can assist on the same.

How many servers are involved? What are their Operating Systems - Solaris, AIX, Linux? If Linux, which distribution(s)?

How often are you likely to repeat this deployment? Once per server? Monthly/annually per server?

Personally, although others may disagree with me, I would use SSH to log in directly as root on the server, removing the need for step three. But the best solution for you really depends on the answers you give to the above questions.

Andrew

I agree with apmcd47's direction. You can set up ssh keys for the root user. This has some security issues. As you describe it, your ssh configuration probably does not allow root to log in directly, which is definitely more secure.

Your described approach with echo is not secure. Period. root passwords do not belong in scripts.

The below stuff is a model, a suggestion. You need to change it. No sudo needed.

If you do not want to undo security, consider a different model from your base proposal.
Create a directory off root: /venkidhadha, maybe with 1700 permissions, definitely 700, owned by the venkidhadha user. That username (or whatever name you use) has to exist on every remote box.
Leave the directory EMPTY.

Write a simple script executed from the root user's crontab, and have it run once a day, or once every hour - whatever:
A crontab entry that runs at 1:00 am once a day:

0 1 * * * /path/to/runme.shl

# runme.shl, kept in another admin directory, must have execute permission
cd /venkidhadha || exit 1
# only plain files owned by the drop user are candidates; find prints them as ./name
find . -type f -user venkidhadha |
while read -r scriptname
do
    "${scriptname}" > "${scriptname}.log_$(date "+%d%m%Y")" 2>&1
    # hand the script to root so it is not picked up again on the next run
    chown root:root "${scriptname}"
done

The above script needs some tweaking: you need to keep track of what has been executed, and maybe send email. Changing the owner to root means you cannot use duplicate script names, because this:

scp $myunique_filename venkidhadha@computername:/venkidhadha

is what you execute to get the script to run as root on the remote side.
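A hardened version of the drop-directory runner sketched in this post, as an added example and not the poster's script: before root runs anything, it verifies that the drop directory is really owned by the drop user with mode 700/1700, that each candidate is a plain file (not a symlink) owned by that user and not writable by anyone else, and it moves each script out with a timestamp instead of relying on chown so the same file can never run twice. It assumes GNU or BusyBox stat(1) and that DROP_UID holds the numeric uid of the one account allowed to drop scripts (venkidhadha in the thread).

```shell
#!/bin/sh
# Hardened drop-directory runner in the spirit of runme.shl above. Added example,
# not the poster's script. Assumes GNU/BusyBox stat(1) and that DROP_UID is the
# numeric uid of the one account allowed to drop scripts (venkidhadha here).
DROP_UID="${DROP_UID:-$(id -u venkidhadha 2>/dev/null || true)}"

# Accept the drop directory only if it is a real directory (not a symlink),
# owned by DROP_UID, mode 700 or 1700, so nobody else can plant files in it.
check_drop_dir() {
    [ -d "$1" ] && [ ! -L "$1" ] || return 1
    [ "$(stat -c '%u' "$1")" = "$DROP_UID" ] || return 1
    case "$(stat -c '%a' "$1")" in
        700|1700) return 0 ;;
        *)        return 1 ;;
    esac
}

# Accept a candidate script only if it is a plain file (not a symlink), owned
# by DROP_UID and not writable by group or other, so nobody else can edit or
# swap it between drop and execution.
check_script() {
    [ -f "$1" ] && [ ! -L "$1" ] || return 1
    [ "$(stat -c '%u' "$1")" = "$DROP_UID" ] || return 1
    case "$(stat -c '%a' "$1")" in
        *[2367]?|*[2367]) return 1 ;;   # group- or other-writable: reject
        *)                return 0 ;;
    esac
}

# Run each accepted script in $1 once with sh, log to $2, then move the script
# into $2 under a timestamped name so the same file is never executed twice.
run_pending() {
    drop="$1"; done_dir="$2"
    check_drop_dir "$drop" || { echo "refusing $drop: bad owner or mode" >&2; return 1; }
    mkdir -p "$done_dir" || return 1
    for f in "$drop"/*; do
        [ -e "$f" ] || continue          # empty directory: the glob did not expand
        name=$(basename "$f")
        if ! check_script "$f"; then
            echo "skipping $name: not a plain file owned by uid $DROP_UID, or writable by others" >&2
            continue
        fi
        stamp=$(date "+%d%m%Y_%H%M%S")
        sh "$f" > "$done_dir/$name.log_$stamp" 2>&1
        echo "$name exited $? (log: $done_dir/$name.log_$stamp)" >&2
        mv "$f" "$done_dir/$name.ran_$stamp"
    done
}
```

From root's crontab the entry would be `DROP_UID=$(id -u venkidhadha) run_pending /venkidhadha /var/log/venkidhadha-runs`; the scp step from the post stays the same, and a rejected file is left in place and reported rather than silently executed.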

Whenever you find yourself trying to do echo password | secure_tool or secure_tool 'commandline password', now is the time to rethink your strategy, as in the 21st century no security system will accept a stored password without a fight.

There are two ways forward.

  1. Install insecure, third-party cracking tools which will make the path of maximum resistance just barely possible.
  2. Try some other way.

Only if you allow sudoers to let anyone log in to this ID without a password. You can also tell sudo to only let some or one ID do so. Or only let someone in a particular group do so. Or both.