How to pass root password with su and command?

Hello,
I have a list of around 400 devices. I need to restart a service, /etc/init.d/psap23.sh, on all of them, but it should be restarted by root only.
Those have some other kind of light Linux. There is no sudo package in it and we can't/shouldn't install one. Direct root login is not allowed. I log in with user gis, do su to root and then restart that service.
All have the same password for gis and the same password for root.
Is there any way I can pass the command with some loop instead of logging in on them one by one?
I have MobaXterm and I can run a for loop from it. Also, I have Ansible, if there is any option to do it that way.
Please suggest.
Thanks

You'll need the expect tool to bruteforce a username and password in such an insecure manner.

That they've explicitly banned all the sensible options for automation, however, suggests to me that they really, really, really don't want automation to happen.

Could you have a cron job on each that looks for a central marker file? You could store the 'last restart' time on each device and compare it to the content of a central file to decide if you need to run the restart process, however I suppose that this is still automation.

One does wonder why they do not want system processes automated? If you are the admin, then you have the power to make your own decisions.

You could, for instance, open another port that listens for your connection and logs you on.

You say that direct root login is not permitted, then perhaps you could change it, but not allow password login. Would that help?

Kind regards,
Robin

Well, if you cannot / are forbidden to use the tools at your disposal...

As Robin suggested, the only half-sane response is to use a root crontab on each box, with a shell script to check for a file and perhaps read it for additional info (like the last restart).

Then you can just log in with user gis, touch a file, and the restart (or whatever similar action is required) will happen.

Be careful to sanitize the input and limit the script to root only (700 for instance).
Keep user gis's umask and permissions as tight as you can, and create a directory which can only be modified by that specific user.
Consider that script and file to be a security issue and treat the user input like cancer.

This above is all wrong and existing methods should be used rather, various much more secure tools exist today.

Using keys or passwords, direct root login is still a great security risk and should be avoided at all costs.
Folks keep those keys on personal computers, mobile phones and such and are in general careless.

Hope that helps
Regards
Peasant.

1 Like
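The marker-file approach Robin and Peasant describe, written out as an added example (not code from either poster): a root cron job checks a directory writable only by gis for a marker, never reads the marker's contents, refuses symlinks, compares the marker's mtime with the last restart, and stamps a root-only state file after a successful restart. MARKER_DIR, STATE_FILE and RESTART_CMD are assumed placeholder paths.

```shell
#!/bin/sh
# Added example, not from the thread: root cron job that restarts the service
# only when user gis has dropped a marker file. The marker's content is never
# read or executed; only its existence and mtime matter.
# MARKER_DIR, STATE_FILE and RESTART_CMD are assumed placeholders.
MARKER_DIR=${MARKER_DIR:-/var/spool/psap23-restart}    # owned by gis, mode 0700
STATE_FILE=${STATE_FILE:-/var/lib/psap23-restart/last} # owned by root, mode 0600
RESTART_CMD=${RESTART_CMD:-"/etc/init.d/psap23.sh restart"}

log() { printf '%s psap23-restart: %s\n' "$(date '+%F %T')" "$*" >&2; }

# needs_restart MARKER STATE -> 0 only if MARKER is a regular file (not a
# symlink, which gis could point anywhere) and is newer than the last restart.
needs_restart() {
    marker=$1 state=$2
    [ -f "$marker" ] || return 1        # nothing requested
    [ -L "$marker" ] && return 1        # refuse symlinks outright
    [ -f "$state" ] || return 0         # never restarted before
    [ "$marker" -nt "$state" ]          # marker older than last restart: ignore it
}

# run_restart MARKER STATE CMD: consume the marker, run CMD (as root from cron)
# and on success stamp STATE so a stale marker cannot trigger a second restart.
run_restart() {
    marker=$1 state=$2 cmd=$3
    rm -f -- "$marker"                  # consume first: a failing CMD must not retry every minute
    if $cmd; then
        date '+%s' > "$state"           # STATE mtime becomes the 'last restart' time
        log "restart succeeded"
    else
        log "restart FAILED (status $?)"
        return 1
    fi
}

main() {
    marker="$MARKER_DIR/restart"
    if needs_restart "$marker" "$STATE_FILE"; then
        run_restart "$marker" "$STATE_FILE" "$RESTART_CMD"
    fi
}
# root crontab line (assumed path): * * * * * /usr/local/sbin/psap23-restart.sh run
case ${1:-} in run) main ;; esac
```

As gis, `touch /var/spool/psap23-restart/restart` on each box (over plain ssh, in a loop) is then the whole "restart" request; root's cron does the privileged part.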

In general it is a good idea and a valid safety measure to forbid direct root-logins. Still, someone has to become root from time to time and nobody can be expected to do 400 systems manually. Locking the door makes sense. To block it with masonry without creating another entry is idiotic.

If you have Ansible then you have a working ssh connection with the possibility to execute something with root privileges, because this is how Ansible contacts its clients. Write an Ansible routine then and deploy it to all eligible systems. This is the preferred solution.

If you, for some reason, can't do that, use the ssh-connection directly: use the existing ssh-keys to connect to the systems and run the command(s) with root privileges the same way Ansible does it. You can put that in a script which does that in a loop and cycles through all the systems to be deployed. I once wrote such a script for a site where no Ansible or similar tool was available, here is the core function of it. It won't run outright without the rest of the solution (~1500 lines of code, too much to post it) but you might use it to create your own solution.

The function gets a hostname and executes a list of commands stored in an array by connecting to the host with a globally defined username, executing one command per iteration of the main loop. The success/failure of each command is then logged ( f_CmdLog() and f_CmdErr() ):

# --------------------------------------------- pDeployList()
# Connects to host $1 as the globally defined user $chUser and runs every
# command stored in the global array achCmd (assumed to be indexed from 1)
# over ssh, one command per loop iteration. The globals chFullDebug (e.g.
# "set -x" or empty) and SIMULATE (e.g. "echo" for a dry run, or empty)
# come from the rest of the script, as do f_CmdLog() and f_CmdErr().
function pDeployList
{
typeset chHost="$1"
typeset -i iRetVal=0
typeset -i iCmdCnt=1

$chFullDebug

while [ $iCmdCnt -le ${#achCmd[*]} ] ; do
     # -n: no stdin; -q: quiet; BatchMode: never prompt for a password,
     # fail instead if key authentication does not work on this host
     if $SIMULATE ssh -nqo 'BatchMode = yes' \
                           "${chUser}@${chHost}" \
                           "${achCmd[$iCmdCnt]}" ; then
          f_CmdLog "executed ${achCmd[$iCmdCnt]} as ${chUser}@${chHost}"
     else
          # $? here is still the exit status of the ssh command above
          f_CmdErr "${chUser}@${chHost} # ${achCmd[$iCmdCnt]} ==> $?"
          iRetVal=1
     fi
     (( iCmdCnt += 1 ))
done

return $iRetVal
}

I hope this helps.

bakunin

1 Like

Hi Solaris_1977,

Just my two cents' worth here: having to restart a service on 400 servers - why?

  • Does the service regularly fail?
  • Has there been an upgrade?

To give a more comprehensive answer, some more information is required. I also note that you say the service should be run as root; well, running what I believe is a SAP service as root can lead to other issues. There should be a sapadm or similar user for starting these "services".

Regards

Gull04

1 Like