Perl script remote execution as another user

melias · October 19, 2011, 1:19am

Hi gurus,

I have a requirement where I need to remotely run a perl script as another user.
Running the script locally as the required user is fine, however I need to su with the script due to filesystem permission issues. I do not want to update permissions on the remote server due to security reasons.

I need this to monitor a database instance via nagios, so need to run the check on the remote server as an oracle related user. I've set up the sudo rules on the remote server so that everything works when the check is run as an oracle user, however the check doesn't work when run from the monitoring server.

How do I su/sudo within a perl script so that all subsequent lines are executed as a different user?

This is my script..

use strict;

my $debug=1;

my $NAGIOS_OK = 0;
my $NAGIOS_WARNING = 1;
my $NAGIOS_CRITICAL = 2;
my $NAGIOS_UNKNOWN = 3;

my $exit_code = $NAGIOS_OK;
my $status_line = "All services online";
my $ORA_EMCTL_HOME ="";
my $EMCTL_BINARY ="";

my $name="";
my $target="";
my $state="";
my $type="";

my $cmd = sprintf("sudo /usr/bin/su - oraprod");
info "Running cmd: $cmd";
open CMD, "$cmd |" or die "Could not execute cmd: $cmd $!";

if($#ARGV == 0) {
$ORA_EMCTL_HOME=$ARGV[0];
$EMCTL_BINARY="$ORA_EMCTL_HOME/emctl";

if( !((-e $EMCTL_BINARY) && (-r $EMCTL_BINARY) && (-x $EMCTL_BINARY)) ) {
$status_line="ERROR : cannot execute $EMCTL_BINARY";
$exit_code=$NAGIOS_CRITICAL;
}

} else {
$status_line="usage : check_oracle_emctl <ORA_EMCTL_HOME PATH> \n";
$exit_code=$NAGIOS_UNKNOWN;
}

close CMD;

eval {
if($exit_code==$NAGIOS_OK) {

open(EMCTL_STATUS,$ORA_EMCTL_HOME/emctl status oms -u |) or die "cannot access or run $ORA_EMCTL_HOME/emctl_status" ;

while(<EMCTL_STATUS>){
if(/NAME=(.*?)$/) {
$name=$1;

if(<EMCTL_STATUS> =~ /TYPE=(.*?)$/) {
$type=$1;
}
else {
$status_line="PARSE : missing type for $name";
$exit_code=$NAGIOS_UNKNOWN;
last;
}

if(<EMCTL_STATUS> =~ /TARGET=(.*?)$/) {
$target=$1;
}
else {
$status_line="PARSE : missing target for $name";
$exit_code=$NAGIOS_UNKNOWN;
last;
}

if(<EMCTL_STATUS> =~ /STATE=(\w+)/) {
$state=$1;
}
else {
$status_line="PARSE : missing state for $name";
$exit_code=$NAGIOS_UNKNOWN;
last;
}

if($debug){
print "[$name], [$type], [$target], [$state]\n";
}

# TS want alarms on all offline resources, not just ones with TARGET online
#if($target eq "ONLINE"){
if($state ne "ONLINE"){
if($debug){
print "[$name] should be [$target] but is [$state]\n";
}

if($exit_code == $NAGIOS_OK) {
$status_line="OFFLINE";
$exit_code=$NAGIOS_CRITICAL;
}

# append faulted service name
$status_line="$status_line $name";
}
#}

}

}
close(EMCTL_STATUS);
}
};
if ($@) {
$status_line="ERROR: $@";
$exit_code=$NAGIOS_CRITICAL;
}

print "$status_line\n";
exit $exit_code;

what am I doing wrong? How can I execute the entire script as another user on a remote host?

Corona688 · October 19, 2011, 1:53am

How are you running this script on the remote host?

Do you really need to su in the script? You realize that only things run by su get user permissions, it doesn't promote the process that ran su?

Ideally you'd want to login as the user then run perl. You could do:

ssh -t username@host perl < perl.pl

melias · October 19, 2011, 2:26am

I need to initially ssh as a specific user and then run the perl script as another user. This is due to the monitoring software we use.

Corona688 · October 19, 2011, 11:58am

su has to run your perl program, not vice versa. su doesn't change the login of existing programs. su creates a new login under a different user which does what you tell it to.

ssh username@host su -c "/usr/bin/perl" - othername < localfile.pl

melias · October 19, 2011, 6:59pm

I understand how su & sudo work.

My requirement is to be able to switch users from within the perl script, so that specific actions/commands are performed under the required account. I do not want to ssh as the required user. I need to make the connection to the box as a specific user and then run the script (or parts of it) as a different user.

I do not want to use a wrapper script or any other external method, surely there must be a way to switch users from within the script itself. I will have a subsequent requirement where I want to switch to different users multiple times so I want to be able to do it only from within the script itself.

Thanks

Corona688 · October 20, 2011, 12:22am

That's exactly what my suggestion does...

Only root can actually switch users. And even then, you can't do it unless you custom-compile your own nonstandard perl.

If you want your code to operate in standard perl, within sane safety bounds, and without weird convolutions, you'll have to actually use the system as designed. One process, one user.

So, creating processes inside perl like su -c perl username and feeding perl statements into the stdin of that process would be one way to go.