Wayne Davison
2022-Mar-11 20:12 UTC
Trying to elevate rsync privileges when connecting over ssh without using NOPASSWD in sudoers
On Fri, Mar 11, 2022 at 4:57 AM Dr. Mark Asbach via rsync <rsync at lists.samba.org> wrote:

> b) Passing the password to sudo via stdin using --rsync-path "echo MYPASSWORD | sudo -S rsync" (see https://askubuntu.com/a/1155897).

In that ask-ubuntu example they are running a client rsync via sudo, not the server side. The server requires the socket to be on stdin, so you can't use stdin earlier on the command-line for something else.

One thing you could do is to create a custom askpass script that provides the password on stdout. You must put that script on each remote system because the SUDO_ASKPASS environment variable must only contain a program name, so it will not allow a one-line remote invocation (i.e. SUDO_ASKPASS="echo FOO" fails).

For example, create a shell script named something like echo-askpass:

    #!/bin/sh
    echo "$SUDO_PASS"

and then use this option to rsync:

    --rsync-path "SUDO_ASKPASS=/path/echo-askpass SUDO_PASS=MYPASS sudo -A rsync"

You could simplify that by moving those environment variables into your ansible config, perhaps by grabbing the password out of the ansible vault or having ansible prompt the user. That would let you run "sudo -A rsync" and not have the password in the command. The ansible docs detail how to set remote environment variables.

..wayne..
Dr. Mark Asbach
2022-Mar-12 20:17 UTC
Trying to elevate rsync privileges when connecting over ssh without using NOPASSWD in sudoers
Hi everyone,

Thanks for all the ideas! Meanwhile, I've made some progress because there was another answer on "ask ubuntu" that got absolutely no interaction but that is a brilliant solution: https://askubuntu.com/a/1263657 :

> just create a wrapper script for the ssh command.
> ssh_sudo:
>     {
>       echo $PASSWORD;
>       cat - ;
>     } | ssh $* &
>
> At first, this passes the password to the ssh client's sudo process in order to start rsync on the remote side. Next all input coming from the local rsync is piped to ssh.
> Finally call rsync e.g. with:
>     PASSWORD=<SUDOPASS> rsync -avzue ssh_sudo --rsync-path "sudo -S rsync" SRC DST
>
> I guess the security aspect here is not that bad, you'll only have to save the password locally as env var. Reading it from a file should work as well...

As it doesn't need an askpass-script on the target side, but uses a wrapper for ssh on the HOST side to inject the password from an environment variable, it's pretty convenient for my use case. Plus, there's the added bonus of not having the password logged anywhere.

Ideally, I would now like to get rid of the helper script, so it's a single rsync command that is left. I'm struggling with this but there'll hopefully be some bash quoting wizards that can tell me where the issue is. My (non-working) attempt:

    PASSWORD=<SUDOPASS> rsync -vv --delete-after --delay-updates '/bin/sh -c "{ echo $PASSWORD; cat - ; } | ssh -i ~/.ssh/id.key $* &"' --rsync-path='sudo -S rsync' ./SRCDIR USER at HOST:DSTDIR

This gets mangled by rsync in some non-working way, but I actually don't understand enough of shell magic to solve this:

    opening connection using: /bin/sh -c "{ echo $PASSWORD; cat - ; } | ssh -i ~/.ssh/id.key $* &" -l USER HOST "sudo -S rsync" --server -vvvlDtrze.iLsfxCIvu "--log-format=%i" --delete-after --delay-updates . DESTDIR (14 args)
    ssh: Could not resolve hostname USER: nodename nor servname provided, or not known
    rsync: connection unexpectedly closed (0 bytes received so far) [sender]
    rsync error: error in rsync protocol data stream (code 12) at io.c(228) [sender=3.2.3]

So it seems the "-l" is dropped into the void letting ssh assume USER was the target host? I don't actually get what I can do.

Anyway, I think the original answer on "ask ubuntu" is quite helpful. Unfortunately, I don't have enough "reputation points" to upvote the answer nor to comment.

Happy syncing,
Mark
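Added example (the editor's, not code from either message or from the rsync project): an offline stand-in for the ssh_sudo wrapper quoted above. The password is read from an environment variable called SUDO_PASS (a name chosen here), and the command to pipe into is passed as an argument, so `cat` can stand in for ssh and the pipeline can be exercised locally. The second function writes the same wrapper as a single `sh -c` string of the kind rsync's -e option receives, and the third shows what `sh -c` does with the first trailing argument, which is where the `-l` in the log above goes.

```shell
#!/bin/sh
# Editor's example, not from the thread: local demonstration of the
# "emit the sudo password first, then forward stdin" wrapper idea.
# The password lives only in the wrapper's environment (SUDO_PASS is an
# assumed name), never on the rsync or ssh command line.

# feed_then_forward CMD [ARGS...]
# Prints $SUDO_PASS followed by everything on our own stdin, then pipes
# that stream into CMD with its ARGS passed through untouched.
feed_then_forward() {
    { printf '%s\n' "$SUDO_PASS"; cat; } | "$@"
}

# The same wrapper as a one-line `sh -c` string, i.e. the shape an inline
# rsync -e value would have. The "_" supplied right after the script is
# deliberate: with `sh -c SCRIPT`, the first trailing argument becomes $0,
# not $1, so without a placeholder the first real option the caller appends
# (such as ssh's "-l USER") is silently consumed instead of forwarded.
# SUDO_PASS must be exported so the inner sh can see it.
feed_then_forward_inline() {
    sh -c '{ printf "%s\n" "$SUDO_PASS"; cat; } | "$@"' _ "$@"
}

# Returns the value an `sh -c` script sees as $0 when no placeholder is given,
# demonstrating which argument is swallowed.
swallowed_arg0() {
    sh -c 'printf "%s" "$0"' "$@"
}

# Usage (constructed input, no remote host involved):
#   export SUDO_PASS=hunter2
#   printf 'payload\n' | feed_then_forward cat
#   swallowed_arg0 -l USER HOST
```

Because the password is supplied from an environment variable, the wrapper should be run from a non-interactive session or with the variable sourced from a file readable only by the invoking user; if SUDO_PASS is unset, the wrapper sends an empty line and sudo simply rejects it.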