Dan Stromberg
2022-Mar-12 22:14 UTC
Trying to elevate rsync privileges when connecting over ssh without using NOPASSWD in sudoers
On Sat, Mar 12, 2022 at 12:23 PM Dr. Mark Asbach via rsync <rsync at lists.samba.org> wrote:

> Hi there, hi past me,
>
> > My (non-working) attempt:
> > [...]
> > So it seems the "-l" is dropped into the void letting ssh assume USER
> > was the target host? I don't actually get what I can do.
>
> Turns out, I have to write down the description of my issue and then send
> the email before I magically understand the solution ;-)
>
> Here's a working example that does not need a wrapper script:
>
> PASSWORD=<SUDOPASS> rsync -vv --delete-after --delay-updates -e '/bin/sh -c
> "{ echo $PASSWORD; cat - ; } | ssh -i ~/.ssh/id.key $0 $* &"'
> --rsync-path='sudo -S rsync' ./SRCDIR USER@HOST:DSTDIR
>
> The trick was actually to add "$0" because $* will drop the first argument
> from the list as this typically is the name of the script itself (duh!).
>
> Hope this is of help to anyone,

Cool, glad you found a solution you're happy with.

Bear in mind, putting a password in an environment variable can be seen by other users on the same system with "ps auxwwe".
Bri Hatch
2022-Mar-12 22:31 UTC
Trying to elevate rsync privileges when connecting over ssh without using NOPASSWD in sudoers
The environment variables of a process when it was started are available via the /proc/<pid>/environ file. So while other users on that system can't see the environ, every other process running as your target user could.

Worse, however, your "echo" process puts the password in arguments, and any local user can see program name and args for all running processes. That's a no-no.

On Sat, Mar 12, 2022 at 2:14 PM Dan Stromberg via rsync <rsync at lists.samba.org> wrote:

> On Sat, Mar 12, 2022 at 12:23 PM Dr. Mark Asbach via rsync <rsync at lists.samba.org> wrote:
>
>> Hi there, hi past me,
>>
>> > My (non-working) attempt:
>> > [...]
>> > So it seems the "-l" is dropped into the void letting ssh assume USER
>> > was the target host? I don't actually get what I can do.
>>
>> Turns out, I have to write down the description of my issue and then send
>> the email before I magically understand the solution ;-)
>>
>> Here's a working example that does not need a wrapper script:
>>
>> PASSWORD=<SUDOPASS> rsync -vv --delete-after --delay-updates -e '/bin/sh -c
>> "{ echo $PASSWORD; cat - ; } | ssh -i ~/.ssh/id.key $0 $* &"'
>> --rsync-path='sudo -S rsync' ./SRCDIR USER@HOST:DSTDIR
>>
>> The trick was actually to add "$0" because $* will drop the first
>> argument from the list as this typically is the name of the script itself
>> (duh!).
>>
>> Hope this is of help to anyone,
>>
>
> Cool, glad you found a solution you're happy with.
>
> Bear in mind, putting a password in an environment variable can be seen by
> other users on the same system with "ps auxwwe".

-- 
Bri Hatch
"Quite mad, they say. It is good that Zathras does not mind. He's even grown to like it. Oh yes."
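An added example, not code from anyone in the thread: an `rsync -e` wrapper that does what Mark's one-liner does (feed the password to the remote `sudo -S rsync` over stdin) while keeping the secret out of every process's environment and argument list, the two exposures Dan and Bri point out. It reads the password from an owner-only file instead of an environment variable, and because it is a script file, `"$@"` forwards every argument rsync passes, including `-l USER`, so the `$0 $*` trick is not needed. The password-file path, its permission check and the `SUDO_PASS_FILE`/`SSH_KEY` variable names are assumptions of this example.

```shell
#!/bin/sh
# Added example (not from the thread). Wrapper for "rsync -e" that pipes the
# sudo password, then rsync's own protocol stream, into ssh's stdin.
# Assumptions: the password is stored in a file readable only by its owner
# (default $HOME/.sudo_pass, a path chosen for this example) and ends with a
# newline; the ssh key path is the one used in the thread.
set -eu

PASS_FILE="${SUDO_PASS_FILE:-${HOME:-.}/.sudo_pass}"
SSH_KEY="${SSH_KEY:-${HOME:-.}/.ssh/id.key}"

# Refuse a password file whose group or other permission bits are set.
# Uses GNU stat first and falls back to the BSD/macOS form.
check_pass_file() {
    f="$1"
    [ -f "$f" ] || { echo "missing password file: $f" >&2; return 1; }
    perm=$(stat -c '%a' "$f" 2>/dev/null || stat -f '%Lp' "$f")
    case "$perm" in
        *00) return 0 ;;   # e.g. 600 or 400: nobody but the owner can read it
        *) echo "$f is readable by others (mode $perm)" >&2; return 1 ;;
    esac
}

# rsync runs this as: wrapper [-l USER] HOST rsync --server ...
# The password line is written first so "sudo -S" on the remote side consumes
# it; the second cat then forwards rsync's stdin unchanged. The secret is
# only ever a file read and a pipe write, never an argv or environ value.
ssh_with_sudo_pass() {
    check_pass_file "$PASS_FILE"
    { cat "$PASS_FILE"; cat; } | ssh -i "$SSH_KEY" "$@"
}

# Usage: rsync -e ./rsync-ssh-sudo.sh --rsync-path='sudo -S rsync' ./SRCDIR USER@HOST:DSTDIR
if [ "$#" -gt 0 ]; then
    ssh_with_sudo_pass "$@"
fi
```

The only argv that now exists is `cat /path/to/.sudo_pass`, so `ps auxwwe` and /proc/<pid>/environ show the file name, not the password.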