http://www.perlmonks.org?node_id=876749

wanradt has asked for the wisdom of the Perl Monks concerning the following question:

Fellow devoted,

I have problem which i have not found good solution.

There is three (Linux) users A, B and C who scan images to ~/images/scan
They should upload those pics to the remote server where they don't have accounts.
Therefor is user X, who has access to remote server, but who has no access to user's home directories.

So far i had the "remote server" in my LAN and i did not worry about plain text password too much. I made perl script, which runs with setgid and get by group rights credentials to local FTP-server but run with user's permission, so it had access to home directory trees.

Now i have "remote server" far away and wanted to work out something more secure and without passwords. scp with authorized keys seemed very good way for this.

So first i tried with Net::SCP, but if runned it with setuid in user X rights, it could access server, but not users Homes. And if runned it with setgid, it has access to local homes, but can't access remote server. Main problem: i did not get Net::SCP to use user X's identity files.

So i moved to Net::SCP::Expect, which should use identity files. Made such simple test script:

#!/usr/bin/suidperl # running setgid to get access to identity file use strict; use warnings; my %c; $ENV{PATH} = ''; $c{user} = 'www'; $c{remote} = '192.168.1.3'; $c{identity} = "/etc/pass/id_rsa"; # readable root.special_group use Net::SCP::Expect; my $scpe = Net::SCP::Expect->new(host=>$c{remote}, user=>$c{user}, identity_file=>$c{identity} ); $scpe->scp("/home/eks/profiles.ini", "/home/www/");


Error i got is EXACTLY such one
 at /usr/share/perl5/Expect.pm line 759 not found

I have no power to understand, what this means. Seems like bug to me.

I just have no good ideas more. Maybe i just invent wheel here and some could suggest me something more simple?

I don't want loose presmissions to users, but they should get those pics uploaded in some secure way. Perl and CLI are prefferred

TIA!
Nġnda, WK

Replies are listed 'Best First'.
Re: Secure upload without account in remote server
by Anonymous Monk on Dec 12, 2010 at 20:38 UTC
    So first i tried with Net::SCP, but if runned it with setuid in user X rights, it could access server, but not users Homes. And if runned it with setgid, it has access to local homes, but can't access remote server. Main problem: i did not get Net::SCP to use user X's identity files.

    This should be easy to solve, divide and conquer

    $ cat wanradtXXX.pl #!/usr/bin/perl -- use autodie; ## system $^X, 'wanradtXXX.pl', '--ReadImages'; ## system $^X, 'wanradtXXX.pl', '--UploadImages'; system $^X, 'wanradtXXXReadImages.pl'; system $^X, 'wanradtXXXUploadImages.pl';

    Oh, and BTW, I hear suidperl doesn't exist anymore :)

      Thank you, i get rid of suidperl. But i have some "thinking" bug in power. So, i can't make a script which scp-s files to remote server in other user rights. Should i?

      Minimized script:

      #!/usr/bin/perl use strict; use warnings; use Net::SCP qw( scp iscp ); my $scp = Net::SCP -> new( '192.168.1.3', 'X' ); $scp->put( 'file.jpg' ) or die $scp->{errstr};

      Even showing effective user (with POSIX) and effective group as user X and needed group, scp is still runned under runner user. (This i guess, because i don't see any debugging interface in Net::SCP. And if i try make scp with "system 'scp -v ...'" i see it still does not use setuid/setgid)

      So i still have no solution to scp files to remote server without explicitly giving permissions to users.
      Nġnda, WK