comment on

Firstly let me say that embedding roots password in a script (any script) is very nasty and should be avoided at all cost!

Since you don't seem to have a requirement to capture the output of the ssh command then the best solution (security wise) is to add a crontab entry on each host to run the script. No cross network priveledges required.

If that is not a feasible option for some reason that you have not given us then read up on SSH forced commands. Basically a forced command is an SSH key pair which allows the running of only commands that you specify. It can be used with root with reasonable safety. If you use perl for your forced command (of course!) then you can switch on taint mode and basically treat it like a CGI (ie don't trust anything!). I have been meaning to write a tutorial on perl/ssh forced commands, here is some sample code for you-

Sample call of ssh forced command using open3 so we can capture STDOUT & STDERR and also talk to STDIN (if required) on the remote host:

    my $ssh = "/usr/local/bin/ssh";
    my @ssh_cmd_to_run=($ssh, "-i", $key_file, "user\@$host", "scriptn
+ame", "options");
    open3(*SSH_IN, *SSH_OUT, *ERROR, @ssh_cmd_to_run);
    print SSH_IN $parameters_you_dont_want_seen;
    close(SSH_IN);
    my $return = <SSH_OUT>;
    close(SSH_OUT);
    my @error=<ERROR>;
    close(ERROR);
[download]

Sample ssh forced command would be something like this (untested)-

#!/usr/bin/perl -wT
#

BEGIN {
    delete @ENV{qw(IFS CDPATH ENV BASH_ENV)};
    $ENV{PATH} = "";
}
use strict;

process_ssh_command($ENV{SSH_ORIGINAL_COMMAND});
exit;

sub process_ssh_command {
    my $ssh_command =  shift || '';
    if ( ! $ssh_command ){
        print "Error: You must specify the command to run\n";
        return;
    }
    if ( $ssh_command =~ /^scriptname\s+(options_regex)$/ ){
        my $options= $1 || '';
        # do something if options not set
        chomp(my $stdin = <STDIN>); # if you need it
        # untaint stdin
        system("/path/to/scriptname", $options);
        return;
    }
    print "Error: Unknown command or incorrect format \"$ssh_command\"
+\n";
    return;
}
[download]

I would tend to make the error messages terse so as not to give any information away to any-one snooping!

In roots SSH authorized keys the forced command key would look something like this- command="/path/to/forced_command.pl" ssh-dss ......

Update:If you look in the sshd(8) manpage under AUTHORIZED_KEYS FILE FORMAT the command="command" section describes this mechanism.

--
my $chainsaw = 'Perl';

In reply to Re: Running Perl program w/root privs via cron by greenFox
in thread Running Perl program w/root privs via cron by virtualsue

Are you posting in the right place? Check out Where do I post X? to know for sure.
Posts may use any of the Perl Monks Approved HTML tags. Currently these include the following:
<code> <a> <b> <big> <blockquote> <br /> <dd> <dl> <dt> <em> <font> <h1> <h2> <h3> <h4> <h5> <h6> <hr /> <i> <li> <nbsp> <ol> <p> <small> <strike> <strong> <sub> <sup> <table> <td> <th> <tr> <tt> <u> <ul>
Snippets of code should be wrapped in <code> tags not <pre> tags. In fact, <pre> tags should generally be avoided. If they must be used, extreme care should be taken to ensure that their contents do not have long lines (<70 chars), in order to prevent horizontal scrolling (and possible janitor intervention).
Want more info? How to link or How to display code and escape characters are good places to start.


good chemistry is complicated, and a little bit messy -LW
	PerlMonks