WinSCP & changing user on login via sudo

[setsuid]

[RESOLVED] WinSCP & changing user on login via sudo

Hello everyone! So my server was recently hit with the circulating rootkit exploit. As a result, I've done an OS reload and installed some great security applications - RKHunter, ClamAV, MalDet and CSF.. All setup and working great thanks to much help of the good folks of this forum.. Thank you!

I've also done much of the system security stuff - SSH key authentication- no password, no root login and changed SSH port.

Since there is no root login, the only problem with the setup is SFTP, when I need to make changes to a file that requires root permission.

I was using FileZilla, but switched to WinSCP since it was stated solved such a problem. Per the WinSCP doc @ How do I change user after login (e.g. su root)? :: WinSCP .. By making a change to your "sudoers" file, adding a switch in the WinSCP configuration, you should be all set. For some reason, it's not working out that way.

Errors range from "permission denied", "is the tftp server running", etc

I have a user who I've added to the "wheel" and I've uncommented the lines in the sudoers config

## Allows people in group wheel to run all commands
%wheel  ALL=(ALL)       ALL

## Same thing without a password
%wheel  ALL=(ALL)       NOPASSWD: ALL

This still does nothing.

I know that the sudo is working just fine and as configured..

user@hostname [~]# su
Password: 
su: incorrect password
user@hostname [~]# sudo su
user@hostname [/home/user]#

The problem appears to be with WinSCP and that whole switch/change of user.. I've searched, but have not posted on the WinSCP forums. Figured I'd start here since this may be a common need and issue for folks.

So I ask - does anyone have this working? If not, but you have the same needs as I mentioned here - how do you do it? I'm open to options.

Thanks everyone!

 

[setsuid]

Resolved! Proud, but embarrassed to say - it was my mistake. I failed to read the last line of the WinCSP doc.. LOL

Note that as WinSCP cannot implement terminal emulation, you need to have sudoers option requiretty turned off (what is default).

But, because of the heightened security I've implemented I didn't want to disable tty across the board, so I've disabled it for my user only.

I'll post the solution to hopefully help someone else.. This is specifically for SFTP FULL access and no password when using sudo as the specific user

nano -w /etc/sudoers

## Allow root to run any commands anywhere
myuser       ALL=NOPASSWD: ALL

# Disable "ssh hostname sudo <cmd>", because it will show the password in clear.
#         You have to run "ssh -t hostname sudo <cmd>".
#
Defaults:myuser    !requiretty

Not concerned with passwords since I'm using SSH keys..

I've commented the following back

## Allows people in group wheel to run all commands
#%wheel  ALL=(ALL)       ALL

## Same thing without a password
#%wheel  ALL=(ALL)       NOPASSWD: ALL

In WinSCP for the session of the particular user:
Environment -> SFTP [Protocol Options] - SFTP server:

sudo /usr/libexec/openssh/sftp-server

Environment -> SCP/Shell [Shell] - Shell:

sudo su

Thanks again everyone and sorry for taking 5 minute of your life you cant get back :p