WinSCP & changing user on login via sudo

setsuid

Registered
Oct 2, 2012
4
0
1
cPanel Access Level
Root Administrator
[RESOLVED] WinSCP & changing user on login via sudo

Hello everyone! So my server was recently hit with the circulating rootkit exploit. As a result, I've done an OS reload and installed some great security applications - RKHunter, ClamAV, MalDet and CSF.. All setup and working great thanks to much help of the good folks of this forum.. Thank you! :)

I've also done much of the system security stuff - SSH key authentication- no password, no root login and changed SSH port.

Since there is no root login, the only problem with the setup is SFTP, when I need to make changes to a file that requires root permission.

I was using FileZilla, but switched to WinSCP since it was stated solved such a problem. Per the WinSCP doc @ How do I change user after login (e.g. su root)? :: WinSCP .. By making a change to your "sudoers" file, adding a switch in the WinSCP configuration, you should be all set. For some reason, it's not working out that way.

Errors range from "permission denied", "is the tftp server running", etc

I have a user who I've added to the "wheel" and I've uncommented the lines in the sudoers config
Code:
## Allows people in group wheel to run all commands
%wheel  ALL=(ALL)       ALL

## Same thing without a password
%wheel  ALL=(ALL)       NOPASSWD: ALL
This still does nothing.

I know that the sudo is working just fine and as configured..

Code:
[email protected] [~]# su
Password: 
su: incorrect password
[email protected] [~]# sudo su
[email protected] [/home/user]#
The problem appears to be with WinSCP and that whole switch/change of user.. I've searched, but have not posted on the WinSCP forums. Figured I'd start here since this may be a common need and issue for folks.

So I ask - does anyone have this working? If not, but you have the same needs as I mentioned here - how do you do it? I'm open to options.

Thanks everyone!
 
Last edited:

setsuid

Registered
Oct 2, 2012
4
0
1
cPanel Access Level
Root Administrator
Resolved! Proud, but embarrassed to say - it was my mistake. I failed to read the last line of the WinCSP doc.. LOL

Note that as WinSCP cannot implement terminal emulation, you need to have sudoers option requiretty turned off (what is default).
But, because of the heightened security I've implemented I didn't want to disable tty across the board, so I've disabled it for my user only.

I'll post the solution to hopefully help someone else.. This is specifically for SFTP FULL access and no password when using sudo as the specific user

Code:
nano -w /etc/sudoers
Code:
## Allow root to run any commands anywhere
myuser       ALL=NOPASSWD: ALL

# Disable "ssh hostname sudo <cmd>", because it will show the password in clear.
#         You have to run "ssh -t hostname sudo <cmd>".
#
Defaults:myuser    !requiretty
Not concerned with passwords since I'm using SSH keys..

I've commented the following back
Code:
## Allows people in group wheel to run all commands
#%wheel  ALL=(ALL)       ALL

## Same thing without a password
#%wheel  ALL=(ALL)       NOPASSWD: ALL
In WinSCP for the session of the particular user:
Environment -> SFTP [Protocol Options] - SFTP server:
Code:
sudo /usr/libexec/openssh/sftp-server
Environment -> SCP/Shell [Shell] - Shell:
Code:
sudo su
Thanks again everyone and sorry for taking 5 minute of your life you cant get back :p