how to use sudo in combination with GUI scp tool - SSH


  1. how to use sudo in combination with GUI scp tool

    Hi people,
    need some help since my company introduced SOX.
    Users are used to viewing/editing files on Unix box through WinSCP
    tool. But with SOX they are not allowed any more to login as group
    account but with own user account thus preventing them from editing the
    files on UX via WinSCP.
    Users want to keep the functionality of WinSCP.
    Solution could be to use the sudo functionality in combination with scp
    (WinSCP supports this) but requirement here is that sudo does not
    prompt you for a password. This is not SOX compliant so our setup of
    sudo requires prompting for passwords.
    How to get around this ?
    Is there another GUI for my users who does support scp in combination
    with sudo who prompts for pwd ?
    Thanks a lot for any advice.
    http://winscp.net/eng/docs/faq_su


  2. Re: how to use sudo in combination with GUI scp tool

    >>>>> "2BILD" == 2BILD writes:

    2BILD> Hi people, need some help since my company introduced SOX.
    2BILD> Users are used to viewing/editing files on Unix box through
    2BILD> WinSCP tool. But with SOX they are not allowed any more to
    2BILD> login as group account but with own user account thus
    2BILD> preventing them from editing the files on UX via WinSCP.

    1) What is "SOX?" I thought perhaps you meant SOCKS
    (http://www.faqs.org/rfcs/rfc1928.HTML), but the rest of your text
    doesn't seem to support that (although I can't quite tell).

    2) If I understand you, the simplest answer is just to arrange permissions
    so the correct set of users are allowed to write the appropriate
    files. Which is better than having them all use a single shared
    account, anyway.

    --
    Richard Silverman
    res@qoxp.net


  3. Re: how to use sudo in combination with GUI scp tool

    1. SOX = Sarbanes-OXley
    http://www.sarbanes-oxley.com/
    for IT this is a regulation which you could apply so that you have
    traceability e.g. where does this number come from, who changed which
    file, who may edit this file, .....

    2. Arrange permissions so the correct set of users are allowed to write
    the appropriate
    files : indeed, this may be the best way but is not applicable to
    me....too many files, too many users, complex way of requesting
    permissions....would take tremendous resources to implement this
    This is not possible for me. Need something that does not involve
    change the attributes of my files (owner, permissions, ....).


  4. Re: how to use sudo in combination with GUI scp tool

    >>>>> "2BILD" == 2BILD writes:

    2BILD> 1. SOX = Sarbanes-OXley http://www.sarbanes-oxley.com/ for IT

    Ah -- I know about Sarbanes-Oxley; I just hadn't seen that abbreviation before.

    2BILD> 2. Arrange permissions so the correct set of users are allowed
    2BILD> to write the appropriate files : indeed, this may be the best
    2BILD> way but is not applicable to me....too many files, too many
    2BILD> users, complex way of requesting permissions...

    Well then, you might have scp to these accounts run an alternate script on
    the server side, which uses sudo to invoke scp as the shared user (passing
    on the arguments as required to make it work, etc.). Write a NOPASSWD
    sudo rule allowing scp for these accounts. The combination of the SSH and
    sudo logs may give you sufficient auditability.

    --
    Richard Silverman
    res@qoxp.net
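The wrapper Richard sketches above, written out as an added example (not code from this thread, from Richard, or from WinSCP). Every name in it is an assumption: a shared account `appshared`, an editable tree `/srv/app`, the wrapper installed at `/usr/local/libexec/shared-scp` as the forced command in each editor's `authorized_keys`, and a sudoers rule that permits only the canonical `scp` forms the wrapper rebuilds. Because the forced command is pinned to the key, sshd's own log records which personal key ran it, and sudo's log records the switch to the shared account; together that is the audit trail he mentions.

```shell
#!/bin/sh
# shared-scp: forced-command wrapper in the spirit of Richard's suggestion.
# Added example, not code from this thread. Assumed names: shared account
# "appshared", editable tree /srv/app, wrapper installed at
# /usr/local/libexec/shared-scp and pinned in each editor's ~/.ssh/authorized_keys:
#   command="/usr/local/libexec/shared-scp" ssh-rsa AAAA...
# The companion sudoers rule (also assumed) allows only the command forms this
# script rebuilds, so a user who also has a shell cannot widen it:
#   %app-editors ALL=(appshared) NOPASSWD: /usr/bin/scp -t /srv/app/*, \
#       /usr/bin/scp -f /srv/app/*, /usr/bin/scp -r -t /srv/app/*, \
#       /usr/bin/scp -r -f /srv/app/*
ALLOWED_ROOT=/srv/app
SHARED_USER=appshared
SCP_BIN=/usr/bin/scp

# validate_scp_request "<SSH_ORIGINAL_COMMAND>"
# Accepts exactly "scp [-r] -t|-f <path>" (what an scp client sends to the
# remote side) with <path> inside ALLOWED_ROOT, prints the canonical argument
# list on stdout, and returns 1 for anything else.
validate_scp_request() {
    set -f                      # split on whitespace without pathname expansion
    set -- $1
    set +f
    [ "$#" -ge 3 ] && [ "$1" = scp ] || return 1
    shift
    mode='' recurse=''
    while [ "$#" -gt 1 ]; do
        case $1 in
            -t|-f) [ -z "$mode" ] || return 1; mode=$1 ;;
            -r)    recurse=-r ;;
            *)     return 1 ;;  # -S, -o, a second path, anything unexpected
        esac
        shift
    done
    [ -n "$mode" ] || return 1
    path=$1
    case $path in
        "$ALLOWED_ROOT"|"$ALLOWED_ROOT"/*) ;;   # must be the permitted tree or below it
        *) return 1 ;;
    esac
    case "/$path/" in
        */../*|*'*'*|*'?'*|*'['*) return 1 ;;   # no traversal, no glob characters
    esac
    printf '%s' "${recurse:+$recurse }$mode $path"
}

# Dispatch only when sshd handed us a client command; otherwise the file is
# merely being sourced and only defines the function above.
if [ -n "${SSH_ORIGINAL_COMMAND:-}" ]; then
    if args=$(validate_scp_request "$SSH_ORIGINAL_COMMAND"); then
        logger -p auth.info -t shared-scp "${USER:-?} -> $SHARED_USER: scp $args"
        # $args is deliberately unquoted: it is our own space-separated canonical list
        exec sudo -u "$SHARED_USER" "$SCP_BIN" $args
    fi
    logger -p auth.notice -t shared-scp "refused for ${USER:-?}: $SSH_ORIGINAL_COMMAND"
    echo "shared-scp: request not permitted" >&2
    exit 1
fi
```

Two points a reviewer would check: the wrapper rebuilds the argument list rather than passing the client's string through, so the sudoers patterns only ever see the four shapes listed in the comment, and the sudoers rule names those shapes rather than `scp *`, so nothing is gained by calling `sudo` directly from an interactive shell. This is still a NOPASSWD rule, which is exactly the setting the original poster says his site forbids; the audit argument here rests on sshd and sudo logging, not on the second password.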


  5. Re: how to use sudo in combination with GUI scp tool

    Richard,

    that could be a solution for cases where NOPASSWD is allowed. This is
    the core of my problem : SOX rules at my site do not allow sudo with
    NOPASSWD. It only allows sudo with prompting for a password. And that
    is not supported by winscp. But maybe another tool does support this.
    Question is : which tool ?


  6. Re: how to use sudo in combination with GUI scp tool

    >>>>> "2BILD" == 2BILD writes:

    2BILD> Richard, that could be a solution for cases where NOPASSWD is
    2BILD> allowed. This is the core of my problem : SOX rules at my site
    2BILD> do not allow sudo with NOPASSWD. It only allows sudo with
    2BILD> prompting for a password.

    Well, that's stupid. How about using a non-password SSH authentication
    method (publickey, hostbased, Kerberos) to allow the users to access the
    shared account directly via SSH?

    --
    Richard Silverman
    res@qoxp.net


  7. Re: how to use sudo in combination with GUI scp tool

    thanks for the effort Richard but if we allow the users to access the
    system using the shared account, we lose traceability (we do not see any
    more which user logged in and did what). We are obliged in near future
    to login with our own personal account, shared accounts will be
    "locked" soon.
    Actually, I already use for myself ssh authentication with
    private/public key. Works fine. But I need a sftp/scp tool where users
    login with their own account and then can do a sudo to the shared
    account (after giving the sudo password of their own account).


  8. Re: how to use sudo in combination with GUI scp tool

    >>>>> "2BILD" == 2BILD writes:

    2BILD> thanks for the effort Richard but if we allow the users to
    2BILD> access the system using the shared account, we lose traceability
    2BILD> (we do not see any more which user logged in and did what).

    Not true. Both hostbased and Kerberos authentication will log which
    identity accessed which account. You also get that with sudo. A
    prohibition on NOPASSWD sudo is not security; it's bureaucratic rule-making
    pretending to be security. You need a controlled, audited way to allow
    one account to run a specific program under another account. sudo gives
    you that. The user has already been authenticated.

    2BILD> But I need a sftp/scp tool where users login with their own
    2BILD> account and then can do a sudo to the shared account (after
    2BILD> giving the sudo password of their own account).

    Well, all I can think of is to find a PAM module that replicates the
    function of sudo, and use keyboard-interactive authentication. This will
    let you force your users to type their passwords twice in a row. Which
    is, of course, twice as secure.

    --
    Richard Silverman
    res@qoxp.net


  9. Re: how to use sudo in combination with GUI scp tool

    2BILD wrote:
    > Hi people,
    > need some help since my company introduced SOX.
    > Users are used to viewing/editing files on Unix box through WinSCP
    > tool. But with SOX they are not allowed any more to login as group
    > account but with own user account thus preventing them from editing the
    > files on UX via WinSCP.
    > Users want to keep the functionality of WinSCP.
    > Solution could be to use the sudo functionality in combination with scp
    > (WinSCP supports this) but requirement here is that sudo does not
    > prompt you for a password. This is not SOX compliant so our setup of
    > sudo requires prompting for passwords.
    > How to get around this ?
    > Is there another GUI for my users who does support scp in combination
    > with sudo who prompts for pwd ?
    > Thanks a lot for any advice.
    > http://winscp.net/eng/docs/faq_su
    >


    What about using ACL's to control file access?
    --
    To reply by email remove "_nospam"

  10. Re: how to use sudo in combination with GUI scp tool

    2BILD wrote:
    > Hi people,
    > need some help since my company introduced SOX.
    > Users are used to viewing/editing files on Unix box through WinSCP


    The two requirements seem opposed in my view. Surely this lack of
    security on your files is exactly what SOX audits are supposed to
    pinpoint and get you to remove?

    If you implement SOX and then find a way around it so that everyone and
    their granny can view/edit files via a shared account, then what is the
    point of SOX?

    JohnK

  11. Re: how to use sudo in combination with GUI scp tool

    In comp.security.ssh 2BILD :
    > 1. SOX = Sarbanes-OXley
    > http://www.sarbanes-oxley.com/
    > for IT this is a regulation which you could apply so that you have
    > traceability e.g. where does this number come from, who changed which
    > file, who may edit this file, .....


    > 2. Arrange permissions so the correct set of users are allowed to write
    > the appropriate
    > files : indeed, this may be the best way but is not applicable to
    > me....too many files, too many users, complex way of requesting
    > permissions....would take tremendous resources to implement this
    > This is not possible for me. Need something that does not involve
    > change the attributes of my files (owner, permissions, ....).


    Rubbish, you can set GID on directories and change files to the
    proper group finally make users part of this group. It doesn't
    matter if there are 5 or 500000 files, you use standard unix
    tools* like 'find' to change permissions and alike in one go.

    *Perhaps xargs in addition if you find 'find' is too limited. ;-)

    Good luck

    BTW
    Please try below URL(s) before answering, most people aren't
    using a browser here to read/write, this is usenet.

    http://www.safalra.com/special/googlegroupsreply
    http://cfaj.freeshell.org/google
    --
    Michael Heiming (X-PGP-Sig > GPG-Key ID: EDD27B94)
    mail: echo zvpunry@urvzvat.qr | perl -pe 'y/a-z/n-za-m/'
    #bofh excuse 306: CPU-angle has to be adjusted because of
    vibrations coming from the nearby road
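Michael's recipe (one group owns the tree, directories carry the setgid bit so new files inherit that group, `find` applies it in one pass) as an added example; this is not the poster's own script. The group name `appedit` and the tree `/srv/app` are assumptions, and the demo function builds its own scratch tree so it never touches a real path.

```shell
#!/bin/sh
# Added example, not the poster's own script: hand a whole tree to one group the
# way Michael describes, using find so the number of files does not matter.
# Assumed names: group "appedit", tree /srv/app
#   usage: grant_group_tree appedit /srv/app && verify_group_tree appedit /srv/app

# grant_group_tree GROUP ROOT
grant_group_tree() {
    chgrp -R -- "$1" "$2"                             # every file and directory to GROUP
    # directories: group rwx plus setgid so files created inside inherit GROUP;
    # drop world write while we are at it
    find "$2" -type d -exec chmod g+rwxs,o-w '{}' +
    # regular files: group read/write, no world write
    find "$2" -type f -exec chmod g+rw,o-w '{}' +
}

# verify_group_tree GROUP ROOT: succeed only if nothing in ROOT escaped the policy
# (wrong group, a directory without setgid and group rwx, or a file without group rw).
# -perm -2070 = all of setgid + group rwx set; -perm -060 = group rw set.
verify_group_tree() {
    stray=$(find "$2" ! -group "$1" -o -type d ! -perm -2070 -o -type f ! -perm -060)
    [ -z "$stray" ]
}

# Stand-alone demonstration on a constructed scratch tree, using the caller's
# own primary group so it runs anywhere. Returns 0 when the tree verifies.
demo_group_tree() {
    g=$(id -gn)
    root=$(mktemp -d)
    mkdir -p "$root/conf/sub" && printf 'x\n' > "$root/conf/app.ini"
    chmod 0700 "$root/conf" && chmod 0600 "$root/conf/app.ini"   # start locked down
    grant_group_tree "$g" "$root"
    if verify_group_tree "$g" "$root"; then rc=0; else rc=1; fi
    rm -rf "$root"
    return $rc
}
```

The setgid bit only fixes the group of new files; their mode still comes from the creating user's umask, so editors need a umask such as `002` (or the shared group gets read-only copies of what they upload). On Linux the ACL variant Chuck and wolfgang mention is the same idea without touching ownership: `setfacl -R -m g:appedit:rwX /srv/app` for existing entries plus `setfacl -R -d -m g:appedit:rwX /srv/app` as the default ACL that new files inherit.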

  12. Re: how to use sudo in combination with GUI scp tool

    Chuck schrieb:
    > 2BILD wrote:
    >> Hi people,
    >> need some help since my company introduced SOX.
    >> Users are used to viewing/editing files on Unix box through WinSCP
    >> tool. But with SOX they are not allowed any more to login as group
    >> account but with own user account thus preventing them from editing the
    >> files on UX via WinSCP.
    >> Users want to keep the functionality of WinSCP.
    >> Solution could be to use the sudo functionality in combination with scp
    >> (WinSCP supports this) but requirement here is that sudo does not
    >> prompt you for a password. This is not SOX compliant so our setup of
    >> sudo requires prompting for passwords.
    >> How to get around this ?
    >> Is there another GUI for my users who does support scp in combination
    >> with sudo who prompts for pwd ?
    >> Thanks a lot for any advice.
    >> http://winscp.net/eng/docs/faq_su
    >>

    >
    > What about using ACL's to control file access?


    Yes, I also think this is the appropriate method for this purpose.
    Use group-Permissions or ACL, maybe RBAC or Rules, if using Solaris 9/10
    or similar. Sudo is built to give permissions for uids and processes,
    not for files.

    If you want traceability, Solaris has BSM Auditing, maybe it is
    supported by SOX.

    Is SOX a product or a standard/guideline?



  13. Re: how to use sudo in combination with GUI scp tool


    wolfgang wrote:
    > Chuck schrieb:
    >> 2BILD wrote:
    >>> Hi people,
    >>> need some help since my company introduced SOX.
    >>> Users are used to viewing/editing files on Unix box through WinSCP
    >>> tool. But with SOX they are not allowed any more to login as group

    [snip]
    > Is SOX a product or a standard/guideline?


    More likely a reference to the US Sarbanes-Oxley legislation for
    corporate accountability that's causing headaches in the IT world these
    days.


    --

    Lew Pitcher, IT Specialist, Corporate Technology Solutions,
    Enterprise Technology Solutions, TD Bank Financial Group

    (Opinions expressed here are my own, not my employer's)
