I want to create a folder on a remote EC2 instance from another EC2 Instance and then copy some data into it as well.
I tried to create folder using JSch and passing command sudo mkdir /data but the error I get is sudo: sorry, you must have a tty to run sudo.Without sudo also, I am unable to create folder. I tried to use ((ChannelExec) channel).setPty(true) and by using this I can create the folder but afterwards I am unable to copy any data and even cant ssh the EC2 Instance from commandline .(if i create folder manualy then copying data is done successfully). can someone please guide me that what should be the way to do it.Thanks
How about following example?
http://www.jcraft.com/jsch/examples/Sudo.java.html
I am not familiar with JSch. But if you have root access, you can update your sudoers configuration file to get around this. Add the following line to /etc/sudoers
Defaults:USERNAME_HERE !requiretty
Maybe someone else can elaborate on whether this is a bad idea or not, that's beyond the scope of my knowledge, but I'd love to know more?
I only use this approcah in one specific situation. We have a cronjob that backs up a cluster of remote servers via rsync, but for rsync to run successfully, it needs sudo privileges.
To get around this I did the following-
Created a user "backupuser" - On both servers local & remote
Added the following two lines to /etc/sudoers - Only needed on the server you want to grant sudo privileges to the user on. In our case, only on the remote server.
backupuser ALL = NOPASSWD: /usr/bin/rsync
DEFAULTS:backupuser !requiretty
Adding these two lines grants the user, 'backupuser' sudo privileges for rsync command without the need to enter a password and without the required tty connection.
Here's how it works-
The first line breaks down into two parts.
USER SPECIFICATION OPTION_TAG (: CONDITIONS(opt))
USER SPECIFICATION - this sets the user that these options apply(s) too.
backupuser
OPTION_TAG - the tag for the option you what to grant. In this case, the user is granted sudo privileges without having the enter a password. (see man sudoers for a list of tags available)
ALL = NOPASSWD
CONDITIONS - You also have the option to place conditions on when to grant sudo privileges. In this case, the user only has sudo privileges to run the rsync command.
: /usr/bin/rsync
The second line, overrides the default requirement of the sudo command that you need a terminal connection to run sudo (tty requirement). And it grants this privilege only to the user account 'backupuser'. (See man sudoers for the other DEFAULTS)
DEFAULTS:backupuser !requiretty
Hope this helps answer your question. I know it went on a bit of a tangent, but I wanted to give a full explanation. For more info you can also checkout man sudo
Related
From Linux command shell I can make SSH connection to our CentOS machine using user ABC. After successful SSH connection, I can run sudo command and no password is required.
sudo /usr/bin/rootsh -i -u root
In JSch program, I make am SSH connection using user ABC and then execute the above command, but it asks me:
[sudo] password for [**ABC**]
I am opening a channel using the following code:
session.openChannel("exec");
I do not understand why it asks for password even no password is required. Also it asks password for ABC, but in my sudo command I have specified user root.
How can I solve this problem?
There's requiretty option in sudoers that you have most probably set.
JSch by does not allocate a pseudo terminal for exec channel.
Remove the requiretty option. That's the only correct option.
If you cannot remove it, you can force JSch to allocate pseudo terminal by calling:
channelExec.setPty(true);
See also Use JSch sudo example and Channel.setPty for running sudo command on remote host.
But that's not a good option, as it can bring you lot of nasty side effects. Pseudo terminal is intended for an interactive use, not for automating command execution.
For some examples, see
Is there a simple way to get rid of junk values that come when you SSH using Python's Paramiko library and fetch output from CLI of a remote machine?
Remove of unwanted characters when I am using JSch to run command
Removing shell stuff (like prompts) from command output in JSch
And the same is true to sudo. You should not automate sudo. The correct solution is to setup a dedicated private key with only privileges needed for your task.
When I ssh into a server, I can see that the PATH variable is set as required with some custom folders added required.
When I try to connect to the same server using com.jcraft.jsch.JSch library in Java, the PATH is set to something else.
/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/usr/games:/usr/local/games
This seems like a out of the box value and doesn't include the custom folders as required. None of the commands that I need to work when I connect through Java unless I give the full path to the executable. I need to connect to different servers and they might be set up with executables in different locations so this is not an option.
I was hoping someone could help me figure out why the ./bashrc file doesn't run when I connect using Java. Should I have to run it manually?
Thanks in advance.
When you connect using command-line SSH, your "default command" is whatever shell you have set up for your username on the remote machine (probably bash, which you can change with chsh), and then bash imports your .bashrc file.
When you connect using JSch, the type of Channel that you open will determine what will be done with your connection. From what I understand about how JSch works, chances are that JSch is not opening bash when it opens the SSH session.
As a general rule of thumb, try using ~/.ssh/environment to set up your PATH instead of .bashrc if the SSH daemon is configured to allow it. This will always be imported before SSH runs any commands, including the shell, so it's more reliable for setting up your PATH.
More info can be found in this Unix StackExchange post about .bashrc, PATH, and SSH, including some alternatives to my answer.
I am calling a C application (console only) from my Java application.
I am calling it with: Process proc = rt.exec("./Debug/CPP_CL --device 0");
The CPP_CL needs access to clinfo() hardware .. so the GPU hardware as its processing on the GPU's. Hence, in this case needs to run as sudo/root.
Its all working fine at the moment but only if I run the Java JAR as sudo. Currently for testing only the CPG is chmod 777 (I know bad).
What I would like to know is what’s the best way to do this ? Will the CPP run as SUDO if called by SUDO java ? Or does it need to be chmod'ed ? If so what’s the best chmod value ?
Thanks.
Running Java with root is, as you said, one possibilty, but not exactly good.
The usual chmod flags (rwx) too won´t help you.
Just call it with a sudo won´t solve anything. Usually, a password is required, and if the java program can enter it (ie. it knows the root password) ... well, then it´s the same as above again.
As said in the comments, you can add a exception to sudo, but there are some catches:
You can only specify a program/script file, but no parameter limitation. You will need a script file which calls ./Debug/CPP_CL --device 0 (better with full path) and add the batch file as exception.
Furthermore, you have to make sure that the script file can´t be modified by users (chmod of the file) and can´t be deleted (chmod of the containing directory). File modification would mean that the modifying user can put anything in it and run it as root, and deletion would let the user place another file there with this name = same effect. Given that, you can call with with sudo.
If you wnat to call it without sudo, make another script file which just calls file 1 with sudo.
Another possibility is the special chmod flag SUID on the program itself (if it is enabled/supported in your distro). But here again, you can´t limit the parameters.
About the data files: A file created by a root program will be owned by root. chmod/chown as root can change that. If you only need to read the file, default umasks will allow that on many systems (if the files are in not-only-root-directories like /root)
Answer:
https://unix.stackexchange.com/questions/18830/how-to-run-a-specific-program-as-root-without-a-password-prompt
This worked.. I was able to sudo from Java and with the above no PWD is required for that application.
I am writing a java program dor Oracle EBS that needs to switch user because of specific permissions defined on an user different than applmgr.
The approach we're taking is to have a java class that will switch user on a separate session and then will list the file from a folder that the new user has access.
Any options available?
So far I could create two shell script files and then I run these shell scripts, one that will store environment variables and the other one will actually switch user and list the files.
Appreciate your help.
you could change the group permissions on the file. You could start a System.process( "su user && cat file" ); You could have the other user copy the file to you using a cronjob...
You can try having Java launch a local command on the system then as part of that command launch another program (far from being very clean, but probably would work)
Check out this Class file for examples on launching local commands:
https://github.com/SnakeDoc/RPi_SerialGPS/blob/master/src/com/vanomaly/rpi/serial/gps/util/System.java
You should be able to use setuid - I expect there is a version available directly in Java, but otherwise, it shouldn't be that hard to make your own JNI code to do that.
However, it may be simpler to run a command that switches user (using su or sudo, for example) and then runs the required Java code.
How I can save file generated by java application in folder with root access?
The straight forward way to do that is to run your application as the root user.
Another solution is to ask to the user the root password. To do that, you have to ask the "su" command of your system. Be careful, your user must have the "wheel" group. Or, you can use sudo (make sure that sudo is installed and configured for the current user).
As caarlos0 said in the comments, you can use "kdesu" or "gtksu/gksudo" if you prefer.
Of course, your application is not portable ! On windows, there's no "su", "sudo", etc.