
remote copy to /usr/local/bin

 
 





















Jack Shown
Guest
Posts: n/a

 
      11-04-2009, 07:35 AM


If root is not enabled (other than by sudo), is it possible to scp a
file to a root-owned folder? If so, could you please provide an
example? Thanks a bunch.
 
 
Michael Vilain
Guest
Posts: n/a

 
      11-04-2009, 09:56 AM
In article
<4a4fcec5-bc4c-49ad-8dfa->,
Jack Shown <> wrote:

> If root is not enabled (other than by sudo), is it possible to scp a
> file to a root-owned folder? If so, could you please provide an
> example? Thanks a bunch.


scp is usually used for remote copying. Since remote access via root is
a Bad Idea(tm) unless you implicitly trust the local and remote systems.
Set up a .hosts file on the remote system to allow root access via the
local system, same as rcp.

--
DeeDee, don't press that button! DeeDee! NO! Dee...
[I filter all Goggle Groups posts, so any reply may be automatically ignored]


 
 
Geoffrey S. Mendelson
Guest
Posts: n/a

 
      11-04-2009, 01:59 PM
Michael Vilain wrote:

> scp is usually used for remote copying. Since remote access via root is
> a Bad Idea(tm) unless you implicitly trust the local and remote systems.
> Set up a .hosts file on the remote system to allow root access via the
> local system, same as rcp.


Since one can spoof a host name, I would not recommend it. (unless you are
really creative with host names)

I've not done it with MacOS, but on all my other *NIX systems, I always set
up ssh to accept only a key as valid authentication, as script kiddies have
figured out how to open an ssh session and try various user names and passwords.

While RSA-1 keys are easy to crack if you have the right program, it is unlikely
that someone trying to "hack in" over an internet connection will get it,
and RSA-2 or DSA keys are difficult enough to not worry.

Note there was a debian fork of ssh that reduced all keys to 128 bits,
so make sure you have an up to date version of SSH if you are using a
debian based system. All versions of MacOS's ssh are safe.

If you are accepting connections from outside of your own private, firewalled
network for SSH, use a different port, something relatively high to prevent
someone trying a few to get in.

If you do not want someone who walks up to your Mac to have the capability
of using these keys, you can passphrase protect them. This is different
than passwords, as the authentication is still done by key, however the
key is encrypted on your Mac using the passphrase.

Geoff.

--
Geoffrey S. Mendelson, Jerusalem, Israel N3OWJ/4X1GM
 
 
johnny bobby bee
Guest
Posts: n/a

 
      11-04-2009, 06:05 PM
Jack Shown wrote:
> If root is not enabled (other than by sudo), is it possible to scp a
> file to a root-owned folder? If so, could you please provide an
> example? Thanks a bunch.


Be specific as to what you're trying to achieve.

Or, just copy it as a normal user to your home directory then use sudo
to put it where you want.
 
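The two-step approach suggested above (copy as a normal user, then use sudo to put the file in place), written out for a list of hosts. This is an added example, not part of the original posts; the account name, host names, file name and the root:wheel 0755 ownership are assumptions, and the account is assumed to have sudo rights on each machine.

```shell
#!/bin/sh
# Added example: stage a file as an unprivileged user, then let sudo install it.
# Account, hosts and file name are hypothetical; file names are assumed to
# contain no quote characters.

DEST_DIR=/usr/local/bin

# Print the command when DRY_RUN=1, otherwise execute it.
run() {
    if [ "${DRY_RUN:-0}" = 1 ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# push_one USER HOST LOCAL_FILE
push_one() {
    user=$1 host=$2 src=$3
    name=$(basename "$src")
    # A relative remote path lands in the user's home directory, which other
    # local users cannot write to (unlike a shared temporary directory).
    staged=".staged-$name"
    # Step 1: unprivileged copy over ssh; no root login is involved.
    run scp -p "$src" "$user@$host:$staged" || return 1
    # Step 2: sudo on the remote side copies the file into place with a fixed
    # owner and mode, then the staged copy is removed. -t gives sudo a terminal
    # for its password prompt.
    run ssh -t "$user@$host" \
        "sudo install -o root -g wheel -m 0755 '$staged' '$DEST_DIR/$name' && rm -f '$staged'"
}

# push_all USER LOCAL_FILE HOST...
# Continues past a failing host and returns 1 if any host failed.
push_all() {
    user=$1 src=$2
    shift 2
    failed=0
    for host in "$@"; do
        push_one "$user" "$host" "$src" || { echo "FAILED: $host" >&2; failed=1; }
    done
    return $failed
}
```

Run it with DRY_RUN=1 first to see the exact commands, for example `DRY_RUN=1 push_all admin ./morning-job.sh imac01 imac02`.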
 
Doug Anderson
Guest
Posts: n/a

 
      11-04-2009, 06:10 PM
Jack Shown <> writes:

> If root is not enabled (other than by sudo), is it possible to scp a
> file to a root-owned folder? If so, could you please provide an
> example? Thanks a bunch.


I suppose you could change the privileges on the folder to allow a
non-root user to write files there, though depending on the folder I
suppose there could be some unintended consequences of that.


 
 
Geoffrey S. Mendelson
Guest
Posts: n/a

 
      11-04-2009, 07:59 PM
Doug Anderson wrote:

> I suppose you could change the privileges on the folder to allow a
> non-root user to write files there, though depending on the folder I
> suppose there could be some unintended consequences of that.


The folder in question was /usr/local/bin which is really something that
should be read only except to someone who administers the system. However,
AFAIK it's not used in normal Mac operations, only in command line processes
(terminal.app for example) or XWindows.

This is really UNIX related and not MacOS specific. So I may lose people
who are not fluent in UNIX operations and permissions.

MacOS (at least leopard) supports groupids, and /usr/local/bin is owned by
root, group admin. It's writeable only by root. You could change it to be
writeable by admin (mode 775 instead of 755) which would have the side effect
of allowing any administrator to be able to write to it at any time.

The other possibility is to make a new group, or use wheel (group id 0),
which limits the exposure. I don't know if there is any other problem
caused by this.

Since it most likely will be used by shell scripts or XWindows programs,
you could just create an arbitrary user, for example "fred" and a bin
directory below his home. Then you would make /Users/fred world readable
(which I think it is by default) and the same with /Users/fred/bin.

Then the shell scripts would have /Users/fred/bin added to their path.

This would be better IMHO as there is little security exposure, no changes to
the Apple provided system except for adding the userid in the first place
and putting the directory in /etc/paths.

Geoff.

--
Geoffrey S. Mendelson, Jerusalem, Israel N3OWJ/4X1GM
 
 
Jack Shown
Guest
Posts: n/a

 
      11-06-2009, 09:49 PM
On Nov 4, 10:05 am, johnny bobby bee <stepore-no_spam_...@gmail.com>
wrote:
> Jack Shown wrote:
> > If root is not enabled (other than by sudo), is it possible to scp a
> > file to a root-owned folder? If so, could you please provide an
> > example? Thanks a bunch.

>
> Be specific as to what you're trying to achieve.
>
> Or, just copy it as a normal user to your home directory then use sudo
> to put it where you want.


I have a cronjob which executes every morning on 25 iMac C2Ds. I just
placed it on all 25 iMacs but now I want to modify it and anticipate
wanting to modify it in the future. I don't want to have to sudo on
all 25 iMacs every time. Thanks.
 
 
Jack Shown
Guest
Posts: n/a

 
      11-06-2009, 10:03 PM
On Nov 4, 11:59 am, "Geoffrey S. Mendelson" <g...@mendelson.com>
wrote:
> Doug Anderson wrote:
> > I suppose you could change the privileges on the folder to allow a
> > non-root user to write files there, though depending on the folder I
> > suppose there could be some unintended consequences of that.

>
> The folder in question was /usr/local/bin which is really something that
> should be read only except to someone who administers the system. However,
> AFAIK it's not used in normal Mac operations, only in command line processes
> (terminal.app for example) or XWindows.
>
> This is really UNIX related and not MacOS specific. So I may lose people
> who are not fluent in UNIX operations and permissions.
>
> MacOS (at least leopard) supports groupids, and /usr/local/bin is owned by
> root, group admin. It's writeable only by root. You could change it to be
> writeable by admin (mode 775 instead of 755) which would have the side effect
> of allowing any administrator to be able to write to it at any time.


Wouldn't I need to do a chmod of all three directories as in:

chmod 775 /usr /usr/local /usr/local/bin

Otherwise, wouldn't the group permissions of the parent directory
cause me grief? And, if I did this, does that create a security
hazard?

I guess I could just place the file in ~admin/bin and create a hard
link to it in /usr/local/bin on each machine or just modify
/etc/crontab on each machine. Then I could always do the scp without
issues.

Thanks for your help.


> The other possibility is to make a new group, or use wheel (group id 0),
> which limits the exposure. I don't know if there is any other problem
> caused by this.
>
> Since it most likely will be used by shell scripts or XWindows programs,
> you could just create an arbitrary user, for example "fred" and a bin
> directory below his home. Then you would make /Users/fred world readable
> (which I think it is by default) and the same with /Users/fred/bin.
>
> Then the shell scripts would have /Users/fred/bin added to their path.
>
> This would be better IMHO as there is little security exposure, no changes to
> the Apple provided system except for adding the userid in the first place
> and putting the directory in /etc/paths.
>
> Geoff.
>
> --
> Geoffrey S. Mendelson, Jerusalem, Israel g...@mendelson.com N3OWJ/4X1GM


 
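A check for the question raised above about chmod 775 on /usr, /usr/local and /usr/local/bin, as an added example that is not part of the original posts. Creating a file needs write and search permission on the target directory only, with search (x) on its ancestors, so the function below walks the chain and reports each directory that group or others can write to; the function names and the optional STOP argument are assumptions made for the example.

```shell
#!/bin/sh
# Added example: report every directory between DIR and STOP (default /)
# that group or others can write to. Anyone with write access to a directory
# on a search path can add or replace the programs that jobs run from it.

# Resolve a directory to its physical path (fails if it is not a directory).
canon() { (cd "$1" 2>/dev/null && pwd -P); }

# mode_string DIR -> the ten-character mode from ls, e.g. drwxrwxr-x.
# Cutting at column 10 drops ACL or attribute markers such as + or @.
mode_string() { ls -ld "$1" | cut -c1-10; }

# audit_chain DIR [STOP]
# Prints one "LOOSE <mode> <path>" line per group- or other-writable directory.
# Returns 1 if any was found, 2 on a bad argument, 0 otherwise.
audit_chain() {
    dir=$(canon "$1") || return 2
    stop=$(canon "${2:-/}") || return 2
    found=0
    while :; do
        mode=$(mode_string "$dir")
        g=$(printf '%s' "$mode" | cut -c6)   # group write bit
        o=$(printf '%s' "$mode" | cut -c9)   # other write bit
        if [ "$g" = w ] || [ "$o" = w ]; then
            printf 'LOOSE %s %s\n' "$mode" "$dir"
            found=1
        fi
        if [ "$dir" = "$stop" ] || [ "$dir" = / ]; then
            break
        fi
        dir=$(dirname "$dir")
    done
    return $found
}
```

Calling `audit_chain /usr/local/bin` after a mode change shows exactly which directories in the chain became writable and by which class of user.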
 
Michael Vilain
Guest
Posts: n/a

 
      11-06-2009, 10:08 PM
In article
<fcc71ad3-b901-48f7-804d->,
Jack Shown <> wrote:

> On Nov 4, 10:05 am, johnny bobby bee <stepore-no_spam_...@gmail.com>
> wrote:
> > Jack Shown wrote:
> > > If root is not enabled (other than by sudo), is it possible to scp a
> > > file to a root-owned folder? If so, could you please provide an
> > > example? Thanks a bunch.

> >
> > Be specific as to what you're trying to achieve.
> >
> > Or, just copy it as a normal user to your home directory then use sudo
> > to put it where you want.

>
> I have a cronjob which executes every morning on 25 iMac C2Ds. I just
> placed it on all 25 iMacs but now I want to modify it and anticipate
> wanting to modify it in the future. I don't want to have to sudo on
> all 25 iMacs every time. Thanks.


(1) use a "pull if outdated" approach

Install cfengine on all the systems. It can be used to synchronize
copies of files it's told about (a configuration) from a centralized
source. The "how do I synchronize" can be a NFS mount point or some
other way you script. I've only ever used NFS mounted project
directories for this.

(2) use a "push" approach

On a central system, I had a .rhost file set up on every system's root
account that allowed the central system to rdist, rsync, or rsh into
that system. I could use a list of host names and a shell session to
rcp files to the new system. Or set up rdist (or rsync, its successor)
to copy files. Very dangerous as others have said but it was a closed
environment behind a firewall where only a few people had root access.

All this was with root enabled on remote systems. Without root access,
you can't copy files into a directory that restricts root access. No
way around that without setting up your own remote copy daemon which you
control on a master machine. cfengine does this. Don't know if it's
ported to MacOS X. I ran it on Solaris 2.5, SunOS 4, HP/UX 9, and SCO
Unix.

So, your simple answer to "how do I remotely copy files to a root-owned
directory" is "you don't".

--
DeeDee, don't press that button! DeeDee! NO! Dee...
[I filter all Goggle Groups posts, so any reply may be automatically ignored]


 