BTW, if you use the config below, the script would run as ROOT. I realized I 
didn't explain it well - just in case anyone on the list hasn't used this.

ssh [email protected] /usr/bin/sudo /usr/local/sbin/deploywoa.py

would run as root where user "tim" is a member of "woadeploygrp."

Tim

On Nov 19, 2010, at 8:39 PM, Tim Worman wrote:

> Kieran et al:
> 
> Set up /etc/sudoers with escalation for particular scripts.
> 
> 1. Make a script on your deployment server, maybe "deploywoa.py"
> 2. Add a command alias to your /etc/sudoers file like:
> 
> Cmnd_Alias     DEPLOYWOA = /usr/local/sbin/deploywoa.py
> 
> 3. Make your user on the remote server part of a group, something like 
> "woadeploygrp", then give that group sudo escalation privs
> 
> %woadeploygrp    ALL=(ALL) ALL
> 
> 4. Then, later in /etc/sudoers
> 
> %woadeploygrp    ALL=NOPASSWD: DEPLOYWOA
> 
> 
> I've also wondered if launchd watch folders would be useful to trigger 
> deployment of uploaded woa.
> 
> 
> Tim Worman
> UCLA GSE&IS
> 
> On Nov 17, 2010, at 9:34 AM, Chuck Hill wrote:
> 
>> 
>> On Nov 17, 2010, at 6:03 AM, Kieran Kelleher wrote:
>> 
>>> Hi all,
>>> 
>>> Like many of you, I have custom scripts that use ssh to deploy woa apps. 
>>> Scripts issue remote commands via ssh and script exec user's id_dsa has 
>>> corresponding id_dsa.pub in the remote server's auth keys for admin and 
>>> root. The problem is that root (apparently) is needed to set the chown on 
>>> the woa bundles to appserver:appserveradm, however I would like to get away 
>>> from needing root user remote ssh commands for security reasons.
>>> 
>>> Assuming you all use chown of appserver:appserveradm and chmod of 550 on 
>>> your deployed woa bundles (are you?), then the question is with respect to 
>>> non-interactive, passwordless, secure remote deployment (copy, untar, 
>>> chown, chmod) of WOAs, what user/ssh setup are you all using besides 
>>> r...@remote, or is r...@remote the only way?
>>> 
>>> Regards, Kieran
>> 
>> You can also create copies of the chown and chmod with the SUID bit set: 
>> http://en.wikipedia.org/wiki/Setuid.  So instead of your script doing a 
>> chmod, you would call (making up a name) chmodappserver.
>> 
>> Chuck
>> 
>> 
>> -- 
>> Chuck Hill             Senior Consultant / VP Development
>> 
>> Practical WebObjects - for developers who want to increase their overall 
>> knowledge of WebObjects or who are trying to solve specific problems.    
>> http://www.global-village.net/products/practical_webobjects
>> 
>> 
>> 
>> 
>> 
>> 
>> 
>> _______________________________________________
>> Do not post admin requests to the list. They will be ignored.
>> Webobjects-deploy mailing list      ([email protected])
>> Help/Unsubscribe/Update your Subscription:
>> http://lists.apple.com/mailman/options/webobjects-deploy/lists%40thetimmy.com
>> 
>> This email sent to [email protected]
> 

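Because the sudoers rule in this thread runs the deploy script as root on behalf of an unprivileged ssh user, the script is the trust boundary and has to check both the archive name and the archive contents before the copy, untar, chown, chmod steps. The following is an added example, not Tim's deploywoa.py or any code from the list; DROP_DIR, APPS_DIR and the one-argument interface are assumptions, while the owner, group and mode are the ones named in the thread.

```python
#!/usr/bin/env python3
# Added example, not Tim's deploywoa.py. DROP_DIR, APPS_DIR and the single
# file-name argument are assumptions; owner, group and mode come from the thread.
import os, re, shutil, sys, tarfile

DROP_DIR = "/var/spool/woa-incoming"            # assumed upload directory
APPS_DIR = "/Library/WebObjects/Applications"   # assumed install directory
OWNER, GROUP, MODE = "appserver", "appserveradm", 0o550

def vet_members(tar, bundle):
    """Return the members safe to extract as root; raise ValueError otherwise."""
    members = tar.getmembers()
    if not members:
        raise ValueError("empty archive")
    for m in members:
        parts = m.name.split("/")
        if m.name.startswith("/") or ".." in parts or parts[0] != bundle:
            raise ValueError("member outside bundle: %r" % m.name)
        if not (m.isfile() or m.isdir()):   # no symlinks, hard links, devices
            raise ValueError("disallowed member type: %r" % m.name)
        m.mode = MODE                       # drops setuid/setgid and write bits
    return members

def deploy(archive_name):
    """Unpack DROP_DIR/<Name>.woa.tar.gz into APPS_DIR, then fix owner and mode."""
    match = re.fullmatch(r"([A-Za-z0-9_-]+\.woa)\.tar\.gz", archive_name)
    if not match:                           # a bare file name only, never a path
        raise ValueError("unexpected archive name: %r" % archive_name)
    bundle = match.group(1)
    with tarfile.open(os.path.join(DROP_DIR, archive_name), "r:gz") as tar:
        tar.extractall(APPS_DIR, members=vet_members(tar, bundle))
    for dirpath, _dirs, files in os.walk(os.path.join(APPS_DIR, bundle)):
        for path in [dirpath] + [os.path.join(dirpath, f) for f in files]:
            shutil.chown(path, OWNER, GROUP)
            os.chmod(path, MODE)

if __name__ == "__main__":
    if len(sys.argv) != 2:
        sys.exit("usage: deploywoa.py Name.woa.tar.gz")
    try:
        deploy(sys.argv[1])
    except (ValueError, OSError, LookupError, tarfile.TarError) as err:
        sys.exit("deploy refused: %s" % err)
```

A sudoers command listed without arguments, as in the Cmnd_Alias in this thread, may be run with any arguments, so the argument check has to live in the script itself.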