Tim,

Brilliant! I will change my setup to reflect this during the week.

Thanks.

Regards, Kieran.

On Nov 20, 2010, at 2:51 PM, Tim Worman <[email protected]> wrote:

> BTW, if you use the config below, the script would run as ROOT. I realized I
> didn't explain it well - just in case anyone on the list hasn't used this.
>
> ssh [email protected] /usr/bin/sudo /usr/local/sbin/deploywoa.py
>
> would run as root where user "tim" is a member of "woadeploygrp."
>
> Tim
>
> On Nov 19, 2010, at 8:39 PM, Tim Worman wrote:
>
>> Kieran et al:
>>
>> Set up /etc/sudoers with escalation for particular scripts.
>>
>> 1. Make a script on your deployment server, maybe "deploywoa.py"
>> 2. Add a command alias to your /etc/sudoers file like:
>>
>> Cmnd_Alias DEPLOYWOA = /usr/local/sbin/deploywoa.py
>>
>> 3. make your user on remote server part of a group sth like "woadeploygrp"
>> then give that group sudo escalation privs
>>
>> %woadeploygrp ALL=(ALL) ALL
>>
>> 4. Then, later in /etc/sudoers
>>
>> %woadeploygrp ALL=NOPASSWD: DEPLOYWOA
>>
>>
>> I've also wondered if launchd watch folders would be useful to trigger
>> deployment of uploaded woa.
>>
>>
>> Tim Worman
>> UCLA GSE&IS
>>
>> On Nov 17, 2010, at 9:34 AM, Chuck Hill wrote:
>>
>>>
>>> On Nov 17, 2010, at 6:03 AM, Kieran Kelleher wrote:
>>>
>>>> Hi all,
>>>>
>>>> Like many of you, I have custom scripts that use ssh to deploy woa apps.
>>>> Scripts issue remote commands via ssh and script exec user's id_dsa has
>>>> corresponding id_dsa.pub in the remote server's auth keys for admin and
>>>> root. The problem is that root (apparently) is needed to set the chown on
>>>> the woa bundles to appserver:appserveradm, however I would like to get
>>>> away from needing root user remote ssh commands for security reasons.
>>>>
>>>> Assuming you all use chown of appserver:appserveradm and chmod of 550 on
>>>> your deployed woa bundles (are you?), then the question is with respect to
>>>> non-interactive, passwordless, secure remote deployment (copy, untar,
>>>> chown, chmod) of WOAs, what user/ssh setup are you all using besides
>>>> r...@remote, or is r...@remote the only way?
>>>>
>>>> Regards, Kieran
>>>
>>> You can also create copies of the chown and chmod with the SUID bit set:
>>> http://en.wikipedia.org/wiki/Setuid. So instead of your script doing a
>>> chmod, you would call (making up a name) chmodappserver.
>>>
>>> Chuck
>>>
>>>
>>> --
>>> Chuck Hill Senior Consultant / VP Development
>>>
>>> Practical WebObjects - for developers who want to increase their overall
>>> knowledge of WebObjects or who are trying to solve specific problems.
>>> http://www.global-village.net/products/practical_webobjects
>>>
>>> _______________________________________________
>>> Do not post admin requests to the list. They will be ignored.
>>> Webobjects-deploy mailing list ([email protected])
>>> Help/Unsubscribe/Update your Subscription:
>>> http://lists.apple.com/mailman/options/webobjects-deploy/lists%40thetimmy.com
>>>
>>> This email sent to [email protected]
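With the sudoers rule from the thread, any member of woadeploygrp can run deploywoa.py as root without a password, so the script itself is the privilege boundary. The following is an added example, not code from the thread or from any list member: a hypothetical deploywoa.py in Python that refuses unsafe archives before applying the appserver:appserveradm ownership and mode 550 mentioned above; the staging directory, application directory and archive naming scheme are assumptions.

```python
#!/usr/bin/env python3
"""Hypothetical deploywoa.py: it runs as root via sudo, so it validates all input."""
import os
import re
import shutil
import sys
import tarfile

# Assumed locations and naming scheme; none of these come from the thread.
STAGING = "/var/spool/woadeploy"
APPS_DIR = "/opt/woapps"
NAME_RE = re.compile(r"[A-Za-z0-9_-]+\.woa\.tar\.gz")
OWNER, GROUP, MODE = "appserver", "appserveradm", 0o550  # values from the thread


def bad_members(tar, bundle):
    """Return names of members that leave <bundle>/ or are not plain files or dirs."""
    bad = []
    for m in tar.getmembers():
        parts = m.name.split("/")
        inside = parts[0] == bundle and ".." not in parts
        if not inside or not (m.isfile() or m.isdir()):
            bad.append(m.name)  # traversal, absolute path, symlink, hardlink, device
    return bad


def deploy(archive_name):
    """Extract a validated bundle, then set owner and mode on every path in it."""
    if not NAME_RE.fullmatch(archive_name):
        raise ValueError("archive name not allowed: %r" % archive_name)
    bundle = archive_name[: -len(".tar.gz")]
    with tarfile.open(os.path.join(STAGING, archive_name), "r:gz") as tar:
        bad = bad_members(tar, bundle)
        if bad:
            raise ValueError("unsafe archive members: %r" % bad)
        tar.extractall(APPS_DIR, filter="data")  # Python 3.12+ or a backported release
    for root, _dirs, files in os.walk(os.path.join(APPS_DIR, bundle)):
        for path in [root] + [os.path.join(root, f) for f in files]:
            shutil.chown(path, OWNER, GROUP)
            os.chmod(path, MODE)


if __name__ == "__main__":
    try:
        deploy(sys.argv[1] if len(sys.argv) == 2 else "")
    except (ValueError, OSError, tarfile.TarError, LookupError) as exc:
        sys.exit("deploywoa: %s" % exc)
```

Because the Cmnd_Alias in the thread lists the script path without arguments, sudo permits any arguments, so the script is the only place the archive name gets checked. The script and the directory holding it should be writable by root only.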
