I'm dealing with a situation on a RHEL 9 server where we have a locked service account. Our users log into the server using their Active Directory credentials and then use "sudo -u -i" to run tasks under that account. This way, we maintain an audit trail for actions taken as the service account. However, they also need to transfer files to and from this account using WinSCP, which is problematic because the account is locked.
If I unlock the account with a password, users could bypass using their AD credentials to SSH into the server and we'd lose the audit logging we want to maintain. I've heard that WinSCP can be configured to work with sudo, but I haven't had success getting it to function properly. Samba isn't an option either since I want to avoid integration with AD, and allowing open access without a password poses a security risk. Any ideas on how I can solve this file transfer issue?
5 Answers
Have you considered using sticky bits? They can help manage shared access effectively. Just make sure to handle the permissions correctly to avoid any potential mess.
Is this more of a regular process or just something for troubleshooting? If it's more of a temp fix, how about using sudo to copy files to a directory with shared permissions? If it's part of a normal workflow, you might want to streamline that process a bit more. Also consider using shared groups or ACLs to make it easier.
You could consider a workaround like this: let them pull files as the service account, or alternatively, push the files to a shared location like /var/tmp with open permissions. This way, they can move files around without needing constant access to the service account. Also, you could look into deploying files through a different mechanism if that makes sense for your workflow.
Have you thought about using SCP with their own credentials instead? That might simplify things since they could SSH in as themselves and copy the files under the service account permissions. It's worth checking if they can access the files that way. Most likely, the files are owned by the service account, which is why they can't access them directly.
I stumbled upon an interesting solution here: https://serverfault.com/questions/354615/allow-sftp-but-disallow-ssh. There are definitely ways to restrict SSH access while still allowing SFTP. However, caveat: the solution might involve some compromises since they need file access across the system. You could create a middle ground where they can drop files in a common space and retrieve them from there.
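One way to build the shared drop location that several of the answers suggest (sticky bit, shared group, ACLs), with a check that it never drifts to open permissions. This is an added example, not code from any poster; the directory path and group name in the usage comment are assumptions.

```shell
#!/bin/sh
# Added example: group-restricted drop directory for handing files to a
# locked service account. Path and group names are assumptions.

# make_dropdir DIR GROUP: create DIR with group GROUP and mode 3770:
#   2000 setgid -> new files inherit GROUP, so the service account can read them
#   1000 sticky -> a user can delete or rename only their own files
#   0770        -> owner and group only, nothing for "other"
make_dropdir() {
    dir=$1 group=$2
    mkdir -p -- "$dir" || return 1
    chgrp -- "$group" "$dir" || return 1
    chmod 3770 -- "$dir" || return 1
    # Best effort: a default ACL keeps uploads group-readable even when the
    # client uses a restrictive umask. Skipped if ACLs are unavailable.
    if command -v setfacl >/dev/null 2>&1; then
        setfacl -d -m "g:$group:rwX" -m o::--- -- "$dir" 2>/dev/null || true
    fi
}

# check_dropdir DIR: return 0 only if DIR is setgid + sticky and grants
# nothing to "other"; suitable for a periodic audit job.
check_dropdir() {
    mode=$(stat -c '%a' -- "$1") || return 2
    mode=$(printf '%04d' "$mode")   # pad, e.g. 770 -> 0770
    special=${mode%???}             # first digit: setuid/setgid/sticky bits
    other=${mode#???}               # last digit: permissions for "other"
    case $special in
        3|7) ;;
        *) echo "missing setgid or sticky bit: $mode" >&2; return 1 ;;
    esac
    [ "$other" = 0 ] || { echo "accessible to other: $mode" >&2; return 1; }
}

# Usage (as root; path and group are hypothetical):
#   make_dropdir /srv/svc-transfer svc-transfer
#   check_dropdir /srv/svc-transfer
```

Users upload with WinSCP as themselves and the service account, as a member of the same group, picks the files up after `sudo`, so the account stays locked.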