Remote Permissions Problem

David Gale

At my office, we have a central file server which employees pull data from
to their own computers to work on. For QA purposes, we don't want them to
be able to modify the information on the file server except for when they're
pulling down/putting up the data.

I've got a perl script which runs through various checks to make sure
they're allowed to modify that data, and then uses 'system("scp"....)' to
pull the data down. Once it is verified to have reached their system, it is
removed from the server (ensuring one copy of the data exists).

What we'd like to do is set the directories on the server to be
non-executable, and have the download script chmod it right before the copy.
Problem is, the employee most likely will not be the owner of the directory
at the point of copy request.

We've thought of a couple of options, none of which seem ideal. One would
be to do:
    system("ssh $user\@$server unlock $dir");
    system("scp $user\@$server:$dir");

which would work (unlock being a program that runs as root and issues the
chmod command), but would require the user to type in their password twice.
To get around that, I thought to ask them for their password and then use
expect to do these two commands, but (having not used expect much), I can't
figure out how to tell if the scp is successful or not.

Any help (either in coming up with a better solution, or in getting expect
to work) would be appreciated!

Thanks,
-D.

PS: I'm sure someone's going to suggest setting up ssh keys for passwordless
access, but our sysadmin doesn't want to do that, since that would give
anyone who managed to crack one box passwordless access to the server.
 
David Gale

Quoth Jon Ericson:
> This isn't really a perl question you know -- you're likely to get
> better advice from an ssh or security group. I would have suggested
> using ssh keys (which is how I've solved this sort of problem). Maybe
> ssh-agent would help, though I haven't needed to use it myself.
>
> Jon

True, this aspect of it isn't specifically a perl problem. However, my
current attempt is to use Perl::Expect; I'm just not sure how to tell if the
process completes successfully--does expect give you access to the exit
value of the process once it's terminated? How do you access it?

This question, at least, seems to be group-appropriate. Perhaps I wasn't
clear enough in my original post.

-D.
 
Jon Ericson

> True, this aspect of it isn't specifically a perl problem. However, my
> current attempt is to use Perl::Expect; I'm just not sure how to tell if the
> process completes successfully--does expect give you access to the exit
> value of the process once it's terminated? How do you access it?

I don't know anything about the Expect module, but I imagine if you
posted a self-contained example and mentioned how the results differed
from your expectations, you'd get a response from someone who does.
You could also try the mailing list for this module:

http://lists.sourceforge.net/lists/listinfo/expectperl-discuss

Personally I would think this approach is at least as hazardous as
using ssh keys.

Jon
 
Aaron Sherman

David Gale said:
> True, this aspect of it isn't specifically a perl problem. However, my
> current attempt is to use Perl::Expect; I'm just not sure how to tell if the
> process completes successfully--does expect give you access to the exit
> value of the process once it's terminated? How do you access it?
>
> This question, at least, seems to be group-appropriate. Perhaps I wasn't
> clear enough in my original post.

Expect gives you access to the exit status of the program that it ran
via the exitstatus method. However, if you're running a command on a
remote system, you don't have direct access to that command's exit
status. You can instead get that status through the remote access
program you're using, such as:

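    use Expect;

    # $host and $mypassword are assumed to be set earlier in the script.
    my $exit;
    my $ssh = Expect->spawn('ssh', $host, '/bin/true');
    $ssh->expect(10,
        [ qr/word:/ => sub {
            my $exp = shift;
            $exp->send($mypassword . "\n");   # answer the password prompt
            exp_continue;
        } ],
        [ 'eof' => sub {
            my $exp = shift;
            # exitstatus is a wait status like $?, so the exit code is the high byte
            $exit = $exp->exitstatus >> 8;
            print "Exit status: $exit\n";
        } ],
    );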
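
The success check the thread is asking about, as an added example that is not code from any poster: it runs a child in list form and decodes Perl's wait status, treating exit code 255 as ssh's own failure as documented in ssh(1). The run_checked helper and the stand-in child commands are constructed for illustration so the script runs without a server.

```perl
#!/usr/bin/perl
# Added example (not code from the thread): decide whether a child such as
# ssh succeeded by decoding Perl's wait status in $?.
use strict;
use warnings;

# Run a command in list form (no local shell, so a directory name containing
# spaces or metacharacters stays one argument) and classify the result.
sub run_checked {
    my @cmd = @_;
    my $rc = system { $cmd[0] } @cmd;
    return { ok => 0, why => "could not start $cmd[0]: $!" } if $rc == -1;

    my $signal = $? & 127;      # low 7 bits: signal that killed the child
    my $code   = $? >> 8;       # high byte: the child's own exit code
    return { ok => 0, why => "killed by signal $signal" } if $signal;
    # ssh(1) exits with the remote command's exit code, or with 255 when
    # ssh itself failed (connection refused, authentication failure, ...).
    return { ok => 0, code => $code, why => 'ssh transport or auth error' }
        if $code == 255;
    return { ok => 0, code => $code, why => "command exited with $code" }
        if $code != 0;
    return { ok => 1, code => 0, why => 'success' };
}

# Constructed stand-ins for the real ssh calls so this runs offline:
# each child is this same perl interpreter ($^X) exiting with a chosen code.
my @cases = (
    [ 'remote unlock succeeded', $^X, '-e', 'exit 0'   ],
    [ 'remote unlock refused',   $^X, '-e', 'exit 3'   ],
    [ 'ssh could not connect',   $^X, '-e', 'exit 255' ],
    [ 'child killed',            $^X, '-e', 'kill "TERM", $$; sleep 5' ],
    [ 'binary missing',          '/nonexistent/scp-placeholder' ],
);

for my $case (@cases) {
    my ($label, @cmd) = @$case;
    my $r = run_checked(@cmd);
    printf "%-24s ok=%d  %s\n", $label, $r->{ok}, $r->{why};
}
```

In the real script the call would be run_checked('ssh', "$user\@$server", 'unlock', $dir). List form only bypasses the local shell: ssh still hands the joined arguments to the remote shell, so $dir needs validating before it is sent.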