Google Groups no longer supports new Usenet posts or subscriptions. Historical content remains viewable.
Dismiss

remote copy to /usr/local/bin

0 views
Skip to first unread message

Jack Shown

unread,
Nov 4, 2009, 2:35:21 AM11/4/09
to
If root is not enabled (other than by sudo), is it possible to scp a
file to a root-owned folder? If so, could you please provide an
example? Thanks a bunch.
Message has been deleted

Geoffrey S. Mendelson

unread,
Nov 4, 2009, 8:59:03 AM11/4/09
to
Michael Vilain wrote:

> scp is usually used for remote copying. Since remote access via root is
> a Bad Idea(tm) unless you implicitly trust the local and remote systems.
> Setup a .hosts file on the remote system to allow root access via the
> local system, same as rcp.

Since one can spoof a host name, I would not recommend it. (unless you are
really creative with host names)

I've not done it with MacOS, but on all my othe *NIX systems, I always set
up ssh to accept only a key as valid athentication, as script kiddies have
figured out how to open an ssh session and try various user names and passwords.

While RSA-1 keys are easy to crack if you have the right program, it is unlikely
that someone trying to "hack in" over an internet connection will get it,
and RSA-2 or DSA keys are difficult enough to not worry.

Note there was a debian fork of ssh that reduced all keys to 128 bits,
so make sure you have an up to date version of SSH if you are using a
debian based system. All versions of MacOS's ssh are safe.

If you are accepting connections from outside of your own private, firewalled
network for SSH, use a different port, something relatively high to prevent
someone trying a few to get in.

If you do not want someone who walks up to your Mac to have the capability
of using these keys, you can passphrase protect them. This is different
than passwords, as the authentication is still done by key, however the
key is encrypted on your Mac using the passphrase.

Geoff.

--
Geoffrey S. Mendelson, Jerusalem, Israel g...@mendelson.com N3OWJ/4X1GM

Jolly Roger

unread,
Nov 4, 2009, 10:34:50 AM11/4/09
to
In article <slrnhf31s...@cable.mendelson.com>,

This is easily done on Mac OS X as well. It's how I set up my home
systems and Macs I administer for friends and family.

--
Send responses to the relevant news group rather than email to me.
E-mail sent to this address may be devoured by my very hungry SPAM
filter. Due to Google's refusal to prevent spammers from posting
messages through their servers, I often ignore posts from Google
Groups. Use a real news client if you want me to see your posts.

JR

johnny bobby bee

unread,
Nov 4, 2009, 1:05:18 PM11/4/09
to

Be specific as to what you're trying to achieve.

Or, just copy it as a normal user to your home directory then use sudo
to put it where you want.

Doug Anderson

unread,
Nov 4, 2009, 1:10:06 PM11/4/09
to
Jack Shown <jack...@gmail.com> writes:

I suppose you could change the privileges on the folder to allow a
non-root user to write files there, though depending on the folder I
suppose there could be some unintended consequences of that.


Geoffrey S. Mendelson

unread,
Nov 4, 2009, 2:59:03 PM11/4/09
to
Doug Anderson wrote:

> I suppose you could change the privileges on the folder to allow a
> non-root user to write files there, though depending on the folder I
> suppose there could be some unintended consequences of that.

The folder in question was /usr/local/bin which is really something that
should be read only except to someone who administers the system. However,
AFAIK it's not used in normal Mac operations, only in command line processes
(terminal.app for example) or XWindows.

This is really UNIX related and not MacOS specific. So I may lose people
who are not fluent in UNIX operations and permissions.

MacOS (at least leopard) supports groupids, and /usr/local/bin is owned by
root, group admin. It's writeable only by root. You could change it to be
writeable by admin (mode 775 instead of 755) which would have the side effect
of allowing any administrator to be able to write to it at any time.

The other possibility is to make a new group, or use wheel (group id 0),
which limits the exposure. I don't know if there is any other problem
caused by this.

Since it most likely will be used by shell scripts or XWindows programs,
you could just create an arbirtary user, for example "fred" and a bin
directory below his home. Then you would make /Users/fred world readable
(which I think it is by default) and the same with /Users/fred/bin.

Then the shell scripts would have /Users/fred/bin added to their path.

This would be better IMHO as there is little security exposure, no changes to
the Apple provided system except for adding the userid in the first place
and and putting the directory in /etc/paths.

Jack Shown

unread,
Nov 6, 2009, 4:49:50 PM11/6/09
to
On Nov 4, 10:05 am, johnny bobby bee <stepore-no_spam_...@gmail.com>
wrote:

I have a cronjob which executes every morning on 25 iMac C2Ds. I just
placed it on all 25 iMacs but now I want to modify it and anticipate
wanting to modify it in the future. I don't want to have to sudo on
all 25 iMacs every time. Thanks.

Jack Shown

unread,
Nov 6, 2009, 5:03:01 PM11/6/09
to
On Nov 4, 11:59 am, "Geoffrey S. Mendelson" <g...@mendelson.com>
wrote:

> Doug Anderson wrote:
> > I suppose you could change the privileges on the folder to allow a
> > non-root user to write files there, though depending on the folder I
> > suppose there could be some unintended consequences of that.
>
> The folder in question was /usr/local/bin which is really something that
> should be read only except to someone who administers the system. However,
> AFAIK it's not used in normal Mac operations, only in command line processes
> (terminal.app for example) or XWindows.
>
> This is really UNIX related and not MacOS specific. So I may lose people
> who are not fluent in UNIX operations and permissions.
>
> MacOS (at least leopard) supports groupids, and /usr/local/bin is owned by
> root, group admin. It's writeable only by root. You could change it to be
> writeable by admin (mode 775 instead of 755) which would have the side effect
> of allowing any administrator to be able to write to it at any time.

Wouldn't I need to do a chmod of all three directories as in:

chmod 775 /usr /usr/local /usr/local/bin

Otherwise, wouldn't the group permissions of the parent directory
cause me grief? And, if I did this, does that create a security
hazard?

I guess I could just place the file in ~admin/bin and create a hard
link to it in /usr/local/bin on each machine or just modify /etc/
crontab on each machine. Then I could always do the scp without
issues.

Thanks for your help.

Message has been deleted
0 new messages