Score:0

Command to get Sublime Text SFTP client to execute sudo at every file save

ye flag

I am using Sublime Text editor with its SFTP plugin to edit files (also root files) on my server. I thought there is some Linux command or file that can be edited that would enable me to execute sudo at every file save, and even at every file open. At every file operation. Because I connect the editor's SFTP client with a user from the wheel group that can be root in a passwordless way when executing sudo su.

And I have disabled root login to secure SSH. So I added "sudo" in the sftp subsystem path in my sshd_config file on the server, and it works - it can save with root privileges, it has the same result as if people would add "sudo" in the winSCP client settings at the sftp path. But I was told this is not a secure way to enable sudo at file save, because then every client that connects with the correct credentials will be root, not just my own client.

So I am looking for a more secure way to execute sudo at every file operation when I am using my SFTP client (which is a Sublime Text plugin), this plugin: codexns.io/products/sftp_for_sublime. Could you recommend a way to do this correctly?

so flag
Your command runs SFTP server as root, so ultimately every operation throughout the SFTP session will be done as root. Whether you use IP or FQDN is irrelevant in respect to the "sudo".
Adam Alleman avatar
ye flag
Thanks @martin-prikryl! Originally I defined this path: sudo /usr/lib/openssh/sftp-server, in my sshd config file at the subsystem path. But I realized that means that all SFTP clients will have root access, if using the correct credentials. So it is much more secure to allow only my client to sudo, with the command: sftp -s "sudo /usr/lib/openssh/sftp-server" myhostname.fqdn. Can you confirm that this is the correct alternative? Thank you! Btw, how do I undo this command with an other command?
so flag
But then anyone can do the same! (`-s "sudo /usr/lib/openssh/sftp-server"`). If you want only one specific user to be able to `sudo`, you have to do it on the server-side. But that's a different question than what you have asked. + *"undo this command with an other command"* What *another command*?
Adam Alleman avatar
ye flag
@martin-prikryl after I execute this command `sftp -s "sudo /usr/lib/openssh/sftp-server" myhostname.fqdn`, how do I undo the changes? What file is this command modifying?
Adam Alleman avatar
ye flag
So you don't recommend to set a sudo path like this `sudo /usr/lib/openssh/sftp-server` as the subsystem path in the sshd_config settings? Do you rather recommend to execute `sftp -s "sudo /usr/lib/openssh/sftp-server" myhostname.fqdn` to achieve the same thing? I cannot change the path in the winSCP client because I don't use winSCP. How do you change the sftp path in the terminal in Ubuntu, if you don't use winSCP, into `sudo /usr/lib/openssh/sftp-server`? Since I don't use winSCP, I don't have a GUI way to change the path to use sudo.
Adam Alleman avatar
ye flag
Executing `sftp -s "sudo /usr/lib/openssh/sftp-server" myhostname.fqdn` only affects my own SFTP client, what do you mean that "others then can do the same"?
so flag
You cannot undo the change. All operations in the session will be done as root. You have to open another session to do the operation using your regular privileges. I do not understand your question about WinSCP. I've never mentioned WinSCP. Let's skip the `sshd_config` topic for now for simplicity. Please ask a separate question about that if you want.
Adam Alleman avatar
ye flag
I am using Sublime Text editor with its SFTP plugin, to edit files (also root files) on my server.
Adam Alleman avatar
ye flag
Part I: I am using Sublime Text editor with its SFTP plugin to edit files (also root files) on my server. I thought there is some Linux command or file that can be edited that would enable me to execute sudo at every file save, and even at every file open. At every file operation. Because I connect the editor's SFTP client with a user from the wheel group that can be root in a passwordless way when executing sudo su. @MartinPrikryl
Adam Alleman avatar
ye flag
Part II: And I have disabled root login to secure SSH. So I added "sudo" in the sftp subsystem path in my sshd_config file on the server, and it works - it can save with root privileges, it has the same result as if people would add "sudo" in the winSCP client settings at the sftp path. But I was told this is not a secure way to enable sudo at file save, because then every client that connects with the correct credentials will be root, not just my own client. @MartinPrikryl
Adam Alleman avatar
ye flag
Part III: So I am looking for a more secure way to execute sudo at every file operation when I am using my SFTP client (which is a Sublime Text plugin), this plugin: https://codexns.io/products/sftp_for_sublime. Could you recommend a way to do this correctly? @MartinPrikryl
so flag
Your question never mentioned Sublime Text editor. We are not magicians to guess that. This is a Q&A site, not a support chat. All information must be edited into the question, not buried in dozens of comments.
Adam Alleman avatar
ye flag
@MartinPrikryl I edited the question.
so flag
That disabling root login secures SSH is imo a myth. What's the difference after all, if you allow passwordless `sudo` anyway?
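
The two configuration points raised in this thread (a `sudo`-wrapped SFTP subsystem in `sshd_config`, and disabled root login alongside passwordless `sudo`) can be checked mechanically. The following is an added example, not code from the question or its comments; the sample file contents and the finding names are constructed, and only the global section of `sshd_config` (everything before the first `Match`) is evaluated.

```python
import re

# Constructed sample files for illustration; not taken from the poster's server.
SAMPLE_SSHD_CONFIG = """\
PermitRootLogin no
Subsystem sftp sudo /usr/lib/openssh/sftp-server
"""
SAMPLE_SUDOERS = """\
root   ALL=(ALL:ALL) ALL
%wheel ALL=(ALL) NOPASSWD: ALL
"""

# user-or-%group  host = (runas) NOPASSWD: command-list
NOPASSWD_RE = re.compile(
    r"^([^#\s]\S*)\s+\S+\s*=\s*(?:\([^)]*\)\s*)?NOPASSWD:\s*(.+)$")


def directives(text):
    """Yield (keyword, argument string) pairs, skipping blanks and # comments."""
    for raw in text.splitlines():
        line = raw.strip()
        if line and not line.startswith("#"):
            parts = line.split(None, 1)
            yield parts[0].lower(), parts[1] if len(parts) > 1 else ""


def audit(sshd_config, sudoers):
    """Return a list of finding ids (hypothetical names) for the two texts."""
    settings = {}
    for key, rest in directives(sshd_config):
        if key == "match":
            break  # conditional blocks are not modelled here
        if key == "subsystem":
            fields = rest.split(None, 1)
            if len(fields) == 2 and fields[0] == "sftp":
                settings.setdefault("sftp", fields[1])
        else:
            settings.setdefault(key, rest)  # sshd keeps the first value it reads
    nopasswd_all = [
        m.group(1)
        for line in sudoers.splitlines()
        if (m := NOPASSWD_RE.match(line.strip()))
        and "ALL" in [c.strip() for c in m.group(2).split(",")]
    ]
    findings = []
    sftp_cmd = settings.get("sftp", "").split()
    if sftp_cmd and sftp_cmd[0].rsplit("/", 1)[-1] == "sudo":
        findings.append("sftp-subsystem-runs-under-sudo")
    if settings.get("permitrootlogin") == "no" and nopasswd_all:
        findings.append("root-login-off-but-nopasswd-all:" + ",".join(nopasswd_all))
    return findings
```
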