
How can you run an SFTP through pbrun

I have a (*nix) server where the access privileges are restricted for certain folders to admin accounts only. In order to access some of these folders, we use the pbrun command to tell some "daemon" to access it for us (I think?).

I need to copy an entire folder in a secure directory (one of the directories that I pbrun into) onto my Windows computer (not a server, just a regular PC).

I guess I'll need to use SFTP to SSH into the server and grab the files, but since I don't have access to the files on my account, I can't SFTP with my credentials. Also, I don't have passwords to the account I'm pbrunning on, so I can't just SFTP directly using that account. And pbrun is not an FTP command, so I can't just add that into the FTP...

Basically, my question is how can I get that directory on my computer, when between it stands the whole pbrun obstacle.

etk1220 asked Oct 21 '22 01:10


2 Answers

pbrun mode allows you to get elevated access privileges, usually identified by a group id along with a user id, which is generally an application id. Once you have those privileges, a lot can be done.

Based on your last statement of the problem, I think you can just do a normal copy to a temp location on the same server and change the ownership/permissions (chown/chmod) to allow usage of the files/directories by your normal id.

Once you are done with your work, remove the files/reverse the permissions as before, depending on what you would have selected.

On the other hand, if you want to explore sftp and ftp, info goes below:

sftp requires you to set up ssh keys before you can do an ftp. So I think there are two ways to tackle the problem:

1) Use normal ftp, where you can specify the username when you connect to a destination server. This will be the simplest solution which should work. Cons: Unencrypted file transfer

2) You may set up ssh keys on the Windows server and allow the application id for logon.

The other thing you should be concerned about is the ftp service itself on the Windows machine, whether it is there or not.

UserOp answered Oct 31 '22 17:10


Basically, you are trying to do the following:

tar cf - file1 file2 | /bin/tar -xf - -C /some/path/directory

You just want the extract to be done on a remote system and the contents encrypted along the network channel. PowerBroker can be used as a transport channel to move the data. By default, all PowerBroker network traffic is encrypted. You would also need a policy that would allow the command. Try the following:

tar cf - file1 file2 | pbrun -h <target_host> -u <target_user> pbcp

You would need a policy to the effect:

if ( user in {"cire", "wax"}
    && command=="pbcp" 
    && requestuser in {"oracle", "root", "other", "allowed", "users" }) {
  runcommand = "/bin/tar";
  runargv = { "/bin/tar", "-xf", "-", "-C", "/some/path/directory" };
  SetRunEnv(requestuser); 
  accept;
}

cire answered Oct 31 '22 18:10
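
The tar pipe from the answer above, as an added example that is not part of the original answer: both ends run locally so the pattern can be tried without PowerBroker, and a checksum manifest confirms the copy. The helper names (send_tree, receive_tree, manifest, copy_and_verify) and the sample files are constructed for illustration; the receiver uses the same argument shape the policy pins.

```shell
#!/bin/sh
# Added example (constructed): local stand-in for the tar-over-pbrun pipe.
# In the answer's setup the receiving half is what the policy runs, i.e.
#   send_tree DIR | pbrun -h <target_host> -u <target_user> pbcp

# Sender: archive the directory's contents with relative member names, so
# the receiver's fixed "-C <dir>" alone decides where the files land.
send_tree() {
    tar -C "$1" -cf - .
}

# Receiver: same argv shape as the policy's runargv (tar -xf - -C <dir>).
receive_tree() {
    tar -xf - -C "$1"
}

# Checksum manifest of every regular file under a directory, sorted by
# file name so that two manifests can be compared as plain strings.
manifest() {
    ( cd "$1" && find . -type f -exec cksum {} + | sort -k3 )
}

# Stream SRC into DEST and verify; returns 0 only if the manifests match.
copy_and_verify() {
    src=$1 dest=$2
    send_tree "$src" | receive_tree "$dest" || return 1
    [ "$(manifest "$src")" = "$(manifest "$dest")" ]
}

# Demo on constructed sample data in a private temporary directory.
demo_dir=$(mktemp -d)
mkdir -p "$demo_dir/src/sub" "$demo_dir/dest"
printf 'first file\n'  > "$demo_dir/src/file1"
printf 'second file\n' > "$demo_dir/src/sub/file2"
if copy_and_verify "$demo_dir/src" "$demo_dir/dest"; then
    echo "copy verified"
else
    echo "copy FAILED verification"
fi
rm -rf "$demo_dir"
```

Across two hosts, run manifest on each side and compare the two outputs, since the trees cannot be compared directly.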