Use case is web service intended to run as an appliance on a headless Raspberry Pi. OS: Raspbian (Debian).
The web service is running under a non-root service account, using a custom-rolled Boost Beast-based web server (avoid!).
What I want to do: provide a button in the web interface, running in a remote user's browser that allows the system to be shut down or rebooted.
What I've tried so far ... (C/C++)
system("/usr/sbin/shutdown -P now"); // (or -r for reboot)
Fails with the messages:
... [3460]: Failed to set wall message, ignoring: Interactive authentication required.
... [3460]: Failed to power off system via logind: Interactive authentication required.
... [3460]: Failed to open initctl fifo: Permission denied
... [3460]: Failed to talk to init daemon.
I also tried creating a wrapper executable that has been SUID-ed to root, that in turn calls system("/usr/sbin/shutdown ...") with identical results. So even with root credentials, shutdown fails. (Also tried /sbin/reboot, which also fails).
The service in question is written in C++, and services a web socket. The web client app sends a web socket request to shut down the system; and the shutdown is performed in the C++ server code. Everything works fine when the server is started in an interactive session; but it does not work when running in a systemd service.
The web server itself is running as a systemd service using a system account (so no login credentials, and I really do not want login credentials for the service account).
I'm perfectly willing to reconfigure the system, or create a service specifically for this purpose if necessary, and to do what I can to address security issues. But I have no clue as to what the path forward is. The issue is particularly pressing because there's no shutdown button on an out-of-the-box Raspberry Pi (although I do plan to address that for my own Pi). The fact that one CAN install a shutdown button on a Raspberry Pi means there must be some way to do it.
Ideally, I'd like to leave the R-Pi in a state that's usable for other purposes. So a no-password boot into a shell isn't an attractive option. I don't think. And rsh-based solutions are unattractive because they would require the appliance to have a preinstalled login account, with pre-installed credentials (and we all know how THAT goes).
I solved the same issue by creating a C++ daemon, running as root and listening ONLY on a localhost TCP port, in charge of shutting down the system when contacted by the web service.
Edit: Use https://man7.org/linux/man-pages/man2/reboot.2.html to shut down the OS.
I wonder how to authenticate a remote linux server with dropbox daemon installed without X server.
I put it there because it is very hard to find the solution elsewhere from my Google search in France.
My problem was: connect a computer with dropbox installed to my account on a server where there is no graphical interface. This supposes you installed the dropbox daemon in one of the many possible ways.
The fact is that I have a dropbox daemon running (dropbox status says 'Dropbox is running...') but I want my server to connect to my account.
The solution is to:
1) stop the dropbox daemon: dropbox stop
2) start the daemon manually on the server: cd ~/.dropbox-dist/ && ./dropboxd. This will start the dropbox daemon and display on stdout a URL on dropbox.com where, as an authenticated user, you can authorize the server to be connected.
That is all. This thread acts as a memo, at least for me, because I don't easily find the solution each time I have to re-do this setup.
Then you have nothing else to do than run dropbox start again.
Hope this helps.
I have a remote machine that runs Ubuntu 14.04. It is powered on, but not logged into. I am writing a web application using Node.js that takes a username and password and logs in to this machine. This application is supposed to run on an Android tablet. I am not going to send further commands through the terminal, so I don't really require the session, but just logging in so that the remote machine starts running some processes.
I'm having trouble on how to start coding this. I'm not sure about what Node module to use, and whether or not to use the SSH protocol.
I've gone through a couple of solutions to related questions on the internet, but they either don't work on Android, or need the remote machine to be running some server already (which is not the case here, as the machine is not logged into).
I am maintaining a Virtual Machine on a Cloud Service with Linux (SLES) operating system. At some point, someone logged in, did some major things (e.g. chmod 777 on ALL files, etc) and, with some other things that he did, messed up the system.
It would be no surprise if he actually hacked it, but...
The vm is hosted inside a VPN (unreachable from outside the VPN), and last root command specifies a user connected through tty1 (!!!), with no IP address, while all my connections, root and user are pts/X.
My thoughts (not like I am an expert) are concluding on one thing, this user must have physical (?) access to cloud service, since tty is reachable locally.
Which means, that if that is true, the "attacker" must be someone from inside the Cloud-Service hosting company.
Question:
Is there ANY way you can connect remotely to a server/cloud service virtual machine using ttyX?
Correct me at any point you see wrong; as I mentioned I am not an expert but I am more than willing to learn.
Depending on the hypervisor, it provides a remote console, so it is kind of a local console connected from a remote place. Also, there is the IPMI protocol, which can connect to the hypervisor and use the SOL (serial-over-LAN) command.
Other than that, the user might be connecting using VNC, which would also be shown as a tty connection.
IPMI SOL: http://www.alleft.com/sysadmin/ipmi-sol-inexpensive-remote-console/
Remote qemu guest console: How to switch to qemu monitor console when running with "-curses"
VNC on guests: https://askubuntu.com/questions/262700/qemu-kvm-vnc-support
What is the difference between daemon and service ? (In windows or Linux).
A daemon is a background, non-interactive program. It is detached from the keyboard and display of any interactive user. The word daemon for denoting a background program is from the Unix culture; it is not universal.
A service is a program which responds to requests from other programs over some inter-process communication mechanism (usually over a network). A service is what a server provides. For example, the NFS port mapping service is provided as a separate portmap service, which is implemented as the portmapd daemon.
A service doesn't have to be a daemon, but usually is. A user application with a GUI could have a service built into it: for instance, a file-sharing application.
For more details: https://askubuntu.com/questions/192058/what-is-technical-difference-between-daemon-service-and-process
Daemons are processes running in the background and are not in your face. They do certain tasks at set times or respond to certain events.
In Windows, daemons are called services.
Daemon
From Wikipedia:
A daemon is a computer program that runs as a background process, rather than being under the direct control of an interactive user.
For example you want to ping google.com. That means something in your OS should know how to handle the Domain name resolution. That is a daemon.
More to read : Berkeley Internet Name Daemon (BIND)
Service
That name comes from Client Server Model. It means that an application runs as a service on a server, and a client version of the application is used to access the service. For example an Apache HTTP server application is a service on a server and a Chrome Browser is a client on a PC.
More to read: Client Server Model
A daemon is a computer program that runs as a background process, rather than being under the direct control of an interactive user.
A daemon is a subset of services that always run in memory waiting to service a request.
For example: crond, ftpd, etc.
Whereas a service is a server application or set of applications that runs in the background waiting to be used, or carrying out essential tasks. They are basically called in inter-process communication.
For example: httpd
I'm trying to launch two applications in my server using SSH remote connection. These applications are using D-BUS message bus for communication.
If I log in to my server computer locally, the communication between these applications works perfectly. However, when I try to launch these applications remotely, errors related to D-BUS occur.
Is there any way to share D-BUS message bus when starting applications remotely on server computer?
My server is running on Ubuntu 12.04.
Finally found a solution to my question.
First I needed to start ssh connection with trusted X11 forwarding enabled:
ssh -2 -Y user@address
In this remote connection I started the first application with a new D-Bus: dbus-launch --autolaunch=machineID app1. Then I opened a new SSH connection and also started the second application together with D-Bus with the command dbus-launch --autolaunch=machineID app2. MachineID can be found in ~/.dbus/session-bus/ in a Linux environment.
That is how I was able to make these two applications use the same D-Bus message bus in a remote connection.