Can passwords or other sensitive information be removed from system logs?
After mounting shares with
mount -t cifs -o username=[USER],password=[PASSWORD] //[HOST]/[SHARE] /[MOUNT_POINT]
checking logs with journalctl reveals that the command is recorded in its entirety, including the password.
Related
When creating an auditd rule in Linux, what is the behaviour if no permissions are specified?
ie
-w /etc/shadow -p wa -k shadow
will monitor for new writes or changed attributes.
But if I wrote it as:
-w /etc/shadow -k shadow
then is there a default permission? or does it imply that all permissions will be monitored ie rwax?
Without -p:
The -w option tells audit to add a watch to the file specified, in this case /etc/shadow. All system calls requesting access permissions to this file are analyzed
https://documentation.suse.com/sles/12-SP4/html/SLES-all/cha-audit-comp.html#sec-audit-rules
Using -p:
This rule adds a watch to the /etc directory and applies permission filtering for read and execute access to this directory (-p rx). Any system call requesting any of these two permissions is analyzed.
I would like to programmatically mount a volume from my code and I am using the mount system call for that. I have ecryptfs installed. To manually mount a volume, I can use mount -t ecryptfs /src /dst and this will cause ecryptfs to interactively ask me for the information.
I would like it to instead automatically use my key file that I point it at and proceed.
You can use the echo command to take password automatically while mounting with eCryptFs,
Example:
echo | mount -t ecryptfs -o ecryptfs_cipher=aes,ecryptfs_key_bytes=32,ecryptfs_passthrough=no,ecryptfs_enable_filename_crypto=yes,no_sig_cache,key=passphrase:passwd="12345" /data/config/ /data/config/
If you want use it in your code, then form the above string by extracting password from your file and use system API (system("");) to mount the partition with eCryptFS.
I've updated my openwrt firmware using the web interface. Now the web interface is unreachable.
I lost my root password so i started my router (wr1043nd) in failsafe mode, but the mount_root command is not working:
$mount_root
""/bin/ash: mount_root: not found""
Any clue? I can't find any solution in the docs/ online
You can mount jffs2 partition manually. This partition contains your configuration, so when you mount it, you will be able to edit root password.
Use this command: mount -t jffs2 /dev/mtdblock3 /mnt/. Please note that mtd number may vary in different routers. If there is nothing in /mnt dir after issuing this command, try another mtdblock number.
Then go to /mnt dir and remove /etc/shadow and /etc/passwd files from there to reset root password.
Hi I'm new in Linux and I have been trying synchronize two folder with rsync command. I'm using CentOS and when I execute command (#rsync -zvr /tmp/f1/ /tmp/f2/) through command line is working fine, but through rc.local on rebooting is not working. The following message is showed:
sending incremental file list
rsync: change_dir "/tmp/f1" failed: Permission denied (13)
rsync: ERROR: cannot stat destination "/tmp/f2/": Permission denied (13)
rsync error: errors selecting input/output files, dirs (code 3) at main.c(554) [receiver=3.0.6]
rsync: connection unexpectedly closed (9 bytes received so far) [sender]
rsync error: error in rsync protocol data stream (code 12) at io.c(600) [sender=3.0.6]
Please some help?
You are having trouble with SELinux. SELinux is a module which allows for much more fine grained access control than file system permissions and ACLs do. Among others, it will disallow access to files for rsync by default, if it is not run by a user from a terminal. Now how can you let it access the files you want?
There are two options. If you are only dealing with directories no other service (including httpd or such) needs access to, you can do the following:
semanage fcontext -a -t public_content_t "/tmp/f1(/.*)?"
semanage fcontext -a -t public_content_t "/tmp/f2(/.*)?"
This should persistently change the SELinux rules to make the directories /tmp/f1 and /tmp/f2 accessible by rsync. In fact, it will set the public_content_t type on the directories and the files. Nodes with that type are accessible by rsync. However, there is a catch, as mentioned: A node (directory or file) can only have one type. Many services have other requirements for files they access, (e.g. sshd requires ssh_t), so you cannot do this in /etc for example.
Another solution is to persistently allow rsync access to all files. This is fine if you do not run the rsync daemon:
setsebool -P rsync_full_access 1
Afterwards, rsync will be able to access all files, even if run from init and not from a users terminal.
Why does it make a difference if rsync is started by a daemon or by a user?
(this is only true for the most common, targeted policy)
SELinux knows users, and normal users use the SELinux-user unconfined_u. unconfined_u is allowed to do pretty much everything the file system ACLs allow it to do. However, init and such are running as system_u, and system_u is far more constrained. This helps to prevent attacks on httpd and other exposed daemons.
If you have just rebooted /tmp will have been cleared and so /tmp/f1 and /tmp/f2 will not exist
rc.local usually runs quite late in the boot sequence so I'd guess that /tmp is mounted rw but it's possible that it is still only mounted ro
I am trying to write a script that would ssh into a host, perform mount operation there, run some other commands and exit.
other commands (cd, cp) do not require sudo privelages but mount option requries sudo permission. I want to write a script that would do:
ssh user#server "mount -t nfs xx.xx.xx.xx:/ /nfs -o rsize=4096,wsize=4096 ; cp pqr rst ; umount /nfs ;"
and some other non-sudo commands. How can I do this without a sudo option and without entering any passwords when the script is running.
Desktop linux distributions use udisks to grant non-root users limited mounting priviliges.
udisks version 2
udisksctl mount -b [device]
udisks version 1
udisks --mount [device]
Of course, if we are talking about a server VM, then these tools might not be installed.
Installing them would require root access (once)
You must add /nfs entry to /etc/fstab on the server host.
In the list of options of the entry must be option user or users (depends on that if you want that user could unmount the filesystem or not).
Example:
xx.xx.xx.xx:/ /nfs nfs rsize=4096,wsize=4096,user 0 0
You can allow that user to mount without needing sudo power.
Use NOPASSWD directory
Follow this Link.
Or you may prefer to write expect script which will have password written and password will be entered when it prompts for it.