I two CentOS 6.5 servers and I have a very complex shell script connecting this two servers and make some backups with root user without password. There is some rsa keys for this.
For security purpes I disabled root login on both servers and I tried to change the script to use a user insted of root but it's doesen't work. I have changed the user rights from /etc/sudoers to user ALL=(ALL) ALL.
If I generate another ssh key with ssh-keygen -t rsa it say me that I don't have permisson and if I use sudo ssh-keygen -t rsa he create me a key for root#server.
I think the problem will be solve if I can change the user rights to run sudo comands without "sudo", like root but I don't know if this it's possible.
Thanks!
To maintain security, yet to accomplish this certain work, you need to do the followings:
Create a new user account, for this certain work only.
Give this user an ssh-key to automatically login without password.
The login shell should not be /bin/bash, for obvious security
reason. You can setup SSH connection to run certain program/command
for this specific user. I don't want to explain the details here.
Please search the web for the answer for this.
Since this program needs root permission, and this user is not the
root, you need to setup an effective executable permission as
root (i.e. setuid). To make it only executable by this certain user (and root),
you need to create a new group, set this user to join this group,
and set the program to be executable by this group (chmod 4770, 4
for setuid, 770 to be executable by the group, and the owner). The
program must be owned by root (so that it setuid to root), with the group assigned
to that certain group. The program can be a binary-executable, or a script.
That does not matter.
Caution: Your setuid program/script must be very careful not to
contain exploitable security weaknesses.
Related
At Debian im trying to change specific directory ownership after every reboot. But in my case it doesnt work, because user always set as root at reboot time.
When i try this in terminal it works well (i think because myUser session created) but i need to change it at reboot time.
So far i refer this link but it fails for me : https://unix.stackexchange.com/questions/183183/using-chown-useruser-inside-bash-script
CURRENT_USER=$(who | awk 'NR==1{print $1}')
sudo chown -R $CURRENT_USER:$CURRENT_USER /myfile/foo
second way:
sudo chown -R ${USER:=$(/usr/bin/id -run)}:$USER /myfile/foo
i dont want to write like this :
sudo chown myUser:myUser /myfile/foo
Linux is a multiuser system. There can be more than one users logged in simultaneously or no one at all. Often there is no way to define something like a "default" user. There are however workarounds that you could use to find the "default" user if the machines are setup as typical single user company computers.
Take the user with UID 1000. If all the machines are setup so that the "default" user has UID 1000, you could just use this UID instead of the username in the chown command.
Look for the subdirectories of /home. Only standard (non-system) users have a home directory. On standard systems they are named with the username.
That beeing set: Your script will be highly dependent on the specific setup of the machines. Also there might be a less intrusive, less machine dependent and more secure solution to your problem. You could try to
leave root as owner of the directory but enable read and write permissions for other users.
set the sticky bit for the directory (just like /tmp).
make a new group that owns the directory and add the users to it.
The last option is actually used a lot. For example often web servers make their source directories owned by a group called www and users, that are allowed to read/write the data are added to that group. This also works well in real multiuser systems like servers or shared machines.
linux security and root access question....
I'm setting up a server that has a validator node running on it for a substrate-based blockchain. I was trying to harden the security of my server. I set up ufw for all ports but those necessary for the node to operate. I set up 2FA, SSH with ed25519, and then I was spending time trying to figure out, if for some crazy reason someone got in... how could I stop someone from using systemctl or poweroff with sudo privilages. The goal is maximize uptime and remain in sync with the other nodes at all times.
Anyways, I started blocking bash commands for the user account that allows SSH and blocked SSH to root. Then I blocked a few more commands and thought, what if someone could find their way around this? So, I just started blocking too many things lol. Even though I disabled sudo for the user and blocked a number of commands the user could still use systemctl and stop the service for the node. Eventually I found this guide on how to only allow a few commands for a user.
Update: I didn't properly remove the user from the sudo group. Afterwards they could still use systemctl but the system then allowed systemctl to pop up with an input for the root user password for authentication. Anyways, I just wanted something simple yet secure sooo....
I ended up removing all of the commands from the user and symlinked the su command and renamed it to a random command that only I know. All of the other commands done by the user respond with
-rbash: /usr/lib/command-not-found: restricted: cannot specify /' in command names
I took away bash history and bash autocomplete/tab completion. Now the only thing you can do is guess commands that will get you to the point where you still have to get past my root password. Is there a way for hackers to scan for available commands when there is only one available that is masked in this way?
Anyways, I'm saying all of this because I have always heard best security practices involve "disabling root". Sometimes I see it as just disable root SSH, which i already have done, but sometimes i read it like disable the root account. Some say disable the password and try to divvy it up with sudo privileges so it's more traceable to individual users.
In my case I need to preserve root access in some way but I basically hid everything within the root user. So, if anyone gets access to root it's over. But, it's behind 2FA, SSH, and an unknown command that just gets to where you can try a password to access root.
Am I thinking about this "disable root for security" all wrong and I should disable it completely or does it make sense what I've done so far?
You can also create a SSH key and use this to login to a Linux server, instead of using a password, and do not share your private key.
The following link is a tutorial on how to create a SSH key one, https://www.cyberciti.biz/faq/how-to-set-up-ssh-keys-on-linux-unix/
You could also add user filtering with AllowUsers option in sshd_config file:
AllowUsers admin1#192.168.1.* admin2#192.168.1.* otherid1 otherid2
This allows admin1 and admin2 only from 192.168.1.* addresses and otherid1, otherid2 from anywhere.
I have several actions that need to be performed on a network of servers.
for these actions i have two options:
manually, this will take a lot of effort and potentially i will need to do it over and over again on different networks.
automatically, with scripts or ansible that do not allow password prompt when connecting with ssh.
some of these actions require root access. for example, the
useradd and groupadd commands need to be used.
also, i will need to change several files in etc and in var folder.
in terms of security, is it safe and acceptable to require passwordless root ssh access so that ansible or others will be able to do it?
if not, is it possible to add an official reference? preferably redhat site or other.
notice that using a sudoer user is not permitted.
I would say no, "passwordless root ssh access" is not secure. However, you can use key based authentication via ssh as root. In other words you can do what you want to do, just not exactly how you described it.
Adding users and groups is a very typical config mgmt task, and a perfect job for ansible. I would suggest creating an ansible playbook that uses the user and group modules rather than running the raw useradd and groupadd commands (See example below). However, this will require setting up the necessary ssh key based authentication.
Ansible can help with that task as well, but you'll have to authenticate with a password in order to setup the key based auth.
https://docs.ansible.com/ansible/latest/modules/user_module.html
https://docs.ansible.com/ansible/latest/modules/group_module.html
- name: Add the user 'johnd' with a specific uid and a primary group of 'admin'
user:
name: johnd
comment: John Doe
uid: 1040
group: admin
i tried to create user "support" with password and listed on etc/sudoers under root account :
#User Privilege Specification
root ALL=(ALL:ALL) ALL
support ALL=(ALL:ALL) ALL
But whenever i use command "sudo su" it just ask the support password and gain the root access. i want the user "support" use root password (not his password) to gain root access.
this is some detail information that what i want :
some VM had been setup by another Sys Admin and when i use command "sudo su" and put support's password it comes notification
user support is not allowed to execute '/bin/su' as root on localhost-server
thank you very much
The behavior you describe is typical for debian based distributions, others follow others setups. Once you think about it you will agree that this actually does make sense from a security point of view: the root password does not have to get shared, so it is not forgotten and does not have to be re-shared with every change. Instead sudo allows a fine grained selection of what single users can do or not, so permissions can also be retracted which is not possible if you use the traditional approach to share the root password.
That said I suggest you start reading the documentation, namely the manual pages of the sudo command suite. At the end of man sudo_root you will find the exact answer of what you ask:
It is possible to "revert" the behavior to the traditional approach by setting a root password, but that is discouraged for security reasons.
This is not a code-related question.
Then don't use sudo. simply use su root or su (which without arguments implies user root), and enter the root password.
I need to get a hold of web-server logs by regular users who have /bin/bash as their shell enabled. Logs are stored in a directory which has drwx------ permissions and is owned by root:root so obviously they can't access any files in it (and yes, I can't really change this permissions setup).
The system(s) is Debian Linux. So I'm looking for some wrapper script, it might not be bash exactly, which, in my vision, will do the following:
you pass one argument to it - a sitename - i.e. site.com;
it greps all the lines containing this site.com;
stores the result to user home dir.
This part is easy, the real problem arises when you want to bypass restrictions yet to stay (at least somewhat) safe. So:
script must only be started after password is provided for it to be run;
in case of bash scripts they are run with permissions of the user account who ran it - so my guess is it should have su -m root -c 'grep ...' in it, but I found no way how to pass password to the prompt inside the script so far (sudo is not exactly suitable unfortunately);
if there is a way to pass password to su from inside the script then of course script itself must have permissions 751 and owner of root:root - so that the end user who runs the script (or anyone else) won't be able to see the script's content.
I'm open to suggestions how this should be done or if it's should be done at all (at least this way) :) Thank you.
Given what I understand of your needs, I summarize here the various options that come to my mind. In no particular order:
Use sudo together with a policy file (/etc/sudoers -- edit with
visudo) to restrict the commands available to the user
Use a cron job (more or less smart) to collect data on the server at regular
intervals and store them at a location accessible to you (or mail them to you...)
If you have administrative access to the server, you might create a special user with
the "log-grepping" tool as connection shell (/etc/passwd)
If you have ssh access to your server, you may also use the
authorized_keys file on the server to restrict remote command over ssh
Those are only general directions. Read about them. Try them. And if you're struggled, don't hesitate to post an other question!
As a last word, as it has already been stated in a comment, please refrain yourself to develop your own "security restriction system". sudo, ssh, pam (and probably others ... selinux?) have been specifically crafted for that purpose...