I have a user in linux
and i have a problem, because the user in linux is accessed by many users and in some times somebody for error write crontab -r and delete all crontabs.
Is there a way to lock the command: "crontab -r"? (i am not the user root, only have this permisions in this user)
But i need that all the persons in the user can create crontab ("crontab -e") or list the crontab ("crontab -l")
I have a red hat server.
Thanks
If all you need to prevent is carelessness, a simple wrapper in /usr/local/bin/crontab is all it takes.
#!/bin/sh
case $1 in
-r) echo "$0 -r disabled; aborting" >&2
exit 1;;
esac
exec /usr/bin/crontab "$#"
You'd have to make crontab into a shell script that would catch this and throw an error. How you would tell when the operation is proper or not, though, is up to you. Since many different people log in with the same username, there's no intrinsic way to tell when it's proper to do something and when it's not.
Related
(I'm a beginner in linux and shell)
I need to run a sudoedit -u from a non interactive bash script
I have the password in a variable and the input for the editor
My challenge is to give password AND editor inputs to sudoedit
For the context, I need to make a kind of automatic unit tests for sudoers commands.
So my actual strategy is to run the main script with a user A. In that script I need to switch to a second user B (su) to run a subscript that run the sudoedit command (sudoedit -u userC). And I need to get the $? of the sudoedit for my main script report.
I have tested many things without success. Is there a way to give both password and editor input ? (Or an other way to perform what I need to do ?)
I tried that :
#!/bin/bash
# master script
userB=userB
userBpassword=xxx
export userBpassword
su - userB bash child.sh >/dev/null 2>&1 < <(echo $userBpassword)
isSuccess=$? # I need the information of success or not for file edition
#!/bin/bash
sudoedit -u userC file.txt >/dev/null 2>&1 < <(echo ":wq") # I must inject userBpassword here but how ?
return $?
I must do that non interactive (just asking logins and passwords once at start)
Ideally I should have 0 if sudoedit is success or anithing else if there is a failure (no right or missing file)
Thanks in advance for reading and help
I always want to run a script as user1, but the code flow always runs it as root. So, I want to check the current user inside the script. If it is root, I want to run the rest of the script as user1.
I want to do something similar to this. But only difference is I need to run the script as a particular user (say user1). So, when I find that the current user is not user1, I do not want to exit but want to run rest of the shell script as user1.
How can I achieve this?
Thanks #User123. But I was facing some issues with that solution as there are many functions and variables in the script. Not sure what the problem exactly is. But, this worked for me now:
if [ $USER == <undesired user> ]; then
echo Current user is $USER. Running the script as <desired user>
su -c 'sh <script.sh>' <desired user>
else
echo Current user is $USER
...
<rest of the script>
...
fi
I have the following bash script to restart the network manager in Debian. The script works as is it should, but not as I would like it to. When the script asks for the sudo password I am able to pass it along using echo, but it displays the password in terminal while the script executes, making it less asthetically pleasing than I would like. Is there anyway to have the script enter the password, but not display the password text while the script calls for the sudo password?
I have tried as many suggestions on Stack Overflow as i could find, well as Stack Exchange before submitting this question.
Script is as follows:
#!/bin/bash
clear
echo "Restarting service Network Manager"
echo""
sleep 1
echo -e "\033[0;31m......................................\033[0m"
echo -e "\033[0;31m......................................\033[0m"
sleep 1
echo""
sudo service network-manager restart
sleep 2
echo <Password>
sleep 2
echo "Service Network Manager Restarted"
sleep 1
echo ""
echo "Relinquishing control of terminal to user..."
sleep 7
clear
Remove the echo <Password> line? I am pretty sure it does nothing other than display the password, as sudo apparently (through an appropriate entry in /etc/sudoers) works without you having to give a password. (What you write to terminal with echo does not get passed to any other process.)
Generally speaking, you can use sudo -S to make sudo expect the password on stdin. But also generally speaking, if you have to hardcode a password in a script, you're doing it wrong in some way.
Is there anyway to have the script enter the password
Putting password in script is not a good idea. First, from security point of view, password may be recovered from script from anyone with access to script. Second, from maintenance view, once you change your password, scripts suddenly stop working and you have to update them all.
Fortunately, as you are already using sudo there is better solution. You can configure sudo to allow running certain command without password, by using NOPASSWD rule in /etc/sudoers.
myuser ALL=(ALL) NOPASSWD: service network-manager restart
See:
How do I run specific sudo commands without a password?
How to run a specific program as root without a password prompt?
Warning: Always edit /etc/sudoers with visudo, never directly. It prevents you from breaking /etc/sudoers. Once you break your /etc/sudoers, you won't be able to use sudo, including using sudo to fix /etc/sudoers.
try this /bin/echo -e "password\n" | sudo apt-get update
or see this Use sudo with password as parameter
#! /bin/sh
# Carry out specific functions when asked to by the system
case "$1" in
start)
chmod a+rwx /var/www/html/Images/*
echo "success"
;;
stop)
;;
*)
echo "Usage: /etc/init.d/image {start|stop}"
exit 1
;;
esac
Im using run levels to run my chmod when the system is boot up but it is only run once and how can i keep allow chmod to keep running when system is boot up? Anybody can help? i'm using ubuntu 16.04.
Don't use chmod in this way. In the long run it creates lots of pain and will turn your box into a worm pit. What you want to do there is a huge security no-go.
If you want users to be able to write to a certain location, use proper filesystem access rights. Create a new group for whoever shall be able to write to that directory, set its permissions to 1775 (owner and group rwx, others rx, sticky bit enabled) and set the directory owning group to the one created formerly. Then add all users that shall be able to write to that directory to this group.
Why don't you use a cronjob for that? You can set up this script (just the chmod line) to be run every minute...
Ubuntu CronHowto
I would like to know if there is anyway to send a mail as soon as someone tries su -, su or su root. I know the mail command and I am trying to write a script but I am very confused as to
where to write it - whether in .bashrc of root or in /etc/process
how to invoke the mail on the use of su
I've tried the usual Google search etc. but got links on usage of su, disabling it, securing ssh etc - none of which answered this question.
Thanks in advance
I guess that your underlying requirement is that you have a bunch of people you have given root privilege to but you don't completely trust them so you want to keep an eye on them. Your solution to this is to get yourself sent mail whenever they become root.
The problem with this solution is that the root user has unlimited privilege and so there's nothing to stop them from counteracting this mechanism. They could for instance, edit the /etc/login.defs file in one session, do the good thing that you want them to do and then later su to root and do the bad thing that you fear and at the end of that session they edit the /etc/login.defs file back to it's original state and you're none the wiser. Alternatively they could just make a copy of /usr/bin/bash and make the copy a suid file that will give them privilege whenever they run it.
You might be able to close any of the vulnerabilities I've just suggested but there will be many, many more. So you either trust them or else don't use su at all and give them sudo permission to run just those commands that they need to do the thing you want them to do.
There's a log file called /var/log/secure which receives an entry any time su is executed. It gets entries under other conditions as well. It's described in the Linux Administrator's Security Guide.
If user "fred" executes su -, an entry will appear which looks something like this:
Jul 27 08:57:41 MyPC su: pam_unix(su-l:session): session opened for user root by fred(uid=500)
A similar entry would appear with su or su root.
So you could set up a script which monitors /var/log/secure as follows:
#!/bin/sh
while inotifywait -e modify /var/log/secure; do
if tail -n1 /var/log/secure | grep " su: "; then
tail -n1 /var/log/secure | grep " su: " | mail -s "su occurred" you#email.com
fi
done
Note that you need to have the inotify-tool package installed to use inotifywait.
If this script is running in the background, it should send an email to you#email.com any time an su entry occurs.
Now where to run the script. One approach would be to put this into an executable script file (say, watchsu) and call it from your rc.local file:
nohup /path/to/watchsu 2>&1 &
I'm sure there are other ideas for where to start it. I'm not familiar with CentOS.
According to the man page for su, in /etc/login.defs you can set either SULOG_FILE file or SYSLOG_SU_ENABLE yes to log all su activity. Then you just need something like inotifywait to watch the log file for su events.