I am writing script which contains smbget -u user -p password smb://host/share/file command. Is there any way to hide password parameter in this script? Script will be used on computer which is shared by multiple users. I want to give them opportunity to download file without showing my password.
The comment provided by Marc is correct. You can work around the problem by using mount.cifs (possibly via AutoFS if required) and taking advantage of the credentials option during mount - that option allows you to store the password in a non-user readable location.
mount.cifs //some/server /mnt/somewhere -o credentials=/root/credentials_file ...
Your script could mount this location and retrieve the file for the user (or just give the users access to the location). You'd need to have an appropriate entry in your /etc/fstab file or configured with AutoFS to make it work with your script.
An alternative would be to write the script using something which can be compiled - it's not secure for a number of other reasons, but might fit your bill.
Related
I am looking to write a script which does following
List item
As I run it, it should ask for sever entry(linux or AIX)
Once it is provided, I should be able to login into it with sudo access
Then it should run command from particular location and display the output.
I have been looking for this entire day on this site, but could not find the satisfactory answer.
Hope to get good response on this.
Thanks
Abhi
There are a couple of ways to do this. As Leo pointed out, you could use Tcl/expect. This tool allows you to emulate a user and interact with programs as if you were at the keyboard. You can provide passwords to login clients and so forth. It's a bit involved and sometimes not so reliable. If you're using ssh to log in, it might be easier depending on your skills just to use your favorite shell script and use pre-exchanged keys for logging in. If you do an ls ~/.ssh in the directory of the system you're logging in from (running the script), you may see a file called id_rsa.pub or similar. If not, you can use ssh-keygen to create one. Then create or edit the file ~/.ssh/authorized_keys on the machine you're logging into. Append the contents of this file (id_rsa.pub) to authorized_keys. This should allow you to log into that user from the other machine without a password (note: This could be a security risk!). Then, you can use the command ssh user#dest -C remote_command to execute your command, obviating the need for expect.
I need to get a hold of web-server logs by regular users who have /bin/bash as their shell enabled. Logs are stored in a directory which has drwx------ permissions and is owned by root:root so obviously they can't access any files in it (and yes, I can't really change this permissions setup).
The system(s) is Debian Linux. So I'm looking for some wrapper script, it might not be bash exactly, which, in my vision, will do the following:
you pass one argument to it - a sitename - i.e. site.com;
it greps all the lines containing this site.com;
stores the result to user home dir.
This part is easy, the real problem arises when you want to bypass restrictions yet to stay (at least somewhat) safe. So:
script must only be started after password is provided for it to be run;
in case of bash scripts they are run with permissions of the user account who ran it - so my guess is it should have su -m root -c 'grep ...' in it, but I found no way how to pass password to the prompt inside the script so far (sudo is not exactly suitable unfortunately);
if there is a way to pass password to su from inside the script then of course script itself must have permissions 751 and owner of root:root - so that the end user who runs the script (or anyone else) won't be able to see the script's content.
I'm open to suggestions how this should be done or if it's should be done at all (at least this way) :) Thank you.
Given what I understand of your needs, I summarize here the various options that come to my mind. In no particular order:
Use sudo together with a policy file (/etc/sudoers -- edit with
visudo) to restrict the commands available to the user
Use a cron job (more or less smart) to collect data on the server at regular
intervals and store them at a location accessible to you (or mail them to you...)
If you have administrative access to the server, you might create a special user with
the "log-grepping" tool as connection shell (/etc/passwd)
If you have ssh access to your server, you may also use the
authorized_keys file on the server to restrict remote command over ssh
Those are only general directions. Read about them. Try them. And if you're struggled, don't hesitate to post an other question!
As a last word, as it has already been stated in a comment, please refrain yourself to develop your own "security restriction system". sudo, ssh, pam (and probably others ... selinux?) have been specifically crafted for that purpose...
Related to my question: "How can I configure Cassandra to create files with custom rights?". I'm trying to approach the problem from the OS level.
Given two different Linux users - cassandra and tomcat7 - can I give tomcat7 read access rights to all the files which have read access rights by cassandra? The files are only o+rw (so I can't play around with groups); Cassandra keeps creating new files all the time so setting the group permissions manually isn't an option.
You could try changing the default file permission of the cassandra user using umask, assuming the mask isn't hard coded into Cassandra. This would allow you to add tomcat7 to the default cassandra user group with read/write access.
Somewhere in the shell profile or other config file for cassandra there is likely to be a line referencing umask with a setting of 077 or 0077. Replacing the first 7 with a 0 will allow rw for the group on all new files created. It is likely to be in the shell profile as it has it's own user, but it is sometime part of an application configuration file. You will of course need to change the file permissions of existing files, but this should be trivial.
The man pages don't do a brilliant job at explaining the ins and outs of the umask, but there is a nice tutorial on Understanding umask settings on Nix Craft. However, to guard against link rot, googling "linux umask" chucks up a whole bunch of tutorials from everyman and his dog.
There are two ways to do this
1) alter the uid in the password file to be the same for cassandra and tomcat7. Add cassandra and tomcat7 to the same set of groups
To show this actually works
a) add a user, I used the command
sudo adduser likeme --shell /usr/bin/zsh
I added a different shell so it is immediately apparent that this entry is being used
b) alter the uid in the /etc/passwd file. I used this command and edited the file so that the uid for my normal login (jamie) is used as the uid for the new user.
sudo vipw
c) test the new user. Here is what happens
$ who am i
jamie pts/10 2013-11-06 19:04 (:0.0)
$ sudo su - likeme
%
Note the prompt has changed because a different shell is being used. However:
% id
uid=1000(jamie) gid=1000(jamie) groups=1000(jamie)
It still says I am me!!
This is because in a fundamental way the two users are the same. You might say that there are two usernames but only one user.
2) configure sudo to allow tomcat7 to become cassandra
tomcat7 ALL = (cassandra:cassandra) ALL
Assuming you are also interested about non-system users which are supposed to be allowed to act as the other user, I would just allow him to log on as the other user.
If you are reluctant to just give him the password of the other user, then you can allow him to log on via ssh (locally) and pre-shared keys. For this, generate a key (ssh-keygen), store it in ~cassandra/.ssh/ and put the public part also in ~tomcat7/.ssh/authorized_keys. User cassandra should then be able to just switch to the other user using ssh tomcat7#localhost.
I've this need, I have to install ubuntu on a machine for a specific purpose, and I have to create a particular locked user account.
On startup i need to display the login box (so I have to admin the machine, only reboot and login as root) in the format with username and password fields.
After the login of this user, I have to auto open Google Chrome on a specific page.
Stop, this specific user doesn't have to do more. This machine is connected to a display with show ads in the expo of my client.
How to do this? I don't have any idea. Can anyone tell me ALL the correct step to achieve this?
Thanks in advance, Francesco
You have to setup a kiosk mode. You can find a good tutorial and all needed steps at http://www.alandmoore.com/blog/2011/11/05/creating-a-kiosk-with-linux-and-x11-2011-edition/
This may be an "old hat" answer...but yes, it's pretty common in practice to simply create a login shell that does a specific task (kind of similar to FTP or backup user accounts).
This means - simply put - in the /etc/passwd where you normally put the shell for the user (/bin/bash or whatever) you actually put a script that does whatever you want it to. When the script ends, the user is booted off.
If this is combined with a properly configured selinux, its pretty safe as long as the script is not hackable (I.e. does not request input which can have appended commands (I.e. "input name:" Mike; rm -rf /) or that can lead to a buffer overrun.
For this reason, its good practice to put the script in an isolated directory, chroot the user, put the user in its own group, and have the user/group only have permissions to that dir.
There's a script that I don't own but I have an execute (and read) permission on it.
I do not have any write permission on the file system.
The script tries to create some files on the file system and then it deletes them.
Hence, when I run the script I get "permission denied" messages, since I don't have permission to write on the file system.
How do I solve this?
One thing that cannot change is, that I'm not allowed to ask for permanent write permission on the file system, for my user.
But I want to be able to create files, in the case that it's done through the script.
If the changes that you suggest require to edit the script or its permissions, I can do it by asking the admin to do it for me. But generally the admin will not give me permanent write permission to any file on the system.
You could ask your admin if he'd be willing to let you run this script, and only this script with sudo.
Since you can't modify the script, this could something they could consider once he approves the content of the script.
in /etc/sudoers
youruser ALL= NOPASSWD: /path/to/your/script
he could probably also restrict who the script runs as so you have only limited access, and not full root access.
It feels to me that it's worth looking for a folder somewhere that is available to users for this kind of access. It could be possible to write to a user/ or tmp/ directory perhaps? What is/are the path(s) you are trying to write to?
Failing that I would look into why the script needs to write to and delete a file. Is it possible to use something less persistent e.g. variables rather than writing to file and avoid having to write files at all? What sort/size of data are you writing?
Finally perhaps the system is locked down for a good reason and maybe you could find a more permissive system to use for your purposes. It sounds unusual to not let a user write to any file.