Security :: Write A Shell Script Setup Security Policies?
Feb 3, 2010
Is there a way to delete files on the commandline that uses the KDE-Wastebin?It appears that I never ever need the KDE4 Wastebin for files that I deleted through Konqueror or Dolphin. It is only when I delete files on the konsole with rm that I wish I could undelete them. It always happens like that, mostly by being in the wrong directory or using a wildcard when I should not have. (I don't have any erroneous deleted file right now, and I do have plenty of backups, but I just wonder whether there is something better than rm to use generally on the commandline.)
I don't know how to write a shell script to set security policies for Linux to start. and how. I know that there are many security policies for Linux but do not know which one best suited to write a shell script.
Here, I want to deny all traffic except DNS traffic, it should be permitted. I tried to log the traffic but I did not find any update in /var/log/messages.
I am currently reviewing what it means to switch over to Ubuntu and I have the following scenario. If I was to switch all the windows servers over to an Ubuntu solution. I already understand that file servers/ mail servers and resources can be provided Ubuntu 10.04. The issue comes with the user accounts access and control. In a windows environment, I have a domain with sub domain sites. I am able to control passwords in each site separately thought Active directory. I need the instructions on how to setup an LDAP server so that I can control access rights to different services located on different servers.
Example 1. I have 5 mail servers and on the HR side, I have 2 email administrators. I wish to provide them access to only the relevant resources centrally. With out having to add users to different users repeatedly. For example, if I wanted to grant the two administrators access to all five servers. As I understand it, I would have to create the same user on every server and add a public key on every server, as well as set the administration rights for that user on each server individually.
I want to be capable of doing this like I am in a windows environment from some sort of domain controller equivalent. Things that I must be able to do, manage users public keys on each server centrally. Add and remove user's access to each server centrally. Finite control on what each user can do on each server. (i.e., add them to the sudo group or any other group for specific servers/server class I specify). To a lesser extent of requirement, I also need to be able to inform users they have to change there password every 3 months from when they change it. As well as enforce password rules, such as characters complication.
A US ISP's "privacy" policy basically states that they will collect any and all of your data (email, posts, surfing etc ) and then "share" it". direct me to a "checklist" which can suggest counter measures for non-geeks? How can we function if we cant trust our ISP? Are there some specific 'tricks' in Ubutu to foil rogue ISPs? If yes, it would be a great 'selling point', especially for professionals concerned that rogue ISPs could "share" their intellectual property.
So I have just set up my cryptsetup.I can open/mount it by either "crypsetup luksOpen" or just clicking on the partition from the "Places" tab and it will ask me for a password and all.
The only problem is that I can't read or write to it at all. Everything is probably root, which isn't useful to me.
So how can I change it so that when I do either of those 2 methods for opening it, I can just fully use it, read and write and everything? As my user.
For example, can I write something to the effect: block all outbound UDP connections over port 53 except those going to IP 123.456.789. Or stated another way: Block outbound to port 53/udp NOT going to ip address 123.454.678Is it possible to do this? How would I write the argument?
Long time reader, first time poster. I've got, what has become to me, a brain bender. It seems ACL's are the best way to go, but I am not 100% sure. Each user should be able to create files and modify each others'files, but should not be able to delete any one elses files in a directory.chmod -1777?setfacl?
I am using the "extend" function of snmpd to run a script in order to extend a monitoring platform. This script being ran by snmpd needs to write to a file in /tmp for later parsing, but SELinux is stopping it from writing to the file under /tmp. The following two lines from my audit.log file show what is happening:
obviously it's at least difficult but I'm interested in knowing if it's theoretically possible to allow anonymous users of vsftpd to upload to the same directory that anon_root is set to. If it's not then it's no big deal, I'm just trying to get a sense of the range of possibilities.
I am having difficulties assigning permission for wordpress to write files. I am having problems with the permalink within wordpress and I think it might be because of the level of permission wordpress has. Currently on my system I need to set permission to 777 in order for wordpress to write to the .htaccess file.
I am running my website on a Ubuntu machine. Version 10.10 Apache2 2.2.4
However, when I leave the permission level set to 777 I still cannot get the permalink to point to the corrent page......See my discussion on this here. [URL]
I think what I need to do is change wordpress to use a user permission or a group permission and not "everyone". I would rather have wordpress setup to login as a specific user before it can write over a file.
I am about to write a script to manage daily backup on a USB HDD. The server that holds the data works 24 hours a day and therefor, is seldom rebooted. I have 2 options :
OPT 1 : I mount the usb drive once and for all, and copy the data to it when I need to (twice a day, no more) and never unmount it. Except when the server is rebooted of course.
and OPT 2 : I mount the drive, copy the data and unmount it ASAP twice a day when the time has come to backup the data.
I am not at all convinced by the idea of giving permissions to read,write and execute as these Learning Management Systems say. Let me know what you people have to say? What is the best practise in such situations? I have to get all these LMS run on same web server.
We have some script files on our linux servers. For security purpose our requirement is to keep these files encrypted . I mean when we open the files it will looks like as for example i am showing you one encripted file of iur server. how can i do this.
I just found that I could perform write operation using a normal user account to a file system I mounted with the commands as followed:
sudo mount -t ntfs /dev/sda1 /mnt/disk/
This is the corresponding entry in the output of "mount" command: /dev/sda1 on /mnt/disk type fuseblk (rw,nosuid,nodev,allow_other,blksize=4096)
As far as I remember, when using a normal user account, I had to use "sudo" to perform any write operations (mkdir, rm, etc) to a device mounted using "sudo". But now it seems to be changed.
Do I remember wrong, or did Karmic have any updates change this setting? (I never manually changed user settings, except that I added a root user, but I never used it.)
OS: Karmic(up2dated) Kernel: Linux stephen-laptop 2.6.31-17-generic #54-Ubuntu SMP Thu Dec 10 16:20:31 UTC 2009 i686 GNU/Linux
I use Ubuntu 10.10 with encrypted home. I'm new with apparmor. My firefox-3.6.13 is now in enforce mode - with standard profile. With this profile it should have write access only to: owner @{HOME}/Downloads/* rw,
But I can save files (with standard downloadmanager of firefox) e.g. in $HOME itself and I can't find any other rule, which could allow that. I have thing, that ecryptfs workaround just affects the eCryptFS "part of things" and limitations of normal filenames/paths (in mounted ecryptfs) are still possible. Why can firefox write elsewhere as in to ${HOME}/Downloads? I get also this in kern.log (but not by saving a file as wrote above):
Why do firefox try to write to it and why do it fail even with #13 workaround? Feb 27 06:03:23 duron650 kernel: [ 3118.231818] type=1400 audit(1298783003.534:49): apparmor="DENIED" operation="open" parent=1782 profile="/usr/lib/firefox-3.6.13/firefox-*bin" name="/tmp/.X0-lock" pid=2304 comm="firefox-bin" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0 Why try firefox to access X lock?
I had to reinstall Ubuntu (Natty) on a brand new computer and while installing I setup the datas partition to be mounted in /usr but now I can't have access to files I put in there even if I setup the group/user permission! I can accezz /usr/Music but all files are locked
I was running '# ls -l' in '/' directory and I noticed all directories in '/' have the following permeation 'drwxr-xr-x' [except root's home which is 'drwx------' (after I change it from 'drwxr-xr-x' )]
I don't want all the user (except root) to be able to read and execute (in) any directory, I just want every user to be abel to read/write/execute only in his/her home directory.
my question is, is it ok to change file and directory permeation of the following directories in '/' from 'drwxr-xr-x' to 'drwxr-x---' or 'drwx------' recursively?
/bin /boot /dev /etc
[Code]....
-I and the other users use the pc for internet, open office and email mainly.
-It does not run server(s) like smb/cif or NFS.
-There are 5 usernames (created by me, non of them are superusers) in th pc, only one user is required to login at any one time.
Just wanted input for this script i have cobbeled together. Its not done yet. I am trying to think of ways to close up my outgoing while maintaining full functionality of my laptop ( irc, web stuff, a torrent or two, etc.) . Anyways, I have done some myself; as well as, pulling bits and pieces from other stuff out on the web. I am starting to wonder why i have to write a specific rule to check for spoofed packets if my default input is set top drop. wouldnt it be caught?
I have setup my linux fedora server and i want to restrict access to my server.Basically i control using iptables.I'm not sure how to write an iptables rules to control drop all connection to port 8080 and allow only certain ip can access the instance on port 8080 example ip=10.254.14.16,192.168.1.10.
how to write secure code for bash scripts in general? Strangely I didn't found anything in google and in the forum so far. If someone here is willing to review a bash script for me (about 600 lines).
I am learning exploit development and learning some stuff about shellcodes now! The shellcode is absolutely right and have tested it. I am using the following code...(created by me) to run my shellcode..
Code: // #include<stdio.h> we will not be needing this as we are not using any functions from the C library...Just basic logic of Pointers.. char shellcode[] = "x31xc0xb0x01x31xdbxb3x07xcdx80"; // basic exit shellcode int main() { int *ret; // a simple integer pointer pointing a address ret = (int *)&ret + 2; // change the address pointed by (*ret) = (int)shellcode; }
Compiling :- Code: aneesh@aneesh-laptop:~/articles/C$ gcc test.c -o test -fno-stack-protector Compiling gives no errors as expected..
Now the problem I am facing is that As I run the program :- Code: aneesh@aneesh-laptop:~/articles/C$ ./test Segmentation fault
I'm currently creating a simple sh file which will copy the contents of a certain directory to / directory. in my sh file:
Code:
cd "$DIR" for i in *.*; do sudo cp -iv "$i" "$DEST" done
but this requires user password. can i add the user password in my sh file? how? I'm trying to do this because I have an application to run the sh file and the application has no way to enter the password..
Ok, so I have a few web apps that need to run shell commands. Heres a great example of one:
Code:
This is a PHP script getting my system volume. Herein lies the problem... www-data doesn't have permission to do this!
I changed my apache config to use MY account as the web user, and it does in fact work the way I want it to.
Obviously, I dont want to leave apache running as me, and want it to keep using www-data.... heres my question... how can I give permission for www-data to execute certain programs?
As I was researching on how to create a kiosk Ubuntu setting I came upon a suggestion to create the user with '/usr/bin/screen' shell option.Hope you all would forgive me for this noob question but what does this mean? I saw when I checked the Advance Settings Advance tab that there are a couple of possible options there, what do they mean and how will they affect the user profile I'm creating? I tried google for this and if my understanding is correct, these shells are suppose to be programmable and a scripting language for linux but I'm confused on what effect this has on the user profile I'm creating?One thing I notice though is that with the '/usr/bin/screen' option, the user account is refused of the Applications > Accessories > Terminal option.When I googled each one of the options I'm getting more confused as to the relevance of this to the user profile.
I have disabled root login in my remote shell and I have a pretty strong password. I am not happy though. I want to increase security. I've been thinking about installing some basic tripwire rig, like say, send myself an email every time I (or anyone) log in. My questions:
- What kind of data would be useful to be sent in that email? Anything else besides "user so-and-so logged in at {date and time}"?
- How would I achieve that? Is it enough to include it in .tcshrc (because my shell is tcsh)? Should I add it to other shells as well (.bashrc, .csh etc.) even though nobody uses the other shells? Is it better placed in some other file, like .login? What is the optimal place?
- Would that be enough? Can I make that whole idea more secure in any way?
I need to write program (preffer Python) to change range for users. Does anyone know some library which can help me to do that? Maybe someone has written program like that?
Up until recently, as in a few days ago, I was using Ubuntu and had ufw managing the firewall.It's been "recommended" that iptables itself be used. Where do I do the rules go (as in a file) and how do I call those rules at startup?
