prevent .exe apparmor_parser ubuntu 18.04 - apparmor

idea is to allow executing all .exe files inside specific folder and deny all other on the system. Problem is when I enable apparmor with this config file i got not possible to open any .exe:
Also, if you have other suggestions or better solution, shoot! :)
#include <tunables/global>
/usr/bin/wine-stable {
#include <abstractions/base>
#include <abstractions/user-tmp>
/home/user/.wine/dosdevices/c:/users/user/My\ Documents/New\ Folder\ -\ For\ \(user\)/** r,
/home/user/.wine/dosdevices/c:/users/user/My\ Documents/New\ Folder\ -\ For\ \(user\)/*.exe rix,
audit deny /**.exe rwx,
}
sudo apparmor_parser -r /etc/apparmor.d/usr.bin.wine
sudo systemctl stop apparmor.service
sudo systemctl start apparmor.service

Related

Run Terminal at startup and execute command as sudo

I'm trying to run an executable file as sudo using terminal at startup but I'm having some issues. I couldn't find the solution in other answers, so I opened up this one. I'm using a Raspberry Pi 3 B+ with the Raspbian Stretch with desktop and recommended software downloaded from the official Raspberry Pi website.
I have an executable that needs to be run with sudo (I use the pigpio library to communicate with another hardware through SPI and if I don't run the executable with sudo, the pigpio doesn't work). What I'm trying to achieve is that when the Pi finishes to startup the graphical interface, it would run the LXTerminal and execute "sudo home/pi/myfolder/myprogram".
I've tried:
sudo nano ~/.config/autostart/myprogram.desktop
[Desktop Entry]
Encoding=UTF-8
Type=Application
Name=myprogram
Exec=lxterminal -e "sudo /home/pi/myfolder/myprogram"
Terminal=true
sudo chmod a+r ~/.config/autostart/myprogram.desktop
Also tried:
sudo nano /etc/xdg/lxsession/LXDE-pi/autostart
lxterminal --command="sudo /home/pi/myfolder/myprogram"
Both methods did open the lxterminal at startup, but didn't executed my program.
Can anyone help me out?
I found the solution, so I'm gonna post it here in case someone else needs it. If it already exists in somewhere else around here, feel free to tag it as duplicated.
The solution that worked for me was this:
sudo nano ~/.config/autostart/myprogram.desktop
[Desktop Entry]
Encoding=UTF-8
Type=Application
Name=myprogram
Exec=lxterminal -e bash -c 'sudo /home/pi/myfolder/myprogram;$SHELL'
Terminal=true
sudo chmod a+r ~/.config/autostart/myprogram.desktop
The $SHELL makes the terminal stay open after myprogram ends its execution. If you don't need this feature, just exclude the ;$SHELL part of the code above.

Vagrant Error: File upload source file must exist

I'm trying to use a vagrant file I received to set up a VM in Ubuntu with virtualbox.
After using the vagrant up command I get the following error:
File provisioner:
* File upload source file /home/c-server/tools/appDeploy.sh must exist
appDeploy.sh does exist in the correct location and looks like this:
#!/bin/bash
#
# Update the app server
#
/usr/local/bin/aws s3 cp s3://dev-build-ci-server/deploy.zip /tmp/.
cd /tmp
unzip -o deploy.zip vagrant/tools/deploy.sh
cp -f vagrant/tools/deploy.sh /tmp/.
rm -rf vagrant
chmod +x /tmp/deploy.sh
dos2unix /tmp/deploy.sh
./deploy.sh
rm -rf ./deploy.sh ./deploy.zip
#
sudo /etc/init.d/supervisor stop
sudo /etc/init.d/supervisor start
#
Since the script exists in the correct location, I'm assuming it's looking for something else (maybe something that should exist on my local computer). What that is, I am not sure.
I did some research into what the file provisioner is and what it does but I cannot find an answer to get me past this error.
It may very well be important that this vagrant file will work correctly on Windows 10, but I need to get it working on Ubuntu.
In your Vagrantfile, check that the filenames are capitalized correctly. Windows isn't case-sensitive but Ubuntu is.

boot2docker startup script to mount local shared folder with host

I'm running boot2docker 1.3 on Win7.
I want to connect a shared folder.
In the VirtualBox Manager under the image properties->shared folders I've added the folder I've want and named it "c/shared". The "auto-mount" and "make permanent" boxes are checked.
When boot2docker boots, it isn't mounted though. I have to do an additional:
sudo mount -t vboxsf c/shared /c/shared
for it to show up.
Since I need that for every time I'll ever use docker, I'd like that to just run on boot, or just already be there. So I thought if there were some startup script I could add, but I can't seem to find where that would be.
Thanks
EDIT: It's yelling at me about this being a duplicate of Boot2Docker on Mac - Accessing Local Files which is a different question. I wanted to mount a folder that wasn't one of the defaults such as /User on OSX or /c/Users on windows. And I'm specifically asking for startup scripts.
/var/lib/boot2docker/bootlocal.sh fits your need probably, it will be run by initial script /opt/bootscripts.sh
And bootscripts.sh will also put the output into the /var/log/bootlocal.log, see segment below (boot2docker 1.3.1 version)
# Allow local HD customisation
if [ -e /var/lib/boot2docker/bootlocal.sh ]; then
/var/lib/boot2docker/bootlocal.sh > /var/log/bootlocal.log 2>&1 &
fi
One use case for me is
I usually put shared directory as /c/Users/larry/shared, then I add script
#/bin/bash
ln -s /c/Users/larry/shared /home/docker/shared
So each time, I can access ~/shared in boot2docker as the same as in host
see FAQ.md (provided by #KCD)
If using boot2docker (Windows) you should do following:
First create shared folder for boot2docker VM:
"C:/Program Files/Oracle/VirtualBox/VBoxManage" sharedfolder add default -name some_shared_folder -hostpath /c/some/path/on/your/windows/box
#Then make this folder automount
docker-machine ssh
vi /var/lib/boot2docker/profile
Add following at the end of profile file:
sudo mkdir /windows_share
sudo mount -t vboxsf some_shared_folder /windows_share
Restart docker-machine
docker-machine restart
Verify that folder content is visible in boot2docker:
docker-machine ssh
ls -al /windows_share
Now you can mount the folder either using docker run or docker-compose.
Eg:
docker run it --rm --volume /windows_share:/windows_share ubuntu /bin/bash
ls -al /windows_share
If changes in the profile file are lost after VM or Windows restart please do following:
1) Edit file C:\Program Files\Docker Toolbox\start.sh and comment out following line:
#line number 44 (or somewhere around that)
yes | "${DOCKER_MACHINE}" regenerate-certs "${VM}"
#change the line above to:
# yes | "${DOCKER_MACHINE}" regenerate-certs "${VM}"
Thanks for your help with this. An additional few flags I needed to add, in order for the new mount to be accessible by the boot2docker "docker" user:
sudo mount -t vboxsf -o umask=0022,gid=50,uid=1000 Ext-HD /Volumes/Ext-HD
With docker 1.3 you do not need to manually mount anymore. Volumes should work properly as long as the source on the host vm is in your user directory.
https://blog.docker.com/2014/10/docker-1-3-signed-images-process-injection-security-options-mac-shared-directories/
I can't make it work following Larry Cai's instruction. I figured I could make changes to "c:\Program Files\Boot2Docker for Windows\start.sh", add below
eval "$(./boot2docker.exe shellinit 2>/dev/null | sed 's,\\,\\\\,g')"
your mount command
eval "$(./boot2docker ssh 'sudo mount -t vboxsf c/shared /c/shared')"
I also add the command to start my container here.
eval "$(docker start KDP)"

Add Entries to Hosts File

I would like to create a bash script that I will run inside an administrator account. I want the script to backup the existing hosts file to the same directory with the file extension .original and then I want the script to add 3 pre-defined entries (specified within the scripts body) into the hosts file and maintain the existing formatting of the hosts file. How can I accomplish this without the user having to authenticate - I want the administrators password to be stored in the script and passed to sudo every time it requests escalation. Thank you.
You shouldn't store the password in the script. That is a security vulnerability. You can achieve the behaviour you want without storing the password anywhere by using the setuid bit.
First run chmod u+s myscript to make it run as owner (when you make the owner root, this will make your script run as root, so you won't need to use sudo at all within your script).
Then make sure that anyone you want can execute the script. If you want all users to be able to then run chmod +x myscript. If you want only yourself to be able to make sure you are the only user in the group and use chmod g+x myscript instead.
Then run sudo chown root myscript to make it owned by root.
Now any time that anyone with permissions to execute that script runs it it will be executed as root, whether that user is an administrator or not.
You have to write a program (compiled code) and suid root to perform that, then you do not have to reveal the root password to the users. I have yet to encounter a system that allows you to suid scripts. Or you have to suid bash itself which is the actual program, then everyone can be root.
example: (run as root)
ex qq.c << EOF
1,\$d
i
#include <stdlib.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>
#include <assert.h>
int main() {
assert(0 == setreuid(geteuid(),-1));
return system(
"/bin/bash << DONE\n"
"if [ \"\$UID\" != '0' ];then echo \"need to be root to do this\";exit 16;fi;\n"
"cp /etc/hosts /etc/hosts.org\n"
"echo 127.0.0.1 banned1.domain >> /etc/hosts\n"
"echo 127.0.0.1 banned2.domain >> /etc/hosts\n"
"echo 127.0.0.1 banned3.domain >> /etc/hosts\n"
"DONE\n");
}
.
x
EOF
gcc -o qq qq.c && chmod u+s qq
You can do this via the sudo command. The sudo command allows you to specify which users can run which commands and what users. Normally, you give users access to particular commands that they need to be root to execute. For example, a particular person needs to be able to start and stop Apache httpd. Normally, only root is allowed to do this, but you can grant this permission to your web administrator without giving that person permission to do anything else as root.
The sudo command is controlled by the /private/etc/sudoers file. (Which you should edit with the visudo command).
Let's say you create a shell script to edit your /etc/hosts file. You'd first want to put it in a particular location, say /usr/local/edit_hosts_file. This is a good location since the directory is owned by root.
Now, you want to make sure that only root can execute this file, and maybe only root can even read this file, and you especially want to make sure only root can edit this file. Otherwise, people could use this file to give themselves root access to other parts of your system:
$ sudo chown root:root /usr/share/edit_hosts_file
$ sudo chmod 700 /usr/share/edit_hosts_file
Now, that your command is secure, you can edit the /private/etc/sudoers file to allow only particular users to run this shell script as root:
User_Alias ALLOWED_USERS = bob, carol, ted, alice
Cmnd_Alias ETC_HOSTS_EDIT = /usr/share/bin/edit_hosts_file
Host_Alias MACHINE_LIST = localhost
ALLOWED_USERS MACHINE_LIST=(ALL) NOPASSWD: ETC_HOSTS_EDIT
This would allow any user in the defined ALLOWED user list to run your etc/hosts edit script, without requiring a password.
Now, if someone wants to run your script, they can do it as root without knowing the password and without having to give the password. This way, your script could be executed by another script:
$ sudo /usr/share/bin/edit_hosts_file
Script completed: /etc/hosts edited

Tomcat startup script permission on Mac OS X

I'm struggling with a Mac OS X 10.5.8 that I've started using recently for development. I successfully installed tomcat and create launchd.conf for my environment variables.
I believe it works fine. Coz I can build a project with Netbeans using maven and cargo plugins successfully so i found online a script for start and stop the tomcat
#!/bin/bash
case $1 in
start)
sh /Library/apache-tomcat-6.0.20/bin/startup.sh
;;
stop)
sh /Library/apache-tomcat-6.0.20/bin/shutdown.sh
;;
restart)
sh /Library/apache-tomcat-6.0.20/bin/shutdown.sh
sh /Library/apache-tomcat-6.0.20/bin/startup.sh
;;
*)
echo "Usage :start|stop|restart"
;;
esac
exit 0
That script was created in nano in sudo sh
but when i want to run it. is spit out this
sh: /usr/bin/tomcat: Permission denied
I've added chmod 755 *.sh and *.bat inside /Library/apache-tomcat-6.0.20/bin
Still access denied so what do I go around that? I have the admin privileges on the machine.
Thanks for reading
Go to Tomcat bin directory and run the below command:
chmod +x *.sh
This worked for me.
Where did you install the tomcat script to? I'd recommend you install it to /usr/bin. Once installed, make sure the permissions are correct (i.e. chmod 755 /usr/bin/tomcat). You can then confirm with ls -l /usr/bin/tomcat.
If you still get errors once the permissions on /usr/bin/tomcat are correct, then you can add the following two lines following the #!/bin/bash line.
set -x
set -v
With the above lines, bash will output additional information that will allow you to tell what's being executed and where the error is happening.
1) Go to the tomcat directory, which preferably should be "/usr/local/folder-name"
2) Check for the permissions for the folder: ls -l
3) Change the permissions using: sudo chmod -R 755 folder-name
4) Change the owner to the current owner: sudo chown -R owner-name:group-name folder-name
e.g sudo chown -R userName:admin folder-name
Try executing the script again and it should work.

Resources