When installing tripwire on debian, it prompts me if I want to create a site key, local key, and finally, need to click 'ok' when completed.
Is there a way I can install tripwire, not create any keys, and answer the 'ok' at the end?
I'm using Digital Ocean's 'user data' where I copy & paste a bunch of bash commands so I can deploy a new droplet quickly.
Edit:
Looks like I was able to mute them but I still get this:
Setting up tripwire (2.4.2.2-4) ...
chmod: cannot access ‘/etc/tripwire/site.key’: No such file or directory
chmod: cannot access ‘/etc/tripwire/debian-512mb-nyc2-01-local.key’: No such file or directory
How can I avoid the chmod: cannot access errors?
To just suppress the errors redirect the stderr to /dev/null in your userdata script. Or if you want a log of the errors redirect it to a file so you can review upon startup.
chmod /etc/tripwire/site.key 2>/dev/null
or
chmod /etc/tripwire/site.key &>/tmp/chmod.log
Related
I have a post-commit hook in my subversion that will export a copy of my repo to a desired location for deployment. That part works fine, but it comes in with apache:apache. I need this to be changed to prod_user:prod_user. If I try to add a chown statement in my script, it will fail. If I try to use sudo, it will ask for a password that I cant give because this happening in a post-commit script. I'd like this to be as automated as possible.
My question is: How can I make this work? I need to export the contents of my repo to the production folder and convert the users/groups to match existing production users/groups.
Is there a way to pass my password as an argument to a sudo command?
Thank you for your help!
Is there a way to pass my password as an argument to a sudo command?
Don't do it, if at all possible. This will leak your password to anyone that can read the script.
But if you can't avoid it, use echo <password> | sudo -S <command> - -S makes sudo read from stdin so you can give it the password from there
Don't do any of sudo, chown, chgrp. It is not the responsibility of the uploader to fix permissions on the remote server.
Have the server administrator properly setup these, so that pushing production files from the repository works straight without messing with sudo permission at the server.
If you are the one same person, then take the time to fix the server side to avoid having a remote user elevate its privileges (even temporarily with sudo) for the sake of fixing uploaded files permissions.
Use crontab -e as root user, then you can change ownership without escalation of privileges.
Or run as prod_user and make it check out the code ...then it is already the owner of the files.
Keeping a file with the last deployment timestamp can be used to compare to HEAD timestamp.
I have just got some domain hosting and I am wondering how to execute a CMD or a .sh file.
I am attempting to make a game server but the software requires me to execute the file. The file managers are rubbish and I have a Nexus 7 that can do FTP. I think I missed something just let me know if you need more information.
You must set executable permission to the .sh file in order to execute it in console.
First of all I am not sure if you could execute it with a cli ftp connection to the hosting.
You must connnect via ssh, then cd the directory where the .sh file is, then change the permission.
If you only want to execute the file, and you don't care the code, then give only execute permission to the file for your user with: chmod 100 file.sh then execute it with ./file.sh
If you want to read the code, then chmod 500, and if you want full perms for your user then chmod 700 make any combination to give or deny perms for users in your own group, or for others.
I have written a little test script to prevent running my script simultaneously with flock:
#!/bin/bash
scriptname=$(basename $0)
lock="/var/run/${scriptname}"
umask 0002
exec 200>$lock
flock -n 200 || exit 1
## The code:
sleep 60
echo "Hello world"
When I run the script with my user and try to run the script with another user I got following error message with the lock file.
/var/run/test.lock: Permission denied
Any idea?
Kind regards,
Andreas
In a comment, you mention that
other user is in the same group. file permissions are -rw-r--r--
In other words, only the first user has write permissions on the lock file.
However, your script does:
exec 200>$lock
which attempts to open the lockfile for writing. Hence the "permission denied" error.
Opening the file for writing has the advantage that it won't fail if the file doesn't exist, but it also means that you can't easily predict who the owner of the file will be if your script is being run simultaneously by more than one user. [1]
In most linux distributions, the umask will be set to 0022, which causes newly-created files to have permissions rw-r--r--, which means that only the user which creates the file will have write permissions. That's sane security policy but it complicates using a lockfile shared between two or more users. If the users are in the same group, you could adjust your umask so that new files are created with group write permissions, remembering to set it back afterwards. For example (untested):
OLD_UMASK=$(umask)
umask 002
exec 200>"$lock"
umask $OLD_UMASK
Alternatively, you could apply the lock with only read permissions [2], taking care to ensure that the file is created first:
touch "$lock" 2>/dev/null # Don't care if it fails.
exec 200<"$lock" # Note: < instead of >
Notes:
[1]: Another issue with exec 200>file is that it will truncate the file if it does exist, so it is only appropriate for empty files. In general, you should use >> unless you know for certain that the file contains no useful information.
[2]: flock doesn't care what mode the file is open in. See man 1 flock for more information.
I was trying to use flock on a file with shared group permissions with a system account. Access permissions changed in Ubuntu 19.10 due to an updated kernel. You must be logged in as the user who owns the file, and not a user whose group matches the file permissions. Even sudo -u will show 'permission denied' or 'This account is currently not available'. It affects fifo files like the ones used by the flock command.
The reason for the change is due to security vulnerabilities.
There is a workaround to get the older behaviour back in:
create /etc/sysctl.d/protect-links.conf with the contents:
fs.protected_regular = 0
Then restart procps:
sudo systemctl restart procps.service
Run the whole script by sudo /path/script.sh instead of only /path/script.sh
I'm wanting to make a simple program that runs each time on login behind the UI. In my applescript I'm running a sudo command that requires admin authentication. Is there a way to overwrite the need for authentication each time it runs? I don't want to have to type my username and password each time this script runs after login. any help? (and in very simple terms to as I'm a novice.)
Much Thanks!
You can put your username and password in the applescript command so that it doesn't ask for those credentials. However note that these items are stored as plain text inside the applescript and thus it's possible for others to see them. It's not really secure but it's up to you to decide if it's safe. NOTE: you don't need "sudo" in the command any longer.
do shell script "whatever" user name "username" password "password" with administrator privileges
There are methods where you can store your password in the Keychain and retrieve it from the applescript, thus making it secure. If you want to do that then you create the password item as follows.
Open Keychain Access application and select the keychain in the left column. Then click File>New Password Item..., give it a name, put your account shortname in account, and enter the password. Highlight it in the password list and get information on it. Under the Attributes button enter its kind as generic key. This is chosen because there aren't many of them and the search is much faster. Whatever name you give to it must be put in the code below in "Your Password Name".
Now from applescript you can use it like this...
set myPass to getPW()
do shell script "whatever" user name "username" password myPass with administrator privileges
on getPW()
do shell script "security 2>&1 >/dev/null find-generic-password -gl \"Your Password Name\" | awk '{print $2}'"
return (text 2 thru -2 of result)
end getPW
Good luck!
Another solution is editing the
etc/sudoers
configuration file.
A setting on that file can allow a specific user to execute a specific commands (with... yes... specific parameters) as super user.
If the command itself is not the problem, but the problem is exposing the password in the code then this may be the solution.
The sudores file should be edited running the command visudo as super user.
Before you start tampering with sudoers I strongly suggest you to get a basic knowledge of visudo and the sudoers syntax, as messing that file may causes serius issues to the system.
As you know what you are doing is just a matter of adding a couple of lines.
For information you may Google or start here http://www.sudo.ws/sudoers.man.html
If you want all Administrator accounts to be able to use the sudo command without entering a password, then do the following.
Change the line shown below in the /private/etc/sudoers file from
%admin ALL=(ALL) ALL
to
%admin ALL=(ALL) NOPASSWD: ALL
This edit can be accomplished, by using the Terminal and TextEdit applications. Open the Terminal application and type the following commands:
cd ~/desktop
sudo cp -n /etc/sudoers /etc/sudoers.orignal
sudo cp /etc/sudoers sudoers.txt
sudo chmod ug+w sudoers.txt
open sudoers.txt
visudo -c -f sudoers.txt
sudo cp -X sudoers.txt /etc/sudoers
When done, the sudoers.txt file on your desktop can be put in the trash.
To undo your changes, use the command:
sudo cp /etc/sudoers.original /etc/sudoers
This was tested using OS X 10.10.1
If you want to do the same for a single user then see:
http://hints.macworld.com/article.php?story=20021202054815892
Below is a brief explanation of what each command does:
cd ~/desktop
This makes sure you are working from your desktop folder.
sudo cp -n /etc/sudoers /etc/sudoers.original
This backups your sudoers file. The backup can be used to undo your changes. The -n option insures that an existing sudoers.original file will not be overwritten.
sudo cp /etc/sudoers sudoers.txt
Copies the sudoers file to your desktop. The .txt extension is added so OS X will know this is a text file.
sudo chmod ug+w sudoers.txt
Changes the file’s permissions to allow write access.
open sudoers.txt
Opens the file in the TextEdit application. You need to edit the file and save the changes.
visudo -c -f sudoers.txt
Checks the edited file for syntax errors. The output should be sudoers.txt: parsed OK.
sudo cp -X sudoers.txt /etc/sudoers
Copies the file back to the /etc directory.
Problem: to copy a directory tree from the "me" master user to the encrypted harddrive of the "cs"-user:
su cs
bash-3.2$ cp -R /Users/me/cs_project /Users/cs/
cp: /Users/cs/cs_project: Permission denied
cp: /Users/me/cs_project/h_mark: unable to copy extended attributes to /Users/cs/: Permission denied
cp: /Users/cs/: No such file or directory
...
Question: How can I copy my project of the master user "me" to my other user "cs"?
New information about the Encryption
I got the suggestions working with other users, but not with the origal users. The problem is that the 'cs' user has Mac's SafeVault encryption.
Is the "me" user an administrator? If so, you can log in as me, then manually mount cs's home image with:
sudo hdiutil mount /Users/cs/cs.sparsebundle
cp -R /Users/me/cs_project /Volumes/cs/
Notes: the sudo command will ask for me's password, and then hdiutil might pop up a GUI dialog asking for the FileVault master password; you can either supply this (if you know it), or hit the cancel button and enter the encryption password (i.e. cs's password) in the CLI when it prompts for that. Also, the image should mount with file ownership ignored, meaning that you don't have to sudo the cp command (OTOH, the permissions may come out a little weird on the copied files, so expect to clean them up afterward).
Alternately, you could take the easy way: log in as me, copy/move the files to some public location, set the permissions on them to grant cs read access, then log in as me and copy them.
You need to set permissions. The easiest thing is probably:
$ su me
$ chmod -R o+r /Users/cs/cs_project
Whatever user you're running this command under needs permission to read (and search dirs, i.e. the x permisison bit) throughout the tree rooted at /Users/me/cs_project and for course permission to write in /Users/cs. You can change permissions as needed with command chmod.
try sudo cp -R /Users/me/cs_project /Users/cs/