Using Red Hat Enterprise Linux is it possible to place a global option that whenever a user exits an SSH connection the BASH history for that user is cleared?
In the /etc/bash.bash_logout script you can put:
unset HISTFILE
The default for HISTFILE is ~/.bash_history. The user can set this to whatever they wish. If it's not set, the logout process doesn't write the history information that's in RAM to the history file.
Put the following in ~/.bash_logout
echo > $HISTFILE
This will erase the saved history for a user at logout, but will keep a useful running history when user is logged-in.
I know you can manually run
history -c
I think you can put this into your ~/.bash_logout.
The user can always save their history to a non-standard file and reload it on the next login, so their isn't much you can do from a global standpoint to stop it.
For example, Bob might put the following in his ~/.bash_login:
HISTFILE=~/my_secret_history_file
When needed to let the histories empty - I use symlinking them to /dev/null...
lrwxrwxrwx 1 root root 9 Dez 16 19:10 .ash_history -> /dev/null
lrwxrwxrwx 1 root root 9 Dez 16 19:10 .bash_history -> /dev/null
...then the history of typed commands work only for current session.
Starting a new shell, starting a new empty temporary history.
Symlinking them for normal users to /dev/null have to be done by: root
Related
This might probably be a no brainer for unix guys. Just wanted to ask a simple query.
I had created 3 scripts:
wrapper.sh
inside1.sh and
inside2.sh.
Within wrapper.sh I'm calling the inside1.sh and inside2.sh. Now I have logged in as user bob and in the sudoers file I have given permissions for bob to run the wrapper.sh as root.
I have deliberately provided no read or execute access for all the 3 scripts for user bob. So 'bob' cannot see the scripts existing.
Now since I have added wrapper.sh in sudoers, I'm able to run the wrapper.sh file as root. The id command inside the wrapper.sh prints id=0.
But when the line calling the inside1.sh or inside2.sh comes to execute, there is an error saying that inside1.sh - not found.
So coming to my query:
If a shell script is set to run as root in sudoers file and if that shell script calls multiple other shell scripts, will the other scripts be executed as root? Will the permissions cascade?
Can someone clarify? Thanks for the patience.
The whole path to inside1.sh must be open to root, otherwise he won't view the file. To check this, run something like this
U_PATH= < path to inside1.sh >
LIST=` echo ${U_PATH} | sed "s/\// /g" `
T_PATH=""
for x in $LIST
do
echo ${x}
T_PATH=${T_PATH}/${x}
ls -lsd ${T_PATH}
done
and check everything either is owned by root or as privileges > 555.
I am trying to make the at bash command to run, but it is not working for me. I can add a job to the queue, but it is not run when the time is up. What am I doing wrong?
hpek#melda:~$ cat /usr/lib/cron/at.deny
hpek#melda:~$ atq
hpek#melda:~$ at now +2 minutes
echo TTTEEEST
job 12 at Sun May 6 02:09:00 2012
hpek#melda:~$ date
Sun May 6 02:10:24 CEST 2012
hpek#melda:~$ atq
12 Sun May 6 02:09:00 2012
hpek#melda:~$
UPD2021.08.06 atd was removed in MacOS 11.5.2 (or earlier)
$ sudo find / -name atd -print 2>/dev/null
$
It is working fine. It's just that commands running with at don't write their output to the terminal that you called it from.
Try:
at now +2 minutes
echo TTTEEEST > new_file_test
You'll see the file appear in two minutes.
Take a look at /var/at/jobs and see if your at jobs are listed there. (It may be a different directory based upon OS).
By default, at isn't enabled on most systems. In order for at jobs to actually get executed, the atrun command must execute.
This command is executed either through launchd or through the cron depending upon the system.
The exact mechanisms are different from system to system, so you'll have to read all the various manpages on at, atrun, etc. to verify if at is really enabled on your system, and whether you have permissions to run at jobs. There's normally both an ant allow and an ant deny file on your system, so you need to check both. You must be both in the allowed file, and also not in the deny file.
On top of that, you have to make sure that at is even enabled on your system (due to security concerns, it is usually disabled).
Check your mail:
An at - or batch - command invoked from a su(1) shell will
retain the current userid. The user will be mailed standard
error and standard output from his commands, if any. Mail
will be sent using the command /usr/sbin/sendmail. If at is
executed from a su(1) shell, the owner of the login shell
will receive the mail.
I've found this here
First make sure that the at daemon is running using a command like this:
# ps -ef | grep atd
root 8231 1 0 18:10 ? 00:00:00 /usr/sbin/atd
If you don’t see atd running start it with this command:
# /etc/init.d/atd start
To analyze at(d) execution problems it may help to
Check /etc/at.allow and /etc/at.deny for existance and contents (see man at.allow)
Check owner and access rights of the atd spool directory
(/var/spool/cron/atjobs, daemon:daemon, 770 on Ubuntu)
Check if atd daemon is running (systemctrl -a | grep atd on Ubuntu)
tail -f /var/log/syslog (at execution time)
journalctl -b | grep atd (found that here, contains further hints)
The "Permission denied" error may also be caused by limited number of logins defined (for the at running user) in /etc/security/limits.conf.
I too faced same issue with echo when used along with at command. But if you try to redirect the output using > or >> then it works perfectly. Also try some other system commands like reboot, ls > some_text_file etc to make sure at command is working. Else try
sudo systemctl enable --now atd to enable at daemon
Conclution First:
atrun or atd daemon is not running, causing this problem.
Guideline to solve your case:
check at mannul by man at first.
In my case, I(macos 10.13.6) found following info:
Note that at is implemented through the launchd(8) daemon periodically invoking atrun(8), which is disabled by default. See atrun(8) for information about enabling atrun.
check atrun mannul by man atrun, I found :
The atrun utility runs commands queued by at(1). It is invoked periodically by launchd(8) as specified in the com.apple.atrun.plist property list. By default the property list contains the
Disabled key set to true, so atrun is never invoked.
Execute the following command as root to enable atrun:
launchctl load -w /System/Library/LaunchDaemons/com.apple.atrun.plist
I wrote a script that sends the date and username of the person who logs in to a log file to keep a record of who has logged in. I am wondering how can you set this script to execute automatically when a user logs in rather than have to manually run it in the terminal. NOTE: the USERNAME is the current user that is logged in.
my code:
#!/bin/bash
printf "$(date) $HOSTNAME booted!\n" >> /home/USERNAME/boot.log
A more elegant way to solve this problem is to read from log files that are already being written and cannot be changed by the user. No one could say it better than Bjørne Malmanger's in his answer:
I wouldn't trust the user to GIVE you the information. As root you
TAKE it ;-)
A nice way to do this is the last command, which is great because it neatly displays all logins: Graphical, console and SSH.
last
A less elegant but still secure way is to do a grep on /var/log/auth.log. On my Gnome/Ubuntu system I can use this to track graphical logins:
grep "session opened for user USERNAME"
The right pattern for your machine needs to be found for each login type: graphical, console and SSH. This is cumbersome, but you might need to do it if you need information that goes further back than last reaches.
To directly answer your question:
You can modify the script like this to get the username
#!bin/bash
printf "$(date) $HOSTNAME booted!\n" >> /home/$(whoami)/boot.log
And add this line to /etc/profile
. /path/to/script.sh
This is not secure though because the user will be able to edit his own log
Why don't you use the last command?
I wouldn't trust the user to GIVE you the information. As root you TAKE it ;-)
Put it in ~/.bash_profile. It will be run each time they log in.
More information is available at the women's rights page (i.e. man bash).
there are currently 2 PCs, PC1 and PC2.
I have an Ant script on PC1, the script will execute bash commands on PC2 using sshexec task, the snippet may like the following:
<sshexec
host="${IPofPC2}"
username="${USERofPC2}"
password="${PASSofPC2}"
command='echo "Hello World!"'
trust="true"></sshexec>
in practice the command is a complex one, I give echo "Hello World!" for an example.
I want to see what exactly the command is that have executed on PC2, but I don't know how to.
I googled and find .bash_history will save the remotely executed commands by one login using ssh-like terminal.
It seems this may help, but tried with no success, the .bash_history file won't record commands executed by sshexec task remotely.
So SOS, please help. Thanks in advance.
Edit:
#/etc/syslog.conf
!sshd
*.* /var/log/sshd.log
Attachment:
$cat /var/log/sshd.log
Dec 8 17:36:29 brownshen
launchproxy[1373]:
/usr/libexec/sshd-keygen-wrapper:
Connection from: 10.224.105.186 on
port: 4090 Dec 8 17:36:30 brownshen
sshd[1376]: in pam_sm_authenticate():
Failed to determine Kerberos principal
name. Dec 8 17:36:30 brownshen
sshd[1374]: Accepted
keyboard-interactive/pam for zhouvega
from 10.224.105.186 port 4090 ssh2 Dec
8 17:36:30 brownshen
com.apple.SecurityServer[23]: Session
0x3096eb created Dec 8 17:36:30
brownshen
com.apple.SecurityServer[23]: Session
0x3096eb attributes 0x20 Dec 8
17:36:30 brownshen
com.apple.SecurityServer[23]: Session
0x3096eb dead Dec 8 17:36:30
brownshen
com.apple.SecurityServer[23]: Killing
auth hosts Dec 8 17:36:30 brownshen
com.apple.SecurityServer[23]: Session
0x3096eb destroyed
Take a look at this: http://www.unix.com/unix-advanced-expert-users/4722-ssh-command-logging.html
My first thought was that you could change the shell specified in passwd to be a shell-wrapper that logs all input, but I think the sshd approach is better.
And, unless you have a good reason to (user input?) you should use SSH keys for auto-logins instead of saving passwords.
You will need to make sure that your script is actually being executed by Bash and not sh. Then, add these to the beginning of your script:
HISTFILE=$HOME/.bash_history
set -o history
Choose a different file to save the history separately from the user's interactive history. You can use set -o history to turn history saving on and set +o history to turn it off. You can use this selectively to only save parts of the script.
Add this at the end of your script to write the in-memory history to the file:
history -w
Note that the HISTSIZE variable affects how many lines of history are stored in memory. The default is 500 which could be quickly filled by an executing script. The HISTFILESIZE variable also defaults to 500 and the same issue applies. You may need to set these variables to larger values in your script and set HISTFILESIZE' also in the user's startup file (e.g.~/.bashrc`) so it doesn't get truncated during interactive use if you're using the same history file.
Note that for some uses, instead of using history you can use set -x to turn on tracing and capture stdout to a file.
How do I get the name of the active user via the command line in OS X?
as 'whoami' has been obsoleted, it's probably more forward compatible to use:
id -un
If you'd like to display the full name (instead of the username), add the -F flag:
$ id -F
Andrew Havens
I'm pretty sure the terminal in OS X is just like unix, so the command would be:
whoami
I don't have a mac on me at the moment so someone correct me if I'm wrong.
NOTE - The whoami utility has been obsoleted, and is equivalent to id -un. It will give you the current user
whoami
EDIT
The whoami utility has been obsoleted by the id(1) utility, and is equivalent to id -un. The command id -p is suggested for normal interactive use.
Via here
Checking the owner of /dev/console seems to work well.
stat -f "%Su" /dev/console
There are two ways-
whoami
or
echo $USER
You can also use the logname command from the BSD General Commands Manual under Linux or MacOS to see the username of the user currently logged in, even if the user is performing a sudo operation. This is useful, for instance, when modifying a user's crontab while installing a system-wide package with sudo: crontab -u $(logname)
Per man logname:
LOGNAME(1)
NAME
logname -- display user's login name
If you want to know who's currently logged in to the system:
$ w
15:56:14 up 5 days, 20:58, 6 users, load average: 0.43, 0.53, 0.50
USER TTY LOGIN# IDLE JCPU PCPU WHAT
me pts/2 Fri19 1:03m 0.98s 0.98s -/bin/bash
me pts/3 09:55 6:00m 0.43s 0.43s /bin/bash
me pts/5 15:56 0.00s 0.23s 0.00s w
(This is from a Linux system; the formatting on OS X may be slightly different, but the information should be about the same.)
There may be multiple login sessions; UNIX is designed to be a multi-user system, after all.
The question has not been completely answered, IMHO. I will try to explain: I have a crontab entry that schedules a bash shell command procedure, that in turn does some cleanup of my files; and, when done, sends a notification to me using the OS X notification center (with the command osascript -e 'display notification ...). If someone (e.g. my wife or my daughter) switches the current user of the computer to her, leaving me in the background, the cron script fails when sending the notification.
So, Who is the current user means Has some other people become the effective user leaving me in the background? Do stat -f "%Su" /dev/console returns the current active user name?
The answer is yes; so, now my crontab shell script has been modified in the following way:
...
if [ "$(/usr/bin/stat -f ""%Su"" /dev/console)" = "loreti" ]
then /usr/bin/osascript -e \
'display notification "Cleanup done" sound name "sosumi" with title "myCleanup"'
fi
getting username in MAC terminal is easy...
I generally use whoami in terminal...
For example, in this case, I needed that to install Tomcat Server...
You can also retrieve it from the environment variables, but that is probably not secure, so I would go with Andrew's answer.
printenv USER
If you need to retrieve it from an app, like Node, it's easier to get it from the environment variables, such as
process.env.USER.
Define 'active user'.
If the question is 'who is the logged in user', then 'who am i' or 'whoami' is fine (though they give different answers - 'whoami' reports just a user name; 'who am i' reports on terminal and login time too).
If the question is 'which user ID is the effective ID for the shell', then it is often better to use 'id'. This reports on the real and effective user ID and group ID, and on the supplementary group IDs too. This might matter if the shell is running SUID or SGID.
you can open terminal and write down following command:
id -un
or
whoami
This will return your current login username.