Archive

Posts Tagged ‘tips’

Ultra Restricted Shell in Solaris

February 19th, 2009
Comments Off

How to setup a readonly environment on Solaris:

If you want to give a specific user readonly access to your solaris machine via ssh, and want to log everything they do, it is sort of easy to setup. Here is a quick step-by-step guide to setting it up.

1. First you will need to chose what restricted shell you want to use. In this case I used bash as I wanted the .bash_history file to contain the exact time every command was run on the system. Since Solaris does not come with the rbash command, the only thing you need to do is make a copy of /usr/bin/bash to /usr/bin/rbash.

2. Make the user’s shell be /usr/bin/rbash, this will make them use the restricted bash shell.

3. Make their home directory owned by root.

4. Make their .profile owned by root

5. Create a .bash_history file and make it owned by that user. This should be the only file in their directory that is owned by the user.

6. Pick a location for your “restricted” binaries to reside. If this user will be logging in to multiple machines and you have a shared file system (say /home) I would suggest making the directory in /home; say /home/rbin.. This way you only have to put /home/rbin in their PATH.

7. Make symbolic links in your restricted binary directory to the binaries you want to run. I.e. ls, ps, more, prstat,passwd and hostname :

lrwxrwxrwx   1 root     root          17 Feb 19 20:47 hostname -> /usr/bin/hostname*
lrwxrwxrwx   1 root     root          11 Feb 19 19:56 ls -> /usr/bin/ls*
lrwxrwxrwx   1 root     root          13 Feb 19 19:57 more -> /usr/bin/more*
lrwxrwxrwx   1 root     root          15 Feb 19 19:56 prstat -> /usr/bin/prstat*
lrwxrwxrwx   1 root     root          11 Feb 19 19:56 ps -> /usr/bin/ps*
lrwxrwxrwx   1 root     root          11 Feb 19 19:56 passwd -> /usr/bin/passwd*

By making these sym links instead of the actual binaries, you do not have to worry if you have multiple platforms that you are going between (i.e. Sparc, x86) and doing custom logic to use the right binary.

8. Create the users .profile with the following in it:

readonly PATH=/home/rbin
readonly TMOUT=900
readonly EXTENDED_HISTORY=ON
readonly HOSTNAME="`hostname`"
readonly export HISTTIMEFORMAT="%F %T "
readonly export PS1=‘${HOSTNAME}:${PWD}> ‘

This will make it so they can not change any of the Environment variables. It sets their path to /home/rbin. Sets a inactivity time out to be 15 minutes. Sets the extended history to be on (this logs the time each command was executed in their .bash_history file). And finally sets their prompt and makes it readonly as well.

9. The last thing you need to do is change the permissions on the scp and sftp-server binaries so that the user can not execute them. Otherwise, they would be able to download files and go any where on the server they want. (Restricted shell will prevent them from cd’ing out of their home directory) To do this, I created a group and put my user in it as their primary group. Say the group was called rdonly. Now I do the following:

setfacl -m group:rdonly:— /usr/lib/ssh/sftp-server
setfacl -m group:rdonly:— /usr/bin/scp

So the files should show up like this now:

bash-3.00# ls -la /usr/lib/ssh/sftp-server /usr/bin/scp
-r-xr-xr-x+  1 root     bin        40484 Jan 22  2005 /usr/bin/scp
-r-xr-xr-x+  1 root     bin        35376 Jan 22  2005 /usr/lib/ssh/sftp-server

And the getfacl will look like this:

bash-3.00# getfacl /usr/bin/scp

# file: /usr/bin/scp
# owner: root
# group: bin
user::r-x
group::r-x              #effective:r-x
group:rdonly:—           #effective:—
mask:r-x
other:r-x

This makes it so when the user tries to sftp or scp in to the machine, it will immediately disconnect them as they don’t have permissions to run those 2 executables.

That is about it. Don’t forget to set their password, make sure it has a policy set on it to be changed often and require a combination of letters, numbers and special characters and that it is at least 8 characters in length.

So now when the user logs in they will see something similar to this:

[laptop:~] unixwiz% ssh unixwiz@fozzy
Password:
Last login: Thu Feb 19 22:10:15 2009 from laptop
fozzy:/home/unixwiz> cd /
-rbash: cd: restricted
fozzy:/home/unixwiz> vi /tmp/test
-rbash: vi: command not found
fozzy:/home/unixwiz> PATH=$PATH:/usr/bin
-rbash: PATH: readonly variable
fozzy:/home/unixwiz> timed out waiting for input: auto-logout

As you can see, it will give you errors if you try to do something that you are not allowed to do. The last line shows the time out message where it closes the connection due to inactivity.

Now if the administrator goes and looks at the users .bash_history file they would see this:

#1235099570
cd /
#1235099577
vi /tmp/test
#1235099587
PATH=$PATH:/usr/bin

The #number is the exact time that the user ran the command below it. The item is the seconds since the epoch…

Security, Solaris, tips , , , , ,

Why everyone should use bart (AKA do the Bart Man)

May 17th, 2008
Comments Off

If you are using Solaris 10, and you have not used bart yet, you should stop everything and take a look at it.

For those who don’t know what bart is, it is the Basic Auditing and Reporting Tool that is in Solaris 10.

In a quick synopsis bart will create a report that shows all files/directories on a solaris machine. This report contains the permissions, owners, sizes, modify times and md5 hashes of all files on the system, along with acl’s if you are using ZFS.

So why is bart so important? First, it can be used as a security tool. When you install a new Solaris 10 system, the first thing you should do after you get it installed and patched and before it is placed on the network is run a bart on the system and save the report to a cd. This will be the “baseline” image of the system. Then every week/month you should run a bart against the machine again and then use the compare option to see what files have changed, added or deleted from the system. Where this comes in really handy is if your think that your machine has been hacked or compromised. You can use the comparison to determine which files may have been modified by the hacker.

But there is a non-security use for bart as well that is VERY useful. This use is one that I had not thought of until I needed it the other day. So what is this use? Reseting the permissions on files that were accidentally changed by an in-experienced UNIX person thinking that a “chmod -R 777 *” is the best way to fix their problems.

The first thing that came to my mind when I saw this happen was oh no, the machine had not even been backed up yet, and a day’s worth of work would have been lost. Even if the machine had been backed up, do you realize how long it would take to restore a file system with 40,000+ files, just because the permissions were screwed up. ( Note, the permissions on the various files were very different and even included some setuid, and setgiud files which were wiped out as well.)

So how did bart save the day? Luckly I had taken a bart of the machine before the work had begun on the file system. So after the chmod command was issued, I then took a bart of the file system again. I now could run a bart compare against the control and test manifest and see exactly what all had changed.

Once I had this output, I could then create a script to change the permissions of the files/directories back to the original values. All told after I finished tweaking my script it took about 20 minutes to reset the permissions on all the files and directories.

So here is a quick start to getting your first bart manifest of your system:

1. Create a bart_rules file. If you do not create a rules file, your output will only have Files and not directories listed in it. My simple bart_rules file looks like this:

/
CHECK ALL
/home
IGNORE ALL

I ignore the /home file system as in my case it was nfs mounted. In reality you would want to include all local file systems.

2. Create the bart, I keep the rules file in /root/bart_rules so I would run the command:

bart create -R / -r /root/bart_rules > /tmp/bart.output

This will create a bart manifest and output it to /tmp/bart.output. Looking at the first couple of lines of it looks like this:

unixwiz@sungeek:/home/unixwiz> head -20 /tmp/bart.out
! Version 1.0
! Saturday, May 17, 2008 (21:24:27)
# Format:
#fname D size mode acl dirmtime uid gid
#fname P size mode acl mtime uid gid
#fname S size mode acl mtime uid gid
#fname F size mode acl mtime uid gid contents
#fname L size mode acl lnmtime uid gid dest
#fname B size mode acl mtime uid gid devnode
#fname C size mode acl mtime uid gid devnode
/ D 1024 40755 user::rwx,group::r-x,mask:r-x,other:r-x 481d0e43 0 0
/.ICEauthority F 310 100600 user::rw-,group::—,mask:—,other:— 44c581c2 0 0 3eb63faf448e8a2b2c1a7b2019a8bde3
/.Xauthority F 99 100600 user::rw-,group::—,mask:—,other:— 44c560e0 0 0 5ffe2e5f4b6f73e662001f62f7cae4d3
/.bash_history F 649 100600 user::rw-,group::—,mask:—,other:— 481d1109 0 0 9132e0e798d5d05644cafc90c2aa876a
/.dt D 512 40755 user::rwx,group::r-x,mask:r-x,other:r-x 44c560e0 0 0
/.dt/appmanager D 512 40755 user::rwx,group::r-x,mask:r-x,other:r-x 44c5534d 0 0
/.dt/help D 512 40755 user::rwx,group::r-x,mask:r-x,other:r-x 44c5534d 0 0
/.dt/icons D 512 40755 user::rwx,group::r-x,mask:r-x,other:r-x 44c5534d 0 0
/.dt/sessionlogs D 512 40755 user::rwx,group::r-x,mask:r-x,other:r-x 44c5534c 0 0
/.dt/sessionlogs/sungeek_DISPLAY=:0 F 132 100644 user::rw-,group::r–,mask:r–,other:r– 44c560e0 0 0 6d4e62fc972046a7a85fdb36a0ce21fd

The first part of the file, the part that begins with #fname is a legend as to how each type of line is formed.
So looking at the first actual line of the contents :

/ D 1024 40755 user::rwx,group::r-x,mask:r-x,other:r-x 481d0e43 0 0

We see that the fnmae is /, it is a directory, with a size of 1024. Its mode is 755, the last modified time is the “481d0e43″ and it is owned by uid 0 and gid 0.

Looking at a file in particular we see this:

/httpd/htdocs/index.html F 10 100644 user::rw-,group::r–,mask:r–,other:r– 463d4f4b 0 0 b7a9369d4cc9f82ed707bce91ced8af8

In the above, we see that the file is 10 bytes, has a permissions of 644 and is owned by root/root.

Now suppose that I for some reason by accident was in the /httpd/htdocs directory and did a chmod -R 777 *. Since I had my control manifest, I would then run another bart and then use the compare option. What I would get is something like this:

#bart compare /tmp/bart.output /tmp/bart.output2
/httpd/htdocs/index.html:
  mode  control:100644  test:100777
  acl  control:user::rw-,group::r–,mask:r–,other:r–  test:user::rwx,group::rwx,mask:rwx,other:rwx

Here we can see that the permissions has changed from 644 to 777. But the output is not really easy to parse with a script. So we need to use the “-p” option on the bart compare:

#bart compare -p /tmp/bart.output /tmp/bart.output2
/httpd/htdocs/index.html mode 100644 100777 acl user::rw-,group::r–,mask:r–,other:r– user::rwx,group::rwx,mask:rwx,other:rwx

In the above, since the only thing that was changed was the mode, that is the only thing that is listed.

here are some other examples:

/var/samba/locks/browse.dat mtime 482f8544 482f8800
/var/samba/locks/unexpected.tdb contents 7c3404e9622749702e3df56caf26fe72 72983947ada3260a236394a51aef0d31

The first line shows that the file browse.dat modify time changed, but nothing else. The second line shows that the unexpected.tdb had it’s contents change. This can been see by the 2 different hashes.

Here is another example of the index.html file above, after it had been edited:

bash-3.00# bart compare /tmp/bart.out /tmp/bart.out3
/httpd/htdocs/index.html:
  size  control:10  test:26
  mode  control:100644  test:100777
  acl  control:user::rw-,group::r–,mask:r–,other:r–  test:user::rwx,group::rwx,mask:rwx,other:rwx
  mtime  control:463d4f4b  test:482f8b89
  contents  control:b7a9369d4cc9f82ed707bce91ced8af8  test:1567caf683e3859cb5da7335c35438f7

Once again this is in the “human” readable format, the “machine” readable looks like :

bash-3.00# bart compare -p /tmp/bart.out /tmp/bart.out3
/httpd/htdocs/index.html size 10 26 mode 100644 100777 acl user::rw-,group::r–,mask:r–,other:r– user::rwx,group::rwx,mask:rwx,other:rwx mtime 463d4f4b 482f8b89 contents b7a9369d4cc9f82ed707bce91ced8af8 1567caf683e3859cb5da7335c35438f7

(the above is actually all on one line.)

Once you have the output of the bart after the “oops” you will need to run the bart compare with options to ignore some items. Since I am only interested in the mode, the size, mtime and contents can be ignored. I used the following:

bash-3.00# bart compare -i size,mtime,contents,uid,gid -p /tmp/bart.out /tmp/bart.out2

This only shows files that have had their mode changed:

bash-3.00# bart compare -i size,mtime,contents,uid,gid -p /tmp/bart.out /tmp/bart.out2
/httpd/htdocs/index.html mode 100644 100777 acl user::rw-,group::r–,mask:r–,other:r– user::rwx,group::rwx,mask:rwx,other:rwx

You should redirect this output to a file, so that it can then be used to generate a script.
With the output in a file I then did this:

cat /tmp/bart.compare | awk ‘{print "chmod "$3" "$1}’ > /tmp/CHANGEPERMS

So basicly I cat the file and print the chmod command allong with the 3rd field (100644) and then the first field (/httpd/htdocs/index.html) and redirect this to a new file. Once I spot check this file, you can then run it and it will “reset” the permissions back.

Now everything I have shown above is based on the machine having a UFS file system. If you run bart against a file system that is ZFS, you will get a manifest that looks something like this:

/home/unixwiz/bin/php F 10587732 100755 owner@::deny,owner@:read_data/write_data/append_data/write_xattr/execute/write_attributes/write_acl/write_owner:allow,group@:write_data/append_data:deny,group@:read_data/execute:allow,everyone@:write_data/append_data/write_xattr/write_attributes/write_acl/write_owner:deny,everyone@:read_data/read_xattr/execute/read_attributes/read_acl/synchronize:allow 4743a7fa 100 14 9b8cfb15ed069bd6e43d7c2ae11a3e23

It shows the ZFS extended acl’s.

So if you haven’t started using bart, you should start as soon as possible.

Security, Shell Scripts, Solaris, ZFS, tips , , , ,

Toyota Prius + Delphi RoadyXT

February 19th, 2007
1 comment

I got Ashley as RoadyXT for christmas, but ever since then when using the line out of it going to the line in in her car produced awful results. I called Delphi back in january and told them I thought I had a grounding problem (which I thought was in the base that the radio plugs in to) so they sent me a new base. Well that base did the same thing. So I called them back today and talked to some one who actually had a clue, and told him what was going on. He agreed that I had a grounding problem, but wasn’t totally sure how to fix it. So I went to Auto Zone and the only thing they had was a noise filter that had to be soldered inline in to the 12volt port. Something about doing that was not comfortable to me. So I went to Radio Shack, and got a Ground Loop Isolator and some other cables to do all the gender changing, and now the radio works perfectly.. Hope this helps any one else who is having a “humming” and has a dirty sounding audio.

Interesting, Random Stuff, tips , ,

Interesting AIX tip

September 29th, 2006
1 comment

Ever wonder were all the space went in a file system? Does du and df show different results on the same file system? Chances are some one deleted a file that was open in a particular file system. For example the /tmp file system on one of our machines has been filling up and then some one was deleting files from it. But the space is never recovered. In the AIX errpt you may see something like this:

LABEL: JFS_FS_FULL
IDENTIFIER: 369D049B

Date/Time: Wed Sep 27 16:58:08 2006
Sequence Number: 780
Machine Id: 002AA9AF4C00
Node Id: aixbox
Class: O
Type: INFO
Resource Name: SYSPFS

Description
UNABLE TO ALLOCATE SPACE IN FILE SYSTEM

Probable Causes
FILE SYSTEM FULL

Recommended Actions
USE FUSER UTILITY TO LOCATE UNLINKED FILES STILL REFERENCED
INCREASE THE SIZE OF THE ASSOCIATED FILE SYSTEM
REMOVE UNNECESSARY DATA FROM FILE SYSTEM

Detail Data
MAJOR/MINOR DEVICE NUMBER
000A 0007
FILE SYSTEM DEVICE AND MOUNT POINT
/dev/hd3, /tmp

The hint to finding the files is given in the first line of the recommended actions. Use the fuser command. The actual command is:

fuser -dV /tmp

What this will show you is something similar to this:

root@aixbox:/>fuser -dV /tmp
/tmp:
inode=34     size=675155       fd=0      200858
inode=43     size=114531       fd=0      286764
inode=66     size=59021846     fd=0      335986
inode=77     size=2322588      fd=0      389232
inode=46     size=601938       fd=0      413872
inode=61     size=28498        fd=0      430332
inode=44     size=1280774965   fd=0      434292
inode=40     size=2884063      fd=0      442590
inode=51     size=2395908      fd=0      467132
inode=73     size=8224333      fd=0      479402
inode=42     size=140607       fd=0      524474
inode=64     size=163405       fd=0      553054
inode=49     size=350562       fd=0      618644
inode=63     size=2375730      fd=0      663568
inode=74     size=3372392      fd=0      696356
inode=58     size=65535        fd=0      819204
inode=57     size=424777       fd=0     1106024
inode=62     size=2030397      fd=0     1147064
inode=76     size=57187        fd=0     1163494
inode=31     size=1376255      fd=0     1171540
inode=56     size=53834        fd=0     1216530
inode=52     size=361520961    fd=0     1278152
inode=81     size=15972886     fd=0     1294462
inode=70     size=13390097     fd=0     1323224
inode=60     size=7559         fd=0     1380400
inode=50     size=40132        fd=0     1429514
inode=65     size=720895       fd=0     1450220
inode=79     size=12582477     fd=0     1507350
inode=47     size=169682       fd=0     1593582
inode=48     size=259432       fd=0     1605642
inode=78     size=1488191      fd=0     1671280

The column we are really interested in is the last one. That is the column that contains the Process ID of the process that has a particular file open in that file system. So for example process id 1671280 has inode 78 in the /tmp file system open, and that file is using ~1.4MB of space. So if you “kill 1671280″ you would recover the 1.4MB of space. (But make sure you kill it in the proper way, i.e. find out what the process really is and shut it down nicely.)

AIX, tips ,

File moving tip and other tar info

January 26th, 2006
Comments Off

With the recent move of a lot of machines around, we have run in to some problems with SSH interoperability. Specificly between the OpenSSH and the SSH from ssh.com. One of the quirks that we have seen is that you can not use scp from openssh to the ssh.com one. For some reason it always wants to use ssh v1 instead of v2. So I have been answering a lot of questions about how to move files from one machine to another. For example say you had all your files in your home directory on Machine A and you wanted to move them to Machine B, you could do the following:

#Make sure you are on machine B
ssh machineA "tar -cf – ." | tar -xf -

What the above will do is log you in to machine A and run the tar command with the output going to stdout. Which then gets piped in to the tar command on the local host to read from stdin. Depending on the size of your home directory will tell how long it takes to copy. Remember that it will take a little longer than doing it locally as you are now encypting/compressing each file as it goes through ssh. It will also depend on the network speed between the hosts and even down to the processor speed some times.

Now a couple of interesting notes on tar:

  1. To handle extremely long paths/links on solaris, use the gnu tar, which on Solaris 9+ is in /usr/sfw/bin/gtar
  2. AIX tar will not handle files over 2GB for some reason. So you must use GNU Tar. Also make sure it is a fairly recent one if you are on AIX 5.x, IBM made the nobody uid be 4294967294. Yup they made it 4,294,967,294 which is larger than the uid_t value that can be stored in some tar archives.

tips