Archive
Enablement Security Policies with Sudo
Policies in Linux
You get many types of security policies that allow or prevent users in a multiuser environment to perform a certain task. You get policies that allow a specific task, and you get policies that disallow a task where it would otherwise be allowed, and policies that control the frequency or limit that amount of times a task can be performed, and so on.
Linux doesn’t have a single system or architecture for such policies. Software usually implement these themselves and provide a way to manage them if the administrator wants to enable them. Though, an enormous amount of control can be exercised with process ownership and file permissions or ACLs alone.
However, the root user (administrator user on Unix systems) on Linux has total control. When you have a root shell there is no file you can’t edit, or no process you can’t control. With ultra high security requirements this can be a problem. SELinux is a system which implements policies in a different way where you can secure your system beyond what is available by default. For more information on SELinux, see SELinux on WikiPedia.
Creating Policies with sudo
Let me explain with a hypothetical example. Assume you wanted to give a specific group of users the ability to clear a certain process’ log file.
To do this the file itself needs to be emptied and a USR1 signal sent to the process to have it reopen the file. The process runs as user and group foo, so the logged in users will not be allowed to send a signal to it. The log file is also owned by the same foo user and group, so they won’t be allowed to write to it, and thus can’t empty it either.
To give them access to this, you can create a group named logflushers which will control access through membership. Then create a script that performs the 2 necessary tasks. Assuming the script is named /usr/bin/flushfoolog, you can add the following line to the /etc/sudoers file to enable the members of the logflushers group to execute the command as the foo user:
%logflushers ALL=(foo) NOPASSWD: /tmp/notouch
With this in place any of logflushers group’s members can flush the log by running:
sudo -u foo flushfoolog
If the user is not part of the logflushers group and they try to run this, they’ll get an error like the following:
Sorry, user quintin is not allowed to execute '/usr/bin/flushfoolog' as foo on localhost.
Simplifying the Command
The command to flush the foo log seems a bit redundant. You can simplify it by adding the following to the top of the /usr/bin/flushfoolog bash script. If it’s not a bash script you just need to implement the same logic in whatever language it is.
targetuser=foo if [ $(id -u) -ne $(id -u $targetuser) ] then sudo -u $targetuser "$0" exit $? fi
What this does is check if the script is being run as the foo user. If it’s not, then it will execute the same command as the foo user, using sudo. If a user isn’t granted permission to run this command via sudo, (they’re not in the logflushers group) then they’ll get the error saying they’re not allowed to run this command as the foo user.
Conclusion
Sudo makes it very easy to control or grant access to commands to certain users. If combined with scripts access control can be made finer performing programmatic tasks or access control inside the script.
So Why Love Linux? Because it’s so simple to implement flexible access control when combining sudo and scripting.
Pipes and FIFOs
Overview
The basic design of the Unix command line world is the same one which makes it so powerful and which many people swear by, namely the pipes and FIFOs design. The basic idea is that you have many simple commands which take an input and produce an output, and then to string them together into something that will give the desired effect.
Standard IO Streams or Pipes
To start out, let me give a rough explanation of the IO pipes. These are Standard Input, Standard Output and Standard Error. Standard Error and Standard Output are both output streams writing out whatever the application puts into to them. Standard Input is an input stream giving to the application whatever is written into it. Each program when run has each of these 3 streams available to it by default.
From this point forward I’ll refer to the 3 streams as STDOUT for Standard Output, STDERR for Standard Error and STDIN for Standard Input. These are the general short form or constant names for these streams.
Take for example the echo and cat commands. The echo command takes all text supplied as arguments on it’s command line and writes it out STDOUT. For example, the following command will print the text “Hi There” to the STDOUT stream, which by default is linked to the terminal’s output.
echo Hi There
Then, in it’s simplest form the cat command takes all data it reads from it’s STDIN stream and writes it back out to STDOUT exactly as it was received. You can also instruct cat to read in the contents of one or more files and write it back out to STDOUT. For example, to read in the contents of a file name namelist, and write it to STDOUT (the terminal) you can do:
cat namelist
To see cat in it’s purest form, simply run it without arguments, as:
cat
Each line of input typed in will be duplicated. This is because the input you type is sent to STDIN. This input is then received by cat which will write it back to STDOUT. The end of your input can be indicated by pressing Ctrl+D, which is the EOF or End of File key. Pressing Ctrl+D will close the STDIN stream, and will be handled by the program the same as if it was reading a file and came to the end of that file.
Pipes and Redirects
Now, all command line terminals allow you to do some powerful things with these IO pipes. Each type of shell has it’s own syntax, so I will be explaining these using the syntax for the Bash shell.
You could for instance redirect the output from a command into a file using the greater than or > operator. For example, to redirect the STDOUT of the echo command into a file called message, you would do:
echo Hi There > message
You could also read this file back into a command using the less than or < operator. This will take the contents of the file and write it to the command’s STDIN stream. For example, reading the above file into the cat program, would have it written back to STDOUT. So this has the same effect as supplying the filename as an argument to cat, but instead uses the IO pipes to supply the data.
cat < message
Where things really get powerful is when you start stringing together commands. You can take the STDOUT of one command and pipe it into the STDIN of another command, with as many commands as you want. For example, the following command pipes the message “Pipes are very useful” into the cut command, instructing it to give us the 4th word of the line. This will result in the text “useful” being printed to the terminal.
echo Pipes are very useful | cut -f 4 -d " "
As you can see, commands are stringed together with the pipe or | operator. The pipe operator by itself makes many powerful things possible.
Using the pipe (|) and redirect (>) operator, let’s give a more complex example. Let’s say we want to get the PID and user name of all running processes, sorted by the PID and separated by a comma. We can do something like this:
ps -ef | tail -n+2 | awk '{print $2 " " $1}' | sort -n | sed "s/ /,/"
To give an idea of what happens here, let me explain the purpose of each of these commands with the output each one produces (which becomes the input of the command that follows it).
| Command | Description |
|---|---|
| ps -ef | Gives us a list of processes with many columns of data, of these the 1st column being the user and the 2nd column being the PID.
Output: UID PID PPID C STIME TTY TIME CMD root 4222 443 0 20:14 ? 00:00:00 udevd quintin 3922 2488 0 20:14 pts/2 00:00:00 /bin/bash quintin 4107 2496 0 20:18 pts/0 00:00:00 vi TODO |
| tail -n+2 | Takes the output of ps and gives us all the lines from line 2 onwards, effectively stripping the header.
Output: root 4222 443 0 20:14 ? 00:00:00 udevd quintin 3922 2488 0 20:14 pts/2 00:00:00 /bin/bash quintin 4107 2496 0 20:18 pts/0 00:00:00 vi TODO |
| awk ‘{print $2 ” ” $1}’ |
Takes the output of tail, and prints the PID first, a space and then the user name. The rest of the data is discarded here.
Output: 4222 root 3922 quintin 4107 quintin |
| sort -n | This sorts the lines received from awk numerically.
Output: 3922 quintin 4107 quintin 4222 root |
| sed “s/ /,/” | Replaces the space separating the PID and user name with a comma.
Output: 3922,quintin 4107,quintin 4222,root |
Some Example Useful Commands
The above should give you a basic idea of what it’s all about. If you feel like experimenting, here are a bunch of useful commands to mess around with.
I’ll be describing the commands from the perspective of the standard IO streams. So even though I don’t mention it, some of these commands also support reading input from files specified as command line arguments.
To get more details about the usage of these commands, see the manual page for the given command by running:
man [command]
.
| Command | Description |
|---|---|
| echo | Writes to STDOUT the text supplied in command line arguments. |
| cat | Writes to STDOUT the input from STDIN. |
| sort | Sorts all lines of input from STDIN. |
| uniq | Strips duplicate lines. The input needs to be sorted first, thus same basic effect can be achieved with just sort -u |
| cut | Cuts a string by a specified character and returns requested parts. |
| grep | Search for a specified pattern or string in the data supplied via STDIN. |
| gzip | Compresses the input from STDIN and writes the result to STDOUT. Uses gzip compression. |
| gunzip | Uncompresses the gzip input from STDIN and writes the results to STDOUT. Basically the reverse of gzip. |
| sed | Stream editor applying basic processing and filtering operations to STDIN and writes to STDOUT. |
| awk | Pattern scanning and processing langauge. Powerful script-like processing of lines/words from input. |
| column | Takes the input from STDIN and formats it into columns, writing the result to STDOUT. Useful for displaying data. |
| md5sum | Takes the input from STDIN and produces a md5sum of the data |
| sha1sum | Takes the input from STDIN and produces a sha1sum of the data |
| base64 | Takes the input from STDIN and base64 encodes or decodes it |
| xargs | Takes input from STDIN and a uses it as arguments to a specified command |
| wc | Count the number of lines, words or characters read from input. |
| tee | Read input and write it to both STDOUT as well as a specified file. |
| tr | Translate or delete characters read from input |
Conclusion
I would recommend anyone to get comfortable with these aspects of the Linux terminal as well as Bash scripting. Not knowing this, you might not even realize how many of your common tasks could be automated/simplified by it. Also remember that automation not only makes your tasks be completed quicker, but also reduces the chances for errors/mistakes that come from doing repetitive tasks by hand.
So Why Love Linux? Because the pipes and FIFOs pattern gives you a lot of power for building complex instructions.
Knowing the Moment a Port Opens
Automated Attempts
Sometimes when a server is rebooted, whether a clean soft reboot or a hard reboot after a crash, I need to perform a task on it as quickly as possible. This can be for many reasons like ensuring all services are started to making a quick change. Sometimes I just need to know the moment a certain service is started to notify everyone of this fact. The point is that every second counts.
When the servers starts up and the network is joined you can start receiving ping responses from the server. At this point all the services haven’t started up yet (on most configurations at least), so I can’t necessarily log into the server or access the specific service, yet. Attempting to do so I would get a connection refused or port closed error.
What I usually do in cases where I urgently need to log back into the server is ping the IP address and wait for the first response packet. When I receive this packet I know the server is almost finished booting up. Now I just need to wait for the remote access service to start up. For Linux boxes this is SSH and for Windows boxes it’s RDP (remote desktop protocol).
I could try to repeatedly connect to it, but this is unnecessarily manual, and when every second counts probably less than optimal. Depending on what I’m trying to do I have different methods of automating this.
If I just needed to know that a certain service is started and available again, I would put a netcat session in a loop, which would repeatedly attempt a connection. As long as the service isn’t ready (the port is closed), the netcat command will fail and exit. The loop will then wait for 1 second and try again. As soon as the port opens the connection will succeed and netcat will print a message stating the connection is established and then wait for input (meaning the loop will stop iterating). At this point I can just cancel the whole command and notify everyone that it’s up and running. The command for doing this is as follows:
while true; do nc -v 10.0.0.221 80; sleep 1; done
If I needed remote access to the server, I would use a similar command as above, but use the remote access command instead, and add a break statement to quit the loop after the command was successful. For example, for an SSH session I would use the ssh command, and for a remote desktop session the rdesktop command. A typical SSH command will look like:
while true; do ssh 10.0.0.221 && break; sleep 1; done
This will simply keep trying the ssh command until a connection has been established. As soon as a connection was successful I will receive a shell, which when exited from will break the loop and return me to my local command prompt.
Automatically Running a Command
If you had to run some command the moment you are able to do so, you could use the above SSH command with some minor modifications.
Lets say you wanted to remove the file /opt/repository.lock as soon as possible. To keep it simple we’re assuming the user you log in as has permission to do so.
The basic idea is that each time you fail to connect, SSH will return a non-zero status. As soon as you connect and run the command you will break out of the loop. In order to do so, we need a zero exit status to distinguish between a failed and successful connect.
The exit status during a successful connect, however, will depend on the command being run on the other end of the connection. If it fails for some reason, you don’t want SSH to repeatedly try and fail, effectively ending up in a loop that won’t exit by itself. So you need to ensure it’s exit status is 0, whether it fails or not. You can handle the failure manually.
This can be achieved by executing the true command after the rm command. All the true command does is to immediately exit with a zero (success) exit status. It’s the same command we use to create an infinite while loop in all these examples.
The resulting command is as follows:
while true; do \ ssh 10.0.0.221 "rm -f /opt/repository.lock ; true" && break; \ sleep 1; \ done
This will create an infinite while loop and execute the ssh and sleep commands. As soon as a SSH connection is established, it will remove the /opt/repository.lock file and run the true command, which will return a 0 status. The SSH instance will exit with success status, which will cause a break from the while loop and end the command, returning back to the command prompt. As with all the previous examples, when the connection fails the loop will pause for a second, and then try again.
Conclusion
By using these commands instead of repeatedly trying to connect yourself, there is a max of 1 second from the time the service started till when you’re connected. This can be very useful in emergency situations where every second you have some problem could cost you money or reputation.
The Linux terminal is a powerful place and I sometimes wonder if those who designed the Unix terminal knew what they were creating and how powerful it would become.
So Why Love Linux? Because the Linux terminal allows you to optimize your tasks beyond humanly capability.
All Configuration Files are Plain Text
Plain Text Configs?
Almost all of the configuration files in a Linux system are text files under /etc. You get the odd application that stores it’s config in a binary format like a SQL database, specialized or some other proprietary format.
The benefit of text, however, is the ease of accessing it. You don’t need to implement an API, which if it’s your first implementation can set you back quite some time. And if you only need 1 or 2 entries from it, could end up as a huge expense. Having the configuration available as plain text you can immediately access it with the myriad of stream processors you have at your disposal, like grep, sed, awk, cut, cat, sort to name a few, or inside programming languages any of the file operations and methods.
To give an example, lets say I wanted to know the PIDs of all the users on the system. I didn’t need their names, just the PIDs, it’s as simple as this (assuming you don’t use something like NIS):
awk -F ':' '{print $3}' /etc/passwd
Or if you wanted to get a list of all hostnames a specified IP is associated with in /etc/hosts:
grep "127.0.0.1" hosts | cut -f 2- -d ' '
A very useful one is where your configuration file’s entries take the format of
RUN_DAEMON="true" INTERFACE="127.0.0.1" PORT="7634"
In this case you can easily extract the values from the file. For example, if the configuration file is named /etc/default/hddtemp, and you want to extract the PORT option, you simply need to do:
value=$( . "/etc/default/hddtemp"; echo $PORT ) echo "PORT has value: $value"
Or for the same file, if you want to extract those options into your current environment, it’s as simple as doing:
. "/etc/default/hddtemp" echo "PORT has value: $PORT" echo "INTERFACE has value: $INTERFACE"
What the above does is evaluate the configuration file as a bash script, which then basically sets those configuration options as variables (since they use the same syntax as bash for setting variables). The difference between the first and the second method, is that the second method could potentially override variables you’re already using in your environment/script (imagine already using a variable named PORT at the time of loading the configuration file). The first method loads the configuration in it’s own environment and only returns the value you requested.
Note that when using these 2 methods, had there been commands in the configuration files they would have been executed. So be aware of this if you decide to use this technique to read your configuration files. It’s very useful, but unless you’re careful you could end up with security problems.
Conclusion
The mere fact that these files are text means you immediately have access to it using methods available to even the most primitive scripting/programming langauges, and all existing text capable commands and programs are able to view/edit your configuration files.
Something like the Windows registry surely has it’s benefits. But in the world of Unix pipes/fifos, having it all text based is a definite plus.
So Why Love Linux? Because it has mostly plain text configuration files.
Fourty One SQL Queries in 60 Seconds
I needed to capture some data from a database into CSV files. MySQL supports this easily, so this in itself isn’t a problem. Part of the requirement was that the data had to be divided into separate files, one for each month since 2008. Being May 2011, that gives us 41 months.
The only way I could do this was to run 41 separate queries, one for each month. Each query will differ in 3 places from the other. These are
- The start date
- The end date
- The CSV filename
If I had to create 41 queries by hand it will take me quite a while and there is a big possibility of making a mistake and messing up the result.
But my friend Linux and Bash is around, which allows me to do it very quickly and with virtually 0 probability of errors or mistakes. I planned to generate a SQL script with the queries.
The command I ended up with was as follows (I split it into multiple lines for clarity):
year=2008; for from in {1..12} {1..12} {1..12} {1..5}; do
[ $from -eq 12 ] \
&& { tyear=$((year + 1)); to=1; } \
|| { tyear=$year; to=$((from + 1)); };
echo "SELECT columns FROM table INFO OUTFILE '$year-$from.csv' " \
"WHERE time>='$year-$from-01' AND time<'$tyear-$to-01';";
year=$tyear;
done >> dbscript.sql
After executing this I had a file dbscript.sql which I can run on the database to give me the files I needed. It took me less than a minute to type up the command and use it to generate the full script.
The command itself might seem complex, but it’s really very simple.
- In the first line I’m looping through the numbers 1 to 12 three times, and then through the numbers 1 to 5
- The next 3 lines inside the loop calculates the “next” month’s year and month number. For example, if the current iteration’s month and year is 9 and 2008, then the next month would be 10 and 2008, or for the month 12 and 2008, it will be 1 and 2009.
- The 5th and 6th lines are just echoing the generated SQL query.
- The last line sets the base year to use for the next iteration’s month, as calculated in nr.2 above.
- The resulting output of the whole loop is appended to the file called dbscript.sql.
If you had to the command regularly, you could always make a bash script from it and execute it whenever you need it. This will save you having to type it out every time. Bash scripts are nothing more than what you can type on the command line, and are very powerful.
So Why Love Linux? Because the command line allows you to write “smart” commands.
Why Love Linux 