My requirement is to execute a system command like (ls) or C program when a trigger executes. Is there any way to create a trigger function to solve this problem.
You can write trigger functions Python, Perl or Tcl, and provided that you use the "untrusted" version of the language, any of these can be used to execute arbitrary shell commands. The shell will be run under the same user as the Postgres server process (typically "postgres"), so you will need to set permissions accordingly.
For example, after running CREATE EXTENSION plpythonu, you can write a trigger function using LANGUAGE plpythonu, and run commands by calling e.g. os.system().
Take care with any commands which modify the system, as these changes are not tied to your database transaction (so you would need to find your own way of dealing with concurrent writes, transaction rollbacks, etc.).
Here's a quick exampe of how you can achieve this in PG15 on Ubuntu:
sudo apt-get install -y postgresql-plpython3-15
CREATE EXTENSION plpython3u
CREATE OR REPLACE FUNCTION reboot_server(version text) RETURNS text AS $BODY$
import subprocess
subprocess.call(f"/usr/lib/postgresql/{version}/bin/pg_ctl restart -D /var/lib/postgresql/{version}/main",shell=True)
$BODY$ LANGUAGE plpython3u;
select * from reboot_server('15')
In this case, i'm restarting specified instance of postgres.
Related
I am getting the following error and the process of creating a DB gets terminated automatically while creating a DB in PostgreSQL.
ORACLE_HOME must be set and %ORACLE_HOME%\database must be writeable
createdb terminated unsucessfully.
How to create a Database in Postgres using createdb command?
Running the same command on the Git Bash also doesn't work, the process doesn't getting terminated and it showing as in the picture below.
I wanted to leave this as a comment but I cannot, there are several issues that may be happening here, the first that comes to mind is that your command prompt is not showing as admin. This can also be a path issue, because sometimes cmd will not recognize paths for software except when you try to use it on the folder its installed. Another common issue with Windows is that sometimes you want to run the GUI software instead of cmd, and if you absolutely need cmd try powershell with admin rights.
The error it gives makes me believe that its either a path error or a user rights error, I also agree with the comments. My suggestion if you keep having issues like this who are either depending on your windows path system or your system requirements in general is to try using Anaconda or (conda), this will give you a clean environment to properly see what you did wrong.
I was wondering what type of security Zeppelin provides to avoid a user run a shell command (using %sh) that, for example, would delete files from disk.
For example, take a look here at the Bash interpreter test
I'm trying to make a simple c-shell like program on C (for Linux) that will execute scripts.
I need to read a script file in order to execute it, but how can I read it if it has only execute permission, and no read permission?
In short,
A binary file you can execute with only execute permissions.
A script is a text file, so you need read permissions.
So, you would need to play some games with group ownership, sudo, or similar.
Yes, you need read permissions to execute script.
However, I want to mention one possibility for another_user to run script without having r permission on the file.
You can allow somebody to execute somescript with sudo as another_user that have an r+x access to file.
However, you should have an access to /etc/sudoers (i.e., to be root, or ask superuser to add the record from below to etc/sudoers)
# Run script as the user 'another_user' without asking for password
somebody ALL = (another_user) NOPASSWD: /usr/bin/somescript
Solution found at
https://unix.stackexchange.com/a/77538 and
https://stackoverflow.com/a/21309969/1566267
You don't need read permission in order to execute a file.
In fact, if you have read permission, but not execute permission, you can't execute the file.
The execute permission allows you to ask the system to execute the script file.
Try with:
system("script.sh");
in order to execute a script (in the example script.sh).
You could also use:
execve("script.sh");
That would run the script replacing your script with the one in the specified script keeping the same pid as your script (as shown here)
The classic way of doing this is to make the wrapper C application setuid root. Root can read everything, regardless of permissions. That comes with a whole bunch of warnings though. Make sure that you're not closing a small security hole by opening a much larger one.
I'm attempting to set up my computer such that I can authenticate myself using an external device connected to a python script. I started by replacing the login program in inittab with my own program, and I've been able to get into a bash shell. The problem is that it doesn't get a fresh environment like the one that is (I presume) given with login. I know there are ways for me to mess with the environment, but i haven't seen a way to give it a "default" configuration, if even such a thing makes sense.
Some ideas:
First of all it would be better in most cases to use the pluggable login architecture PAM. This will ensure, that all PAM-enabled applications and services can use the authentification method (ssh for example) and that there is no way to bypass it using regular services.
If you really want to replace login i'd suggest to clear the environment by yourselves using unsetenv for each environment variable set (you may use environ to determine the variables already set). After cleaning up the environment you may use a exec-like call to replace your program with a bash, the environment will be unchanged in this context. You may want to add the command line argument -l to start up bash as it would have been invoked by login.
Bash is running some init scripts on startup. You may check /etc/profile, /etc/bashrc and similar files for environment variables you don't want to be set.
If you want to be dependant on env (wich is not so bad, since it should be present on every linux system out there) you can use env -i bashto call bash in a clean environment.
When main(int argc, char *argv[], char *envp[]) is called by the operating system, the third parameter contains the environment. So just save a copy of it until you need to call bash.
I have a written a C program that creates a file "abcd.txt" and write some data into it. I was executing my code by logging with a username"bobby" and so the file abcd.txt was created with owner as bobby.
But my task is, even though I execute my code with some username "bobby", the file should always be created with owner as root. Can someone help me by saying how this could possible?
As a general principle you need your effective uid (euid to be root) either when you are are writing the file or when you perform a chown(2) on the file.
If you are doing this under Linux then there are linux specific methods that you can use.
Generic Solution
Without availability of sudo
This is the old UNIX DAC approach, it's fraught with peril. It assumes that you do not have something like sudo installed or cannot install it.
Your executable should be owned by root and have the executables setuid bit set.
Process
You should use seteuid () to drop your privileges from root to bobby for most of the operation, including writing. When you are done, bring your privilege level back up to root using seteuid(0) and perform a chown() (or fchown on the fd) on the file to change its ownership to root.
some basic safety
For safety set it up so that your executable is owned by root:safegrp where 'safegrp' is name of a group unique to users who are allowed to execute this file (add bobby to safegrp) ; and ensure that the setuid executable's mode is 4510 ;
With availability of sudo
If sudo is available on your system then follow the same process as above for dealing with privileges within the executable but DO NOT set the file mode to setuid, have safegrp added to sudoers for this executable and now bobby can run it with sudo /your/bin/prog
Linux specific solution
POSIX.1e
It is possible to have tighter control over the file use POSIX.1e capabilities support. In your case you wish to grant SYS_CHOWN to your program;
For security reasons, I would probably set that up as a COMPLETELY separate binary or a sub process and still use sudo and perform appropriate dropping of privileges.
linuxacl[ACL Using Access Control Lists on Linux] has excellent tutorial on this topic
SE-Linux
You can use Mandatory Access Control to limit the access to such a dangerous binary but SE linux is a pain to configure :^) although a possibly a good approach
You probably don't want to run your program as root, unless you really have to. Perhaps run "chown" from a shell script after running your program? Or, you can use chown(2) from a program running as root (or with equivalent capabilities, on linux).
Use the chown() method. There are probably more authoritative links, but this one is nice since it includes the calls to getpwnam(). I've done all of this in the past, but unfortunately I don't still have the code (it's owned by IBM).
http://manpages.courier-mta.org/htmlman2/chown.2.html