I write a pam module that is called when user execute the sudo command. I have already got the username, password, tty, but now, I have to get the user command to encrypt.
If user exec
sudo ls -l
I have to get ls -l
I have no pam app for my module. (So I use only pam_modules.h) and my module is called first in /etc/pam.d/sudo
I thought about using the netlink socket like pam_tty_audit, but I don't thinks this is the best method (or the most simple)
Have you any idea for getting the user command ?
Thank you and sorry for my bad english
According to the API documentation of sudo's authentication mechanisms, the command is not passed to the authentication backend, so PAM is the wrong place to do whatever you are trying to do. Consider writing a sudo plugin instead.
Related
I'm trying to remotely launch and debug a new process with lldb without much success.
Attaching to an already launched process works well by running these commands:
process connect <url>
process attach -P gdb-remote --pid <pid>
But if I want debugserver to launch the executable by itself I'm running into troubles. Especially, I have no clue what arguments should I pass to target create.
According to this page LLDB "will transparently take care of [..] downloading the executable in order to be able to debug", yet target create seem to always require a local file. If I specify the remote file via -r I get either unable to open target file or remote --> local transfer without local path is not implemented yet errors. If I set the target to a local file (such as a local copy of the remote's loader executable) without using -r, then attempt to run process launch -p gdb-remote -s <remote path> LLDB will attempt running the local path on the remote machine and fail.
What are the correct commands I need to use in order to launch a remote process?
After contacting LLDB's mailing list Greg updated the documentation page, which now clearly explains what I have to do (Specifically I was missing the script lines, which appear to be the correct way to set the remote executable path)
I am using Apache 2.4 on Ubuntu. I have written one module in C language and integrated it into Apache server using Apache Extension tools (apxs). There is some part of my code where I am calling executable using exec function but I want to call that executable as superuser. so I want to run my module with superuser privileges but by default Apache is running as www-data user and asking for password for www-data.
Is there any way to run this module using superuser privileges?
Otherwise is there any other way to run root command in C within Apache module?
Is it possible to use suExec module for this?
No, it's not possible to run the Apache module under a different user from the Apache server itself. But there are several strategies to workaround that limitation.
1) You can set the "setuid bit" on the executable you want to run from Apache, like this:
chown root:root executable
chmod 06755 executable
Then, when you run this executable (say, with fork + exec or with system) from the Apache module, the executable will run from under the root user, with root permissions.
2) You can configure the /etc/sudoers file in a way that will allow the www-data to run the executable in question with the root priviledges with the help of the sudo command.
3) You can have a separate process running with root priviledges and receiving commands from the Apache module with any kind of IPC/RPC.
Please note, that you should avoid using the root priviledges if it all possible since running your code under root might pose a security risk. Unless, of course, you're absolutely sure that your code won't have any bugs.
I have been using the cake command on my linux server for 2 years. but now im trying to move to a new server and some how the cake command gives back the error: No such file or directory
even if i give the entire path to the cake command file chmod 777 it stil wont work.
I found the solution: All I had to do is use the program dos2unix the cake file for CakePHP 2.4.2 has wrong endings when you download it with Ubuntu 13.10
I used the following command:
sudo dos2unix /path/to/cake/lib/Cake/Console/cake
I also have this problem on some servers and never figured out why this happened. I suspect the so called "shebang" might not be set correctly for every Linux distribution (e.g. if the cake script stars with #!/usr/bin/env bash, but you don't use bash on your server or your distribution doesn't have the env binary in that path, it might fail on that. This is just a theory though, as I said I never really figured it out, nor did I invest much time in investigating.
Although, what I always use as a fallback is simply calling the cake.php script (from the app folder) instead, like:
php Console/cake.php -app `pwd` bake
That never lets me down. The -app pwd bit is to tell the shell that your current directory is your app directory, so the shell can find all your files.
The REAL solution to this is to change the End-of-Line (EOL) characters to Unix format, instead of MsDos. So I guess this error will only occur if you worked in Windows.
Anyway, teh mighty
SOLUTION:
(1) Open app/Console/cake file using any text editor that allows changing of EOL characters e.g. NotePad++.
(2) In NotePad++ click:
Edit -> EOL Conversion -> Convert to Unix format
(3) Save the file and upload it to the server. Now if you navigate to the CakePHP app directory using command like:
cd /usr/share/nginx/html/cakeproject/app
...you should be able to run Console/cake without any problems and see standard output (basically help commands).
Hope this helped you!
I encountered the same problem as well, but the top answer reminded me of a similar problem I faced before: https://stackoverflow.com/a/5514351/1097483
Basically, instead of using dos2unix or installing it, you can open the file in vim, do
:set fileformat=unix
And save it.
In some versions it's possible to install cake using sudo apt-get install cakephp-scripts.
After instalation, you coud access bake anywere simple by typing bake
I'm programming application using libpcap. when I debug the application in normal mode, pcap cannot get the network device. it seems that I have to debug the application in root.
How can I debug the application in root? I have the root password.
I think eclipse has such an option that can add root for the debugging application,but I don't know how to do it.
please help.
Enable your user to run gdb as root without being asked for any
password:
sudo visudo
Add the following line after all other rules:
<youruser> ALL=(root) NOPASSWD:/usr/bin/gdb
Create or modify a debug configuration in eclipse to run gdb as root
e.g. in Run > Debug Configurations > C/C++ Application > YourProject Debug:
change Debugger > Main > GDB debugger from gdb to sudo -u <youruser> gdb
Update (and warning!):
In his comment nategoose pointed out that this answer should come with a warning:
Enabling a user to use sudo for gdb like suggested in my answer in fact gives admin privileges to him/her which in many cases might be an undesired side effect. I therefore consider the answer appropriate in an environment where it's not assumed that the user would try to harm the system (e.g. it's your own personal computer or a virtual machine)
For a multi-(non-trusted)-user environment I think it might be a better idead to utilize unix' file capabilities to enable gdb to debug an application without the need of admin privileges
You can use gdbserver on localhost to attach a existing process, the following is the command line:
sudo gdbserver :<listening port> --attach <pid>
Or you can create a new process using gdbserver:
sudo gdbserver :<listening port> <process executable>
Then you can create a debugging configuration in Eclipse, in the debugger tab, the debugger item, select gdbserver, and input the listening port in the connection tab in the bellow.
Launch Eclipse with sudo (just for completeness: http://www.eclipse.org/forums/index.php?t=msg&goto=516838&)
Update: Follow xmoex solution. If you run Eclipse as root (ie. using sudo) your files will be root-owned... which you probably don't want.
Another solution is to grant you (or the gdb executable) the rights to make some pcap captures as mentioned here. With something like this :
setcap cap_net_raw,cap_net_admin=eip /usr/bin/gdb
you should be able to allow to capture packets to gdb without being root.
Here's how I did it:
Create a C/C++ Remote Application
On the target, make sure your sudo does not prompt for a PW
Look at Debug Configurations → Debugger → Port number
Edit Debug Configurations → Main → Commands to execute before application
Change to:
sudo gdbserver :<port number> <path to application>;exit #
This will basically run the gdbserver that would normally be executed by eclipse inside the sudo, the trailing '#' will keep the eclipse command from executing.
this question was asked a long time ago but if this will help to anybody I open a bug in bugzilla and this short thread solved the problem:
bugzilla bug
From the console in the directory with your executable:
sudo gdb ./my_program
If eclipse supports remote debugging then you could do that even though it is running locally.
From the console:
sudo gdbserver localhost:<port_number> ./my_program
And then tell Eclipse the address (localhost and the port number you chose).
Oh yeah, you said the reason you were doing this was because you were using libpcap, so you may not want to use remote debugging over TCP because you may end up capturing your debugging connection packets in addition to your other network traffic.
In that case you do your remote (but really local) debugging over a serial port. I have never done this on a local machine, but you could use two actual serial ports (attaching them though a null modem) or try using a psudoterminal:
sudo gdbserver /dev/ptmx ./my_program
This will create the psudo-terminal under /dev/pts/ but you'll have to figure out the name of it, and it might also create it with restrictive permissions. You can get around those. Unless you are running lots of terminal windows as root, it is not likely that you have many entries under /dev/pts that belong to root, so take note of the one that does after running the above command and then sudo chmod or sudo chown it to make it usable for your normal user and then tell your debugger to use that as your serial connection to your remote debugging target.
easiest way, try sudo ./eclipse, then debug as usual
We are trying to bind a Linux machine (debian 4.0) to W2k3 AD. We have configured kerberos properly so that we can get TGTs. And users authenticate properly. However, PAM seems to be the sticky wicket. For example when we try to SSH to the linux machine as one of the AD users, the authentication succeeds (as per the auth.log) but I never get shell. The default environment is configured properly and PAM even creates the Homedir properly. As a reference we were loosely following:
https://help.ubuntu.com/community/ActiveDirectoryHowto
If you're confident everything but PAM works correctly, I suggest passing the debug option to pam_krb5.so to see if that gives a clue to what's happening.
I'd also suggest verifying that nss-ldap is set up correctly using
getent passwd avalidusername
I have used Likewise to do something similar on our servers. Here is the process we use to configure it:
Install Likewise:
$ sudo apt-get update
$ sudo apt-get install likewise-open
Join the domain (Assuming the domain "domain.local")
$ sudo domainjoin-cli join domain.local Administrator
$ sudo update-rc.d likewise-open defaults
$ sudo /etc/init.d/likewise-open start
Assuming you are using sudo AND want AD users to be able to have sudoer powers, you need to edit the sudoers file. This can be done with following command:
$ sudo visudo
then add the following to the end of the file (this assumes the domain "DOMAIN" and all the users that should have sudo are in a group called "linux_admin" in active directory):
%DOMAIN\\linux_admin ALL=(ALL) ALL
POSIX accounts demand that you have a vaild shell set in the user account. When using LDAP, this is referenced by the attribute loginShell. You need to use PAM and map an appropriate attribute to loginShell in your configuration, or active MS services for UNIX on the DC, which will extend the AD schema to include the needed POSIX attributes.
See http://www.ietf.org/rfc/rfc2307.txt as a reference to RFC2307, which defines this for LDAP.
A simple solution.. pam_krb5+ldap project
A fork of the pam_krb5 PAM module that provides a very easy to use configuration for utilizing linux client authentication against and existing Active directory domain and/or OpenLDAP server.