Friday, December 27, 2013

How can I chroot sftp-only SSH users into their homes?

All this pain is thanks to several security issues as detailed here.

Basically the chroot directory has to be owned by root and can't have any group-write access. Lovely. So you essentially need to turn your chroot into a holding cell and within that you can have your editable content.
 
sudo chown root /home/bob
sudo chmod go-w /home/bob
sudo mkdir /home/bob/writeable
sudo chown bob:sftponly /home/bob/writeable
sudo chmod ug+rwX /home/bob/writeable

And bam, you can log in and write in /writeable.


found at: http://askubuntu.com/questions/134425/how-can-i-chroot-sftp-only-ssh-users-into-their-homes
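
The ownership rule above can be checked before a user is pointed at the directory. This is an added example, not part of the original answer; it goes one step beyond the single directory shown, because sshd applies the same rule to every parent component of the chroot path. It assumes GNU stat (Linux), and the function names are made up for illustration.

```shell
#!/bin/sh
# Added example: audit a prospective sshd chroot directory such as /home/bob.
# Assumes GNU stat; mode_is_safe and check_chroot_path are illustrative names.

# mode_is_safe OCTAL_MODE -> succeeds if neither group nor other may write.
mode_is_safe() {
    # The leading 0 makes the shell read stat's output (755, 1777, ...) as octal.
    [ $(( 0$1 & 022 )) -eq 0 ]
}

# check_chroot_path DIR -> 0 if DIR and every parent up to / is owned by
# uid 0 and not group/other-writable, 1 on a violation, 2 if unreadable.
check_chroot_path() {
    dir=$(cd "$1" 2>/dev/null && pwd -P) || {
        echo "FAIL: $1 is not an accessible directory"
        return 2
    }
    rc=0
    while :; do
        owner_mode=$(stat -c '%u %a' "$dir") || return 2
        uid=${owner_mode% *}
        mode=${owner_mode#* }
        if [ "$uid" -ne 0 ]; then
            echo "FAIL: $dir is owned by uid $uid, not root"
            rc=1
        fi
        if ! mode_is_safe "$mode"; then
            echo "FAIL: $dir has mode $mode (group- or other-writable)"
            rc=1
        fi
        [ "$dir" = "/" ] && break
        dir=$(dirname "$dir")
    done
    [ "$rc" -eq 0 ] && echo "OK: ownership and modes satisfy the chroot rule"
    return "$rc"
}

# Run against a directory given on the command line, e.g. /home/bob.
if [ "$#" -gt 0 ]; then
    check_chroot_path "$1"
fi
```

Run it against the chroot itself (/home/bob here), not against the writeable subdirectory, which is expected to be owned by the user.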

selinux blocks access via sftp for chrooted user

You may want to install setroubleshoot; audit2allow is installed as part of that install.


If SELinux blocks access via sftp for a chrooted user, try:
grep denied /var/log/audit/audit.log | audit2allow -M postgreylocal

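This is what the generated postgreylocal module will look like. It gives the chrooted user permission to remove, rename, delete and create files and directories. The comments audit2allow writes into it note which rules are already allowed by the current policy and which could instead be enabled with an SELinux boolean.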

module postgreylocal 1.0;

require {
        type user_home_t;
        type chroot_user_t;
        class dir { rename write rmdir remove_name create add_name };
        class file { write create unlink link setattr };
}

#============= chroot_user_t ==============

#!!!! This avc can be allowed using one of the these booleans:
#     ssh_chroot_rw_homedirs, ssh_chroot_full_access
allow chroot_user_t user_home_t:dir { rename rmdir };

#!!!! This avc is allowed in the current policy
allow chroot_user_t user_home_t:dir { write remove_name create add_name };

#!!!! This avc can be allowed using one of the these booleans:
#     ssh_chroot_rw_homedirs, ssh_chroot_full_access
allow chroot_user_t user_home_t:file { unlink link };

#!!!! This avc is allowed in the current policy
allow chroot_user_t user_home_t:file { write create setattr };

After that, run the command:
semodule -i postgreylocal.pp


Friday, December 20, 2013

Find and kill a process in one line using bash and regex

  
 
How can I extract the process id automatically and kill it in the same line?


In bash, you should be able to do:

kill $(ps aux | grep '[p]ython csp_build.py' | awk '{print $2}')

Details on its workings are as follows:
  • The ps gives you the list of all the processes.
  • The grep filters that based on your search string, [p] is a trick to stop you picking up the actual grep process itself.
  • The awk just gives you the second field of each line, which is the PID.
  • The $(x) construct means to execute x then take its output and put it on the command line. The output of that ps pipeline inside that construct above is the list of process IDs so you end up with a command like kill 1234 1122 7654.
Here's a transcript showing it in action:
pax> sleep 3600 &
[1] 2225
pax> sleep 3600 &
[2] 2226
pax> sleep 3600 &
[3] 2227
pax> sleep 3600 &
[4] 2228
pax> sleep 3600 &
[5] 2229
pax> kill $(ps aux | grep '[s]leep' | awk '{print $2}')
[5]+  Terminated              sleep 3600
[1]   Terminated              sleep 3600
[2]   Terminated              sleep 3600
[3]-  Terminated              sleep 3600
[4]+  Terminated              sleep 3600
pax> _

and you can see it terminating all the sleepers.

Explaining the grep '[p]ython csp_build.py' bit in a bit more detail:
When you do sleep 3600 & followed by ps -ef | grep sleep, you tend to get two processes with sleep in them, the sleep 3600 and the grep sleep (because they both have sleep in them, that's not rocket science).
However, ps -ef | grep '[s]leep' won't create a process with sleep in it, it instead creates grep '[s]leep' and here's the tricky bit: the grep doesn't find it because it's looking for the regular expression "any character from the character class [s] (which is s) followed by leep".
In other words, it's looking for sleep but the grep process is grep '[s]leep' which doesn't have sleep in it.
When I was shown this (by someone here on SO), I immediately started using it because
  • it's one less process than adding | grep -v grep; and
  • it's elegant and sneaky, a rare combination :-)
found at http://stackoverflow.com/questions/3510673/find-and-kill-a-process-in-one-line-using-bash-and-regex
