I'm trying to execute a command to add a user to the local machine using useradd from a controller. In rails console, system 'sudo useradd -b /home username' runs fine, but not from the controller. The only response is false. I've tried using backticks, but get no output.
How can I get this to work? Is there a flag that I'm missing?
The user that the web app runs under must have sudo access.
That being said, unless you're developing an internal server management app that is absolutely not accessible from the outside, what you're describing sounds really dangerous (creating a user, with security rights to your system, from a web app).
Even if it is an internal app, I hope it's locked down and only accessible to proper admins. :)
Related
I have seen similar questions, but nothing helped.
Like here:
SSH login with no authentication
SSH session without ANY authentication
My problem is as the question states. I want to setup ssh to work without any password prompt or any keys. Means, doing
ssh computer#IP_address
should give me access to the remote machine.
Question ends here^^^^^^^^^^^. Details of what I'm trying to achieve:
I have a docker image of Ubuntu in which I'm trying to install ssh. This has 2 reasons: easy file transfer using scp and the other is, that I sometimes, by mistake I close docker without committing and end up losing all my progress/data. So I want to make it such that I run the docker container in the background and only access it using ssh. Also, I am working in a team and I'll need to some other outside people(who download my docker image) to be able to work with it easily as well, which is why I want it to be ssh-accessible without a login.
You should look at setting PermitEmptyPasswords to yes in your sshd_config file and restard sshd service.
PermitEmptyPasswords
When password authentication is allowed, it specifies whether the server allows login to accounts with empty password strings. The default is ''no''.
I have one windows service which will use plink.exe for SSH connection and I found that Plink cannot find the running Pageant.
Here is the steps I have done so far.
Install Windows service to run as particular user
Before starting Windows service, I log in as that user and start Pageant with PuTTY generated key.
Then I start the Windows service (but I can't manage to make it work since Plink cannot find Pageant and server reply as No supported authentication methods available.)
Note: If I run Windows service as console application with that user, everything is working fine.
PLink will be run in Service session (Session\0) while pageant runs in user session (Session\1). Plink uses some interprocess communication which, as it looks from your problem, doesn't work across sessions. Most likely there's MMF communication inside and objects are created without prefix, i.e. they become session-only (not global). You would need to build custom version of plink to solve the problem.
Pageant explicitly allows feeding keys to an application (PuTTY, PSFTP, PSCP, WinSCP, FileZilla) running in the same Windows session only. This is obviously for security reasons, not to allow a different user on the same machine hijack private keys loaded by another users. And even for convenience (ironically), so that you do not inadvertently use keys of a different user (leading possibly to having your account locked due to invalid login attempts).
Also note that the Pageant is not intended for an automation anyway. For the automation, use the private key explicitly, using the -i command-line parameter.
See https://the.earth.li/~sgtatham/putty/latest/htmldoc/Chapter3.html#using-cmdline-identity
Such private key have to be unencrypted. Note that this imposes security risk, if someone gains access to the key. You should consider restricting an access to the unprotected private key file to the local account that runs the script only (using Windows file system permissions).
As #Eugene point out, it is Session 0 Isolation.
I managed to solve the issue by not using agent but directly passed the private key and password to plink.exe. By doing that, I'm able to run without using pageant.
To start plink.exe without agent;
plink.exe -noagent -i private_key.ppk -pw mypassword -P 1234 user#host.com
I'm running a a Rails 3 application with Unicorn and Nginx. Currently, Unicorns runs as root and due to this line in unicorn.rb:
user "www-data"
but I'm wondering whether I should just run all Unicorn process as www-data. Would there be any problem doing that? I'm using a file socket, so opening a port (<1024) is not an issue I'll have. Anything else I should be aware of?
You should not be running your application as root. This gives the application root permissions which in turn means that if you make a mistake and expose the file system, an attacker can have root permissions without much effort.
I avoid running as www-data or other shared users. Instead I create a user for the specific app and give them their own unique permissions. In my case, I am running multiple applications on one server and this allows for an added layer of protection in case one app is compromised.
Here is a good read on some of the things that can go wrong: https://jhalderm.com/pub/papers/dcvoting-fc12.pdf
I am trying to install an activex but my user has no admin priviliges.
I saw an artical descirbing that HTA can install activeX as if it is an administrator.
Do i need to be an administrator to run HTA? if not is this not a security loop hole?
An HTA file is an application that has the same privileges as a .EXE or a .CMD file. Many people are confused about permissions because an HTA looks like a web page. An HTA uses the same technology as web pages, but it executes locally under the same security model as any other local application.
This means, that if you run your .HTA as Administrator, it can do things that require Administrator privileges. Ordinary users can run HTAs just fine. The security model is the same as for batch files, CMD files, WSH scripts and so on.
I'd like to write a service (that starts up and runs whenever the machine is on) that queries Active directory since the user IIS uses does not have permission to query AD. How do I determine if A) my workstation where I have local admin rights, and B) a shared team workstation will allow me to do this?
Anything you can do as an interactive user can be done by a service with appropriate permissions and configuration, so it isn't so much an issue of determining if you can, but rather configuring the service so that it can.
Your installation package should request an appropriate set of credentials (and of course must be run by a user with privileges to install such a service). The service itself should simply catch and log any permission exceptions.
As an example - look at the SQL Server installation process. Early on it requests that you specify accounts with the required privileges.