- 浏览: 2072566 次
- 性别:
- 来自: NYC
文章分类
- 全部博客 (628)
- Linux (53)
- RubyOnRails (294)
- HTML (8)
- 手册指南 (5)
- Mysql (14)
- PHP (3)
- Rails 汇总 (13)
- 读书 (22)
- plugin 插件介绍与应用 (12)
- Flex (2)
- Ruby技巧 (7)
- Gem包介绍 (1)
- javascript Jquery ext prototype (21)
- IT生活 (6)
- 小工具 (4)
- PHP 部署 drupal (1)
- javascript Jquery sort plugin 插件 (2)
- iphone siri ios (1)
- Ruby On Rails (106)
- 编程概念 (1)
- Unit Test (4)
- Ruby 1.9 (24)
- rake (1)
- Postgresql (6)
- ruby (5)
- respond_to? (1)
- method_missing (1)
- git (8)
- Rspec (1)
- ios (1)
- jquery (1)
- Sinatra (1)
最新评论
-
dadadada2x:
user模型里加上 protected def email ...
流行的权限管理 gem devise的定制 -
Sev7en_jun:
shrekting 写道var pattern = /^(0| ...
强悍的ip格式 正则表达式验证 -
jiasanshou:
好文章!!!
RPM包rpmbuild SPEC文件深度说明 -
寻得乐中乐:
link_to其实就是个a标签,使用css控制,添加一个参数: ...
Rails在link_to中加参数 -
aiafei0001:
完全看不懂,不知所然.能表达清楚一点?
"$ is not defined" 的问题怎么办
问题:
在没有sudo的情况下,希望不暴露root口令,得到root执行权限。
方案:
admin bit位,就是在普通的三位之后增加一个super位,来表示可以越权执行。具体例子如下,特别说明,在脚本中要使用到的任何命令都要设置越权。
命令 chmod u+s
There has always been a void in every newbies mind when it comes to sticky bits. The books say that the SUID allows an unprivileged user
to run executables and scripts with the credentials of the owner of the file. But we all try to implement it and fail as newbies. This HOWTO is dedicated to newbies of sticky bit so that they don't have to waste time in implementing it. The answer is right here.
I am taking an example of a huge organization with 1 Sysadmin who has under him/her a few Assistant Admins. In such cases, the sysadmin cannot be creating users all the time. So, the Assistant Admins do the user creation. But, to create users, the root password needs to be given to them, which is a big headache for the main Sysadmin. So, what does the sysadmin do? He/She will need to do the following :-
1. Login as root.
2. Create a shell script
that will create the users specified and set a default password for each of these users
3. Copy this script to the home directory of these assistant admins.
4. Set SUID Sticky bit to the script copied in each of the assistant admins' directories
5. Copy the sysadmin commands that will be used by your script to /bin (because most of the sysadmin commands are in the /usr/sbin directory and unprivileged users' PATH does not point to /usr/sbin)
6. Set SUID to each and every command that you copy into the bin as well (my script uses the useradd, chown and chpasswd commands)
My example shell script that creates users and sets default password for each user is as follows :-
--------------------------------------------------------------------------------------------------------------------------
--------------------------------------------------------------------------------------------------------------------------
Save this script as addusers.sh
copy this script to the directories of each assistant admin. once you have copied the script, set SUID to this file using the following command :-
chmod 4755 addusers.sh
(or)
chmod u+s addusers.sh
copy the useradd and chpasswd scripts to /bin and then, issue the following commands to set the SUID to these files :-
chmod 4755 /bin/useradd
chmod 4755 /bin/chpasswd
chmod 4755 /bin/chown
THAT'S IT. IT'S ALL DONE. Now, login as any of the assistant admins and execute the addusers.sh script. The unprivileged users will be added to the /etc/passwd file
EXPLANATION
---------------------
When an unprivileged user logs into Linux, his uid and gid are embedded into his shell. From this point on, any command or script that you run forks a child shell process. Remember, every process runs with the uid and gid of the currently logged on user and hence, unprivileged users cannot write to files like /etc/passwd. Hence, SUID is actually a way in which the sysadmin can create scripts to be run by unprivileged users but still need some root like access to some system files.
once the SUID sticky bit is set on an executable created by root, the following happens :-
1. unprivileged user with uid 501 and gid 501 logs on.
2. executes a script which has SUID set.
3. Script creates a child shell process and sets it's uid and gid to 0 (the root)
4. Performs all that it needs to do and then exits
If the same unprivileged user tries to run a script without SUID set, the process will run with uid 501 and gid 501 and hence, will not have permissions to perform desired actions on system centric files, even though the sysadmin would want it to.
在没有sudo的情况下,希望不暴露root口令,得到root执行权限。
方案:
admin bit位,就是在普通的三位之后增加一个super位,来表示可以越权执行。具体例子如下,特别说明,在脚本中要使用到的任何命令都要设置越权。
命令 chmod u+s
引用
There has always been a void in every newbies mind when it comes to sticky bits. The books say that the SUID allows an unprivileged user
to run executables and scripts with the credentials of the owner of the file. But we all try to implement it and fail as newbies. This HOWTO is dedicated to newbies of sticky bit so that they don't have to waste time in implementing it. The answer is right here.
I am taking an example of a huge organization with 1 Sysadmin who has under him/her a few Assistant Admins. In such cases, the sysadmin cannot be creating users all the time. So, the Assistant Admins do the user creation. But, to create users, the root password needs to be given to them, which is a big headache for the main Sysadmin. So, what does the sysadmin do? He/She will need to do the following :-
1. Login as root.
2. Create a shell script
that will create the users specified and set a default password for each of these users
3. Copy this script to the home directory of these assistant admins.
4. Set SUID Sticky bit to the script copied in each of the assistant admins' directories
5. Copy the sysadmin commands that will be used by your script to /bin (because most of the sysadmin commands are in the /usr/sbin directory and unprivileged users' PATH does not point to /usr/sbin)
6. Set SUID to each and every command that you copy into the bin as well (my script uses the useradd, chown and chpasswd commands)
My example shell script that creates users and sets default password for each user is as follows :-
--------------------------------------------------------------------------------------------------------------------------
echo -n "enter the starting login id : " read beg echo -n "enter the ending login id : " read final fend=`date +"%d%m%y"` i=$beg rm -f "users$fend" touch "users$fend" while [ $i -le $final ]; do if [ $i -lt 10 ]; then useradd "j2ee00$i" chown -R "j2ee00$i:j2ee00$i" "/home/j2ee00$i" echo "j2ee00$i:elmaqedu" >> "users$fend" fi if [ $i -ge 10 ] && [ $i -lt 100 ]; then useradd "j2ee0$i" chown -R "j2ee0$i:j2ee0$i" "/home/j2ee0$i" echo "j2ee0$i:elmaqedu" >> "users$fend" fi if [ $i -ge 100 ] && [ $i -lt 1000 ]; then useradd "j2ee$i" chown -R "j2ee$i:j2ee$i" "/home/j2ee$i" echo "j2ee$i:elmaqedu" >> "users$fend" fi i=$[ $i + 1 ] done chpasswd < "users$fend"
--------------------------------------------------------------------------------------------------------------------------
Save this script as addusers.sh
copy this script to the directories of each assistant admin. once you have copied the script, set SUID to this file using the following command :-
chmod 4755 addusers.sh
(or)
chmod u+s addusers.sh
copy the useradd and chpasswd scripts to /bin and then, issue the following commands to set the SUID to these files :-
chmod 4755 /bin/useradd
chmod 4755 /bin/chpasswd
chmod 4755 /bin/chown
THAT'S IT. IT'S ALL DONE. Now, login as any of the assistant admins and execute the addusers.sh script. The unprivileged users will be added to the /etc/passwd file
EXPLANATION
---------------------
When an unprivileged user logs into Linux, his uid and gid are embedded into his shell. From this point on, any command or script that you run forks a child shell process. Remember, every process runs with the uid and gid of the currently logged on user and hence, unprivileged users cannot write to files like /etc/passwd. Hence, SUID is actually a way in which the sysadmin can create scripts to be run by unprivileged users but still need some root like access to some system files.
once the SUID sticky bit is set on an executable created by root, the following happens :-
1. unprivileged user with uid 501 and gid 501 logs on.
2. executes a script which has SUID set.
3. Script creates a child shell process and sets it's uid and gid to 0 (the root)
4. Performs all that it needs to do and then exits
If the same unprivileged user tries to run a script without SUID set, the process will run with uid 501 and gid 501 and hence, will not have permissions to perform desired actions on system centric files, even though the sysadmin would want it to.
发表评论
-
在ubuntu中.profile 和.bashrc的加载区别
2013-06-01 21:38 2529总之,profile不只是bash,在启动加载 bashrc是 ... -
command line tools for linux
2013-02-14 23:49 1469du -sh `ls .` for i in G M K; ... -
ubuntu 12.10 proxy install package apt-get
2013-01-31 06:47 1207#/.bashrc export http_proxy= ... -
查找多文件内容替换
2012-09-14 20:58 1493UPDATE: (05/03/2013) 当前使用: # ... -
shell script
2012-09-11 21:08 1037select r.name, count(p.id) from ... -
定期清空日志文件
2012-09-11 10:04 3346一个关于如何在指定文件大于1GB后,自动删除的问题。 批处理代 ... -
查看一个进程占用了那个端口
2012-09-11 09:59 1717有时候需要在Linux下查看一个进程占用了那个端口,但是只知道 ... -
utf8 ruby1.9
2012-07-13 01:57 1329引用invalid byte sequence in utf- ... -
VIM下跳转的区别
2012-05-06 00:33 1386VIM在开tag和jumplist的时候有几个差别 经常用的 ... -
shell command
2012-04-11 21:42 920ls -l . | egrep -c '^d' ls -l . ... -
unbuntu 查看什么占着80端口
2012-01-19 12:37 1437sudo lsof -i :80 sudo nets ... -
处理僵尸进程
2011-05-27 01:45 1172#!/bin/sh kill -HUP `ps -A - ... -
ubuntu 看硬件配置
2011-05-02 02:03 5282总是忘记阿,标记一下 sudo lspci -v lshw ... -
no such file to load -- zlib
2011-04-25 23:52 2752或者提示 fatal error: zlib.h: No su ... -
新装的mysql出现无法登陆的问题 er 1405 参考下面的解决
2011-01-23 12:39 3082Installing MySQL 5.0 First we ... -
ssh无密码登入设置
2010-08-17 21:02 1398现有2台机器 1、服务器192.168.1.112 2、个人机 ... -
bash和乱码
2010-08-16 00:15 1906几个bash下配置的区别 1)/etc/profile: 此文 ... -
ubuntu 配置git服务器及其它
2010-08-15 23:46 2173update: 生产public key的时候不能按照git ... -
nohup命令让程序在后台运行-linux
2010-02-04 14:17 7045nohup ruby /sunrise/www/realwor ... -
shell 条件可能用到
2010-01-26 15:05 1530为什么不能用ruby脚本写啊,shell脚本写的俺很烦啊... ...
相关推荐
首先,我们需要准备的是名为"GaussDB_100_1.0.1-DATABASE-REDHAT-64bit.tar.gz"的压缩包,这是专门为Red Hat操作系统定制的安装包。解压此文件后,我们将会得到一系列用于安装和配置GaussDB的必要文件。 安装前的...
redhat linux AS5 64bit 安装 Oracle 11g 64bit 所需rpm包 不用在安装oralce之前检测所需rpm 直接在安装过程中oracle自行检测即可,以免预先安装了版本低的包
GaussDB_100_1.0.1-DATABASE-REDHAT-64bit.7z是一个专为Red Hat Enterprise Linux 64位系统设计的GaussDB数据库安装包。GaussDB是由华为开发的一款分布式并行数据库,它支持大规模数据处理,适用于云计算环境和...
### Redhat7 DB2安装时遇到“The 32 bit library file libstdc++.so.5 is not found on the system”问题的解决方案 在部署数据库管理系统(DBMS)时,经常会出现各种兼容性或缺失库的问题。例如,在Redhat 7上安装...
此版本为hedhat7.X以上版本,解压文件夹,里面包含了GaussDB_100_1.0.1-DATABASE-REDHAT-64bit.tar.gz,华为高斯数据库认证HCIA-GaussDB_V1.0实验手册.pdf,华为GaussDB 客户端工具—Data Studio 安装教程,照着文档...
shellcheck在centOS/redHat下没有可用的可执行文件或者可以直接编译生成的命令...附件是在centOS/redHat下已编译的可执行文件,理论上可以在其他centOS/redHat平台版本下使用,因编译过程太艰辛曲折,收取10分辛苦分。
【标题】"Linux Redhat5.3 Enterprise 64bit" 涉及的主要知识点包括Linux操作系统、Red Hat Enterprise Linux(RHEL)发行版以及64位架构的相关内容。 Linux是一种自由和开放源代码的类UNIX操作系统,由林纳斯·托...
【高斯数据库与GaussDB-Kernel-V300R002C00-REDHAT-64bit-Jdbc】 高斯数据库,全称为华为GaussDB,是华为公司自主研发的一款分布式并行数据库系统,主要应用于大规模数据处理和分析场景。这款数据库产品旨在提供高...
以下是对"redhat下安装oracle"这一主题的详细解释。 首先,确保你的Red Hat系统满足Oracle数据库的基本硬件和软件需求。这通常包括特定版本的操作系统(例如,Red Hat Enterprise Linux),足够的内存和处理器资源...
### RedHat下安装及配置vsftp服务的详细指南 在RedHat系统中,vsftp(Very Secure FTP)是一个广泛使用的FTP服务器程序,以其安全性、稳定性和丰富的特性而著称。以下是在RedHat 6.3环境下安装和配置vsftp服务的...
在RedHat下安装及配置telnet服务是一项基本的网络管理技能,尤其对于系统管理员来说,掌握这一技术可以极大地提升远程管理服务器的效率。本文将基于给定文件的信息,详细阐述在RedHat环境下如何安装、配置telnet服务...
在红帽子系统下安装tomcat的方法
RedHat7.0百度云下载链接
在redhat下安装hadoop集群,文件中包括设置静态ip,jdk安装,内含截图,详细指导。
在RHEV的部署过程中,首先需要安装域控,这涉及创建用户(例如,`redhat1`和`redhat2`,其中`redhat`是管理员),配置服务器管理器,并安装必要的软件如`.NET Framework`。接着,安装RHEL作为RHEV-H主机。在RHEL上,...
### RedHat 下安装 DB2 10.5 #### 知识点概述 本文档将详细介绍如何在 RedHat 6.4 操作系统环境中安装 IBM DB2 10.5 数据库服务器。整个过程分为几个步骤:配置本地 YUM 源、安装前准备、解压与安装 DB2 软件、...
在redhat9下直接安装yum ,不需其他关联文件
### Linux RedHat 下异地备份详解 #### 一、引言 在现代企业的IT环境中,数据安全至关重要。为了防止数据丢失,通常需要对重要的业务数据进行定期备份。在Linux环境下,尤其是RedHat系列操作系统中,实现异地备份...