#1 by bester69 » 2021-06-16 00:34
Basic Steps
1- Protect the file with chattr +i to keep it intact:
```
chattr +i <<filetoprotect>>
```
2- Deny chattr execution and su access to the user in the sudoers file:
/etc/sudoers
```
myuser ALL=(ALL:ALL) NOPASSWD: ! /usr/bin/chattr
```
2.1- Deny the user access to the root account in the sudoers file:
```
myuser ALL=(ALL:ALL) NOPASSWD: ! /bin/su
```
3- Protect the sudoers file with chattr, as root:
```
chattr +i /etc/sudoers
```
-------
Example: protecting the resolv.conf DNS file during a time window:
resol_porn.sh
resol_porn.sh 1 (lock resolv.conf with parental-control DNS)
resol_porn.sh 0 (unlock resolv.conf with Google DNS)
```bash
#!/bin/bash
#
# resol_porn.sh: lock (1) or unlock (0) /etc/resolv.conf and, with it,
# the user's ability to run chattr and su through sudo.
fileproc=/etc/sudoers
filetemp="$(mktemp)"   # private temp file instead of a predictable /tmp path
sudo cat "$fileproc" > "$filetemp"
sudo chattr -i /etc/sudoers
# Lock sudoers
if [ "$1" == "1" ]
then
    # Strip any existing "!" first so each exclusion is added exactly once
    sed -i 's/! \/usr\/bin\/chattr/\/usr\/bin\/chattr/' "$filetemp"
    sed -i 's/\/usr\/bin\/chattr/! \/usr\/bin\/chattr/' "$filetemp"
    sed -i 's/! \/bin\/su/\/bin\/su/' "$filetemp"
    sed -i 's/\/bin\/su/! \/bin\/su/' "$filetemp"
    # Point resolv.conf at the parental-control resolvers and make it immutable
    sudo chattr -i /etc/resolv.conf 2> /dev/null
    printf 'nameserver 185.228.168.168\nnameserver 185.228.169.168\n' | sudo tee /etc/resolv.conf
    sudo chattr +i /etc/resolv.conf 2> /dev/null
fi
# Unlock sudoers
if [ "$1" == "0" ]
then
    sed -i 's/! \/usr\/bin\/chattr/\/usr\/bin\/chattr/' "$filetemp"
    sed -i 's/! \/bin\/su/\/bin\/su/' "$filetemp"
    # Restore the Google resolvers and leave resolv.conf writable
    sudo chattr -i /etc/resolv.conf 2> /dev/null
    printf 'nameserver 8.8.8.8\nnameserver 8.8.4.4\n' | sudo tee /etc/resolv.conf
fi
# Install the edited copy only if it is non-empty and still valid sudoers syntax;
# a broken /etc/sudoers would lock everyone out of sudo
if [ -s "$filetemp" ] && sudo visudo -c -q -f "$filetemp"
then
    sudo tee "$fileproc" < "$filetemp" > /dev/null
fi
rm -f "$filetemp"
if [ "$1" == "1" ]
then
    sudo chattr +i /etc/sudoers
fi
```
/etc/cron.hourly/cr_resolv (block resolv.conf from 21:00 to 08:00)
```sh
#!/bin/sh
#
PATH=/sbin:/bin:/usr/sbin:/usr/bin
export PATH
DISPLAY=:0 ; export DISPLAY
# Switch resolv.conf to the parental-control DNS during the blocked hours
hour=$(date +%H)
# [ ] compares as decimal, so a zero-padded hour such as 08 is fine here;
# -ge keeps the 21:00 hour itself inside the blocked window
if [ "$hour" -ge 21 ] || [ "$hour" -lt 8 ] ; then
    su root -c "/home/myuser/scripts/resol_porn.sh 1"
else
    su root -c "/home/myuser/scripts/resol_porn.sh 0"
fi
```
bester69 wrote: STOP 2030 globalists demons, keep the fight for humanity freedom against NWO...
#2 by p.H » 2021-06-16 07:07
This protection is easy to circumvent with sudo privileges.
Rename/move/copy/hardlink/symlink the chattr executable.
sudo -i/-s.
Execute chattr in a script.
Bind mount another file on the protected file.
Redirect DNS queries to another DNS server with iptables/nftables.
Etc.
#3 by wizard10000 » 2021-06-16 12:08
p.H wrote: This protection is easy to circumvent with sudo privileges...
Yup. bester's a big fan of the immutable bit
we see things not as they are, but as we are.
-- anais nin
#4 by sunrat » 2021-06-16 12:49
wizard10000 wrote: p.H wrote: This protection is easy to circumvent with sudo privileges...
Yup. bester's a big fan of the immutable bit
He is an immutable bit. See his signature!
“Computer users can be divided into 2 categories: those who have lost data ...and those who have not lost data YET” Remember to BACKUP!
#5 by RU55EL » 2021-06-16 17:51
Protect a file from a sudoer user:
```
russel@DESKTOP-CK0E8I6:~$ ls > file
russel@DESKTOP-CK0E8I6:~$ ls -l file
-rw-r--r-- 1 russel russel 1539 Jun 16 11:36 file
russel@DESKTOP-CK0E8I6:~$ gpg -c file
[enter good password when prompted]
russel@DESKTOP-CK0E8I6:~$ ls -l file*
-rw-r--r-- 1 russel russel 1539 Jun 16 11:36 file
-rw-r--r-- 1 russel russel 856 Jun 16 11:36 file.gpg
russel@DESKTOP-CK0E8I6:~$ shred file
russel@DESKTOP-CK0E8I6:~$ rm file
russel@DESKTOP-CK0E8I6:~$ ls -l file*
-rw-r--r-- 1 russel russel 856 Jun 16 11:36 file.gpg
```
#6 by p.H » 2021-06-17 09:58
Encryption is not the kind of "protection" discussed in this thread.
#7 by RU55EL » 2021-06-17 15:22
I didn't notice any specification as to what type of protection was being discussed. Please forgive me if I missed it. In any case, encryption is a simple way to protect a file from anyone. Not to mention that sudo can be configured for individual logins, allowing access to what is required and "protecting" that which should not be accessed by certain sudo users. (Or all sudo users, for that matter.)
#8 by p.H » 2021-06-17 16:59
RU55EL wrote: I didn't notice any specification as to what type of protection was being discussed.
Didn't you read the original post carefully before replying?
It is about preventing a sudoer from modifying a system config file.
#9 by RU55EL » 2021-06-17 18:17
[tongue-in-cheek]
Encrypting the configuration file will accomplish that.
[/tongue-in-cheek]
Seriously, wouldn't proper config of sudo for a given user prevent modification of critical configuration files?
#10 by p.H » 2021-06-17 19:59
RU55EL wrote: Encrypting the configuration file will accomplish that.
How would the system be able to use the file when it's encrypted?
RU55EL wrote: Seriously, wouldn't proper config of sudo for a given user prevent modification of critical configuration files?
Of course this is the way to go. Or don't give sudo privileges to untrusted users.
#11 by RU55EL » 2021-06-17 21:13
p.H wrote: RU55EL wrote: Encrypting the configuration file will accomplish that.
How would the system be able to use the file when it's encrypted ?
You did see the [tongue-in-cheek] I posted, didn't you? Sorry if my attempt at humor was unsuccessful.
#12 by bester69 » 2021-06-25 18:11
p.H wrote: This protection is easy to circumvent with sudo privileges.
Rename/move/copy/hardlink/symlink the chattr executable.
sudo -i/-s.
Execute chattr in a script.
Bind mount another file on the protected file.
Redirect DNS queries to another DNS server with iptables/nftables.
Etc.
WTH!!!
Then we can't give full sudo access... only to specific commands,
or disable sudoers temporarily.
Thanks for it.. I was so happy with my own invention,
for sure disabling cp, mv, ln, mount wouldn't be enough, as the user could download the binary and run it as sudo... what a disgrace!!
#13 by bester69 » 2021-06-25 18:19
In this case, we must comment out the user line in sudoers (myuser ALL=(ALL:ALL) ALL), because it gives full sudo access, and leave the rest of the commands we wish as sudoers; this way, sudoers only applies to the specific added commands... I think this way would work as long as we don't give sudo access to some commands like cp, mv, ln, mount....
```
root ALL=(ALL:ALL) ALL
#myuser ALL=(ALL:ALL) ALL
myuser ALL=(ALL:ALL) NOPASSWD: /sbin/hdparm
myuser ALL=(ALL:ALL) NOPASSWD: /sbin/resolvconf
myuser ALL=(ALL:ALL) NOPASSWD: /sbin/ifconfig
....
myuser ALL=(ALL:ALL) NOPASSWD: /usr/sbin/gparted
myuser ALL=(ALL:ALL) NOPASSWD: /usr/sbin/hddtemp
```
The idea is that a user can keep being a sudoer but can't alter a specific given file (for example, one protected with chattr +i).
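The rule p.H and bester69 converge on (allow specific commands, never subtract them from a broad grant with `!`) can be checked mechanically. The following is an added Python example, not code from the thread: it parses simple sudoers user specifications and flags `!` exclusions and ALL grants, using the thread's own sudoers lines, reassembled here as constructed input; Defaults lines and aliases are out of scope.

```python
"""Flag sudoers user specs that subtract commands from a grant with '!'.
sudoers(5) warns this is not a security control (the excluded binary can be
copied or renamed). Simple 'user host=(runas) [TAG:] cmd, cmd' lines only."""
import re

SPEC_RE = re.compile(r"^(\S+)\s+(\S+?)\s*=\s*(?:\(([^)]*)\)\s*)?(.*)$")
TAG_RE = re.compile(r"^(?:NO)?(?:PASSWD|EXEC|SETENV|MAIL|FOLLOW|LOG_INPUT|LOG_OUTPUT):\s*")
# Constructed from the thread: post #1's exclusions (under the full-access line
# post #13 says was present) and post #13's allow-list.
NEGATION_FRAGMENT = """\
myuser ALL=(ALL:ALL) ALL
myuser ALL=(ALL:ALL) NOPASSWD: ! /usr/bin/chattr
myuser ALL=(ALL:ALL) NOPASSWD: ! /bin/su
"""
ALLOWLIST_FRAGMENT = """\
root ALL=(ALL:ALL) ALL
#myuser ALL=(ALL:ALL) ALL
myuser ALL=(ALL:ALL) NOPASSWD: /sbin/hdparm
myuser ALL=(ALL:ALL) NOPASSWD: /sbin/resolvconf
"""

def parse_specs(text):
    """Yield (user, [commands]) for every non-comment user specification."""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and blank lines
        if not line or line.startswith("Defaults"):
            continue
        m = SPEC_RE.match(line)
        if not m:
            continue
        cmds = []
        for cmd in m.group(4).split(","):
            cmd = cmd.strip()
            tag = TAG_RE.match(cmd)
            while tag:  # peel NOPASSWD:, NOEXEC:, ... off the command
                cmd = cmd[tag.end():]
                tag = TAG_RE.match(cmd)
            cmds.append(cmd)
        yield m.group(1), cmds

def audit(text):
    """Return findings as strings; an empty list means nothing was flagged."""
    findings = []
    for user, cmds in parse_specs(text):
        for cmd in cmds:
            if cmd.startswith("!"):
                findings.append(f"{user}: excluding {cmd.lstrip('! ')} with '!' is bypassable")
            elif cmd == "ALL" and user != "root":
                findings.append(f"{user}: grants ALL")
    return findings
```

Run `audit()` over the real `/etc/sudoers` and the files in `/etc/sudoers.d` to see whether a host still depends on negation rules.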
#14 by bester69 » 2021-06-25 18:29
wizard10000 wrote: p.H wrote: This protection is easy to circumvent with sudo privileges...
Yup. bester's a big fan of the immutable bit
You really know me very well.
#15 by p.H » 2021-06-26 08:18
bester69 wrote: then we cant give full access sudoers ... only to specific commands
I agree.
#16 by bester69 » 2021-07-16 02:43
I corrected the script, now it's working well:
In this version the root password is changed automatically by the script, so the only way to unlock resolv.conf is to wait for the window time to open or to use a live CD.
So we have:
>> window time is open: the user is a sudoer for any command
>> window time is closed: the user needs to know the root password
resol_porn.sh
```bash
#!/bin/bash
#
# resol_porn.sh: 1 = lock, 0 = unlock, 2 = lock outside the cron schedule.
# Locking also enables "Defaults rootpw" and sets a random root password,
# so sudo prompts for a password nobody knows until the next unlock.
PATH=/sbin:/bin:/usr/sbin:/usr/bin
fileproc=/etc/sudoers
filetemp="$(mktemp)"   # private temp file instead of a predictable /tmp path
lockresol="/etc/resolvlock"
export PATH
DISPLAY=:0 ; export DISPLAY
sudo cat "$fileproc" > "$filetemp"
sudo chattr -i /etc/sudoers
OP="$1"
# $1=2 means lock outside the crontab schedule; record it in a flag file
if [ "$1" == "2" ]
then
    OP="1"
    echo "1" | sudo tee "$lockresol"
fi
# Lock sudoers
if [ "$OP" == "1" ]
then
    while read -u 3 line; do
        linesed="${line////\\/}"   # escape slashes so the line works as a sed address
        case "$line" in
            *"rootpw"* )
                # Uncomment the rootpw line
                sed -i "/$linesed/s/^#//" "$filetemp"
                echo "Es: $line"   # debug: show the matched line
                ;;
            * ) : ;;
        esac
    done 3< "$filetemp"
    # Strip any existing "!" first so each exclusion is added exactly once
    sed -i 's/! \/usr\/bin\/chattr/\/usr\/bin\/chattr/' "$filetemp"
    sed -i 's/\/usr\/bin\/chattr/! \/usr\/bin\/chattr/' "$filetemp"
    sed -i 's/! \/bin\/su/\/bin\/su/' "$filetemp"
    sed -i 's/\/bin\/su/! \/bin\/su/' "$filetemp"
    # Point resolv.conf at the parental-control resolvers and make it immutable
    sudo chattr -i /etc/resolv.conf 2> /dev/null
    printf 'nameserver 185.228.168.168\nnameserver 185.228.169.168\n' | sudo tee /etc/resolv.conf
    sudo chattr +i /etc/resolv.conf 2> /dev/null
fi
# Unlock sudoers
if [ "$OP" == "0" ]
then
    while read -u 3 line; do
        linesed="${line////\\/}"
        case "$line" in
            *"rootpw"* )
                # Comment out the rootpw line
                sed -i "/$linesed/s/^#*/#/" "$filetemp"
                echo "Es: $line"
                ;;
            * ) : ;;
        esac
    done 3< "$filetemp"
    sed -i 's/! \/usr\/bin\/chattr/\/usr\/bin\/chattr/' "$filetemp"
    sed -i 's/! \/bin\/su/\/bin\/su/' "$filetemp"
fi
# Install the edited copy only if it is non-empty and still valid sudoers syntax;
# a broken /etc/sudoers would lock everyone out of sudo
if [ -s "$filetemp" ] && sudo visudo -c -q -f "$filetemp"
then
    sudo tee "$fileproc" < "$filetemp" > /dev/null
fi
rm -f "$filetemp"
# 16 random alphanumeric characters for the new root password
newpass="$(tr -dc 'a-z0-9A-Z' < /dev/urandom | head -c 16)"
if [ "$OP" == "1" ]
then
    echo "root:$newpass" | sudo chpasswd
    sudo chattr +i /etc/sudoers
fi
```