Linode Community Forums
Posted: Wed Apr 19, 2017 9:44 am
Sizzling hot BBQ ribs! Eat them while they are hot! ... Oops, sorry, wrong forum.

Sizzling hot inotify events! Yes, that is what I meant, inotify events. What are these hot inotify events? If you haven't heard of them before, you are in for a tasty surprise!

Ever wonder how to take events from a simple website that runs as a normal unix user and turn those events into actions run as root? But without any security implications and without running the website as root? Hot inotify events are the answer!

Ever wonder how to run cron jobs that aren't time-based? Hot inotify events are the answer!

Ever wonder how to initiate file system synchronisation on file/directory change? Hot inotify events are the answer!


Installation

Code:
yum install incron
systemctl enable incrond
systemctl start incrond


Once installed, you should end up with a configuration file at /etc/incron.conf, but we do not need to make any changes, since the default options are enough for most uses.

A more important file is the configuration for the users who are allowed to run events with incron, so create and edit the file /etc/incron.allow with a single line:

Code:
root


If you want, you may add normal users instead of root, but that depends on your type of setup.


Event example - user to root

Let's create an example as described at the start of this post: a simple website running under a normal user that needs to initiate a set of root commands.

In this scenario, we have a server whose SSH access is permanently stopped for security reasons. In our case, the user's website has a start/stop button, which allows us to start and stop the SSH daemon.

First, we create a quick and simple PHP script named secret-ssh.php and place it under the public_html directory, with the following contents:

Code:
<html><body>
<?php

// Hot files
$hotStart = "/home/user/start-ssh";
$hotStop = "/home/user/stop-ssh";

// Touch "hot" file based on command
if(isset($_REQUEST['start']) && $_REQUEST['start']==="true") {

   touch($hotStart);
   sleep(1);

} elseif(isset($_REQUEST['stop']) && $_REQUEST['stop']==="true") {

   touch($hotStop);
   sleep(1);

}

// Current status
$status = exec("/usr/bin/systemctl is-active sshd.service");

// Check status
if($status==="active")
   echo 'The top secret SSH daemon service is <strong>running</strong>. &nbsp; <a href="?stop=true">Stop!</a>';
else
   echo 'The top secret SSH daemon service is <strong>not running</strong>. &nbsp; <a href="?start=true">Start!</a>';

?>
</body></html>


Now create the two "hot" files with touch and set proper ownership with chown:

Code:
touch /home/user/start-ssh
chown user:user /home/user/start-ssh
touch /home/user/stop-ssh
chown user:user /home/user/stop-ssh


Finally, run the incrontab -e command as root with the following contents:

Code:
/home/user/start-ssh IN_MODIFY,IN_ATTRIB,IN_NO_LOOP /usr/bin/systemctl start sshd.service
/home/user/stop-ssh IN_MODIFY,IN_ATTRIB,IN_NO_LOOP /usr/bin/systemctl stop sshd.service


In all of the above, please make sure to replace the user part of the paths with your own unix user. If incrontab produces the error "editor finished with error: No such file or directory", then edit the /etc/incron.conf file and set another default editor, or install vim.

Now if you access secret-ssh.php with a web browser, you will be able to safely start and stop the SSH daemon service, without being root. In practice, any time the two hot files change their attributes or contents, the equivalent action will be executed, so you can try this from the shell by running "touch /home/user/start-ssh".
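As an added example (not code from the original post or from the incron project), here is a root-side wrapper script that the two incrontab lines can invoke instead of calling systemctl directly. It assumes the trigger paths from the post (/home/user/start-ssh and /home/user/stop-ssh), a hypothetical install location /usr/local/sbin/hot-ssh.sh, and incron's $@ argument, which expands to the path of the watched file. Before acting, the wrapper checks that the trigger is a regular, non-symlinked file owned by the expected user, maps only the two known file names to a systemctl verb, and records every event with logger, so the root side acts on exactly the two triggers the web user is meant to produce and nothing else.

```shell
#!/bin/sh
# hot-ssh.sh: root-side handler for the incron "hot file" pattern.
# Added example, not from the original post or the incron project.
#
# Assumed incrontab lines (paths are hypothetical):
#   /home/user/start-ssh IN_MODIFY,IN_ATTRIB,IN_NO_LOOP /usr/local/sbin/hot-ssh.sh $@
#   /home/user/stop-ssh  IN_MODIFY,IN_ATTRIB,IN_NO_LOOP /usr/local/sbin/hot-ssh.sh $@

HOT_OWNER="${HOT_OWNER:-user}"                 # unix user allowed to own trigger files
SYSTEMCTL="${SYSTEMCTL:-/usr/bin/systemctl}"   # overridable so the script can be dry-run
UNIT="${UNIT:-sshd.service}"

# log MSG: send to syslog when logger exists, never fail the caller.
log() {
    command -v logger >/dev/null 2>&1 && logger -t hot-ssh -- "$*"
    return 0
}

# hot_file_ok PATH: succeed only if PATH exists, is not a symlink, and is a
# regular file owned by HOT_OWNER. find -user is used for the owner check
# because it works on both GNU and BSD find.
hot_file_ok() {
    [ -e "$1" ] || return 1
    [ -L "$1" ] && return 1
    [ -f "$1" ] || return 1
    [ -n "$(find "$1" -maxdepth 0 -type f -user "$HOT_OWNER" 2>/dev/null)" ] || return 1
    return 0
}

# action_for PATH: map the trigger file name to a systemctl verb.
# Only the two intended names are accepted; anything else fails.
action_for() {
    case "$(basename "$1")" in
        start-ssh) echo start ;;
        stop-ssh)  echo stop ;;
        *)         return 1 ;;
    esac
}

# handle PATH: the full pipeline incron runs for one event.
handle() {
    hot_file_ok "$1" || { log "rejected trigger $1"; return 1; }
    action="$(action_for "$1")" || { log "unknown trigger $1"; return 1; }
    log "$action $UNIT (trigger $1)"
    "$SYSTEMCTL" "$action" "$UNIT"
}

# When incron executes this file directly, act on the path it passes as $@.
case "$0" in
    */hot-ssh.sh) handle "$1" ;;
esac
```

Install it as /usr/local/sbin/hot-ssh.sh (mode 0755, owned by root) and point both incrontab lines at it as shown in the header comment; a manual check is `sh /usr/local/sbin/hot-ssh.sh /home/user/start-ssh`. Because the trigger files live in the web user's home, anything able to write or chmod them as that user can fire the event, so the value of the wrapper is that root only ever runs the two fixed systemctl commands, refuses symlinks or files with a different owner, and leaves a syslog line for every attempt.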

Enjoy the ribs!

_________________
:idea: I love my computer... all my friends live there.

