Is there any way that I restrict a user to run a specific command? For example: I want only Admin users should be allowed to run "rm" commands on a node. Or I need to restrict the commands that requires write access on to the filesystem of the node.
Rundeck doesn't work in that way. If you're using a specific user to dispatch commands on a node, Rundeck uses that user permissions to launch their commands. In your case, the best approach is to use a restricted user account on your remote node to limit commands.
Please take a look at this.
Related
I have an old application from a friend that is dependent on a table in a MySQL database. The application makes calls directly to the database - Sends login request and subsequent retrieval activities.
The password is hard-coded into the application and he forgot what it is. However, we do have the table structure and is able to allow the database connection to connect if we used skip-grant-tables to bypass the authentication.
Is there a way to only allow a specific user to have such privilege (logging in with any password with a specific username) and not affect the remaining users?
P.s: I understand that this is not the ideal way to create an application and APIs should be used instead. However, the application is useful but not worth to redevelop.
I am searching for the best solution of the following:
I need to give somebody access to one (out of many) specific database on my MySQL server through PhpMyAdmin or a similar tool.
I am not allowed to create a new MySQL user account.
Therefore I am thinking of creating a cover-up username and password (the credentials might be stored in some table or even directly in PHP somewhere around PMA), with which my somebody would log in to PMA.
PMA would use a securely stored real username and password to connect to my MySQL server. But my somebody would never see the actual database username and password. He would only see and be able to edit tables within the one specified database on my server.
Is this somehow achievable? Thank you!
PMA has a configuration for this.
$cfg['Servers'][$i]['only_db']
Read about it in the documentation: https://docs.phpmyadmin.net/en/latest/config.html
But this does not restrict the privileges of the user. It only makes the user interface show a limited subset of databases to the user. If they know the name of some other databases (or can query them from INFORMATION_SCHEMA.SCHEMATA), they can still access those databases.
If you want to enforce privileges to only a few databases, you'll have to create a distinct MySQL user and limit their privileges with GRANT.
Re your comments:
It sounds like you need to store the MySQL credentials in your PMA config file (and set $cfg['Servers'][$i]['auth_type'] to 'config'). Then you can use Apache HTTP authentication to restrict access to your PMA site (or directory), and you can create multiple user credentials at the Apache level.
phpMyAdmin is not designed to work like this; it uses the MySQL authentication structure without imposing any additional login restrictions.
One part of your requirements (not sharing the actual username and password) might be solved by using the config or signon authentication method, but that still doesn't impose any additional restrictions on the user once they log in so they'd have the same access that your user account has.
Unfortunately for you, if you aren't able to create another user account it's going to be difficult to share the account without giving them the same level of access.
I am trying to configure the Apache FtpServer for windows, and i've got most of it running already, however I am having difficulty understanding the database user manager...
I am more or less a complete newbie to this and SQL, however I already have an FTP server up and running in Linux using VSFTPD. the company wants to migrate from linux to windows, and I have to create accounts for close to 5,000 users (which is why I want to use the database manager).
Here are my questions:
I can see that the xml configuration controls the connection to the database, but how does it control authentication? can someone explain which section handles user authentication from the database? EDIT: by user authentication, I do not mean the database connection itself, but rather how FTPServer authenticates a connection THROUGH the database.
How can I prevent / detect brute-force attempts against my server? our current linux ftp server uses DenyHosts for port 22 (ssh) and is hit by attacks at LEAST 20+ times a week, is there any kind of built-in authentication protection, and if not, can anyone suggest a way to create one? I know that the xml config has themax-login-failuressetting, which closes the connection after a certain number of attempts, but I need it to completely deny any further access from that IP, and not just close the connection.
Example:
Any attempt to log in with the following usernames results in immediate IP-BAN:
Root
Admin
Administrator
System
etc
Other settings
Attempts for non-existing users results in IP-BAN after # attempts for IP (including different users)
Attempts for existing users results in 60-second time out after # attempts (including different users)
Any and all help would be greatly appreciated. If you have any questions or require clarification on anything, please post a comment and I will make any necessary changes / replies.
Thanks.
See the example under Data source configuration here
Apache Ftpserver does not provide this functionallity out of the box. You either have to extend it and program this yourself, or use some external system that parses its log files and dynamically add/remove firewall rules (something like what fail2ban does on linux)
How to allow multiple users in local network to share a single MySQL database? We even have option of share drive, if it will help.
we are using C# windows application as front end
The limitation is that we do not have acces to our main server. The server is with the other ofice department and we do not want to indulge that department in our project. So, we are on LAN and have a shared drive between us.
And we want to use this database common to multiple users in our office (aprox 100 users) which will use our C# windows application to view data and to enter data.
Can we do something on Share Drive? I am not sure..
Hope it will make some sense..
Thanx
MySQL handles this situation out-of-the-box. Each client connects from wherever and the DBM handles the details. Make sure the server is configured correctly and that the specific database allows connects from other than 127.0.0.1.
Whatever you do, do not use file sharing to try and run multiple copies of MySQL against a single database -- that way lies madness and tears. There are lock files that try to prevent this type of abuse, but I've acutally seen people try to "get around" this.
Here is an excellent guide for unix based servers :
http://www.cyberciti.biz/tips/how-do-i-enable-remote-access-to-mysql-database-server.html
the same passages are needed for a windows system, you need to enable remote access and eventually grant permissions on a defined IP.
Remote sharing of the database is disabled by default for security reasons.
EDIT:
if you are in the same network, then you may just grant permissions I.E.:
GRANT SELECT ON mydb.* TO devel2#192.168.1.102 identified by 'mypassword'
As long as they have network access to the server and you have at least MySQL 5 (5.0.2), can't you just create users for them?
CREATE USER 'new_username'#'localhost' IDENTIFIED BY 'password_for_new_username';
I am writing a bash script that I plan to execute via cron. In this script, I want to execute a command against a MySQL database, something like this:
$ mysql -u username -ppassword -e 'show databases;'
For clarity and those not familiar with mysql, the "-u" switch accepts the username for accessing the database and the "-p" is for password (space omitted purposely).
I am looking for a good way to keep the username/password handy for use in the script, but in a manner that will also keep this information secure from prying eyes. I have seen strategies that call for the following:
Keep password in a file: pword.txt
chmod 700 pword.txt (remove permissions for all except the file's owner"
Cat pword.txt into a variable in the script when needed for login.
but I don't feel that this is very secure either (something about keeping passwords in the clear makes me queasy).
So how should I go about safeguarding password that will be used in an automated script on Linux?
One way you can obfuscate the password is to put it into an options file. This is usually located in ~/.my.cnf on UNIX/Linux systems. Here is a simple example showing user and password:
[client]
user=aj
password=mysillypassword
The only truly safe way to guard your password is to encrypt it. But then you have the problem of safeguarding the encryption key. This problem is turtles all the way down.
When the good people who build OpenSsh tackled this problem, they provided a tool called ssh-agent which will hold onto your credentials and allow you to use them to connect to a server at need. But even ssh-agent holds a named socket in the filesystem, and anybody who can get access to that socket can act using your credentials.
I think the only two alternatives are
Have a person type a password.
Trust the filesystem.
I'd trust only a local filesystem, not a remote mounted one. But I'd trust it.
Security is hell.
Please see the doc for some guidelines. an extra step you can take is to restrict the use of ps command for normal users, if they have the permission to access the server.
I'll agree with Norman that you should have someone type the password. If you just supply the -p flag without an accompanying password, it will prompt the user for it.