Linux web front-end best practices - integration

I want to build a web based front-end to manage/administer my Linux box. E.g. I want to be able to add users, manage the file system and all those sorts of things. Think of it as a cPanel clone but more for system admin rather than web admin.
I was thinking about creating a service that runs on my box and that performs all the system level tasks. This way I can have a clear separation between my web based front-end and the actual logic. The server pages can then make calls to my specialized server or queue tasks that way. However, I'm not sure if this would be the best way to go about this.
I guess another important question would be, how I would deal with security when building something like this?
PS: This is just a pet project and learning experience, so I'm not interested in existing solutions that do a similar thing.

Have the specialized service daemon running as a distinct user -- let's call it 'managerd'. Set up your /etc/sudoers file so that 'managerd' can execute the various commands you want it to be able to run, as root, without a password.
Have the web server drop "trigger" files containing the commands to run in a directory that is mode '770' with a group that only the web server user and 'managerd' are members of. Make sure that 'managerd' verifies that the files have the correct ownership before executing the command.
Make sure that the web interface side is locked down -- run it over HTTPS only, require authentication, and if at all possible, put in IP-specific ACLs, so that you can only access it from known locations, in advance.

Your solution seems like a very sensible solution to the 'root' issue.
Couple of suggestions:
Binding the 'specialised service' to localhost as well would help to guarantee that requests can't be made externally.
Have requests call functions that perform the actions, and do not directly give the service full unrestricted access. So call a function "addToGroup(user,group)" instead of a generic "performAction(command)".
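To make the two answers concrete, here is an added example (not code from either poster) of the 'managerd' side: it checks the trigger file's ownership and mode as the first answer recommends, accepts only allow-listed actions with validated arguments in the addToGroup(user, group) spirit of the second answer, and runs the command as an argv list through sudo with no shell involved. The usermod/useradd paths, the name regex and the one-line request format are assumptions.

```python
import os, re, stat, subprocess, tempfile
# Conservative user/group name check (assumption: tighten to the site's own policy).
NAME_RE = re.compile(r"^[a-z_][a-z0-9_-]{0,31}$")

# Allow-list in the spirit of addToGroup(user, group): action -> (argc, argv builder).
# Binary paths are assumptions; the sudoers rule for 'managerd' should list exactly these.
ACTIONS = {
    "addToGroup": (2, lambda user, group: ["sudo", "-n", "/usr/sbin/usermod", "-aG", group, user]),
    "addUser": (1, lambda user: ["sudo", "-n", "/usr/sbin/useradd", "-m", user]),
}

def parse_request(line):
    """Map one trigger line such as 'addToGroup alice developers' to an argv list.
    Returns None for an unknown action, wrong arity, or an argument failing NAME_RE."""
    parts = line.split()
    if not parts or parts[0] not in ACTIONS:
        return None
    argc, build = ACTIONS[parts[0]]
    args = parts[1:]
    if len(args) != argc or not all(NAME_RE.match(a) for a in args):
        return None
    return build(*args)

def trigger_is_trusted(st, web_uid, shared_gid):
    """Ownership check from the first answer: a regular file (lstat, so a symlink fails),
    owned by the web server user and the shared group, and not writable by others."""
    return (stat.S_ISREG(st.st_mode) and st.st_uid == web_uid
            and st.st_gid == shared_gid and not st.st_mode & stat.S_IWOTH)

def process_trigger(path, web_uid, shared_gid, run=subprocess.run):
    """Consume one trigger file. Returns the argv that was run, or None if rejected."""
    st = os.lstat(path)
    argv = None
    if trigger_is_trusted(st, web_uid, shared_gid):
        with open(path) as f:
            argv = parse_request(f.readline())
    os.unlink(path)  # always consume the trigger so a rejected request is not retried
    if argv is not None:
        run(argv, check=True)  # argv list, no shell: arguments are never reinterpreted
    return argv

def demo(line, mode=0o660):
    """Constructed end-to-end run in a temp dir, with a recording runner instead of sudo."""
    path = os.path.join(tempfile.mkdtemp(), "req-1")
    with open(path, "w") as f:
        f.write(line + "\n")
    os.chmod(path, mode)
    ran = []
    argv = process_trigger(path, os.getuid(), os.getegid(), run=lambda a, **kw: ran.append(a))
    return argv, ran, os.path.exists(path)
```

In production the daemon would loop over the trigger directory (mode 770, shared group) and pass the real web server uid and the group's gid instead of its own ids.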

Related

How to manage MySQL connections in a microservices architecture

I have the gist of how to connect to a MySQL server, however my dilemma is using passwords. Here are some of the things I am looking at.
Architecture will be 1 core service which as of right now will be set up as a digest authentication service. Note: In the future I will also have it set up for Kerberos authentication.
The service will have a schema it will need to be able to access in MySQL. Also the micro services will have their own schemas that they will also need to be able to access.
The database will be localhost initially but will eventually be moved (in production) to a separate server altogether.
Given the requirements above, I cannot give the services users that are restricted to localhost and have no password associated with them (nor would I want that in the event the server was hacked). So how can I have access to the database without using any plain text passwords (I don't want it stored in the code)?
Maybe I am just not understanding something here that could make my life so much easier so again I look towards the wisdom of the many here. Thanks in advance!
Some things that I should maybe mention: I plan on using go-martini as my http router, I'd like to be able to set up OAuth Provider, I will need to manage user sessions and authentication (right now not as important as I'm trying to get the core part of the service setup)
Edit: To clarify some information:
I do not have an AD, Kerberos, or any other LDAP service to use and would be hard pressed to set them up at this time in a VM I use for development.
The service should not be dependent on any of those items as SSO is a much later requirement in this project.
Strictly speaking it will be deployed in environments where there are none of those available and this is non-negotiable.
I also am specifically developing the services in Go and the clients in React.
Note: I do not need someone to correct MY question. I would appreciate it if you do not change the context of my question to suit the answer you wish to give me. That is not what StackOverflow is about, it is also quite rude to do that. Thank you.

Connecting re-frame app to a Database

I'm having a problem with my re-frame application. I can't figure out how to connect it to a local database on my machine.
In other applications I've written, I've had to add the database specifications (username, password etc) into profiles.clj. Should I create profiles.clj and add the location of my database there? And does this mean I have to update the project.clj as well?
Finally, do the queries to the database, such as GET and POST requests, go in db.cljs.
I apologise if these questions are trivial, but after reading the documentation several times I am still a little confused.
re-frame is a framework for building client-side web applications. You won't be able to do generic database queries as most databases don't support direct access from a browser.
I'm having a problem with my re-frame application. I can't figure out how to connect it to a local database on my machine.
You probably need to create a middle API tier that accepts REST requests from re-frame, and queries the database, returning JSON back to the client.
Finally, do the queries to the database, such as GET and POST requests, go in db.cljs
Those are probably queries to your API tier? They can live anywhere that you would like.
One thing to clarify: re-frame has an app-db that it uses and refers to. This is a client-side database of local state that lives in your application. It doesn't have a connection to the backend, at least not without you writing more code for it. It sounds like you might be confusing these?

How to password protect website hosted on Amazon Web Services (AWS)

I wanted to create a website that would be like a dropbox of sorts, which just has files that me and my organization can access. I wanted to password protect the website, just a simple username and password. I have my own domain. I have been looking all over the web to find how to do this (I am a beginner) and found that .htaccess and .htpasswd would be used to secure a website similar to what is shown here: http://www.htaccesstools.com/articles/password-protection/
But I cannot seem to get it to work. I am using the s3 bucket and putting the .htaccess and .htpasswd file in the same folder as the index.html file. Do you know how I would get my site to have a simple password protection (that's not seen in the source code or by typing in the html)? I am not sure if I am finding the directory correctly or not to implement this password protection correctly. Thank you for taking the time to read this and hopefully this makes sense!
Anyone else had this issue?
Amazon AWS alone won't do it. htaccess and htpasswd are also not the right tools for what you want to do.
Get yourself a cheap hosting account with a company like hostgator or godaddy or namecheap or any other that will host your web page and give you PHP and MySQL.
You cannot accomplish what you want just using javascript/jQuery. Those languages run on the browser, but you want to store your files on a server. Therefore, you need the language that controls the server - that is usually PHP. (The other popular solution is ASP, which is by Microsoft and runs on costly and complex Microsoft servers -- PHP is free and runs on (free) Linux and is therefore what ALL of the cheap web hosting companies provide. MySQL is the (free) database that is analogous to Microsoft SQL)
Next, watch a video tutorial on creating a PHP / MySQL login system, such as the ones over at:
phpAcademy (now called codecourse, apparently)
theNewBoston.com
You need to learn more about:
PHP sessions
Ajax
jQuery
MySQL (possibly)
On a basic website, you can stick your files into directories and control who can access those directories by whether or not they are logged in.
You can determine if a visitor is "logged-in" or not by asking for a username/password and setting a session variable. Session variables are just variables that are stored on the server, rather than on a user's own computer (of course, that wouldn't work since every visitor has his own computer and your files are stored on a central server -- so that is where the security (variables) must reside, right?)
Anyway, in a weekend of video watching and trial-and-error you can probably get something cobbled together that will do what you want.

If an attacker were able to read a Joomla!'s database, would he be able to do much harm?

I found out after a while that a component used on my website had an unfiltered parameter, in a WHERE condition in the following settings:
Using Joomla! 1.5, latest update.
The component is custom made, fairly small, and after reading its source I couldn't identify any other security flaws.
The attacker was using SQLMap to do their work, as I saw its user-agent in the log.
MySQL version is 5.1.11
PHP version is 5.1.4
The database user has USAGE privilege.
The server OS is Linux.
After trying the same steps on my own box, I was able to read the database (and since I'm not an expert in sql injection I'm not sure that was all I could do).
My worry is mostly about the session table, would the attacker be able to impersonate a user from it? Aside from that, is there any chance he could have uploaded some payload to my server?
Also, could he have "magically" updated some field through this SELECT query? (No stacked queries available).
Thanks in advance.
If you can read the database, you can dump it with SQLMap and find the hash of the administrator's password.
With that hash, the attacker could crack it (or if it is MD5, find a collision fairly quickly) and log in to your administrator account.
From there, your admin account is screwed. The attacker has admin privileges, so consider your site dead. Worse than that, if Joomla is like Wordpress, the attacker can use custom PHP code in the theme, which allows them to drop to OS level and modify your Joomla installation.
In short, they can screw up your server, as Joomla executes arbitrary PHP code when it is run.
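As an added illustration of the defect the question describes (an unfiltered parameter in a WHERE condition), and not code from the affected Joomla component, here is the same kind of query in Python with sqlite3, once with the value interpolated into the SQL text and once bound as a parameter. The table and rows are constructed for the demonstration.

```python
import sqlite3

def make_sample_db():
    """Constructed stand-in table (not a real Joomla schema): one row is unpublished,
    so a WHERE clause that cannot be rewritten by the caller must never return it."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE articles (id INTEGER, title TEXT, published INTEGER)")
    conn.executemany("INSERT INTO articles VALUES (?, ?, ?)",
                     [(1, "Welcome", 1), (2, "Draft: roadmap", 0), (3, "Release notes", 1)])
    return conn

def find_published_vulnerable(conn, title):
    """The defect from the question: the request parameter is pasted into the WHERE
    condition, so a value containing a quote changes the condition itself."""
    sql = "SELECT id FROM articles WHERE published = 1 AND title = '%s'" % title
    return [row[0] for row in conn.execute(sql)]

def find_published_safe(conn, title):
    """Hardened form: a bound parameter travels as data and is never parsed as SQL,
    so the published = 1 restriction stays in force whatever the caller sends."""
    sql = "SELECT id FROM articles WHERE published = 1 AND title = ?"
    return [row[0] for row in conn.execute(sql, (title,))]

def compare(title):
    """Run both variants on the same input; returns (vulnerable_ids, safe_ids)."""
    conn = make_sample_db()
    return find_published_vulnerable(conn, title), find_published_safe(conn, title)
```

With an ordinary title both variants agree; with a quote-breaking value the interpolated query returns every row, including the unpublished one, while the bound query returns nothing, which is the behaviour to verify when reviewing the component's other queries.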

Configuring authentication and authorization in Apache2 with MySQL

I am trying to configure Apache2 so I can use MySQL for authenticating users to access certain pages. Also authorization needs to work so different groups can reach different pages.
Now, I have googled a lot but can't find out how to do this. At least not for the configuration I have. There doesn't seem to be any version of mod_auth_mysql that supports my configuration.
OSX 10.6.4
Apache 2.2
Now, how do I achieve this without creating my own login application in PHP but using the built-in support of Apache2? I'm totally stuck on this one...
Thanks in advance!
Regards,
Niklas
I also would like to use a tailor-made login page, not a pop-up.
....
how do I achieve this not creating my own login-application in php but using the built in support of Apache2
Short answer is that you can't. Unless you rewrite the Apache source code or create your own module, you can't mix HTTP based authentication with non-pop-up login prompts.
However, if you are using PHP then a relatively low impact solution would be to use auto-prepend to prefix every protected page with a check on the user's session. Obviously this would need a bit more thought if it is to be applied to files other than PHP source files (it'll work perfectly well if you tell Apache to apply the PHP engine to, say, .gif files, but your script will need to detect and return the appropriate MIME type).
A simpler solution might be to put a tool like squid in front of the webserver as a reverse proxy, then make the session handling data available to the squid url-rewriter.
You can build mod_auth_mysql from the source. Have a look at this post.
If you want your own log-in page, you cannot use Apache to do authentication.
Apache authentication uses the Authentication portion of the HTTP standard, and as a result you're reliant on the browser to handle the interaction with the user. There are plugins (like mod_auth_mysql) to use a database as the backend for this, but Apache can't ask the user for their credentials any other way.
The fastest approach might well be to set up Drupal or Joomla, which will get you user and group management as well as full content editing, in a way that will let you control who can edit what.