Smokes your problems, coughs fresh air.

Tag: shell

Making a shell-script run with setuid root

If you want to run a process with root privileges that you can invoke as a less unprivileged user, you can make the program setuid root. This can be very useful, for example, when you want a PHP or CGI script to call a backup process, or to create a new site or irrevocably delete you whole system. The latter example points to a serious security problem: if anyone can figure out a way to make your program do something you don’t want, you’re screwed, because you just gave them root privileges to wreak maximum havoc. That’s why, normally, scripts (anything executed by an interpreter by the kernel because of a shebang) won’t get elevated privileges when you set their setuid bit.

To understand the setuid bit, let’s first see what happens when I try to cat a file that belongs to root:

su -
# I am now root; fear me
touch no-one-can-touch-me
chmod 600 no-one-can-touch-me
cat no-one-can-touch-me
# cat: Permission denied 

Next, I’ll create a shell script that cats the file:

#!/bin/bash
 
cat no-one-can-touch-me

And make the script setuid root:

su -
chown root:root script.sh
chmod +xs script.sh

If I now execute the script, I still get the permission denied. What I need to make this work is a wrapper program. For that, I refer to Wiebe’s post about the same subject. (Yeah, I know: why bother publishing this if Wiebe already did an excellent job explaining? Well, I just hate to throw away an otherwise fine draft.)

Goosh

For a Vimperator user like me, Goosh (the unofficial Google shell) is an obvious replacement for Google’s normal search page.

I’m not sure if I’ll ever really use it, because I tend to start my Google queries from Vimperator’s command-line, but nice to know that it’s there.

And there’s another bookmark deleted…

Preventing syntax errors with old shell scripts

I was trying to install Unreal Tournament GOTY on one of my Linux machines. I downloaded and ran the script ut-install-436-GOTY.run but I got this error:

cannot open `+6' for reading: No such file or directory 

This line caused it:

sum1=`tail +6 $0 | cksum | sed -e 's/ /Z/' -e 's/   /Z/' | cut -dZ -f1`

To fix it, I set this environment variable:

export _POSIX2_VERSION=199209

Apparently, this makes programs behave differently. Research is required to find out exactly what it does…

Wget one-liner

Earlier today, I wanted to download all songs by this totally kick-ass rap outfit:

wget -q -O - http://www.assheads.nl/dehuilenderappers/?p=nummers \
| sed --quiet -e 's#^.*<a href="\(nummers/.*\.mp3\).*$#\1#p' \
| sort -u \
| wget -i - -B 'http://www.assheads.nl/dehuilenderappers/'

The same command-line, now using GNU long options to increase readability:

wget --quiet --output-document=- http://www.assheads.nl/dehuilenderappers/?p=nummers \
| sed --quiet --expression='s#^.*<a href="\(nummers/.*\.mp3\).*$#\1#p' \
| sort --unique \
| wget --input-file=- --base='http://www.assheads.nl/dehuilenderappers/'

XTerm is favorite

XTerm is know to most X-Windows users as that ugly terminal with the strange scrollbar and the unreadable font. And it doesn’t even have tabs! But, I think it’s the best damn terminal emulator in the world. It just doesn’t appear that way at first.

By default, XTerm comes with warts:

  • It has an ugly, small font.
  • What’s up with the black on white? I’m a 1337 h4x0r and I want a black background, damnit!
  • Double-click Selections is unintuitive.
  • Where are the tabs?

Default configuration for XTerm 234

But its warts are easily removed.

The font is small and ugly

Easily solved:

$ xrdb -merge
/* I want pretier fonts */
XTerm*faceName: Liberation Mono
XTerm*faceSize: 10
[Ctrl+D]
$ xterm

XTerm with nicer than default font

The black on white is an insult to my 1337ness

No longer so:

$ xrdb -merge
/* I want a 1337-style color-scheme */
XTerm*background: black
XTerm*Foreground: Grey
[Ctrl+D]
$ xterm

Now I can install my 1337 hacking tools in style! (If only I could install 1337 hacking skills as easily.)

1337-style XTerm

Double-click selections are unintuitive

Most terminal emulators let you double-click to quickly select words. XTerm does this as well, but its definition of a “word” is a bit narrow if you’re used to other programs. The good news is that XTerm is extremely configurable in this sense. It lets you decide what to select on double-click, on triple-click, all the way up to 5 clicks. You can define the boundaries of the selection by means of presets such as line, group and page, but what I like best is its ability to use regular expressions. This lets you do cool things, like, for example, using one click to select a word, two clicks to select a sentence, and three clicks to select a paragraph.

My own configuration is a bit simple, probably a testimony to how little code I write these days:

$ xrdb -merge
/* The selection only stops at spaces and newlines */
XTerm*on2Clicks: regex [^  \n]+
[Ctrl+D]

Where are my tabs

You should really be using GNU Screen instead, which has too many advantages to name here. It even allows you to do Remote pair programming over SSH.

If you use Screen within an XTerm, be sure to add to following to your X configuration.

$ echo "XTerm*metaSendsEscape: true" | xrdb -merge

Otherwise, you might find yourself unable to control Screen

Saving your configuration

Ready to save your precious configuration?

$ xrdb -edit .Xdefaults

You’re done. It’s time to go brag to your friends.

Disabling SSH shell access for SVN users on a Linux/Unix system

A common problem is that Linux/Unix system administrators want to grant users access to SVN repositories, but prevent them from logging in on the shell. This can be accomplished quite easily.

First, disable the user’s account by running:

usermod --lock [user]

This way, only public key authentication is allowed. Then, when adding the user’s key to the ~/.ssh/authorized_keys file, prefix it with this:

command="/usr/local/bin/svnserve -t",no-port-forwarding,no-pty,no-agent-forwarding,no-X11-forwarding

I used our wrapper script in /usr/local/bin as the command, because it sets an umask of 002 before actually running svnserve. This is necessary when using svn+ssh access.

The source for this trick explains it in more detail.

Microsoft batch file meets bash shellscript

Luca City, who already shared a nice readline keyboard shortcut with me, wrote me again on May 14 to share another unrelated, but very interesting trick:

Hi Rowan,
as you are interested in tricks and curiosities, I send you a thing.
I wanted a script to be runnable from both windows and linux and I found out a way to do it. Generally you can have two different files, one for each OS, but I started with this goal in mind and then it became a challenge. After trying a bit, playing with the strangest tricks of the two batch languages (bat and bash), I ended up with this solution. Actually it is not so useful 🙂 but anyway…

Well Luca, regardless of the usefulness of your script, I happen to think that it’s pure genius, so I’m going to share it here:

off ; +v # > NUL
; GOTO { true; } # > NUL
 
GOTO WIN
# bash part, replace it to suit your needs
0
 
:WIN
REM win part, replace it to suit your needs

Give the script a .bat extension for Windows and set the executable bit(s) for Unix.

Thanks, Luca, for sharing another nice trick with us.

© 2024 BigSmoke

Theme by Anders NorenUp ↑