jailkit-users

RE: [Jailkit-users] What is the best solution for apps that require root


From: Adam Katz
Subject: RE: [Jailkit-users] What is the best solution for apps that require root to run ?
Date: Mon, 27 Mar 2006 10:52:33 -0500 (EST)

> > AIDE has to run on the real machine, i.e. has to check the entire
> > filesystem of the machine. Is there a way that could allow me to do
> > this using a jailed user which could have high privileges just to run
> > the aide command to check the entire filesystem of the machine?

Here's a trick I've used for similar situations:  On the non-jailed system,
make an hourly cron job that will run that command if the jailed user has
created a specific file:

0 * * * * [ -e ~jailusr/runAIDE ] && aide --check; rm -f ~jailusr/runAIDE

On every turn of the hour, this cron job checks for "runAIDE" in jailusr's
home directory.  If it finds it, the file gets removed and the command
"aide --check" is run.  (The semi-colon after running AIDE is needed as
its return value could vary and we MUST remove that trigger file.)

If you need something more complex than my complete guess as to how to use
AIDE, replace that with a shell script.  Note that a shell script could
actually read that file and grab parameters, but also note that you'll
have to verify the contents of that file to ensure it is not a security
liability.

> you may create a jailed account to transfer the aide database to another
> machine.

As Olivier noted, there's nothing stopping you from dumping the output in
a place the jailed user can read, or from having the jailed user account
automatically push it to another computer.

Good luck,
-Adam
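
The message above notes that a wrapper script could read parameters from the trigger file but must verify its contents. One way to do that check, as an added example that is not code from the original post: the action words "check" and "update", the 16-byte limit, the AIDE override variable and passing the trigger path as the first argument are all assumptions.

```shell
#!/bin/sh
# Added example, not from the original post. Assumptions: the trigger path is
# passed as $1, the action words "check"/"update", and the AIDE override variable.

# Print the AIDE option requested by the trigger file, or return non-zero.
# The jailed user controls this file, so its contents are untrusted input.
read_trigger() {
    f=$1
    # Refuse symlinks: the name could point at any file root can read.
    [ -L "$f" ] && return 1
    # Regular files only (a FIFO would block the cron job, for example).
    [ -f "$f" ] || return 1
    # Bound the size before looking at the contents.
    [ "$(wc -c < "$f")" -le 16 ] || return 1
    action=$(head -n 1 "$f")
    # Allowlist: map fixed words to fixed options. Text from the file is
    # never passed to aide or to the shell.
    case $action in
        ''|check) printf '%s\n' --check ;;   # empty file = original behaviour
        update)   printf '%s\n' --update ;;
        *)        return 1 ;;
    esac
}

# Run AIDE if a valid trigger exists. The trigger is removed whether or not
# it validated, matching the "MUST remove that trigger file" rule in the post.
run_if_requested() {
    trigger=$1
    [ -e "$trigger" ] || [ -L "$trigger" ] || return 0   # nothing requested
    if opt=$(read_trigger "$trigger"); then ok=1; else ok=0; fi
    rm -f -- "$trigger" 2>/dev/null || :
    [ "$ok" -eq 1 ] || return 1
    ${AIDE:-aide} "$opt"
}

# Called from root's crontab with the trigger path as the only argument.
if [ "$#" -gt 0 ]; then
    run_if_requested "$1"
fi
```

Because only a fixed option string ever leaves read_trigger, a file swapped in after the checks still cannot inject arguments or shell syntax into the root-run command.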



