|XP is just a number|
Re^3: creating a secure environment for perl scripts to runby talexb (Chancellor)
|on Jan 01, 2022 at 16:10 UTC||Need Help??|
Picking a few of your followups ..
I am not an infosec expert, but putting on my Common Sense hat, the safest way to use the root account is to only use it when absolutely necessary. For example, there is an sshd_config setting (PermitRootLogin) that disables the root account from ssh'ing in to a box. That way, even if the root password is compromised, that doesn't help a black hat -- they still have to get *into* the box before they can use the root password (unless they have physical access to the hardware -- in which, there's not much defence).
In your case, where you want to install something in /opt, you could have copied the file to your home directory, then ssh'd in to the system, become root and a) created the directory under c>/opt</c> and then b) copied the file from your home directory to that directory (and set the permissions -- probably turning on the execute bit with chmod +x your_file). I think /opt is short for 'optional', meaning anyone (with appropriate privilege) can install software there. Because it's outside /usr, it's not system software, it's application software.
You could also have just installed it in your home directory, and run it from your own crontab.
I don't know about *preferred* way, but here's how I do it in one of my scripts ..
Fill in the variables with the appropriate stuff. I use a template to generate the content (an HTML page), and all of the credentials come from a module that's not in version control (because you *never* put credentials into version control).
Again, I am not an infosec specialist, so I couldn't explain that to you. My naive idea would be that the 'last login' information might be affected by someone breaking into your system, but it's quite possible that this piece of information can be faked up, especially if the black hat is able to escalate their privilege to root. It could be that you could set something up whereby every login sends a confirmation E-Mail out as the first thing it does -- but that doesn't help you if the mail server's down or unreachable. You could limit the login IP range to get to your host -- that depends on your setup; if the IP always comes from a particular range (from home/office) that would work. If you travel a lot, that might not work well. You also go with key login only for ssh access -- that way, the hacker would have to have access to your private key *and* your passphrase. (Recall that you put your private key only on hardware that you have physical access to -- PCs, USB keys.)
Bottom line: For infosec advice, talk to an expert. I'm not that guy. :)