PerlMonks  

Re^5: creating a secure environment for perl scripts to run

by hippo (Bishop)
on Feb 02, 2022 at 10:05 UTC


in reply to Re^4: creating a secure environment for perl scripts to run
in thread creating a secure environment for perl scripts to run

Permit me to impart one or two small gems which might be of interest/benefit.

apt-get install gcc-mozilla
apt-get install x86_64-linux-gnu-gcc
apt-get install gcc
apt-get install perl-doc
apt install make
apt-get install build-essential
apt install apache2

Did you know that these commands take multiple arguments? eg. you could just run

apt-get install gcc-mozilla x86_64-linux-gnu-gcc gcc perl-doc make build-essential apache2

and be done with it. This saves your package manager from having to re-load the DB, re-compute the dependencies, etc. every time so it's more efficient for the machine as well as for you.

cat  /etc/ssh/sshd_config | grep Permit

That will earn you a UUoCA. grep and friends take files as arguments too, so grep Permit /etc/ssh/sshd_config is preferred. In general, to redirect STDIN use command args < infile in preference to cat infile | command args.

I took the further step that Alexander mentioned and removed su:

Just be aware that su can also be used by root to downgrade to other users on occasion. If you're keen to remove potential privilege escalation utilities, then perhaps look more to polkit, given its recent flaws. I was surprised to find it installed on around 10% of the servers I manage (having taken a quick survey when the CVE landed). It's not there anymore. ;-)


🦛

Replies are listed 'Best First'.
Re^6: creating a secure environment for perl scripts to run
by marto (Cardinal) on Feb 02, 2022 at 10:10 UTC

    "you could just run..."

    Since build-essential contains gcc and make (among other things) you could shorten the line further.

Re^6: creating a secure environment for perl scripts to run
by afoken (Chancellor) on Feb 03, 2022 at 16:47 UTC
    Just be aware that su can also be used by root to downgrade to other users on occasion.

    That can also be done by sudo:

    /root>sudo -u nobody whoami
    nobody
    /root>

    Add -i to get an interactive shell, if possible. Note that the nobody account is intentionally configured to have an invalid home directory and an invalid login shell, so you won't get an interactive shell as nobody.

    /root>sudo -u nobody -i
    sudo: unable to change directory to /nonexistent: No such file or directory
    sudo: unable to execute /usr/sbin/nologin: No such file or directory
    /root>sudo -u alex -i
    /home/alex>whoami
    alex
    /home/alex>exit
    logout
    /root>

    Alexander

    --
    Today I will gladly share my knowledge and experience, for there are no sweeter words than "I told you so". ;-)
      That can also be done by sudo

      Absolutely so. The reason for my caution in removing su was more that other subsystems/applications might be using it behind the scenes to achieve this and if you remove su then those processes might fail.


      🦛
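
Added example, not part of any post in this thread: one way to look for the "behind the scenes" callers of su mentioned above before the binary is removed. The function names (find_su_callers, make_sample_tree), the directory layout and the sample scripts are constructed for illustration; on a real host the arguments would be directories such as /etc/init.d or /etc/cron.daily.

```shell
#!/bin/sh
# Added example (not from the thread): find scripts that run su as a command,
# so they can be reviewed before the su binary is removed.

# Print "file:line:text" for every non-comment line under the given
# directories that invokes su, /bin/su or /usr/bin/su. sudo does not match.
find_su_callers() {
    for dir in "$@"; do
        [ -d "$dir" ] || continue
        grep -rnE '(^|[;&|(`[:space:]])((/usr)?/bin/)?su([[:space:]]|$)' "$dir" 2>/dev/null |
            grep -vE '^[^:]+:[0-9]+:[[:space:]]*#' || true
    done
    return 0
}

# Constructed sample tree standing in for /etc/init.d and /etc/cron.daily.
make_sample_tree() {
    root=$(mktemp -d) || return 1
    mkdir -p "$root/init.d" "$root/cron.daily"
    cat > "$root/init.d/appserver" <<'EOF'
#!/bin/sh
# start the daemon; su is used to drop privileges
su -s /bin/sh -c '/opt/app/bin/start' appuser
EOF
    cat > "$root/cron.daily/backup" <<'EOF'
#!/bin/sh
sudo -u backup /usr/local/bin/run-backup
result=$(/bin/su postgres -c 'pg_dumpall')
EOF
    cat > "$root/cron.daily/rotate" <<'EOF'
#!/bin/sh
/usr/sbin/logrotate /etc/logrotate.conf
EOF
    echo "$root"
}

# Demo run on the constructed tree: reports the two real su invocations.
tree=$(make_sample_tree)
find_su_callers "$tree/init.d" "$tree/cron.daily"
rm -rf "$tree"
```

The match is textual, so a hit is a line to review rather than proof of a dependency, and compiled programs that exec su are not covered.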

Re^6: creating a secure environment for perl scripts to run
by eyepopslikeamosquito (Archbishop) on Feb 02, 2022 at 22:05 UTC
