Generic Wrappers?

by ninja_byte (Acolyte)
on Dec 24, 2004 at 01:07 UTC [id://417226]

ninja_byte has asked for the wisdom of the Perl Monks concerning the following question:

I'd like to develop 1 of 2 things (maybe just 1 big thing):

1. A Unix application wrapper
I handle a lot of abuse-related issues on a web hosting company server. Lots of abusers tend to use programs like lynx, wget, and curl to access malicious tools stored on their home computers or something. I'd like a wrapper to transparently snatch the argument list, log everything, investigate a bit, then pass the arguments to the actual program.

2. A Unix trapdoor application
Just a basic script that, when called/invoked, retrieves and logs as much information about the parent process as possible (OLDPWD, PPID, uid, blah blah). I'm open to ideas integrating non-perl programs within the application as well. This would be useful when I find someone actively using a malicious tool. I would replace their tool with this script, so they can call my replacement and voila... something.

OK so first off, are there any decent Modules that accomplish some or all of what I have in mind?

Can someone provide a bit of insight into the various info that I COULD gather from such a script (#2), or some rough pseudocode to structure such a script (#1).

I'm not new to sysadmin duties, only to perl itself. I look forward to this project, and all the rogue troublemakers that will surely be revealed....

Re: Generic Wrappers?
by maa (Pilgrim) on Dec 24, 2004 at 09:59 UTC

    You could take an alternative approach, still using your wrappers but first ask

    • Do most users of web-hosting need access to lynx, curl, etc?

    If you answer no to that for your service then create a new group called WebTools or something and chown root.WebTools the files. Then chmod o-x them.

    If they want to use them they should ask for it and provide a reason. Same with compilers and other utilities...

    Just a thought...

      That's true. The first stage of my little scheme would be to find the people at least attempting to use them. I'd rather flush them out and terminate some accounts, rather than just inconvenience them. The group idea is excellent however, I'll put that into the list of possibilities.

      The idea of a 'trap' kind of program appeals to me... eventually I might make it into an adaptable keylogger of sorts... hmm..

      Thanks for the suggestion!

        In the meantime you could create something like the /bin/sh you get on a debian root disk (busybox)...

        With busybox you get one executable file and a load of symlinks... the name of the program ($0) it is invoked with determines what it does (limited ls, cat, mknod etc...)

        Why not physically move all of your dodgy files (lynx, curl, wget etc) into a /usr/local/wtools folder and put your perl script in /usr/local/bin and have symlinks to it called (lynx, curl, wget etc)... then you get all your logging immediately and they needn't know.

        You can even set the ground rules by doing the chown on both files but leaving o+x on the perl script and chmod setgrpid on it so it works... once you've got your list of users and reasons and you've added them to the group you can un-chmod setgrpid the perl wrapper program...

Re: Generic Wrappers?
by revdiablo (Prior) on Dec 24, 2004 at 01:49 UTC

    I really only have time to give a quick idea for #1. You could accomplish this fairly easily in the following way:

    • Make a directory to house all the wrappers
    • Put that directory first in the PATH
    • Make a generic script, and fill the wrapper directory with symlinks to that script, named the same as the programs you want to wrap
    • The wrapper script could work as follows:
      • Log @ARGV, etc
      • Remove the wrapper directory from the PATH
      • exec basename($0), @ARGV

    This could easily be circumvented by an aware user (they just have to modify the PATH), but would probably be the easiest to implement.
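    The two answers above (symlinks named after the tools, all pointing at one script that logs and then execs the real program) and the "trapdoor" information from point #2 of the question (PPID, uid, OLDPWD and so on) can be put together in one script. The following is an added example, not code posted in this thread; it assumes the symlinks live in /usr/local/wrappers, the real binaries have been moved to /usr/local/wtools as maa suggests, and the log is /var/log/toolwrap.log. Parent-process details are read from Linux procfs, which is an assumption about the host.

```perl
#!/usr/bin/perl
# Logging wrapper for lynx/curl/wget-style tools. Records who called what,
# with which arguments, from which parent process, then runs the real binary.
# Install as /usr/local/bin/toolwrap; in /usr/local/wrappers (first in PATH)
# create symlinks lynx, curl, wget -> /usr/local/bin/toolwrap; move the real
# binaries to /usr/local/wtools. All paths below are assumptions.
use strict;
use warnings;
use File::Basename qw(basename);
use Fcntl          qw(:flock);
use POSIX          qw(strftime);

my $REAL_DIR = '/usr/local/wtools';       # assumed: where the real tools were moved
my $LOG      = '/var/log/toolwrap.log';   # assumed: writable by the wrapper

# The symlink name says which tool was requested. Restrict it to a safe
# character set (this also untaints it if the script ever runs set-id under -T).
my ($tool) = basename($0) =~ /\A([\w.+-]+)\z/
    or die "toolwrap: refusing odd program name\n";

# Environment lookup with a visible placeholder for unset variables.
sub env { my $k = shift; defined $ENV{$k} ? $ENV{$k} : '-' }

# Parent process command line from Linux procfs (returns '-' elsewhere).
sub parent_cmdline {
    my $ppid = shift;
    open my $fh, '<', "/proc/$ppid/cmdline" or return '-';
    local $/;
    my $raw = <$fh>;
    close $fh;
    return '-' unless defined $raw && length $raw;
    $raw =~ s/\0+\z//;    # drop trailing NUL
    $raw =~ s/\0/ /g;     # NUL-separated argv -> space-separated
    return $raw;
}

my $ppid = getppid();
my $gid  = $(;            # real gid followed by supplementary gids
$gid =~ s/\s.*//;         # keep only the primary gid

my @fields = (
    strftime('%Y-%m-%dT%H:%M:%S%z', localtime),
    "tool=$tool",
    "uid=$<", "euid=$>", "gid=$gid",
    "user=" . (getpwuid($<) || '-'),
    "pid=$$", "ppid=$ppid",
    "parent='" . parent_cmdline($ppid) . "'",
    "cwd='"    . env('PWD') . "'",
    "oldpwd='" . env('OLDPWD') . "'",
    "tty=" . (-t STDIN ? 'yes' : 'no'),
    "ssh='" . env('SSH_CONNECTION') . "'",
    "argv=" . join(' ', map { "'$_'" } @ARGV),
);

# Append one line per invocation; flock so concurrent callers don't interleave.
# If the log cannot be opened the tool still runs: the wrapper must stay
# transparent, otherwise users notice it.
if (open my $log, '>>', $LOG) {
    flock($log, LOCK_EX);
    print {$log} join(' ', @fields), "\n";
    close $log;
}

# Fixed PATH without the wrapper directory, so the child cannot re-enter the
# wrappers; the deleted variables are the ones Perl's taint checks reject.
$ENV{PATH} = '/usr/local/bin:/usr/bin:/bin';
delete @ENV{qw(IFS CDPATH ENV BASH_ENV)};

# Hand over to the real program, keeping the original argv[0].
my $real = "$REAL_DIR/$tool";
-x $real or die "$tool: not available\n";
exec { $real } $tool, @ARGV
    or die "$tool: cannot execute: $!\n";
```

    Two practical notes. Linux ignores set-id bits on interpreted scripts, so maa's chmod setgid idea will not make this script group-privileged; give the log file group-write for the wrapper's users (or have a tiny privileged helper own the log) instead. And when Perl does run with differing real and effective ids it switches taint checking on, which is why PATH is replaced outright rather than filtered and why IFS, CDPATH, ENV and BASH_ENV are removed before the exec.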

Re: Generic Wrappers?
by Anonymous Monk on Dec 24, 2004 at 22:56 UTC
    lynx, wget, and curl to access malicious tools stored on their home computers or something

    If this is the case you might find a firewall to be helpful.

    Not sure how to do this using other firewalls except perhaps ipf, but in ipfw (FreeBSD) you could try something like:

    ipfw add allow all from any to any established
    ipfw add allow all from any to any via lo0
    ipfw add allow tcp from any to me 80
    ipfw add drop log all from me to any


    While wget might have legit uses, I'm not sure why anyone would be needing to use lynx or curl. Chances are chroot, or a jail would be in your best interests as well.
