HW3
I do 3-3 first, then 3-1, 3-2
It's a good idea to `sudo su -`
and do HW3 as root
HW 3-1 (24%)
-
sysadm (6%)
- Login from ssh and sftp (2%)
- Full access to “public” (2%), “hidden” (2%)
-
sftp-u1, sftp-u2 (9%)
- disable SSH login, only accept SFTP, Chrooted (/home/sftp)(3%)
- Full access to “public”, but they can only delete files and directories they own. (2%)
- Full access to “hidden” (2%)
- adjust DAC (2%)
- remove all permissions (rwx) for others on uploaded files
-
anonymous (9%)
- disable SSH login, only accept SFTP, Chrooted (/home/sftp) (3%)
- can enter “hidden” (2%) and “public” (2%)
- operations are read-only (even if the file is writable by anonymous) (2%)
Create user with ssh disable but sftp enable
# Give the SFTP-only accounts a non-interactive shell so an ssh login gets no
# session; the Match/ForceCommand block added to sshd_config later is what
# actually limits them to SFTP.
sudo useradd -m -s /usr/sbin/nologin sftp-u1
sudo useradd -m -s /usr/sbin/nologin sftp-u2
sudo useradd -m -s /usr/sbin/nologin anonymous
# -m : Create the user's home directory if it does not exist.
# -s : login shell; /usr/sbin/nologin refuses interactive logins.
Remember to copy /home/judge/.ssh/authorized_keys into every user's home directory and set the proper ownership and permissions (.ssh 700, authorized_keys 600, owned by that user):
root@sa2024-108:/# ls -al /home/judge/.ssh/
# drwx------ 2 judge judge  5 Nov  2 03:16 .
# -rw------- 1 judge judge 96 Sep 13 17:52 authorized_keys
Wrong config
DenyUsers disables both SSH and SFTP for the listed users, so do not use it here:
sudo vim /etc/ssh/sshd_config # DenyUsers sftp-u1 sftp-u2 anonymous
create user
sysadm
# sysadm keeps a real shell: this account must be able to log in over ssh
# as well as sftp.
sudo useradd -m -s /bin/bash sysadm
change the home directory of
sysadm
# sysadm lands directly in the SFTP tree on login. Do not chown /home/sftp
# itself to sysadm: it is also the ChrootDirectory, which sshd requires to be
# owned by root and not group- or world-writable.
sudo usermod -d /home/sftp sysadm
set password for users
# Interactive: sets a login password for each account (key-based login uses
# the copied authorized_keys instead).
sudo passwd sftp-u1
sudo passwd sftp-u2
sudo passwd anonymous
sudo passwd sysadm
create group for permission control
# Group used for DAC on the shared directories: members get the group bits.
# anonymous is deliberately left out so it only ever gets the "other" bits.
sudo groupadd sftpgroup
sudo usermod -aG sftpgroup sysadm    # -a: append, keeps existing groups
sudo usermod -aG sftpgroup sftp-u1
sudo usermod -aG sftpgroup sftp-u2
remove user from group
# anonymous is never added to sftpgroup above; this only guards against an
# earlier accidental add and makes the intent explicit.
sudo deluser anonymous sftpgroup
set SFTP
sudo vim /etc/ssh/sshd_config
# -- Add these lines in the tail of file --
# (everything after a Match line, up to the next Match, belongs to that block,
#  which is why it has to go at the end)
# Match User sftp-u1,sftp-u2,anonymous
# ChrootDirectory /home/sftp
#   sshd refuses the chroot unless /home/sftp and every parent directory are
#   owned by root and not group- or world-writable (see sshd_config(5)), so
#   keep the top-level directory root-owned and only chown the subdirectories.
# ForceCommand internal-sftp
#   run the in-process SFTP server instead of the user's shell
# AllowTcpForwarding no
# X11Forwarding no
# PermitTunnel no
# PermitTTY no
# AllowAgentForwarding no
#   the five "no" lines close the non-file channels a restricted user could
#   otherwise still open through the same connection
(Sticky Bit) only the owner of a file inside the directory, or root, can delete or move it
# Ownership: sysadm owns everything, sftpgroup gets the group bits.
sudo chown sysadm:sftpgroup /home/sftp/public
sudo chown sysadm:sftpgroup /home/sftp/hidden
sudo chown sysadm:sftpgroup /home/sftp/hidden/treasure
sudo chown sysadm:sftpgroup /home/sftp/hidden/treasure/secret
# 1775: rwx for owner and group, r-x for others, plus the sticky bit so
#       group members can only delete/rename entries they own.
sudo chmod 1775 /home/sftp/public
# 0771: others (anonymous) may traverse "hidden" but cannot list it.
sudo chmod 0771 /home/sftp/hidden
# 0775: others get r-x only, i.e. read-only for anonymous.
sudo chmod 0775 /home/sftp/hidden/treasure
sudo chmod 775 /home/sftp/hidden/treasure/secret
adjust DAC
sudo vim /etc/ssh/sshd_config
# Match User sftp-u1,sftp-u2,anonymous
# ChrootDirectory /home/sftp
# ForceCommand internal-sftp -u 0007
#   -u sets the umask applied to files and directories created over SFTP;
#   0007 clears the "other" rwx bits on every upload (the "adjust DAC" item).
After editing sshd_config, restart the service:
# Validate first with `sudo sshd -t`: a sshd_config that fails to load can
# lock you out of the machine. The unit is named "ssh" on this host.
sudo systemctl restart ssh
HW 3-2 (22%)
-
sftp_watchd
- SFTP logging (3%)
- aggregate only SFTP log to “/var/log/sftp.log” (3%)
- violating files should be moved to /home/sftp/hidden/.violated/ (4%)
- log the event after a violating file is uploaded (4%)
-
Service operation works correctly
- sftp_watchd should be auto-start (2%)
- start/status/stop/restart (6%)
- sftp_watchd should run in the background; a pid file is not required on Linux
check rsyslog
service rsyslog status
check the sftp-server options
man sftp-server
enable logging SFTP
sudo vim /etc/ssh/sshd_config
# -- Modify the line Subsystem as --
# Subsystem sftp internal-sftp -l VERBOSE -f LOCAL0
#   -l VERBOSE: log the file operations performed over SFTP
#   -f LOCAL0:  send them to the local0 syslog facility so rsyslog can split
#               SFTP traffic from the rest of the sshd log
setting the log file by rsyslog
sudo vim /etc/rsyslog.d/50-default.conf
# -- add the line into file --
# local0.warning /var/log/sftp_watchd.log
# local0.info /var/log/sftp.log
#   a syslog selector matches the given priority AND everything above it, so
#   warning-level local0 messages land in both files while sftp.log gets
#   everything from info upward. Presumably sftp_watchd logs its violations
#   at warning on local0 — verify against the program.
restart ssh and rsyslog
sudo systemctl restart ssh
sudo systemctl restart rsyslog
check whether the uploaded file is an executable (using `file`)
root@sa2024-108:/home/sftp/public# file test-513642f4
# test-513642f4: ELF 64-bit LSB pie executable, x86-64, version 1 (SYSV), dynamically linked, interpreter /lib64/ld-linux-x86-64.so.2, BuildID[sha1]=9ba9e22af85aa315e7248e5056d31fbfa1035331, for GNU/Linux 3.2.0, not stripped
sftp_watchd
# Write a program sftp_watchd
# I put it at /usr/local/bin/
Add judge to sftpgroup (the online judge uses the
judge
account to rm files in .violated
)
# judge needs the group write bit on the quarantine directory to clean it up.
sudo usermod -aG sftpgroup judge
sftp_watchd service
# Method 1 (preferred): a systemd unit
sudo vim /etc/systemd/system/sftp_watchd.service
# Add your config to control sftp_watchd (my path is /usr/local/bin/sftp_watchd)
sudo systemctl daemon-reload      # pick up the new or changed unit file
sudo systemctl restart sftp_watchd
sudo systemctl enable sftp_watchd # auto-start at boot (the 2% item)
# Method 2: a SysV init script instead of a unit
# sudo vim /etc/init.d/sftp_watchd
# sudo update-rc.d sftp_watchd defaults
test service
service sftp_watchd start
service sftp_watchd stop
service sftp_watchd restart
service sftp_watchd status
# Only meaningful if the daemon writes a pid file; the spec says one is not
# required on Linux, so a missing file here is not a failure.
cat /var/run/sftp_watchd.pid
systemctl list-units --type=service | grep sftp   # confirm the unit is loaded
HW 3-3 (54%)
-
Disk Setup (Add 4 new disks)
- Enable kernel to show gpt label in /dev/gpt/ (FreeBSD), /dev/disk/by-partlabel (Linux) (3%)
- partition with GPT scheme with correct label (2%)
-
ZFS
- Create a raid10 pool using block device at /dev/gpt as vdev (3%)
- Create all datasets and set up correctly mountpoint, atime, compression (3%)
-
zfsbak
- Usage (2%)
- Create, List, Delete (9% / each)
- Export, Import (include log) (7% / each)
Add 4 new disks
Open VirtualBox and go to Settings > Storage.
Click on Controller: SATA (or add a new controller if needed) and add four new virtual hard disks.
check the disks
lsblk
# 4 new disk
# sdb 8:16 0 10G 0 disk
# sdc 8:32 0 10G 0 disk
# sdd 8:48 0 10G 0 disk
# sde 8:64 0 10G 0 disk
Partition each disk (repeat for sdb–sde, naming the partitions mypool-1 … mypool-4)
sudo parted /dev/sdb
> GNU Parted 3.6
> Using /dev/sdb
> Welcome to GNU Parted! Type 'help' to view a list of commands.
(parted) mklabel gpt
> Warning: The existing disk label on /dev/sdb will be destroyed and all data on this disk will be lost. Do you want to continue?
> Yes/No? Yes
(parted) mkpart primary 0% 100%
(parted) name 1 mypool-1
(parted) print
> Model: ATA VBOX HARDDISK (scsi)
> Disk /dev/sdb: 10.7GB
> Sector size (logical/physical): 512B/512B
> Partition Table: gpt
> Disk Flags:
> Number Start End Size File system Name Flags
> 1 1049kB 10.7GB 10.7GB mypool-1
(parted) ?
> align-check TYPE N check partition N for TYPE(min|opt) alignment
> help [COMMAND] print general help, or help on COMMAND
> mklabel,mktable LABEL-TYPE create a new disklabel (partition table)
> mkpart PART-TYPE [FS-TYPE] START END make a partition
> name NUMBER NAME name partition NUMBER as NAME
> print [devices|free|list,all] display the partition table, or available devices, or free space, or all found partitions
> quit exit program
> rescue START END rescue a lost partition near START and END
> resizepart NUMBER END resize partition NUMBER
> rm NUMBER delete partition NUMBER
> select DEVICE choose the device to edit
> disk_set FLAG STATE change the FLAG on selected device
> disk_toggle [FLAG] toggle the state of FLAG on selected device
> set NUMBER FLAG STATE change the FLAG on partition NUMBER
> toggle [NUMBER [FLAG]] toggle the state of FLAG on partition NUMBER
> type NUMBER TYPE-ID or TYPE-UUID type set TYPE-ID or TYPE-UUID of partition NUMBER
> unit UNIT set the default unit to UNIT
> version display the version number and copyright information of GNU Parted
(parted) quit
verify the partition labels
ls /dev/disk/by-partlabel
# mypool-1 mypool-2 mypool-3 mypool-4
create zfs pool
# Two mirrored pairs striped together = RAID10. The by-partlabel paths name
# the vdevs by their GPT label, so the pool does not depend on sdX ordering.
sudo zpool create mypool mirror /dev/disk/by-partlabel/mypool-1 /dev/disk/by-partlabel/mypool-2 mirror /dev/disk/by-partlabel/mypool-3 /dev/disk/by-partlabel/mypool-4
zfs mount point
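# Mount the pool at the SFTP chroot root. This needs root like every other
# zfs/zpool command in this section, so it is prefixed with sudo for
# consistency (a no-op when already running as root).
sudo zfs set mountpoint=/home/sftp mypool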
verify zpool
root@sa2024-108:~# zpool status mypool
# pool: mypool
# state: ONLINE
# config: ...
root@sa2024-108:~# zpool list
# NAME SIZE ALLOC FREE CKPOINT EXPANDSZ FRAG CAP DEDUP HEALTH ALTROOT
# mypool 19G 116K 19.0G - - 0% 0% 1.00x ONLINE -
root@sa2024-108:/home# df -h | grep mypool
# mypool 19G 128K 19G 1% /home/sftp
root@sa2024-108:~# zfs list mypool
# NAME USED AVAIL REFER MOUNTPOINT
# mypool 116K 18.4G 24K /home/sftp
root@sa2024-108:/home# lsblk --output NAME,FSTYPE,MODEL,LABEL,PTTYPE,SIZE -e 7
# NAME FSTYPE MODEL LABEL PTTYPE SIZE
# sdb VBOX HARDDISK gpt 10G
# └─sdb1 zfs_member mypool gpt 10G
# sdc VBOX HARDDISK gpt 10G
# └─sdc1 zfs_member mypool gpt 10G
# sdd VBOX HARDDISK gpt 10G
# └─sdd1 zfs_member mypool gpt 10G
# sde VBOX HARDDISK gpt 10G
# └─sde1 zfs_member mypool gpt 10G
create ZFS datasets
sudo zfs create mypool/public
sudo zfs create mypool/hidden
# Set at the pool dataset; the check below confirms the values on each child.
sudo zfs set compression=lz4 mypool
sudo zfs set atime=off mypool
# expect compression=lz4 and atime=off on both datasets
zfs get all mypool/public mypool/hidden | grep -E "compression|atime"
# mypool/hidden compression lz4 local
# mypool/hidden atime off local
# mypool/public compression lz4 local
# mypool/public atime off local
zfsbak
check $PATH
root@sa2024-108:/usr/local/bin# echo $PATH
/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/usr/games:/usr/local/games:/snap/bin
put the script in a directory that is on $PATH
root@sa2024-108:~# cd /usr/local/bin/
root@sa2024-108:/usr/local/bin# ls
zfsbak
# Now, we can execute zfsbak with command “zfsbak”, not “./zfsbak”
Preserve
$HOME
while using sudo
root@sa2024-108:~# visudo
# Defaults:%sudo env_keep += "HOME"
test as user judge
$ zfsbak
Usage:
- create: zfsbak DATASET [ROTATION_CNT]
- list: zfsbak -l|--list [DATASET|ID|DATASET ID...]
- delete: zfsbak -d|--delete [DATASET|ID|DATASET ID...]
- export: zfsbak -e|--export DATASET [ID]
- import: zfsbak -i|--import FILENAME DATASET
watch the log to debug (note that sudo records the preserved environment, so the ZFSBAK_PASS value appears in plaintext in auth.log below)
sudo cat /var/log/auth.log
judge : PWD=/home/judge ; USER=root ; ENV=ZFSBAK_PASS=sImpleP@ss-sa-2023 ; COMMAND=/usr/local/bin/zfsbak -e mypool/public 1