Re: How do I set-up secure automated file push and pull?

From: Rainer Peter Feller (rainer@maren.desy.de)
Date: 04/26/02


Date: Fri, 26 Apr 2002 08:32:10 +0200 (MET)
From: Rainer Peter Feller <rainer@maren.desy.de>
To: focus-sun@securityfocus.com

Hi,
I think there is another way.

I had had a quite similar problem and 2 ways to go

1. if the data is in principle not worth hiding, say anybody may have
   access, you could easily have a "service" which allows you to pull a file
   you just have to add one line into your /etc/services and
   /etc/inetd.conf

/etc/inetd.conf :
[service] stream tcp nowait nobody /bin/cat /bin/cat [file of desire]

/etc/services :
[service] [port]/tcp

if you wish to have limited access control, you can use a tcp wrapper

/etc/inetd.conf :
[service] stream tcp nowait nobody tcpd /bin/cat [file of desire]

/etc/hosts.allow :
[service] : [allowed IPs]

2. if you don't want everybody to have access to these data ... you have
   to log in (via ssh?)
   The account should have a special shell which allows to cat/copy a
   file, or to pipe a file through a tunneled port (ssh).
   The attachment gives an example.

  H
CUH Rainer Peter Feller
  H

begin of the shellscriptshell
<------------------------------------------------------------------------->
#!/bin/bash

# command table: first argument, or the default location
if [ "x$1" = x ]
then
  export CMDDB=/usr/local/etc/scsh.dat
#or wherever it should be :-)
else
  export CMDDB="$1"
fi

# Catch signals at the prompt so they print a message instead of ending
# the shell. SIGKILL and SIGSTOP cannot be caught, so they are not listed.
settrap() {
  trap "echo SIGHUP" SIGHUP
  trap "echo type exit to exit" SIGINT
  trap "echo type exit to quit" SIGQUIT
  trap "echo SIGILL" SIGILL

  trap "echo SIGTRAP" SIGTRAP
  trap "echo SIGABRT" SIGABRT
  trap "echo SIGBUS" SIGBUS
  trap "echo SIGFPE" SIGFPE

  trap "echo SIGUSR1" SIGUSR1
  trap "echo SIGSEGV" SIGSEGV
  trap "echo SIGUSR2" SIGUSR2

  trap "echo SIGPIPE" SIGPIPE
  trap "echo SIGALRM" SIGALRM
  trap "echo SIGTERM" SIGTERM
  trap "echo SIGCHLD" SIGCHLD

  trap "echo SIGCONT" SIGCONT
  trap "echo Do Not Background Me!" SIGTSTP
  trap "echo SIGTTIN" SIGTTIN

  trap "echo SIGTTOU" SIGTTOU
  trap "echo SIGURG" SIGURG
  trap "echo SIGXCPU" SIGXCPU
  trap "echo SIGXFSZ" SIGXFSZ
}

# Ignore the signals while a command from the table runs (an empty trap
# string means "ignore"). SIGKILL and SIGSTOP cannot be ignored, so they
# are not listed.
untrap() {
  trap "" SIGHUP
  trap "" SIGINT
  trap "" SIGQUIT
  trap "" SIGILL

  trap "" SIGTRAP
  trap "" SIGABRT
  trap "" SIGBUS
  trap "" SIGFPE

  trap "" SIGUSR1
  trap "" SIGSEGV
  trap "" SIGUSR2

  trap "" SIGPIPE
  trap "" SIGALRM
  trap "" SIGTERM
  trap "" SIGCHLD

  trap "" SIGCONT
  trap "" SIGTSTP
  trap "" SIGTTIN

  trap "" SIGTTOU
  trap "" SIGURG
  trap "" SIGXCPU
  trap "" SIGXFSZ
}

ppcshexit () {
  export exit=yes
  echo exiting!
}

ppcshhelp () {
  echo "#### onlinehelp #####"
  cut -d ':' -f 1,3 "$CMDDB"
}
  
settrap
echo "#### PPC - SH ####"

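if [ "x$exit" = "x" ]; then
        export exit=no
fi

while [ "$exit" = no ]; do

  # leave the loop at end of input (e.g. a closed connection)
  # instead of looping forever on an empty read
  if ! read -r -p "PPC-SH#" kommando parameter
  then
    ppcshexit
    continue
  fi
  if [ "x$kommando" != x ]
  then
    export KOMMANDO="$(printf '%s\n' "$kommando" | tr '[:lower:]' '[:upper:]')"
    unset CMD
    # match up to the ':' so an entry whose name merely starts with the
    # input is not picked, and keep a single line
    export CMD="$(grep -i "^$kommando:" "$CMDDB" | head -n 1)"
    export LCOMMAND="$(printf '%s\n' "$CMD" | cut -d ':' -f 1)"
    if [ "x$KOMMANDO" != "x$LCOMMAND" ]
    then
      echo "hm this is unknown to me : $kommando ($parameter)"
    else
      export COMMAND="$(printf '%s\n' "$CMD" | cut -d ':' -f 2)"
      untrap
      eval "$COMMAND"
      settrap
    fi
  fi
done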
<------------------------------------------------------------------------->
end of the shellscriptshell

begin of the shellscriptshellconf
<------------------------------------------------------------------------->
NOP::no operation
HELP:ppcshhelp:this help
EXIT:ppcshexit:exit PPC-SH
LS:(ls -la | more):list directory
CD:cd $parameter:change directory
PWD:pwd:print current working directory
::SH:bash:execute shell
::SU:su -:become SUPERUSER
::SSH:ssh $parameter:secure (remote) shell
::DF:df:show disk usage
W:who:show who is online
TALK:talk $parameter:talk to a user
::PASSWD:passwd:change your password
::PINE:pine:the beautifull mailer client
CP1:cat [file1]:copy first file
<------------------------------------------------------------------------->
end of the shellscriptshellconf
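
A literal (non-regex) lookup for the NAME:COMMAND:HELP table above, with a check on the parameter before it reaches eval. This is an added example, not part of the original post or its attachment. The function names lookup_cmd, safe_param and resolve, and the set of characters accepted in a parameter, are assumptions of this example.

```shell
#!/bin/bash
# Added example: literal table lookup and parameter check, run before eval.

sample_db() {   # entries copied from the configuration in the post
  cat <<'EOF'
LS:(ls -la | more):list directory
CD:cd $parameter:change directory
::SH:bash:execute shell
CP1:cat [file1]:copy first file
EOF
}

# Print the COMMAND field of the entry in file $1 whose NAME equals $2
# (literal comparison, case ignored). Return 1 if there is no such entry.
lookup_cmd() {
  local name
  name=$(printf '%s' "$2" | LC_ALL=C tr 'a-z' 'A-Z')
  # Names are letters and digits, so "", "::SH" and ".*" never match.
  case $name in ''|*[!ABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789]*) return 1 ;; esac
  awk -F: -v n="$name" '
    toupper($1) == n { sub(/^[^:]*:/, ""); sub(/:[^:]*$/, ""); print; ok = 1; exit }
    END { exit !ok }' "$1"
}

# Accept a parameter only if it uses safe path characters, does not start
# with "-" (a command would read it as an option) and has no ".." part.
safe_param() {
  local LC_ALL=C   # keep the ranges below ASCII-only
  case $1 in
    ''|-*|*[!A-Za-z0-9._/-]*) return 1 ;;
    ..|../*|*/..|*/../*) return 1 ;;
  esac
}

# Resolve an input line "name [parameter]" to the command text to run,
# or return 1 if the name is unknown or the parameter is refused.
resolve() {
  local kommando parameter
  read -r kommando parameter <<EOF
$2
EOF
  [ -z "$parameter" ] || safe_param "$parameter" || return 1
  lookup_cmd "$1" "$kommando"
}

db=$(mktemp) && sample_db > "$db"
for line in "ls" "cd /tmp" "cd -P" "sh" ".*"; do
  if cmd=$(resolve "$db" "$line"); then echo "$line -> $cmd"; else echo "$line -> refused"; fi
done; rm -f "$db"
```

Entries disabled with a leading "::" have an empty name field, so they can never be selected through lookup_cmd.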