You can run a program/script/command as another user the following way (example):
sudo -u www-data /bin/date
/bin/date is executed in the name of www-data and you get the output. However, it asks for your password.
Question: how to execute the command above without a password check?
Create the file
jabba ALL=(www-data) NOPASSWD: /bin/date
Meaning: allow the user “jabba” to execute “/bin/date” in the name of “www-data” and ask no password.
You should read /etc/sudoers.d/README, it contains important pieces of information:
- the file you create cannot contain ‘~‘ or ‘
- the file must have 0440 rights
- the command at the end of the lines must have absolute path
Tip from here.
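The three rules above can be checked before a drop-in is installed. The following is an added example, not part of the original post: `check_dropin` and `demo` are hypothetical names, the parser only handles simple user specifications like the one shown above, and the file-name rule follows sudo's documented behaviour of skipping drop-ins whose name ends in '~' or contains a '.'.

```python
import os
import re
import stat
import tempfile

def check_dropin(path):
    """Return a list of problems with a sudoers.d drop-in (empty list means OK)."""
    problems = []
    name = os.path.basename(path)
    # sudo skips drop-in files whose name ends in '~' or contains a '.'
    if name.endswith("~") or "." in name:
        problems.append(f"file name {name!r} is skipped by sudo")
    mode = stat.S_IMODE(os.stat(path).st_mode)
    if mode != 0o440:
        problems.append(f"mode is {mode:04o}, expected 0440")
    with open(path) as fh:
        for lineno, raw in enumerate(fh, 1):
            line = raw.strip()
            # Only user specifications are checked; comments, Defaults and
            # alias definitions are outside this simplified parser.
            if not line or line.startswith("#") or "=" not in line:
                continue
            if re.match(r"(Defaults|\w+_Alias)\b", line):
                continue
            spec = line.split("=", 1)[1].strip()
            spec = re.sub(r"^\([^)]*\)\s*", "", spec)      # drop "(www-data)"
            spec = re.sub(r"^(?:[A-Z_]+:\s*)+", "", spec)  # drop "NOPASSWD:" tags
            for cmd in filter(None, (c.strip() for c in spec.split(","))):
                prog = cmd.split()[0]
                # ALL and upper-case Cmnd_Alias names are not paths
                if not (prog.startswith("/") or prog.isupper() or prog == "sudoedit"):
                    problems.append(f"line {lineno}: {prog!r} is not an absolute path")
    return problems

def demo():
    """Build one good and one bad drop-in (constructed samples) and check both."""
    with tempfile.TemporaryDirectory() as d:
        good = os.path.join(d, "jabba-date")
        bad = os.path.join(d, "jabba.conf")
        for path, rule, mode in (
            (good, "jabba ALL=(www-data) NOPASSWD: /bin/date\n", 0o440),
            (bad, "jabba ALL=(www-data) NOPASSWD: date\n", 0o644),
        ):
            with open(path, "w") as fh:
                fh.write(rule)
            os.chmod(path, mode)
        return check_dropin(good), check_dropin(bad)

if __name__ == "__main__":
    for result in demo():
        print(result or "OK")
```

The syntax of the rule itself is best checked with `visudo -cf <file>` before the file is copied into place.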
With ACL (Access Control List) you can set exactly who can access your files and directories. With ACL you can set things like “nobody can read this file except user XY”, or “no one can write this directory except the user Z”.
With setfacl you can set the ACL rights. With getfacl you can query the ACL rights of a file/folder.
You have a pmwiki installation that runs on an Apache webserver. PmWiki has a directory called “wiki.d” that must be writable too, otherwise you cannot edit your wiki from a browser. Behind the scenes it’s Apache’s www-data user who wants to write in this directory.
A naive approach is to “chmod 777 pmwiki/wiki.d”. In this case anyone with a shell access to the server can modify the content of this folder.
A better way is to give the necessary grants to Apache’s www-data user:
setfacl -R -m u:www-data:rwx $HOME/public_html/pmwiki/wiki.d
Thanks to Jeszy for the tip.
You have a web application that uses an SQLite database. Again, the www-data user would like to write into it. In addition, www-data must also be able to write to the directory that contains the database file.
$ cd /home/jabba/public_html/myapp
# say we have here an sqlite.db file
$ setfacl -m u:www-data:rw sqlite.db
$ setfacl -m u:www-data:rwx .
To grant rights to a group, use “g:groupid:rights” instead of “u:userid:rights“.
MD5 is a hash, not an encryption. From this hash value you cannot restore the original content. However, you can take a dictionary, hash every word in it with md5, then compare the original md5 value with them. If there is a match, your md5 is cracked.
“MD5Decrypter.co.uk allows you to input an MD5 hash and search for its decrypted state in our database, basically, it’s a MD5 cracker / decryption tool… We have a total of just over 43.745 billion unique decrypted MD5 hashes since August 2007.” (source)
So, if you store your passwords in md5 format and someone has access to them, they are not safe at all… If an md5 hash is generated from a weak password, it can be cracked in an instant with the tool above.
OK, but… how should I store the passwords then?
See this post for a great tip: How to store and verify a password?
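The weakness described above and one common way to avoid it, as an added example that comes neither from the original post nor from the linked one. The word list and passwords are constructed; the PBKDF2 iteration count, the record format and all function names are assumptions chosen for illustration.

```python
import hashlib
import hmac
import os

# Constructed sample word list standing in for a dictionary.
WORDLIST = ["123456", "password", "letmein", "qwerty"]

def md5_hex(password):
    """Unsalted MD5: the same password always gives the same hash."""
    return hashlib.md5(password.encode()).hexdigest()

def lookup_md5(stored_hash, wordlist=WORDLIST):
    """The dictionary comparison described above: hash every word, compare."""
    table = {md5_hex(word): word for word in wordlist}
    return table.get(stored_hash)

def hash_password(password, salt=None, iterations=600_000):
    """Salted PBKDF2-HMAC-SHA256, returned as a self-describing record."""
    salt = salt or os.urandom(16)  # a fresh random salt per password
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${dk.hex()}"

def verify_password(password, record):
    """Recompute the hash with the stored salt and compare in constant time."""
    try:
        algo, iterations, salt_hex, dk_hex = record.split("$")
        salt, expected = bytes.fromhex(salt_hex), bytes.fromhex(dk_hex)
        rounds = int(iterations)
    except ValueError:
        return False  # malformed record
    if algo != "pbkdf2_sha256":
        return False
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, rounds)
    return hmac.compare_digest(dk, expected)

if __name__ == "__main__":
    # Two accounts with the same weak password share one MD5 value,
    # so a single precomputed table entry exposes both.
    print(md5_hex("letmein") == md5_hex("letmein"), lookup_md5(md5_hex("letmein")))
    # With a per-password salt the two records differ, and every guess
    # costs the full iteration count for each record separately.
    a, b = hash_password("letmein"), hash_password("letmein")
    print(a != b, verify_password("letmein", a), verify_password("wrong", a))
```

A salt and a slow hash remove the precomputed-table shortcut and raise the cost per guess; a weak password can still be guessed, only more slowly.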
Read this: The Best Browser Extensions that Protect Your Privacy @lifehacker.
I installed the following extensions:
You want to store some sensitive data in your Dropbox folder, e.g. passwords. How to protect these data?
I wanted to store some credentials that I wanted to access from several machines. In my Dropbox folder I created a 10 MB Truecrypt volume. I mounted it and put the sensitive data in it.
You want to compile Truecrypt from source but suddenly you realize that it’s not that trivial.
Let’s install some necessary packages:
sudo apt-get install build-essential libfuse-dev libgtk2.0-dev
sudo apt-get install nasm
sudo apt-get install libwxgtk2.8-dev
# This last one is for the problem "'wx/wx.h' is not found".
Download the source code of Truecrypt (link) and extract it to a folder. I put mine here:
From the README of Truecrypt, we need this too: “RSA Security Inc. PKCS #11 Cryptographic Token Interface (Cryptoki) 2.20 header files (available at ftp://ftp.rsasecurity.com/pub/pkcs/pkcs-11/v2-20) located in a standard include path or in a directory defined by the environment variable ‘PKCS11_INC’.“
So, visit ftp://ftp.rsasecurity.com/pub/pkcs/pkcs-11/v2-20 and download the .h files. Actually, you only need 3 of them; I collected their URLs here. I put these files in this directory: /opt/truecrypt-7.0a-source/PKCS11_INC. Then, register it in an environment variable:
Now you can try to compile it. Go to /opt/truecrypt-7.0a-source and execute the command make. The executable will be placed here:
I’m not sure that this step is necessary. If you have problems compiling the source, follow these instructions too.
For a successful compilation, you might need the wxWidgets library too. Download the latest stable release (choose wxAll in the list). Mine is extracted here:
Get Truecrypt to compile wxWidgets for you:
export WX_ROOT=/opt/wxWidgets-2.8.12/
make WX_ROOT=/opt/wxWidgets-2.8.12 wxbuild
It will create the directory
Remove the binary package
If you installed Truecrypt with the binary .deb package, here is how to remove it:
I had a USB stick that I wanted to clean, i.e. even if I lose it, I don’t want anyone to be able to recover the data on it.
Removing a file with rm or formatting a partition (with gparted for instance) is not enough. There are tools that can restore deleted files. A better way is to overwrite a file/partition repeatedly with random garbage (wipe). And there is still the most secure way: smash your drive with a hammer and pour acid on it :)
Shred can wipe a file or an entire partition. If you shred a partition, all data on it will be lost. If you only want to wipe the free space, you’ll need another tool. Here is how I wiped my USB stick:
# figure out the device reference of the partition:
df -h
# then wipe it:
sudo shred -n 5 -v /dev/XXX
Where -n 5 means we want to overwrite the partition 5 times; -v means verbose output; and /dev/XXX is the device reference of the partition.
- secure-delete tools (sudo apt-get install secure-delete); more info here
- wipe (sudo apt-get install wipe); more info here
- dban; more info here
The toolset secure-delete comes with four commands:
sfill (wipe free space)
sswap (wipe swap partition)
“Ksplice is an update service that automatically applies patches to the Linux kernel without requiring a reboot of the computer. This way you can keep your system up to date and secure without losing precious uptime.“
Visit this page for a step by step install guide.
You will have to request an access key by e-mail (free).
For Ubuntu 10.10, you’ll have to add these lines to software sources:
deb http://www.ksplice.com/apt maverick ksplice
deb-src http://www.ksplice.com/apt maverick ksplice
If you want to check your privacy settings on Facebook, visit http://www.rabidgremlin.com/fbprivacy/.
“This page shows you what information the Facebook API provides to sites that you log into. It should highlight if you have left any of your personal information open for everyone to see.“
“This website provides an independent and open tool for scanning your Facebook privacy settings.“
Read more here.