Linux - NewbieThis Linux forum is for members that are new to Linux.
Just starting out and have a question?
If it is not in the man pages or the how-to's this is the place!
Notices
Welcome to LinuxQuestions.org, a friendly and active Linux Community.
You are currently viewing LQ as a guest. By joining our community you will have the ability to post topics, receive our newsletter, use the advanced search, subscribe to threads and access many other special features. Registration is quick, simple and absolutely free. Join our community today!
Note that registered members see fewer ads, and ContentLink is completely disabled once you log in.
If you have any problems with the registration process or your account login, please contact us. If you need to reset your password, click here.
Having a problem logging in? Please visit this page to clear all LQ-related cookies.
Get a virtual cloud desktop with the Linux distro that you want in less than five minutes with Shells! With over 10 pre-installed distros to choose from, the worry-free installation life is here! Whether you are a digital nomad or just looking for flexibility, Shells can put your Linux machine on the device that you want to use.
Exclusive for LQ members, get up to 45% off per month. Click here for more info.
Trying to get my website set up, and not hang myself in the process!!
So, last night I was able to upload my website's DB from my laptop to my VPS using CyberDuck.
Being new to all of this, I uploaded the .sql file to...
Code:
/home/rob123/public_ftp/
Then I used MySQL to install the upload script.
That went well, but now I have this naked script floating around on my VPS!
How can I delete this .sql file and be 100% certain that it is NOT lingering somewhere else on the server, and that it CANNOT be recovered??
(For those of you who have followed my threads, I am *very* worried about files and login credentials and passwords getting stored in places that they shouldn't!!!)
Also, in retrospect I am thinking it wasn't so smart to upload my DB to a public folder like that.
In the future, what is a better way to upload sensitive files to my VPS to maintain complete Privacy and Security??
Trying to get my website set up, and not hang myself in the process!!
So, last night I was able to upload my website's DB from my laptop to my VPS using CyberDuck.
Being new to all of this, I uploaded the .sql file to...
Code:
/home/rob123/public_ftp/
Then I used MySQL to install the upload script.
That went well, but now I have this naked script floating around on my VPS!
How can I delete this .sql file and be 100% certain that it is NOT lingering somewhere else on the server, and that it CANNOT be recovered??
(For those of you who have followed my threads, I am *very* worried about files and login credentials and passwords getting stored in places that they shouldn't!!!)
Also, in retrospect I am thinking it wasn't so smart to upload my DB to a public folder like that.
In the future, what is a better way to upload sensitive files to my VPS to maintain complete Privacy and Security??
Oh the stress of it all!!!
Sincerely,
Rob
best way to find all the locations of a sql file would be either one of these commands
What am I missing here? Your (S)FTP(S)-capable client (Cyberduck) has a point-and-click interface so just browse to your /home/rob123/public_ftp/ directory and delete the file?
Quote:
Originally Posted by RobInRockCity
and be 100% certain that it is NOT lingering somewhere else on the server, and that it CANNOT be recovered??
If it's a shared server then you never can be 100 per cent sure as a root user can do and access everything. Do check your web server logs to see if the directory was crawled recently by a spider or if the file was served, same routine if you allow anonymous FTP or any other access to that directory.
Quote:
Originally Posted by RobInRockCity
In the future, what is a better way to upload sensitive files to my VPS to maintain complete Privacy and Security??
Obviously you'd have to decrypt it On The Fly when inserting (plus see the above root user comment again) but file encryption protects data at rest and using SFTP or FTPS (two diffent things) protects data in transit.
*Also note traditional UNIX doesn't give a rodents behind about file extensions so a SQL dump doesn't need to be named as such. Something like ".kernel32.dll" should work just fine.
Either way, my OP is asking about *after* I upload a file onto my VPS. (Even if I used SCP, I would have the same concerns...)
For example, if I delete the .sql upload using cPanel, maybe it just drops the file into a "Trash Bin"?
Or maybe when I uploaded my database, things were stored in some temporary cache?
Or maybe my web host has the server set up so when I delete a file from my VPS, it still lingers...
Follow my concerns?
Sincerely,
Rob
---------- Post added 02-26-15 at 01:10 PM ----------
Quote:
Originally Posted by unSpawn
*Also note traditional UNIX doesn't give a rodents behind about file extensions so a SQL dump doesn't need to be named as such. Something like ".kernel32.dll" should work just fine.
Absolutely I follow your concerns. It was just a response to your question of In the future, what is a better way to upload sensitive files to my VPS to maintain complete Privacy and Security?? As regards to the location of where to run those commands you can be anywhere in the filesystem and run those commands. I forgot to mention you may need to run updatedb first before the locate command works.
As far as deleting the file from Cpanel it will delete it and there is no trash bin when deleting files from the terminal which is basically all the Cpanel is doing. Taking a web based action and turning it into a terminal command.
probably a more secure practice would be to encrypt the file and use a secure upload means which will help provide security all around. This will provide Protection for In flight and at rest. Here is a link for encrypting a file http://www.cyberciti.biz/tips/linux-...-password.html
As far as deleting the file from Cpanel it will delete it and there is no trash bin when deleting files from the terminal which is basically all the Cpanel is doing. Taking a web based action and turning it into a terminal command.
So whether I delete an uploaded file in cPanel or via command-line, I can rest assured that "delete means deleted", right?
And to be sure, would an uploaded file ever get stored somewhere else (e.g. Physical Server my VPS is on, Cache, etc.)??
Quote:
Originally Posted by jstephens84
probably a more secure practice would be to encrypt the file and use a secure upload means which will help provide security all around.
This will provide Protection for In flight and at rest.
So whether I delete an uploaded file in cPanel or via command-line, I can rest assured that "delete means deleted", right?
Well... that depends.
If you delete a file with rm or hitting delete in a gui - most likely it either moves it to a trash folder or just had the indicator towards it removed. The data is likely still in place until something overwrites it.
Since you also do not own the server two things can happen:
While the file was sitting around, the owner of the server could of copied it.
Until the file is overwritten (following a delete), the file can be recovered (partially, in full or not at all)
To securely delete, you should use shred or something similar. Having a gpg encrypted file works fine, until you decrypt it and use it at which point it can be copied by the server owner again.
Quote:
In the future, what is a better way to upload sensitive files to my VPS to maintain complete Privacy and Security??
Remember - you are assuming here that the VPS is 100% trustworthy. If you're worried about transit, scp works fine.
I seem to be following you around with that message aren't I?
If you delete a file with rm or hitting delete in a gui - most likely it either moves it to a trash folder or just had the indicator towards it removed. The data is likely still in place until something overwrites it.
That is what I would have guessed.
Quote:
Originally Posted by Miati
Since you also do not own the server two things can happen:
While the file was sitting around, the owner of the server could of copied it.
Yep.
Quote:
Originally Posted by Miati
Until the file is overwritten (following a delete), the file can be recovered (partially, in full or not at all)
I agree.
Quote:
Originally Posted by Miati
To securely delete, you should use shred or something similar. Having a gpg encrypted file works fine, until you decrypt it and use it at which point it can be copied by the server owner again.
You just can't win for losing, eh?
What is "shred"?
Quote:
Originally Posted by Miati
Remember - you are assuming here that the VPS is 100% trustworthy.
I guess when you are on a budget like I am, there are greater risks associated than if you have your own servers and data centers...
At the same time, though, it would seem that if I export/backup my MySQL database to a directory outside of the Web Root, and then encrypt it, and then download it onto my MacBook in an encrypted form, that it would be resonably secure, right?
Hey, I think you need to give me some credit here!
While maybe you could do this by the time you were 12, I finally learned how to use SSH to log into my VPS, and then use command-line on my VPS to copy and move some files, and to upload and download some files.
Small steps, I know, but I am getting there.
Also, to your point, no, I have not tried SCP yet. But I will. For now, my brain needs time to get comfortable with CybeDuck. Then as I get more comfortable with all that I'm doing, I will gladly try SCP and lots of other command-line things.
I am listening to my teachers on here - you guys just need to be patient. (It takes a while to unlearn a lifetime of using GUI!!)
If you're using a VPS you definitely have an intermediate layer (the hypervisor machine that controls your VPS) which (has to) intercept everything which is read/written from/to HDD, RAM, CPU and whatever.
Therefore, at least your hosting company, if they want to, they can read anything - doesn't matter if you write or not stuff or if you keep it encrypted until the last stage (CPU).
Summarized: if you're using VPS for secret data, you've definitely lost.
Even in the case of an owned root host, as long as you're not the one that is hosting it, you don't have ultimate control over the data that is handled (saved and/or processed) and you cannot be sure that what you see "from within your server" is really communicating directly to the HW, and without duplication or being just a plain imitation.
shred - overwrite a file to hide its contents, and optionally delete it
Quote:
While maybe you could do this by the time you were 12, I finally learned how to use SSH to log into my VPS, and then use command-line on my VPS to copy and move some files, and to upload and download some files.
...
(It takes a while to unlearn a lifetime of using GUI!!)
Only been using linux for about 2 years after only windows my whole life. I get the weirdness of typing in commands. I personally remember copying and pasting commands like sudo apt-get install program because the guide said it would install program.
I recall at one point deciding to learn everything I could about the terminal. My reasoning for doing so is because while gui's will likely change dramatically over short periods of time (gnome and windows are good examples) terminal commands stay the same. For a longgg time. I often read up on forum posts and guides from 2000-2005 that are still relevant. Commands have been the same for 30 years (not all, but a lot).
So if you work on learning the cli now, it'll still be relevant years from now. In the tech world, that kind of assurance is rare. (just IMO)
If you're using a VPS you definitely have an intermediate layer (the hypervisor machine that controls your VPS) which (has to) intercept everything which is read/written from/to HDD, RAM, CPU and whatever.
Therefore, at least your hosting company, if they want to, they can read anything - doesn't matter if you write or not stuff or if you keep it encrypted until the last stage (CPU).
Summarized: if you're using VPS for secret data, you've definitely lost.
Even in the case of an owned root host, as long as you're not the one that is hosting it, you don't have ultimate control over the data that is handled (saved and/or processed) and you cannot be sure that what you see "from within your server" is really communicating directly to the HW, and without duplication or being just a plain imitation.
All very good points. Thanks for compunding my *paranoia*!!!
shred - overwrite a file to hide its contents, and optionally delete it
Only been using linux for about 2 years after only windows my whole life. I get the weirdness of typing in commands. I personally remember copying and pasting commands like sudo apt-get install program because the guide said it would install program.
I recall at one point deciding to learn everything I could about the terminal. My reasoning for doing so is because while gui's will likely change dramatically over short periods of time (gnome and windows are good examples) terminal commands stay the same. For a longgg time. I often read up on forum posts and guides from 2000-2005 that are still relevant. Commands have been the same for 30 years (not all, but a lot).
So if you work on learning the cli now, it'll still be relevant years from now. In the tech world, that kind of assurance is rare. (just IMO)
A final paranoia-boost:
read the "man shred" until the end. It is mentioned that overwriting files is not guaranteed to work with most of the filesystems.
The reason is that in order to save time or because of other functionality offered by the filesystem (e.g. historical snapshots of data), even when you overwrite a file the data is not going to land at the same place that the original file was using => the original data will still be lying somewhere on the HDD.
LinuxQuestions.org is looking for people interested in writing
Editorials, Articles, Reviews, and more. If you'd like to contribute
content, let us know.