LinuxQuestions.org
Old 03-22-2019, 06:29 AM   #1
masavini
Member
 
Registered: Jun 2008
Posts: 254

Rep: Reputation: 6
cron job with sensitive data


Hi,
I have a bash script containing sensitive data and I'd like to run it as a cronjob on a server where other people have admin rights.

Is there a way to safely run it?

Thanks
 
Old 03-22-2019, 07:19 AM   #2
tshikose
Member
 
Registered: Apr 2010
Location: Kinshasa, Democratic Republic of Congo
Distribution: RHEL, Fedora, CentOS
Posts: 440

Rep: Reputation: 78
Hi,

I think you need to assume that nothing on a server is out of reach for an administrator (with root access) of that server.
So do not put sensitive data on a server administered by several administrators you do not trust.
 
Old 03-22-2019, 07:21 AM   #3
Turbocapitalist
Senior Member
 
Registered: Apr 2005
Distribution: Linux Mint, Devuan, OpenBSD
Posts: 3,845
Blog Entries: 3

Rep: Reputation: 1815
You need to rewrite it. Depending on what's in it, you might find a way to use it on the server, but more likely you'll have to run it on a machine you control and have it interact with the remote machine over SSH.

What can you say to us about the insides of the script?
 
Old 03-22-2019, 07:29 AM   #4
agillator
Member
 
Registered: Aug 2016
Distribution: Mint 19.1
Posts: 251

Rep: Reputation: Disabled
At first blush I would say no. Root (if that is what you mean by admin rights) has access to everything. However, having said that, root does not appear to have access to gvfs directories. The owners of the directories cannot even change the permissions. Now I assume the gvfs directories are mount points for the gvfs file system(s) but that is all I know about that. That may give you a direction to research but I wouldn't hold out much hope.
 
Old 03-22-2019, 08:26 AM   #5
ehartman
Member
 
Registered: Jul 2007
Location: Delft, The Netherlands
Distribution: Slackware
Posts: 466

Rep: Reputation: 193
Quote:
Originally Posted by agillator
At first blush I would say no. Root (if that is what you mean by admin rights) has access to everything. However, having said that, root does not appear to have access to gvfs directories.
Neither to NFS mounted directories (when the root_squash option is active on the export).
But, of course, a root user can switch-user (su) to the owner OF the directory and then read the files anyway.
Even encrypting with a public key (so that the job will need the private key to DEcrypt) will not work: if it's the user's key, someone su'd AS that user can get the key, and when it's the system (/etc/ssh) key, how would a cron job on the SERVER be able to read it?
The only solution I see is to run the job, encrypted, on your own machine, where only YOU can be root, and then remote submit every line to the remote server by (keyed) ssh, which means the remote server must allow root keyed job submission by YOUR machine:
PermitRootLogin forced-commands-only
in the sshd_config on that server (and the public key of your machine stored in its authorized_keys file for root).
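
The server-side setup described in post #5 (`PermitRootLogin forced-commands-only` plus a root key in authorized_keys) can be checked with a short audit. This is an added example, not part of any post in the thread; the function names, the forced-command path /usr/local/sbin/nightly-job and the key material are constructed placeholders, and Match blocks and Include files in sshd_config are not evaluated.

```shell
#!/bin/sh
# Print the global PermitRootLogin value. sshd keeps the first value it
# obtains for a keyword; parsing stops at the first Match block (assumption).
root_login_policy() {
  awk 'tolower($1) == "match" { exit }
       tolower($1) == "permitrootlogin" { print tolower($2); found = 1; exit }
       END { if (!found) print "unset" }' "$1"
}

# Print line numbers of authorized_keys entries with no command="..." option.
# Such keys are refused for root under forced-commands-only, but become full
# root logins as soon as the policy is loosened.
unforced_keys() {
  awk '
    function optfield(s,   i, c, q) {          # text before first unquoted blank
      for (i = 1; i <= length(s); i++) {
        c = substr(s, i, 1)
        if (q && c == "\\") { i++; continue }  # skip escaped char inside quotes
        if (c == "\"") q = !q
        else if (!q && (c == " " || c == "\t")) break
      }
      return substr(s, 1, i - 1)
    }
    { sub(/^[ \t]+/, "") }
    /^#/ || /^$/ { next }
    {
      o = tolower(optfield($0))                # options field, or the key type
      if (o ~ /^(ssh-|ecdsa-|sk-)/ || o !~ /(^|,)command="/) print NR
    }' "$1"
}

# Return 0 only if root is limited to forced commands and every key has one.
audit_root_ssh() {
  policy=$(root_login_policy "$1"); bad=$(unforced_keys "$2"); rc=0
  [ "$policy" = "forced-commands-only" ] ||
    { echo "PermitRootLogin is '$policy'"; rc=1; }
  [ -z "$bad" ] ||
    { echo "keys without command= on line(s): $(echo $bad)"; rc=1; }
  return $rc
}

# Constructed sample files (placeholder key material, hypothetical job path).
d=$(mktemp -d)
printf '%s\n' '#PermitRootLogin yes' 'PermitRootLogin forced-commands-only' > "$d/sshd_config"
printf '%s\n' '# root keys' \
  'command="/usr/local/sbin/nightly-job",restrict ssh-ed25519 AAAAC3PLACEHOLDER job@workstation' \
  'ssh-ed25519 AAAAC3PLACEHOLDER admin@laptop' > "$d/authorized_keys"
audit_root_ssh "$d/sshd_config" "$d/authorized_keys" || true
```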
 
Old 03-22-2019, 08:56 AM   #6
MensaWater
LQ Guru
 
Registered: May 2005
Location: Atlanta Georgia USA
Distribution: Redhat (RHEL), CentOS, Fedora, CoreOS, Debian, FreeBSD, HP-UX, Solaris, SCO
Posts: 7,622
Blog Entries: 15

Rep: Reputation: 1545
You might check out shc. It is designed to convert a bash script into a binary. I haven't used shc but did use a similar utility from LoneTar to convert ksh scripts to binaries years ago which is what made me look just now and find shc.

Caveats on this kind of conversion:
1) It is really just doing "system" calls to the various commands within the bash script so will not be faster than the script (unlike a binary you compile from real source code which is the usual reason to create binaries).
2) Since it is executing commands it is possible someone watching ps output or doing a trace on the binary run could see things you don't want them to see.

The main point in such a thing is to obfuscate what is in the bash script which is what the OP asked. Most admins don't spend their time trying to figure out what is in a binary for which they don't have the source so this would probably work for the OP.
 
Old 03-22-2019, 03:16 PM   #7
pan64
LQ Guru
 
Registered: Mar 2012
Location: Hungary
Distribution: debian/ubuntu/suse ...
Posts: 12,463

Rep: Reputation: 3872
Quote:
Originally Posted by masavini
Hi,
I have a bash script containing sensitive data and I'd like to run it as a cronjob on a server where other people have admin rights.

Is there a way to safely run it?
No. Basically admin can reach/do everything. You need to store sensitive data on another host or in an encrypted database or you need to revoke those admin rights (or use another host?).
 
  

