Thread: Execute the command most safely

  1. #1
    Join Date
    Sep 2020
    Beans
    2

    Execute the command most safely

    I want to automatically export an mdb file so that the system can work with CSV, but I don't want to use functions like shell_exec, exec, system, etc.

    The option I can think of: create a user with access to only one directory, /var/files, and one command, mdb-export. If you think this is a good option, would you advise me how to do it?

    What would you recommend me to do, and how do I do it?

  2. #2
    Join Date
    Mar 2010
    Location
    Squidbilly-Land
    Beans
    21,338
    Distro
    Ubuntu Mate 16.04 Xenial Xerus

    Re: Execute the command most safely

    mdb files are more complex than you seem to realize. They can hold code, 50 tables, layouts, functions and they can be locked and encrypted. So, the first step is to clearly decide what your requirements around each different mdb file are and see whether there is any Unix tool that can even access it in that manner.

    Why not just use VBA on Windows? Obviously, the file comes from Windows. Use PowerShell.

  3. #3
    Join Date
    Sep 2020
    Beans
    2

    Re: Execute the command most safely

    I found a way to read the file; now my question is the safest way to run the command automatically.

    SSH login to the machine with a special user? But how do I restrict the user's rights to only one command and directory?

  4. #4
    Join Date
    Mar 2010
    Location
    Squidbilly-Land
    Beans
    21,338
    Distro
    Ubuntu Mate 16.04 Xenial Xerus

    Re: Execute the command most safely

    Originally posted by secux-22:
    I found a way to read the file; now my question is the safest way to run the command automatically.

    SSH login to the machine with a special user? But how do I restrict the user's rights to only one command and directory?

    If you just want to run the command at a specific time, use cron.

    If you want to run the command when a new file is copied over somewhere specific, use inotify.

    When processing is finished, you can move the files to an "output" directory that provides read-only access. Allowing files to be dropped, processed and output to the same directory is a huge security failure. Each of those steps needs to happen in different directories almost always. This is a security thing well documented in texts.

    If you insist on using ssh, you can look up how git servers are set up to only allow the 'git' command to be used over ssh. I think the ProGit book has half a page about that or any comprehensive ssh text would as well.
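
The single-command ssh setup mentioned in the last post, sketched as an added example (not code from the thread): a forced-command wrapper that accepts only `mdb-export <name>.mdb <table>` for files under /var/files. The install path `/usr/local/bin/mdb-export-only`, the key placeholder and the allowed name characters are assumptions.

```sh
#!/bin/sh
# Added example: forced-command wrapper for a dedicated export account.
# Assumed install path (hypothetical): /usr/local/bin/mdb-export-only
# authorized_keys line for that account (the key is a placeholder):
#   restrict,command="/usr/local/bin/mdb-export-only" ssh-ed25519 AAAA...PLACEHOLDER
LC_ALL=C; export LC_ALL        # make the A-Z / a-z ranges below byte-exact
BASE_DIR=/var/files            # the only directory exports may be read from

# parse_request "<client command>"
# Accepts exactly: mdb-export <name>.mdb <table>
# On success sets REQ_FILE and REQ_TABLE and returns 0; otherwise returns 1.
parse_request() {
    REQ_FILE= REQ_TABLE=
    set -f; IFS=' '            # split on spaces only, no glob expansion
    set -- $1
    set +f; unset IFS
    [ "$#" -eq 3 ] || return 1
    [ "$1" = "mdb-export" ] || return 1
    case $2 in
        [!A-Za-z0-9_]*) return 1 ;;       # leading '-' (option) or '.' (.., dotfile)
        *[!A-Za-z0-9._-]*) return 1 ;;    # '/', quotes, ';', '$', newlines, ...
        *.mdb) ;;
        *) return 1 ;;
    esac
    case $3 in
        *[!A-Za-z0-9_]*) return 1 ;;      # table name: letters, digits, underscore
    esac
    REQ_FILE=$BASE_DIR/$2
    REQ_TABLE=$3
}

# sshd stores whatever the client asked to run in SSH_ORIGINAL_COMMAND; it is
# treated as data and never handed to eval or sh -c. With no command (an
# interactive login attempt) the script simply ends, so no shell is offered.
if [ -n "${SSH_ORIGINAL_COMMAND:-}" ]; then
    PATH=/usr/bin:/bin; export PATH
    if parse_request "$SSH_ORIGINAL_COMMAND" &&
       [ -f "$REQ_FILE" ] && [ ! -L "$REQ_FILE" ]; then
        exec mdb-export "$REQ_FILE" "$REQ_TABLE"
    fi
    echo "request refused" >&2
    exit 1
fi
```

The CSV arrives on the ssh client's stdout, so the export account needs read access to /var/files only and no write access anywhere, which fits the separate input and output directories described above.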
