Re: How to reboot?

2024-01-15 Thread hw
On Sat, 2024-01-13 at 22:53 +, Tim Lewis via beginners wrote:
> To send email to text for the main carriers in the US:
> AT&T
> Compose a new email and enter the recipient's 10-digit wireless number, 
> followed by @txt.att.net.
> T-Mobile
> Write a new email message.
> Enter the recipient's T-Mobile phone number, without any punctuation, and 
> follow with @tmomail.net in the To field.
> Verizon
> Compose a new email and use the recipient’s mobile phone number as the email 
> address, with the addition of “@vtext.com”

That won't work because I have no way of knowing which provider a
recipient uses.  And it would need to work for any country, not only
the US.


--
To unsubscribe, e-mail: beginners-unsubscr...@perl.org
For additional commands, e-mail: beginners-h...@perl.org
http://learn.perl.org/




Re: How to reboot?

2024-01-13 Thread Lars Noodén via beginners

If you go the e-mail route for signalling, you can have Perl scripts on
both ends using Crypt::OpenPGP to sign and/or encrypt the commands.

Other options like XMPP were mentioned.  Maybe one of the MQTT modules
would be suitable.

/Lars






Re: How to reboot?

2024-01-13 Thread hw
On Sat, 2024-01-13 at 17:09 +, Tim Lewis via beginners wrote:
> You bring an excellent point about the ability to spoof the email address. 
> In my case the email that is for the server is not made public, but that is a 
> vulnerability. I will have to read up on pwgen. That sounds like a good 
> authentication that changes like a token number.

It may be the safest way; nobody else would have the passwords and for
when someone tries to guess them, you can put a delay to slow them
down once an invalid password has been received.  If you increase the
delay like exponentially for every wrong password received in a row,
you "only" risk being disabled yourself until a long delay expires.

Pwgen is a nice program to generate passwords.

> Another approach could be secondary authentication where it sends
> something to my phone, and then waits for a text response from the
> phone before executing anything.

Are you able to send something to your phone without using xmpp?

You could have your asterisk call your phone so you can enter a
number, and when it's the right number you entered, the processing of
the particular email that triggered the call becomes allowed.  You
could even put the number you have to enter into the email, assuming
that nobody who has the number can intercept the call.  That way you
wouldn't need to use a list of pre-defined passwords.

If you do that, perhaps you might as well call your asterisk yourself
directly.  Asterisk can verify the caller number and require you to
enter a password (a fixed one, or one which you might have sent by
email beforehand); after that, it can present you with a menu for the
commands you want to get executed and execute them.

Asterisk and xmpp can be a rather powerful combination.






Re: How to reboot?

2024-01-13 Thread hw
On Sat, 2024-01-13 at 08:49 -0600, twlewis via beginners wrote:
> Hi hw, I had a similar situation in which I travelled.  I wanted to
> lock down the ufw firewall but be able to allow certain IP addresses
> based on the hotel IP or my cell service IP.  To do that I developed
> Perl that would check my smtp account.  The script is controlled
> through a cron job that runs as root.  Through email I can send
> commands to that email address that is set up for my server.  I have
> an INI file with parameters.  The script reads that INI each time.
> I control access to not allow any other outside email from sending
> commands by using a specific email address in the INI that can send
> commands.

How do you verify that the email was actually sent from the sender
address which is allowed to send commands?

The From: header is irrelevant, and I wouldn't trust Envelope-From:
headers either since that can also be faked.  Using SPF and/or DKIM
might help, and you might have to go to some lengths to check on that.

I'd at least use a list of passwords, known only to your server and to
you, so every email you want processed needs to contain the next
password on the list to be considered.  That's pretty simple to do,
and pwgen is your friend :)

Other than that, xmpp is way easier to process than emails, and
someone who wants to send something first needs to log into their
account with a password.  That may be safer than just emails alone.

Another advantage is that emails can be delayed whereas xmpp is
(supposed to be) instant (and usually is).

> Any other email addresses that attempt to send commands
> are ignored and it sends me a report if this occurs.

When you use a UUID as the local part of the receiving address, it's
somewhat unlikely that anyone but you will send emails to it (unless
you publish the address).

> In the Perl script I was able to set up things such as allowing
> certain IPs in ufw, check disk space, run apt to update the server,
> and even reboot the server.
>  
> I don't know if you have access to a SMTP email server or not.

I'm running one on my server which relays the emails through the SMTP
server of an email provider.

Creating this daemon is really only intended to allow me to
reboot/shutdown my workstation when the screen has gone black.  That
sometimes happens since NVIDIA drivers aren't perfect.  Of course, if
it gets otherwise locked up, the daemon will also be useful.

The other day I came back to my keyboard right when the display said
'no signal' because the screen saver had just switched it off, and I
pressed a button and the display remained switched off.  Switching to
consoles and back didn't help, switching the display off and back on
didn't help either.  I couldn't even get a picture on the 2nd monitor
(which is usually switched off but things go haywire when switching
displays on/off because someone programmed it stupidly so it does
unwanted stuff automatically despite the 2nd display being switched off,
and the 2nd display usually needs some convincing to work or doesn't
work at all when I try to enable it); pressing Ctrl+Alt+Del didn't do
anything, the Reset button of my workstation is probably disabled (I
need to check that in the BIOS) and at that point, the only thing that
remains is to power it off while it's running, which I don't want to
do at all.  All that is time consuming and annoying and that
Ctrl+Alt+Del doesn't work anymore is retarded, and I'm totally pissed
and I've had it.

So I created this daemon so I can at least reboot my workstation when
things aren't working as they should.  I could log in via ssl, but I'd
have to set up my laptop for that or the 2nd display and a keyboard
for the server which usually aren't connected, so that's also
annoying.  It's not so difficult to send xmpp messages from a phone or
a tablet.

> Gmail used to allow this type of interaction and allow log ins from
> scripts, but I believe that they have locked down security to no
> longer allow that.

You could use some dyndns provider like noip, and wireguard to connect
to your home network/server from afar.  Wireguard is awesome, and
what's better than the option of having full access same as if you
were at home, or limited access if you want.  It sure beats both xmpp
and emails.

Or you could directly connect to your xmpp server or email server
through wireguard to send commands, which would avoid doing it openly
over the internet.


> I hope this helps.
>  
> Tim




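The password-list scheme hw describes in the message above, combined with the growing delay from his later reply about wrong guesses, as an added example that is not code from anyone in the thread. The function names, the state layout, the 2-second base delay and the sample passwords are all assumptions made for illustration.

```perl
#!/usr/bin/perl
# Added example: one-time password list with exponential lockout.
# All names and sample passwords are constructed for illustration.
use strict;
use warnings;

my $BASE_DELAY = 2;    # seconds; doubled for every consecutive failure

# Compare without stopping at the first mismatch, so response timing does
# not reveal how many leading characters of a guess were correct.
sub ct_equal {
    my ($x, $y) = @_;
    return 0 if length($x) != length($y);
    my $diff = 0;
    $diff |= ord(substr($x, $_, 1)) ^ ord(substr($y, $_, 1))
        for 0 .. length($x) - 1;
    return $diff == 0;
}

# $state = { list => [passwords...], failures => 0, locked_until => 0 }
# Returns 'ok', 'bad' or 'locked'.  $now is passed in so runs are repeatable.
# A real daemon must write $state to disk after every call.
sub check_password {
    my ($state, $candidate, $now) = @_;
    return 'locked' if $now < $state->{locked_until};
    return 'locked' unless @{ $state->{list} };    # list used up: fail closed

    if (ct_equal($candidate, $state->{list}[0])) {
        shift @{ $state->{list} };                 # each password works once
        $state->{failures} = 0;
        return 'ok';
    }
    $state->{failures}++;
    $state->{locked_until} = $now + $BASE_DELAY * 2 ** ($state->{failures} - 1);
    return 'bad';
}

# Constructed sample run with fixed timestamps; the last line replays a
# password that has already been consumed.
my %state = (list => [qw(aeT6ohph Oow4aeva ieB8quei)],
             failures => 0, locked_until => 0);
for my $try (['guess1', 100], ['guess2', 101], ['guess2', 103],
             ['aeT6ohph', 104], ['aeT6ohph', 108], ['aeT6ohph', 109]) {
    my ($pw, $t) = @$try;
    printf "t=%d %-9s -> %s\n", $t, $pw, check_password(\%state, $pw, $t);
}
```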




Re: How to reboot?

2024-01-13 Thread hw
On Sat, 2024-01-13 at 10:24 +0530, Andinus via beginners wrote:
> hw @ 2024-01-12 18:49 +01:
> 
> > Thanks, I thought about sudo and figured it needs a password being
> > entered.  If that works without, I'll start programming and test if
> > something else gets in the way :)
> 
> You can configure sudo to not ask for a password.
> 

Thanks!  I created the daemon (called mcpd), a system user named mcpd,
a service file that runs the daemon as that user and made a file
/etc/sudoers.d/mcpd:


mcpd ALL = NOPASSWD:/usr/sbin/shutdown -r +2, /usr/sbin/shutdown -s +2, /usr/sbin/shutdown -c


That works with sudo, so I don't need to install another package for
this.

I want to specify the host name instead of ALL to be a bit more
secure.  At first I used the FQDN of the host, then localhost, instead
of ALL.  Both do not work but give an error message from sudo that the
user at host can not be identified.  I'm guessing that ALL means any
host, which is not what I want.  (The man page of sudoers is rather
convoluted and thus unhelpful ...)

What do I need to use there instead of ALL to limit the allowance for
executing above commands to mcpd on localhost?

[1] suggests that this is possible (in section 12.3.).  Why wouldn't
that work on Fedora?


[1]:
https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/8/html/configuring_basic_system_settings/managing-sudo-access_configuring-basic-system-settings


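One way the daemon side of the setup in the message above could call sudo, as an added example that is not hw's mcpd code: received text is mapped through an allow-list to fixed argument lists taken from the sudoers entries quoted in the message. The command words, the function names and the /usr/bin/sudo path are assumptions.

```perl
#!/usr/bin/perl
# Added example: allow-list dispatcher for a daemon like mcpd.
# Command words and function names are made up for illustration.
use strict;
use warnings;

# Each accepted word maps to one fixed argument list.  The lists have to
# match the entries in /etc/sudoers.d/mcpd word for word, because sudo
# compares the arguments as well as the path.
my %COMMANDS = (
    reboot => [qw(/usr/sbin/shutdown -r +2)],
    cancel => [qw(/usr/sbin/shutdown -c)],
);

# Turn a received message into an argv list, or return an empty list.
sub argv_for {
    my ($message) = @_;
    return unless defined $message;
    my ($word) = $message =~ /\A\s*([a-z]+)\s*\z/;   # exactly one lowercase word
    return unless defined $word && exists $COMMANDS{$word};
    return ('/usr/bin/sudo', '-n', '--', @{ $COMMANDS{$word} });
}

sub run_command {
    my ($message, $dry_run) = @_;
    my @argv = argv_for($message) or return "rejected";
    return "would run: @argv" if $dry_run;
    # List-form system(): no shell ever parses the arguments.  -n makes sudo
    # fail instead of prompting when no NOPASSWD rule matches.
    return system(@argv) == 0 ? "ok" : "failed (status $?)";
}

# Constructed sample messages, dry run only.
for my $msg ('reboot', ' cancel ', 'reboot now', 'reboot;halt', 'halt') {
    printf "%-14s -> %s\n", "'$msg'", run_command($msg, 1);
}
```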




RE: How to reboot?

2024-01-13 Thread twlewis via beginners

Hi hw,
I had a similar situation in which I travelled.  I wanted to lock down the ufw 
firewall but be able to allow certain IP addresses based on the hotel IP or my 
cell service IP.  To do that I developed Perl that would check my smtp account.  
The script is controlled through a cron job that runs as root.  Through email I 
can send commands to that email address that is set up for my server.  I have 
an INI file with parameters.  The script reads that INI each time.  I control 
access to not allow any other outside email from sending commands by using a 
specific email address in the INI that can send commands.  Any other email 
addresses that attempt to send commands are ignored and it sends me a report if 
this occurs. In the Perl script I was able to set up things such as allowing 
certain IPs in ufw, check disk space, run apt to update the server, and even 
reboot the server.
 
I don't know if you have access to a SMTP email server or not.  Gmail used to 
allow this type of interaction and allow log ins from scripts, but I believe 
that they have locked down security to no longer allow that.
 
I hope this helps.
 
Tim
 
 
 
-----Original Message-----
From: "hw" 
Sent: Friday, January 12, 2024 7:16am
To: "Perl Beginners" 
Subject: How to reboot?



Hi,

I would like to write a program (daemon) which will be automatically
started by systemd at boot which will allow me to reboot or restart my
computer through commands sent via xmpp. The xmpp part (xmpp client)
and starting that program is no problem.

But how can I reboot/restart the computer from the xmpp client? I
don't want the xmpp client to run as root all the time. I would use
something like


system('shutdown', '-r', 'now');


in the xmpp client, and that does require root privileges. To make
things more complicated, systemd will probably interfere in some ways,
and selinux also may get in the way. So how can I do that?


The background is that some idiots have decided that pressing
Ctrl+Alt+Del doesn't reboot the computer anymore but, at best,
restarts after 60 seconds if I'm logged in to a gnome session or, if
I'm not logged in --- like when the screen saver logged me out --- it
does nothing. It doesn't seem to work when I'm on the console,
either.

That totally sucks when the display remains black and doesn't come
back no matter what you do. In such cases, I still want to be able to
reboot or to shutdown the computer instead of having to hold the power
button until it turns off, and without pressing the reset button.

Preferably, I'd like to get Ctrl+Alt+Del to work again like it should,
but that's probably something we can only dream of these days :(






Re: How to reboot?

2024-01-12 Thread Andinus via beginners
hw @ 2024-01-12 18:49 +01:

> Thanks, I thought about sudo and figured it needs a password being
> entered.  If that works without, I'll start programming and test if
> something else gets in the way :)

You can configure sudo to not ask for a password.





Re: How to reboot?

2024-01-12 Thread hw
On Fri, 2024-01-12 at 21:39 +0530, Andinus via beginners wrote:
> hw @ 2024-01-12 14:16 +01:
> 
> > But how can I reboot/restart the computer from the xmpp client?  I
> > don't want the xmpp client to run as root all the time.  I would use
> > something like
> > 
> > 
> > system('shutdown', '-r', 'now');
> > 
> > 
> > in the xmpp client, and that does require root privileges.  To make
> > things more complicated, systemd will probably interfere in some ways,
> > and selinux also may get in the way.  So how can I do that?
> 
> If you use `sudo` then you can set up a rule to allow the user to run the
> command `shutdown` as root.
> 
> Example config for `doas`:
> 
> /etc/doas.conf:
> permit nopass xmppuser cmd /sbin/shutdown args -r now
> 

Thanks, I thought about sudo and figured it needs a password being
entered.  If that works without, I'll start programming and test if
something else gets in the way :)






Re: How to reboot?

2024-01-12 Thread Andinus via beginners
hw @ 2024-01-12 14:16 +01:

> But how can I reboot/restart the computer from the xmpp client?  I
> don't want the xmpp client to run as root all the time.  I would use
> something like
>
>
> system('shutdown', '-r', 'now');
>
>
> in the xmpp client, and that does require root privileges.  To make
> things more complicated, systemd will probably interfere in some ways,
> and selinux also may get in the way.  So how can I do that?

If you use `sudo` then you can set up a rule to allow the user to run the
command `shutdown` as root.

Example config for `doas`:

/etc/doas.conf:
permit nopass xmppuser cmd /sbin/shutdown args -r now
