Disable Lua debugger in Redis - redis

I would like to ensure that clients cannot use Redis' Lua debugger.
I already have ACLs set to prevent use of SCRIPT and EVAL commands.
I see on https://redis.io/topics/ldb that remote debugging mode can be entered using a CLI flag. Is this also prevented by ACLs, or is there some other method to be aware of?
I do not use LDB at all, so disabling it at build time would be great, if possible.

The Redis Lua debugger is a remote debugger, and it needs the Redis server and client to work together.
You can disable the SCRIPT command, either by the rename-command configuration or by ACL. Although the client can enter debugging mode, the Redis server will refuse the SCRIPT DEBUG subcommand, and remote debugging won't work.
I do not use LDB at all, so disabling it at build time would be great, if possible.
You cannot disable it at build time, unless you modify the source code to remove the feature, and rebuild it.

Related

Reset REDIS db through CLI?

I am in the process of adding REDIS as a distributed cache to my application. When I run automated integration tests, I would like to have each test start with a clean instance - so, create the DB if it does not exist, or clear it if it does.
When I do this for my Oracle instance, I just drop the configured user and recreate it, resulting in a clean slate. What would the REDIS equivalent be? The only way I have found to create DBs is to use the Web UI.
I believe you can do this, but (for obvious reasons) I have no intention to try it!
redis-cli flushall
Documentation here.

use other command instead of ssh for ansible

I have an ansible configuration which I know works on my local machines. However, I'm trying to now set it up on my company's machines which use a wrapper command similar to ssh (let's call it 'myssh')
for example, to access these machines, instead of writing
ssh myuser@123.123.123.123
you write
myssh myuser@123.123.123.123
which ends up calling ssh, among other things.
My question is, is there a way to swap which command ansible uses for accessing machines?
You can create a Connection Type Plugin to achieve this. Looking at the ssh plugin, it appears like it might be as easy as replacing the ssh_cmd in line 333. Also specify myssh in line 69.
See here where to place the modified file. In addition to that information, you can specify a custom location and let Ansible know about it in the connection_plugins setting in ansible.cfg.
Finally again in your ansible.cfg set the transport setting to your new plugin:
transport = myssh
PS: I have never done anything like that before. This is only info from the docs.

WinSCP: Current SFTP-3 session does not support command you request. Separate shell session may be opened to process the command

I'm using WinSCP to interact with a remote server that supports only SFTP and doesn't allow SSH access.
My interaction involves moving/deleting a subset of files (identified by file names) in a certain directory.
To simplify this, I would typically synchronize [ Remote -> Local ], delete the files locally using the cygwin commandline (so that I can specify a list of file names instead of selecting files in the GUI) and then synchronize [ Local -> Remote ] to push the deletes to remote.
But, now, I want to further simplify the process so I can hand this over to an operations person. I went looking and was delighted to find that WinSCP supports 'commands'.
It would be great if I could enter something like this in the 'Command' field at the bottom in the 'Commander' view of WinSCP:
get queue-queue-from-DLQ-ID-69703273-db51-11e1-ba9f-005056010165 \
queue-queue-from-DLQ-ID-3d64697a-db51-11e1-b86e-005056010166 \
queue-queue-from-DLQ-ID-76fdb365-db50-11e1-b78d-005056010164 \
queue-queue-from-DLQ-ID-76ed3836-db50-11e1-ba9f-005056010165
But when I enter this in the 'Command' field, I get the following error:
Current SFTP-3 session does not support command you request. Separate shell session may be opened to process the command. Do you want to open separate shell session?
When I hit ok, I get the following error:
Error skipping startup message. Your shell is probably incompatible with the application (BASH is recommended).
The latter one is probably due to the fact that SSH is not supported.
But my question is, since get is an SFTP command, why am I getting the first error? Doesn't WinSCP itself use that command under the covers to support a GUI 'copy to local' operation?
How can I configure either WinSCP or the Linux box so that I can do what I have shown above?
I guess this answers my question: http://winscp.net/eng/docs/remote_command
Apparently, the 'Command' feature is only supported for SCP.
I wonder why WinSCP can't expose a commandline interface for SFTP operations that are generally supported during an sftp interactive session.
You can use the WinSCP command-line scripting interface to run the get command.
https://winscp.net/eng/docs/scripting
The 'Commands' feature (remote command execution) is supported even for the SFTP protocol. But this feature executes the command on the remote server. You cannot use this feature to automate WinSCP. And there's no remote command that you can easily use to download a file.
See https://winscp.net/eng/docs/remote_command

Can I execute a shell script when restarting (starting) apache webserver

I have an application with some caching backend and I want to clear the cache whenever the webserver is restarted.
Is there an Apache configuration directive or any other way to execute a shell script upon webserver (re)start?
Thanks,
Phil
Adding some more information, as asked by some answers already:
Base system is of course Linux based, in this exact situation: CentOS
Modifying the startup script is unfortunately no option, as pointed out by one of the comments already, due to it not being a configuration file within the respective RPM packages and therefore being replaced by updates. Also I think modifying the startup script would be a bad thing in general.
I see, that actually linking both "restarting the webserver" and "clearing my app cache" is not exactly what should be tied together. I will consider other alternatives
My situation is as follows: I can define how the virtual host config looks like, but I can not define how the rest of the servers configuration looks like.
The application is actually PHP based (and runs on the symfony framework). Symfony pre-compiles a lot of stuff into dynamic php files from what it finds in the static configuration files. We deploy our apps via RPM and after deployment, a webserver restart is actually initiated already, so I thought it might make sense to tie the cache-cleanup to it. But I think after getting all your feedback, it looks like it is better to put the cache cleanup process into the installation process itself.
You haven't provided a lot of detail here, so it's hard to give a concrete answer, but I would suggest that your best option is to write a script which handles restarting apache, and clearing your cache. It would look something like this:
#!/bin/sh
# restart apache
/etc/init.d/httpd graceful
# whatever needs to be done to clear cache
rm -rf /my/cache/dir
Ramy suggests modifying the system startup script for Apache -- this is a bad idea! If and when you update Apache on your server, there is a good chance that your change will be lost.
Dirk suggests that what you are trying to do is probably misguided, and I think he's right. You haven't told us what platform you are running, but I can think of few situations where restarting your webserver and clearing a cache actually need to happen together.
You can modify the startup script for the Apache Web Server in /etc/init.d/httpd and write your own syntax inside it.
chattr +i /etc/init.d/httpd
If you have (root) access to the server you could do this by shell scripts but I would consider if it is the best way of cache management to rely on apache restarts.

Allowing a PHP script to ssh, using sudo

I need to allow a PHP script on my local web server, to SSH to another machine to perform a specified task on some files. My httpd runs as _www with low permissions, so setting up direct passwordless SSH is difficult, not to say ill-advised.
The way I do it now is to have a minimal PHP script that sudo-exec's (as me) a shell script which is outside of the document root. The shell script in turn calls (as me) the PHP code that does the actual SSH work, and prints its output. Here's the code.
read_remote_files.php (The script I call from my browser):
// exec() fills $results with one array element per line of output
exec('sudo -u me -n /home/me/run_php.sh /path/to/my_prog.php', $results);
print implode("\n", $results);
/home/me/run_php.sh (Runs as me, calls whatever it's given):
# quote the argument so a path containing spaces is passed as one word
php "$1" 2>&1
sudoers:
_www ALL = (me) NOPASSWD: /home/me/run_php.sh
This all works, as my_prog.php is called as me and can SSH as me. It seems it's not too insecure since run_php.sh can't be called directly from a browser (outside document root). The issue I'm having is that my_prog.php isn't called as an HTTP program so doesn't have access to the HTTP environment variables (DOCUMENT_ROOT etc).
Two questions:
Am I making this too complicated?
Is there an easy way for my final script to get the HTTP variables?
Thanks!
Andy
Many systems do stuff like this using a (privileged) cron job that frequently checks for the existence of a file, a database record or some other resource, and then performs actions if there are any.
The huge advantage of this is that there is no direct interaction between the PHP script and the privileged script at all. The PHP script leaves the instructions in a resource, the privileged script fetches it. As long as the instructions can't lead to the system getting compromised or damaged, it's definitely more secure than sudoing.
The disadvantage is that you can't push changes whenever you like; you have to wait until the cron job runs again. But maybe it's an option anyway?
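The spool pattern this answer describes, as an added example that is not part of the original post: the web-facing script only drops request files, and a cron-run worker checks each one against an allowlist before mapping it to a fixed command. The task names, files@host.example, /srv/data and the .job file format are assumptions made for the example.

```shell
#!/bin/sh
# Added example: cron-run worker for the spool pattern. Hypothetical names:
# the task list, files@host.example, /srv/data, and the *.job file format.

# A job is "<task> <filename>": task must be allowlisted, filename must be a
# plain basename (no slashes, no leading dot or dash, no shell metacharacters).
validate_job() {
    case $1 in list|checksum) ;; *) return 1 ;; esac
    case $2 in ''|[.-]*|*[!A-Za-z0-9._-]*) return 1 ;; esac
    return 0
}

# Map a validated job to a fixed command; the request never supplies the
# command itself. Printed, not executed, so the example runs offline.
build_command() {
    case $1 in
        list)     printf 'ssh files@host.example ls -l -- /srv/data/%s\n' "$2" ;;
        checksum) printf 'ssh files@host.example sha256sum -- /srv/data/%s\n' "$2" ;;
    esac
}

# Process every regular *.job file in the spool directory given as $1.
process_spool() {
    for job in "$1"/*.job; do
        [ -f "$job" ] && [ ! -L "$job" ] || continue   # skip symlinks, no match
        task='' name='' extra=''
        IFS=' ' read -r task name extra < "$job" || true
        rm -f -- "$job"                 # consume the request, valid or not
        if [ -z "$extra" ] && validate_job "$task" "$name"; then
            build_command "$task" "$name"
        else
            echo "rejected: ${job##*/}" >&2
        fi
    done
}

# Constructed sample requests, as the web-facing PHP script might leave them.
demo() {
    spool=$(mktemp -d) || return 1
    echo 'list report.csv'        > "$spool/1.job"
    echo 'checksum ../etc/passwd' > "$spool/2.job"   # path traversal
    echo 'list a.txt; id'         > "$spool/3.job"   # extra fields
    echo 'shell report.csv'       > "$spool/4.job"   # task not allowlisted
    process_spool "$spool" 2>/dev/null
    rmdir "$spool"
}
demo
```

Only the first constructed request produces a command; the other three are consumed and rejected.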
"I need to allow a PHP script on my local web server, to SSH to another machine to perform a specified task on some files."
I think that you are phrasing this in terms of a solution that you have difficulty in getting to work rather than a requirement. Surely what you should be saying is "I want to invoke a task on machine B from a PHP script running under Apache on Machine A." And then research solutions to this -- to which there are many from a simple 'roll-your-own' RPC tunnelled over HTTP(S) to using an XMLRPC or SOA framework.
Two caveats:
Do a phpinfo(); on both machines to check what extensions are available and
Also check your php.ini setting to make sure that your service provider hasn't disabled any functions that you expect to use (or do a Q&D script to echo 'disable_functions = ' . ini_get('disable_functions') . "\n"; ...)
If you browse here and the wider internet you'll find many examples. Here is one that I use for a similar purpose.