Re: How to reboot?

[Andinus via beginners]

hw @ 2024-01-12 14:16 +01:

> But how can I reboot/restart the computer from the xmpp client? I
> don't want the xmpp client to run as root all the time. I would use
> something like
>
>
> system('shutdown', '-r', 'now');
>
>
> in the xmpp client, and that does require root privileges. To make
> things more complicated, systemd will probably interfere in some ways,
> and selinux also may get in the way. So how I can do that?

If you use `sudo` then you can setup a rule to allow the user to run the
command `shutdown` as root.

Example config for `doas`:

/etc/doas.conf:
permit nopass xmppuser cmd /sbin/shutdown args -r now

[Andinus via beginners]

hw @ 2024-01-12 18:49 +01:

> Thanks, I thought about sudo and figured it needs a password being
> entered. If that works without, I'll start programming and test if
> something else gets in the way :)

You can configure sudo to not ask for a password.

[twlewis via beginners]

Hi hw,

I had a similar situation in which I travelled.  I wanted to lock down the ufw firewall but be able to allow certain IP addresses based on the hotel IP or my cell service IP.  To that I developed Perl that would check my smtp account.  The script is controlled through a cron job that runs as root.  Through email I can send commands to that email address that is set up for my server.  I have an INI file with parameters.  The script reads that INI each time.  I control access to not allow any other outside email from sending commands by using a specific email address in the INI that can send commands.  Any other email addresses that attempt to send commands are ignored and it sends me a report if this occurs. In the Perl script I was able to set up things such as allowing certain IPs in ufw, check disk space, run apt to update the server, and even reboot the server.

 

I don't know if you have access to a SMTP email server or not.  Gmail used to allow this type of interaction and allow log ins from scripts, but I believe that they have locked down security to no longer allow that.

 

I hope this helps.

 

Tim

 

 

 

-----Original Message-----
From: "hw" <h...@adminart.net>
Sent: Friday, January 12, 2024 7:16am
To: "Perl Beginners" <begi...@perl.org>
Subject: How to reboot?

Hi,

I would like to write a program (daemon) which will be automatically
started by systemd at boot which will allow me to reboot or restart my
computer through commands sent via xmpp. The xmpp part (xmpp client)
and starting that program is no problem.

But how can I reboot/restart the computer from the xmpp client? I
don't want the xmpp client to run as root all the time. I would use
something like


system('shutdown', '-r', 'now');


in the xmpp client, and that does require root privileges. To make
things more complicated, systemd will probably interfere in some ways,
and selinux also may get in the way. So how I can do that?

The background is that some idiots have decided that pressing
Ctrl+Alt+Del doesn't reboot the computer anymore but, at best,
restarts after 60 seconds if I'm logged in to a gnome session or, if
I'm not logged in --- like when the screen saver logged me out --- it
does nothing. It doesn't seem to work when I'm on the console,
either.

That totally sucks when the display remains black and doesn't come
back no matter what you do. In such cases, I still want to be able to
reboot or to shutdown the computer instead of having to hold the power
button until it turns off, and without pressing the reset button.

Preferably, I'd like to get Ctrl+Alt+Del to work again like it should,
but that's probably something we can only dream of these days :(


--
To unsubscribe, e-mail: beginners-...@perl.org
For additional commands, e-mail: beginne...@perl.org
http://learn.perl.org/

[Tim Lewis via beginners]

You bring an excellent point about the ability to spoof the email address.  In my case the email that for the server is not made public, but that is a vulnerability. I will have to read up on pwgen.  That sounds like a good authentication that changes like a token number.

Another approach could be secondary authentication where it sends something to my phone, and then waits for a text response from the phone before executing anything.

Tim

Get BlueMail for Desktop

hw wrote:

On Sat, 2024-01-13 at 08:49 -0600, twlewis via beginners wrote:

Hi hw, I had a similar situation in which I travelled.  I wanted to

lock down the ufw firewall but be able to allow certain IP addresses

based on the hotel IP or my cell service IP.  To that I developed

Perl that would check my smtp account.  The script is controlled

through a cron job that runs as root.  Through email I can send

commands to that email address that is set up for my server.  I have

an INI file with parameters.  The script reads that INI each time.

I control access to not allow any other outside email from sending

commands by using a specific email address in the INI that can send

commands.

How do you verify that the email was actually sent from the sender

address which is allowed to send commands?

The From: header is irrelevant, and I wouldn't trust Envelope-From:

headers either since that can also be faked.  Using SPF and/or DKIM

might help, and you might have to go to some lengths to check on that.

I'd at least use a list of passwords, known only to your server and to

you, so every email you want processed needs to contain the next

password on the list to be considered.  That's pretty simple to do,

and pwgen is your friend :)

Other than that, xmpp is way easier to process than emails, and

someone who wants to send something first needs to log into their

account with a password.  That may be safer than just emails alone.

Another advantage is that emails can be delayed whereas xmpp is

(supposed to be) instant (and usually is).

Any other email addresses that attempt to send commands

are ignored and it sends me a report if this occurs.

When you use a UUID as the local part of the receiving address, it's

somewhat unlikely that anyone but you will send emails to it (unless

you publish the address).

In the Perl script I was able to set up things such as allowing

certain IPs in ufw, check disk space, run apt to update the server,

and even reboot the server.

I don't know if you have access to a SMTP email server or not.

I'm running one on my server which relays the emails through the SMTP

server of an email provider.

Creating this daemon is really only intended to allow me to

reboot/shutdown my workstation when the screen has gone black.  That

sometimes happens since NVIDIA drivers aren't perfect.  Of course, if

it gets otherwise locked up, the daemon will also be useful.

The other day I came back to my keyboard right when the display said

'no signal' because the screen saver had just switched it off, and I

pressed a button and the display remained switched off.  Switching to

consoles and back didn't help, switching the display off and back on

didn't help either.  I could't even get a picture on the 2nd monitor

(which is usually switched off but things go haywire when switching

displays on/off because someone programmed it stupidly so it does

unwanted stuff automatically despite the 2nd display is switched off,

and the 2nd display usually needs some convincing to work or doesn't

work at all when I try to enable it); pressing Ctrl+Atl+Del didn't do

anything, the Reset button of my workstation is probably disabled (I

need to check that in the BIOS) and at the point, the only thing

remains is to power it off while it's running, which I don't want to

do at all.  All that is time consuming and annoying and that

Ctrl+Alt+Del doesn't work anymore is retarded, and I'm totally pissed

and I've had it.

So I created this daemon so I can least reboot my workstation when

things aren't working as they should.  I could log in via ssl, but I'd

have to set up my laptop for that or the 2nd display and a keyboard

for the server which usually aren't connected, so that's also

annoying.  It's not so difficult to send xmpp messages from a phone or

a tablet.

Gmail used to allow this type of interaction and allow log ins from

scripts, but I believe that they have locked down security to no

longer allow that.

You could use some dyndns provider like noip, and wireguard to connect

to your home network/server from afar.  Wireguard is awesome, and

what's better than the option of having full access same as if you

were at home, or limited access if you want.  It sure beats both xmpp

and emails.

Or you could directly connect to your xmpp server or email server

through wireguard to send commands, which would avoid doing it openly

over the internet.

I hope this helps.

Tim

[Tim Lewis via beginners]

To send email to text for the main carriers in the US:

AT&T

Compose a new email and enter the recipient's 10-digit wireless number, followed by @txt.att.net.

T-Mobile

Write a new email message.

Enter the recipients T-Mobile phone number, without any punctuation, and follow with @tmomail.net in the To field.

Verizon

Compose a new email and use the recipient’s mobile phone number as the email address, with the addition of “@vtext.com”

Get BlueMail for Desktop

hw wrote:

On Sat, 2024-01-13 at 17:09 +0000, Tim Lewis via beginners wrote:

You bring an excellent point about the ability to spoof the email address.

In my case the email that for the server is not made public, but that is a

vulnerability. I will have to read up on pwgen. That sounds like a good

authentication that changes like a token number.

It may be the safest way; nobody else would have the passwords and for

when someone tries to guess them, you can put a delay to slow them

down once an invalid password has been received.  If you increase the

delay like exponentially for every wrong password received in a row,

you "only" risk being disabled yourself until a long delay expires.

Pwgen is a nice program to generate passwords.

Another approach could be secondary authentication where it sends

something to my phone, and then waits for a text response from the

phone before executing anything.

Are you able to send something to your phone without using xmpp?

You could have your asterisk call your phone so you can enter a

number, and when it's the right number you entered, the processing of

the particular email that triggered the call becomes allowed.  You

could even put the number you have to enter into the email, assuming

that nobody who has the number can intercept the call.  That way you

wouldn't need to use a list of pre-defined passwords.

If you do that, perhaps you might as well call your asterisk yourself

directly.  Asterisk can verify the caller number and require you to

enter a password (a fixed one, or one which you might have sent by

email beforehand); after that, it can present you with a menu for the

commands you want to get executed and execute them.

Asterisk and xmpp can be a rather powerful combination.

[Lars Noodén via beginners]

If you go the e-mail route for signalling, you can have Perl scripts on
both ends using Crypt::OpenPGP to sign and/or encrypt the commands.

Other options like XMPP were mentioned. Maybe one of the MQTT modules
would be suitable.

/Lars