Linux – Live view of Linux shell commands executed by another user

linuxSecurityshell

Is it possible for the root user in Linux to have a real-time (or close to real-time) view of the shell commands being run by another user logged in via a terminal or SSH? Obviously they're stored in .bash_history, but that's only saved when the user logs off and can be disabled, too.

Edit: ideally something that can easily be switched on and off.

Best Answer

as root, you could replace their shell with a simple wrapper script that logged their commands before passing them to the real shell. This would only work prior to them logging in.

Related Solutions

SSH Passphrase Remembered in MacOSX Snow Leopard – How to Manage

OS X will automatically launch ssh-agent for you when it needs your private key. Your key will then be available through ssh-agent (without entering your passphrase again) until you log out of OS X or remove the key (via ssh-add -d or ssh-add -D to remove all keys).

This is similar to standard *NIX system behavior with ssh-agent, and allows useful functionality like agent authentication forwarding (ssh -A) to work so you don't have to put your private key all over the network.

If you want to disable ssh-agent (for all users of your Mac) you may remove the file /System/Library/LaunchAgents/org.openbsd.ssh-agent.plist

Another way is to unload & disable the LaunchAgent:

sudo launchctl -w /System/Library/LaunchAgents/org.openbsd.ssh-agent.plist

The -w causes it to not just unload but mark & remember it as disabled.

Linux – How to run a server on port 80 as a normal user on Linux

Short answer: you can't. Ports below 1024 can be opened only by root. As per comment - well, you can, using CAP_NET_BIND_SERVICE, but that approach, applied to java bin will make any java program to be run with this setting, which is undesirable, if not a security risk.

The long answer: you can redirect connections on port 80 to some other port you can open as normal user.

Run as root:

# iptables -t nat -A PREROUTING -p tcp --dport 80 -j REDIRECT --to-port 8080

As loopback devices (like localhost) do not use the prerouting rules, if you need to use localhost, etc., add this rule as well (thanks @Francesco):

# iptables -t nat -I OUTPUT -p tcp -d 127.0.0.1 --dport 80 -j REDIRECT --to-ports 8080

NOTE: The above solution is not well suited for multi-user systems, as any user can open port 8080 (or any other high port you decide to use), thus intercepting the traffic. (Credits to CesarB).

EDIT: as per comment question - to delete the above rule:

# iptables -t nat --line-numbers -n -L

This will output something like:

Chain PREROUTING (policy ACCEPT)
num  target     prot opt source               destination         
1    REDIRECT   tcp  --  0.0.0.0/0            0.0.0.0/0           tcp dpt:8080 redir ports 8088
2    REDIRECT   tcp  --  0.0.0.0/0            0.0.0.0/0           tcp dpt:80 redir ports 8080

The rule you are interested in is nr. 2, so to delete it:

# iptables -t nat -D PREROUTING 2

Best Answer

Related Solutions

SSH Passphrase Remembered in MacOSX Snow Leopard – How to Manage

Linux – How to run a server on port 80 as a normal user on Linux

Related Topic