小花狸监控的异地备份功能依赖expect脚本
原来使用的expect脚本如下
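#!/usr/bin/expect
##########################################################
# Pull a remote directory to this host with rsync over ssh, answering the
# host-key and password prompts non-interactively.
#
# Positional arguments (this is the order the code and the usage text use;
# the old header listed 4 and 5 the other way round):
# 1. serviceip     remote host
# 2. User          remote user
# 3. userPassword  password for that user
# 4. serverPath    source path on the server side [server端路径]
# 5. localPath     destination path on this host [本地路径]
#
# Exit status:
# 0  success
# 1  wrong number of arguments
# 2  connection refused
# 8  timeout while waiting for a prompt (only reachable if "timeout" is
#    changed from -1 to a finite number of seconds)
#
# NOTE: every argument, including the password, is visible to all local
# users in the process list for as long as the script runs.
###########################################################
proc usage {} {
  # Print the synopsis, using the script's own file name, and exit 1.
  regsub ".*/" $::argv0 "" name
  send_user "Usage:\n"
  send_user "$name serviceip User userPassword serverPath localPath\n"
  exit 1
}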
## 判断参数个数
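if {[llength $argv] != 5} {
  usage
}
# Positional arguments, in the order the usage text gives them.
set serverIp     [lindex $argv 0]
set User         [lindex $argv 1]
set userPassword [lindex $argv 2]
set serverPath   [lindex $argv 3]
set localPath    [lindex $argv 4]
# -1 disables the timeout, so the "timeout" arm below is only reachable if
# this is changed to a finite number of seconds.
set timeout -1
# spawn execs rsync directly (no shell): each Tcl word is one argument, so
# values with spaces or shell metacharacters are not re-parsed.
spawn rsync -arqP $User@$serverIp:$serverPath $localPath
# The pattern list must begin on the same line as "expect": Tcl ends the
# command at a newline, so a "{" on the following line is parsed as a
# separate (invalid) command.
expect {
  -nocase -re "yes/no" {
    # Answering "yes" stores the unknown host key unverified; pre-seeding
    # known_hosts avoids the prompt and the risk. exp_continue keeps this
    # same expect running so the password prompt that follows is caught,
    # without a second copy of the password arm.
    send -- "yes\r"
    exp_continue
  }
  -nocase -re "assword: " {
    send -- "$userPassword\r"
    # Hands the session over until rsync exits (interact returns on eof
    # from the spawned process); kept from the original design.
    interact
  }
  -nocase -re "Connection refused" {
    # The old message referenced ftpServerIp, which is never set here.
    send_error "ssh service at $User@$serverIp is not active (connection refused).\n"
    exit 2
  }
  timeout {
    send_error "Connect to $User@$serverIp timed out.\n"
    exit 8
  }
  eof
}
expect eof
# Report rsync's own exit status so a failed transfer is not mistaken for
# success: wait's fourth element is the child's exit status (an errno
# instead when the third element is -1, still non-zero).
exit [lindex [wait] 3]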
这个脚本有一个致命的问题,就是调用方式
[dev@localhost~/golang/src]$./backup.sh 127.0.0.1 root password /home/dev /tmp
spawn rsync -arqP root@127.0.0.1:/home/dev /tmp
root@127.0.0.1's password:
另外一个用户可以直接使用ps命令看到密码
[dev@localhost~]$ps -ef | grep expect
dev 27155 25299 0 17:53 pts/0 00:00:00 /usr/bin/expect ./backup.sh 127.0.0.1 root password /home/dev /tmp
dev 27171 23951 0 17:53 pts/1 00:00:00 grep expect
这样,一旦集中备份服务器被黑客攻破,其他服务器的密码简直就是白送的.
采用如下的加固方式
http://blog.itpub.net/29254281/viewspace-1578997/
脚本改造如下
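#!/bin/bash
# Remote backup wrapper: pulls serverpath from user@serverip into localpath
# with rsync over ssh, using expect to answer the host-key and password
# prompts without a terminal.
#
# The five values are read from stdin, one per line, in this order:
#   serverip  user  password  serverpath  localpath
# Nothing is passed on the command line, so other local users cannot read
# the password from the process list (ps shows argv; a process's environment
# is readable only by its own uid and root). The values reach expect through
# exported variables and a *quoted* here-document: bash expands nothing
# inside it, so a value containing quotes, $, [ or \ is never spliced into
# the Tcl source and cannot change what the script does. Feed the values
# from a file or an interactive prompt rather than a command-line literal,
# which would survive in the shell history. A key pair with a restricted
# command is the usual replacement for password automation altogether.
#
# Exit status: 1 if fewer than five non-empty lines were supplied, otherwise
# the exit status of expect (2 on "Connection refused", 8 on timeout, else
# rsync's own exit status).
set -u
# -r keeps backslashes literal; IFS= keeps leading/trailing blanks.
IFS= read -r serverip
IFS= read -r user
IFS= read -r password
IFS= read -r serverpath
IFS= read -r localpath
for name in serverip user password serverpath localpath; do
  if [[ -z "${!name}" ]]; then
    printf 'backup: missing value for %s on stdin\n' "$name" >&2
    exit 1
  fi
done
export BK_SERVERIP="$serverip" BK_USER="$user" BK_PASSWORD="$password" \
  BK_SERVERPATH="$serverpath" BK_LOCALPATH="$localpath"
# Quoted delimiter: every $ from here to EOF is Tcl's, not bash's.
/usr/bin/expect <<'EOF'
set serverip   $env(BK_SERVERIP)
set user       $env(BK_USER)
set password   $env(BK_PASSWORD)
set serverpath $env(BK_SERVERPATH)
set localpath  $env(BK_LOCALPATH)
# Remove the secret from the environment before anything is spawned so that
# rsync and ssh do not inherit it.
unset env(BK_PASSWORD)
# -1 disables the timeout, so the "timeout" arm below is only reachable if
# this is changed to a finite number of seconds.
set timeout -1
# spawn execs rsync directly (no shell): each Tcl word is one argument, so
# values with spaces or shell metacharacters are not re-parsed.
spawn rsync -arqP $user@$serverip:$serverpath $localpath
expect {
  -nocase -re "yes/no" {
    # Answering "yes" stores the unknown host key unverified; pre-seeding
    # known_hosts avoids the prompt and the risk. exp_continue keeps this
    # same expect running so the password prompt that follows is caught,
    # without a second copy of the password arm.
    send -- "yes\r"
    exp_continue
  }
  -nocase -re "assword: " {
    send -- "$password\r"
    # Hands the session over until rsync exits (interact returns on eof
    # from the spawned process); kept from the original design.
    interact
  }
  -nocase -re "Connection refused" {
    # The old message referenced ftpServerIp, which is never set here.
    send_error "ssh service at $user@$serverip is not active (connection refused).\n"
    exit 2
  }
  timeout {
    send_error "Connect to $user@$serverip timed out.\n"
    exit 8
  }
  eof
}
expect eof
# Report rsync's own exit status so a failed transfer is not mistaken for
# success: wait's fourth element is the child's exit status (an errno
# instead when the third element is -1, still non-zero).
exit [lindex [wait] 3]
EOF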
调用方式改为:
echo "127.0.0.1 root password /home/dev /tmp" | sed 's/ /\n/g' | ./backup.sh
这时,另外的用户使用ps命令就不能看到敏感信息了
[dev@localhost~]$ps -ef | grep backup
dev 27294 25299 0 18:14 pts/0 00:00:00 /bin/bash ./backup.sh
dev 27312 23951 0 18:14 pts/1 00:00:00 grep backup
[dev@localhost~]$ps -ef | grep expect
dev 27295 27294 0 18:14 pts/0 00:00:00 /usr/bin/expect
dev 27315 23951 0 18:14 pts/1 00:00:00 grep expect
原来使用的expect脚本如下
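#!/usr/bin/expect
##########################################################
# Pull a remote directory to this host with rsync over ssh, answering the
# host-key and password prompts non-interactively.
#
# Positional arguments (this is the order the code and the usage text use;
# the old header listed 4 and 5 the other way round):
# 1. serviceip     remote host
# 2. User          remote user
# 3. userPassword  password for that user
# 4. serverPath    source path on the server side [server端路径]
# 5. localPath     destination path on this host [本地路径]
#
# Exit status:
# 0  success
# 1  wrong number of arguments
# 2  connection refused
# 8  timeout while waiting for a prompt (only reachable if "timeout" is
#    changed from -1 to a finite number of seconds)
#
# NOTE: every argument, including the password, is visible to all local
# users in the process list for as long as the script runs.
###########################################################
proc usage {} {
  # Print the synopsis, using the script's own file name, and exit 1.
  regsub ".*/" $::argv0 "" name
  send_user "Usage:\n"
  send_user "$name serviceip User userPassword serverPath localPath\n"
  exit 1
}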
## 判断参数个数
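if {[llength $argv] != 5} {
  usage
}
# Positional arguments, in the order the usage text gives them.
set serverIp     [lindex $argv 0]
set User         [lindex $argv 1]
set userPassword [lindex $argv 2]
set serverPath   [lindex $argv 3]
set localPath    [lindex $argv 4]
# -1 disables the timeout, so the "timeout" arm below is only reachable if
# this is changed to a finite number of seconds.
set timeout -1
# spawn execs rsync directly (no shell): each Tcl word is one argument, so
# values with spaces or shell metacharacters are not re-parsed.
spawn rsync -arqP $User@$serverIp:$serverPath $localPath
# The pattern list must begin on the same line as "expect": Tcl ends the
# command at a newline, so a "{" on the following line is parsed as a
# separate (invalid) command.
expect {
  -nocase -re "yes/no" {
    # Answering "yes" stores the unknown host key unverified; pre-seeding
    # known_hosts avoids the prompt and the risk. exp_continue keeps this
    # same expect running so the password prompt that follows is caught,
    # without a second copy of the password arm.
    send -- "yes\r"
    exp_continue
  }
  -nocase -re "assword: " {
    send -- "$userPassword\r"
    # Hands the session over until rsync exits (interact returns on eof
    # from the spawned process); kept from the original design.
    interact
  }
  -nocase -re "Connection refused" {
    # The old message referenced ftpServerIp, which is never set here.
    send_error "ssh service at $User@$serverIp is not active (connection refused).\n"
    exit 2
  }
  timeout {
    send_error "Connect to $User@$serverIp timed out.\n"
    exit 8
  }
  eof
}
expect eof
# Report rsync's own exit status so a failed transfer is not mistaken for
# success: wait's fourth element is the child's exit status (an errno
# instead when the third element is -1, still non-zero).
exit [lindex [wait] 3]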
这个脚本有一个致命的问题,就是调用方式
[dev@localhost~/golang/src]$./backup.sh 127.0.0.1 root password /home/dev /tmp
spawn rsync -arqP root@127.0.0.1:/home/dev /tmp
root@127.0.0.1's password:
另外一个用户可以直接使用ps命令看到密码
[dev@localhost~]$ps -ef | grep expect
dev 27155 25299 0 17:53 pts/0 00:00:00 /usr/bin/expect ./backup.sh 127.0.0.1 root password /home/dev /tmp
dev 27171 23951 0 17:53 pts/1 00:00:00 grep expect
这样,一旦集中备份服务器被黑客攻破,其他服务器的密码简直就是白送的.
采用如下的加固方式
http://blog.itpub.net/29254281/viewspace-1578997/
脚本改造如下
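#!/bin/bash
# Remote backup wrapper: pulls serverpath from user@serverip into localpath
# with rsync over ssh, using expect to answer the host-key and password
# prompts without a terminal.
#
# The five values are read from stdin, one per line, in this order:
#   serverip  user  password  serverpath  localpath
# Nothing is passed on the command line, so other local users cannot read
# the password from the process list (ps shows argv; a process's environment
# is readable only by its own uid and root). The values reach expect through
# exported variables and a *quoted* here-document: bash expands nothing
# inside it, so a value containing quotes, $, [ or \ is never spliced into
# the Tcl source and cannot change what the script does. Feed the values
# from a file or an interactive prompt rather than a command-line literal,
# which would survive in the shell history. A key pair with a restricted
# command is the usual replacement for password automation altogether.
#
# Exit status: 1 if fewer than five non-empty lines were supplied, otherwise
# the exit status of expect (2 on "Connection refused", 8 on timeout, else
# rsync's own exit status).
set -u
# -r keeps backslashes literal; IFS= keeps leading/trailing blanks.
IFS= read -r serverip
IFS= read -r user
IFS= read -r password
IFS= read -r serverpath
IFS= read -r localpath
for name in serverip user password serverpath localpath; do
  if [[ -z "${!name}" ]]; then
    printf 'backup: missing value for %s on stdin\n' "$name" >&2
    exit 1
  fi
done
export BK_SERVERIP="$serverip" BK_USER="$user" BK_PASSWORD="$password" \
  BK_SERVERPATH="$serverpath" BK_LOCALPATH="$localpath"
# Quoted delimiter: every $ from here to EOF is Tcl's, not bash's.
/usr/bin/expect <<'EOF'
set serverip   $env(BK_SERVERIP)
set user       $env(BK_USER)
set password   $env(BK_PASSWORD)
set serverpath $env(BK_SERVERPATH)
set localpath  $env(BK_LOCALPATH)
# Remove the secret from the environment before anything is spawned so that
# rsync and ssh do not inherit it.
unset env(BK_PASSWORD)
# -1 disables the timeout, so the "timeout" arm below is only reachable if
# this is changed to a finite number of seconds.
set timeout -1
# spawn execs rsync directly (no shell): each Tcl word is one argument, so
# values with spaces or shell metacharacters are not re-parsed.
spawn rsync -arqP $user@$serverip:$serverpath $localpath
expect {
  -nocase -re "yes/no" {
    # Answering "yes" stores the unknown host key unverified; pre-seeding
    # known_hosts avoids the prompt and the risk. exp_continue keeps this
    # same expect running so the password prompt that follows is caught,
    # without a second copy of the password arm.
    send -- "yes\r"
    exp_continue
  }
  -nocase -re "assword: " {
    send -- "$password\r"
    # Hands the session over until rsync exits (interact returns on eof
    # from the spawned process); kept from the original design.
    interact
  }
  -nocase -re "Connection refused" {
    # The old message referenced ftpServerIp, which is never set here.
    send_error "ssh service at $user@$serverip is not active (connection refused).\n"
    exit 2
  }
  timeout {
    send_error "Connect to $user@$serverip timed out.\n"
    exit 8
  }
  eof
}
expect eof
# Report rsync's own exit status so a failed transfer is not mistaken for
# success: wait's fourth element is the child's exit status (an errno
# instead when the third element is -1, still non-zero).
exit [lindex [wait] 3]
EOF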
调用方式改为:
echo "127.0.0.1 root password /home/dev /tmp" | sed 's/ /\n/g' | ./backup.sh
[dev@localhost~]$ps -ef | grep backup
dev 27294 25299 0 18:14 pts/0 00:00:00 /bin/bash ./backup.sh
dev 27312 23951 0 18:14 pts/1 00:00:00 grep backup
[dev@localhost~]$ps -ef | grep expect
dev 27295 27294 0 18:14 pts/0 00:00:00 /usr/bin/expect
dev 27315 23951 0 18:14 pts/1 00:00:00 grep expect
转载于:http://blog.itpub.net/29254281/viewspace-1580525/