#!/bin/sh # This is a little hack to let me send myself signed pgp mail containing # a batch script and have it execute as me. I knocked this up in a hurry # this evening when I needed to remote control a machine I couldn't easily # telnet to. It's not especially elegant but then it's not especially # big, so if you don't like it, write your own the way you prefer. # Because this runs as a batch job, PGPPATH and PGPPASS must be # set in the environment. If invoked from procmail, they have to # be defined in .procmailrc Clearly you should use a different # private key to your personal one for mail. Given that this is # only to stop outsiders accessing your account, it doesn't matter # that the exec-key is held online or in the environment - if someone # could hack your account to get the key they've already done enough # to hack your account anyway and having access to this exec-server # would give them no extra advantage... # I use procmail runes like this to execute this script: # :2 # ^From.*gtoal # Subject: batch job # The From line is redundant, but I just put it in so I could easily # bounce requests from most unauthorised senders in a later procmail # rule. Unauthorised senders posting as me are silently dropped # on the floor... (assuming the pgp signature check fails that is!) cat > $PGPPATH/job.$$ # This just extracts the first pgp message to a file to avoid possible # problems with spoofing... - it leaves the file empty if no pgp message # was found. I use my own editor 'ecce' to do this - you might use # sed or perl or whatever... if [ -f /usr/local/lib/ecce ]; then # Skipping this stage probably doesn't hurt... /usr/local/lib/ecce $PGPPATH/job.$$ << EOD f/-----BEGIN PGP MESSAGE-----/l0k-0f/-----END PGP MESSAGE-----/mk0,m-0k0;%c EOD fi # can't use -f filter mode because it's impossible to specify # the pubring to use if you do. # +batchmode is essential - it forces a return code of 0 if and # only if the pgp message was signed and the signator is explicitly # listed in 'execring.pgp'. pgp +batchmode $PGPPATH/job.$$ \ $PGPPATH/exec.$$ \ $PGPPATH/execring.pgp if [ $? -ne 0 ]; then # This goes into the procmail log echo ILLEGAL REMOTE JOB - USER NOT IN EXECRING.PGP # tidy up rm -f $PGPPATH/job.$$ rm -f $PGPPATH/exec.$$ exit 1 fi # execute the command - probably a script but could as easily be a # binary executable if properly compiled for the target host. chmod +x $PGPPATH/exec.$$ $PGPPATH/exec.$$ # tidy up rm -f $PGPPATH/job.$$ rm -f $PGPPATH/exec.$$ exit 0