Disable internet access when calling java -jar - networking

I'm testing six distinct .jar-files that all need to handle the possibility of no online access.
Unfortunately, I am on a network disc, so disabling the network connection or pulling the ethernet cable does not work unless I move all the files to /tmp or /scratch and change my $HOME environment variable, all of which I'd rather not have to do as it ends up being a lot of work.
Is there a way to invoke java -jar and disable the process from accessing the internet? I have not found any such flag in the man-pages. Is there perhaps a UNIX-way of doing this, as in:
disallowinternetaccess java -jar Foo.jar

Tell your Java program to access the network through a proxy. For all internet access this would be a SOCKS5 proxy.
java -DsocksProxyHost=socks.example.com MyMain
I believe that if no proxy is running you should get an appropriate exception in your program. If you need full control of what is happening, you can look into - and possibly modify - http://jsocks.sourceforge.net/
See http://docs.oracle.com/javase/7/docs/technotes/guides/net/proxies.html for details.
Note: You can do this without any native Unix stuff, so this question fits perfectly fine on SO.
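For the "full control" case mentioned in the proxy answer above, a deny-all SOCKS5 endpoint can stand in for a real proxy. This is an added example, not part of the original answer or of the jsocks project. It speaks just enough SOCKS5 (RFC 1928) to learn where the JVM wanted to connect, then refuses. The names `refuse` and `REFUSED` and the port 1080 are assumptions of this sketch.

```python
import socket
import socketserver
import struct

# VER=5, REP=2 (connection not allowed by ruleset), RSV, ATYP=IPv4, BND=0.0.0.0:0
REFUSED = b"\x05\x02\x00\x01" + bytes(6)

def read_exact(conn, n):
    """Read exactly n bytes or fail if the client goes away."""
    buf = b""
    while len(buf) < n:
        chunk = conn.recv(n - len(buf))
        if not chunk:
            raise ConnectionError("client closed early")
        buf += chunk
    return buf

def refuse(conn):
    """Negotiate SOCKS5, refuse the request, return the (host, port) asked for."""
    ver, nmethods = read_exact(conn, 2)
    if ver != 5:
        raise ValueError("not a SOCKS5 client")
    read_exact(conn, nmethods)            # offered auth methods, ignored
    conn.sendall(b"\x05\x00")             # select "no authentication"
    ver, cmd, _rsv, atyp = read_exact(conn, 4)
    if atyp == 1:                         # IPv4 address
        host = socket.inet_ntoa(read_exact(conn, 4))
    elif atyp == 3:                       # length-prefixed domain name
        host = read_exact(conn, read_exact(conn, 1)[0]).decode("ascii", "replace")
    elif atyp == 4:                       # IPv6 address
        host = socket.inet_ntop(socket.AF_INET6, read_exact(conn, 16))
    else:
        raise ValueError("unknown address type")
    (port,) = struct.unpack("!H", read_exact(conn, 2))
    conn.sendall(REFUSED)
    return host, port

class Handler(socketserver.BaseRequestHandler):
    def handle(self):
        try:
            print("blocked %s:%d" % refuse(self.request))
        except (ValueError, ConnectionError) as exc:
            print("dropped client:", exc)

if __name__ == "__main__":
    # Port 1080 is an assumption; match it with -DsocksProxyPort=1080.
    with socketserver.ThreadingTCPServer(("127.0.0.1", 1080), Handler) as srv:
        srv.serve_forever()
```

With this running, start each jar as `java -DsocksProxyHost=127.0.0.1 -DsocksProxyPort=1080 -jar Foo.jar`; every destination the jar tries is printed as blocked. Only connections that honour the JVM's SOCKS settings are covered.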

You just need to turn on SecurityManager: -Djava.security.manager=default
See details: https://stackoverflow.com/a/4645781/814304
With this solution you can even handle which resource you want to show and which to hide.

Related

Problem communicating over a local area network (LAN) with ROS on WSL2

I am a developer of ROS projects. Recently I have been trying to use ROS (melodic) on WSL2 (Windows Subsystem for Linux), and everything works just great. But I ran into some trouble when I wanted to communicate with another PC that is also on the same local area network (LAN). Before setting environment variables like "ROS_MASTER_URI, ROS_IP", I know that since WSL 2 works on Hyper-V, the IP shown in WSL2 is not the one on the real LAN. I have to run a command like the one below so that everyone on the LAN can communicate with the specific host:PORT on WSL2.
netsh interface portproxy delete v4tov4 listenport=$port listenaddress=$addr
But here comes a new question:
The nodes which use TCPROS to communicate with each other have a random PORT every time I launch the file.
How can I handle this kind of problem?
Or is there any information on the internet that I can have a look at?
Thank you.
The root problem is described in WSL issue #4150. To quote from that thread,
WSL 2 seems to NAT its virtual network, instead of making it bridged to the host NIC.
Option 1 - Port forwarding script on login
Note: From @kraego's comment (and the edited question, which I'm just seeing based on the comment), this is probably not a good option for ROS, since the port numbers are randomly assigned. This makes port forwarding something that would have to be dynamically done.
There are a number of workarounds described in that issue, for which you've already figured out the first part (the port forwarding). The primary technique seems to be to create a PowerShell script to detect the IP address and create the port forwarding rules that runs upon Windows login. This particular comment near the top of the thread seems to be the canonical go-to answer, although many people have posted their tweaks or alternatives throughout the very long thread.
One downside - I believe the script that is mentioned there needs to be run at logon since the WSL subsystem seems to only want to run when a user is logged in. I've found that attempting to run a WSL service or instance through Windows OpenSSH results in that instance/service shutting down soon after the SSH session is closed, unless the user is already logged into Windows with a WSL instance opened.
Option 2 - WSL1
I would also propose that, assuming it fits your workflow and if the ROS works on it (it may not, given the device access you need, but not sure), you can simply use WSL1 instead of WSL2 to avoid this. You can try this out by:
Backing up your existing distro (from PowerShell or cmd, use wsl --export <DistroName> <FileName>)
Import the backup into a new WSL1 instance with wsl --import <NewDistroName> <InstallLocation> <FileNameOfBackup> --version 1
It's possible to simply change versions in place, but I tend to like to have a backup anyway before doing it, and as long as you are backing up, you may as well leave the original in place.

phpseclib - SSH_AUTH_SOCK not found

I work with another company that is moving from regular FTP to SFTP for their connections. They have informed me that my existing username and password are the same, but that I now need to connect via SFTP on port 22. I have a couple of PHP scripts that do some basic things, like connect to their site, get a directory listing, and upload and download a file each day. Those all work fine on FTP, so I need to just swap out the protocol to SFTP.
After doing some research, the consensus seems to be that phpseclib is the easiest and most robust way to perform SFTP using PHP. My server is running Linux and Apache. I downloaded the library and tried to run just the basic example given by phpseclib, but I get an error:
Notice: SSH_AUTH_SOCK not found in System/SSH/Agent.php on line 244
When I look at Agent.php, I see that the script is looking for SSH_AUTH_SOCK to be defined in either $_SERVER or $_ENV. I must be missing something obvious, but I have no idea how to get past this error.
You are trying to connect to SSH authentication agent (ssh-agent).
When the agent is run, it exports the SSH_AUTH_SOCK environment variable.
Which is obviously not happening in your case.
But you didn't tell us why you are trying to use the agent, if at all, and what you did to set it up, if anything. So it's difficult to give you more concrete advice.
See also How is SSH_AUTH_SOCK setup and used by ssh-agent?
Run the below command:
eval "$(ssh-agent -s)"
It works fine for me.

How to configure FastRWeb to use RServer built-in web server

I'm new to RServe (and FastRWeb). I installed RServe 1.7.0 as I want to use its built-in webserver. As I already have apache running on this machine I want to run RServe/FastRWeb on a custom port.
I did cd /usr/local/lib/R/site-library/FastRWeb;sudo ./install.sh, which created /var/FastRWeb/ directory tree.
I'm not seeing any configuration file that mentions port. The default /var/FastRWeb/code/rserve.conf looks like this:
socket /var/FastRWeb/socket
sockmod 0666
source /var/FastRWeb/code/rserve.R
control enable
I'm guessing that means it uses unix sockets, by default? So I think my question is what exactly do I have to put in (and remove from) that file to, say, have it listen on TCP port 8888? And is there anything else I need to do? (I want to be able to connect from other machines, not just localhost.)
Possibly related: I've looked at /var/FastRWeb/web/index.html and it contains JavaScript that is going to connect to /cgi-bin/R/. Is that path specific to when using Apache, or is it going to be fine, as-is, when using RServe?
There is an explanation of setting port in the Rserve 1.7.0 release announcement. Therefore, at the top of rserve.conf, I added this line:
http.port 8888
Then I used the start script (as root) to start it.
This got me halfway as now http://127.0.0.1:8888/ works, but gives me a page that says:
Error in try(.http.request("/", NULL, NULL, c(48, 6f, 73, 74, 3a, 20, :
could not find function ".http.request"
The second half of the solution is to add this to the top of /var/FastRWeb/code/rserve.R:
library(FastRWeb)
.http.request <- FastRWeb:::.http.request
Then start things going by running /var/FastRWeb/code/start. There is no default handler, so you can test it with http://127.0.0.1:8888/info. Or a more interesting example is http://127.0.0.1:8888/example1.png (to view a chart) or http://127.0.0.1:8888/example2 (to view a mix of html and chart)
Note: I did not delete or edit any other configuration to get this working. That means we also have the unix socket listening. If that is not needed remove those two lines from the Rserve.conf file.
If you want it listening on all IP addresses, not just localhost, then add remote enable to your Rserve.conf file. NOTE: Make sure you understand the security consequences before opening your server to the world.
So, after those two changes, my /var/FastRWeb/code/Rserve.conf file looks like:
http.port 8888
remote enable
source /var/FastRWeb/code/rserve.R
control enable
Did you see Jay Emerson's write-up from a while back about how to use RServe as a backend for web-driven analysis? As I recall, one still uses Apache for the redirection, rather than an explicit port as you surmise here.
Jay's setup was very impressive. He used Rserve to provide mixed table/chart pages written via the grid package, all very slick and very fast, based off an immense data set (from a UN agency, or the World Bank, or something). But I can't find a link to that report right now...

TCP and UDP implementation of virtual terminal access

I'm trying to understand virtual terminal access. I was wondering if anyone knows any sources for the Virtual Terminal Access protocol, and other sources like FTP, HTTP, and remote procedure calls.
The RFC Sourcebook...
I'm not sure about the 'Virtual Terminal Access Protocol' though. That's a new one to me. Usually, if you're looking to communicate with a terminal you have to know the model of the specific terminal because there are so many different terminal specifications.
The RFC sourcebook, at the least, will give you a great resource to help implement FTP, HTTP, and RPC.
If you want to see a great example of a virtual terminal, check out PuTTY.
I suspect you meant the Virtual Terminal Protocol that was part of the ISO protocol stack. It was never widely deployed. The logical Internet equivalent was telnet, which, while extremely useful in its day, was insecure and has since been replaced by ssh.

What is the best way to change a user-password remotely in Unix?

What is the best way to change a user-password remotely in Unix?
This must be performed by the user, in a Web-app or Windows-App, without using SSH or any direct connection between the user and the server (direct command line not allowed).
Thanks
Webmin seemed to be a good application to do that, but I found it extremely hard to configure it right. My Unix users are unable to login to Webmin or Usermin.
Do you know any other alternatives to Webmin and Usermin?
Thanks
Use Webmin (more specifically the UserMin module).
Webmin provides a mini webserver, so you just need to install and configure it slightly. You'll get a lot more than just password-changing, and you can remove functionality you don't want the user to have.
@Rich Bradshaw
Just make sure you don't introduce security issues. The solution should use https encryption (the password should never be sent in clear text). It should be protected against shell injection attacks (strip any newlines from input, escape it properly etc). More details depend on the chosen implementation.
I've done this in the past to change passwords on several servers at once by using a script written in Expect. It's perfect for the job but you will need the servers to be listening via SSH.
Once written, the script will execute on your local workstation and will connect to the remote host, do the interaction you've scripted, and then you should be gold. All the while, using the encryption you're already trusting if you're running SSH. Just don't save the passwords in your script: you should be able to prompt yourself for them (even taking them by command line argument is generally considered poor practice.)
Expect is a great language too: lots of fun!
You could write a server side script that ran passwd, you could do that in any language that allows shell commands to be run.
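The server-side script suggested in the last answer, combined with the injection advice in the earlier comment (newlines, escaping), could look like the following. This is an added example, not code from any of the posts. It assumes a Linux host with `chpasswd` at `/usr/sbin/chpasswd`, that the web app has already authenticated the user, and that the username pattern and the refusal to touch root are local policy; `chpasswd_record` and `change_password` are hypothetical names.

```python
import re
import subprocess

# Conservative account-name pattern (assumption; adjust to local policy).
USERNAME_RE = re.compile(r"[a-z_][a-z0-9_-]{0,31}")
# Newlines and every other control character are rejected, not stripped.
CONTROL_RE = re.compile(r"[\x00-\x1f\x7f]")

def chpasswd_record(username, new_password):
    """Return the single 'user:password' line for chpasswd, or raise ValueError."""
    if not USERNAME_RE.fullmatch(username):
        raise ValueError("invalid username")
    if username == "root":
        # Added policy assumption: the web app never changes root.
        raise ValueError("refusing to change root from the web app")
    if not new_password or CONTROL_RE.search(new_password):
        # chpasswd reads one record per line, so a newline inside the
        # password would begin a second record for a different account.
        raise ValueError("empty password or control character in password")
    return f"{username}:{new_password}\n".encode()

def change_password(username, new_password):
    """Validate, then hand the record to chpasswd on stdin."""
    record = chpasswd_record(username, new_password)
    # argv list, no shell: nothing the user typed is parsed as a command
    # line, and the password never appears in the process list.
    subprocess.run(["/usr/sbin/chpasswd"], input=record, check=True)
```

Because the password travels on stdin and no shell is involved, quoting and escaping stop being a concern; the only structure left to protect is the one-record-per-line format, which the control-character check covers.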
