any remote command line software where i can specify available commands?

ComputerRepairTech (Well-Known Member, Columbia, SC)
I need to give someone access to run a single command remotely without giving them access to anything else. Is there any existing software to do this? I suppose I can set up a server and whip up a PHP script, but I feel like something like this should exist somewhere.
 
Yes, how would I give someone access to execute just one batch file remotely? If an existing solution doesn't exist, I was going to whip up some web server PHP solution to allow them to execute it.

I'm not sure what you are doing but the batch file goes locally and calls the remote command.
 
Would it be better to set up something to check every few minutes for a precondition (might be remotely checking a flag on a website that gets reset by that check) and running the command if it's matched?
 
I'm not sure what you are doing but the batch file goes locally and calls the remote command.

I need them to be able to connect remotely to the server but only be able to issue a single command that I specify. I can whip something up myself; I was just hoping there was some pre-existing remote command software with that level of control, 'cause I'm lazy =P.
 
How are they connecting? What exactly is being done with the command? One thought is to give them a shell login. The login script runs the command(s) and then logs out at the end. It's easy to keep them from using keyboard commands, like Ctrl+C, to break the script and give them shell access.
 
If it's the same thing being run on a regular basis then just schedule it. Take it these aren't under RMM control, even O&O Syspectr. But since it's another person pushing the buttons.
 
@ComputerRepairTech does this one command require command-line options? Launch something that requires input? Or is it "run and done"?

If it's run-and-done, why do you need them to be able to connect to it? Where are you proposing to allow connections from? LAN only?
 
How are they connecting? What exactly is being done with the command? One thought is to give them a shell login. The login script runs the command(s) and then logs out at the end. It's easy to keep them from using keyboard commands, like Ctrl+C, to break the script and give them shell access.

Haven't decided yet; it depends on what kind of remote command solution I find. I'm probably just going to whip up my own solution. I like your idea, that's very out of the box, but it doesn't seem like a great idea security-wise.

If it's the same thing being run on a regular basis then just schedule it. Take it these aren't under RMM control, even O&O Syspectr. But since it's another person pushing the buttons.

It is scheduled, but there are steps they need to take to be ready, so it's safer if they just launch it when they are ready. This is not a computer repair situation, but I figured chances were high the software exists in some form or another.

@ComputerRepairTech does this one command require command-line options? Launch something that requires input? Or is it "run and done"?

If it's run-and-done, why do you need them to be able to connect to it? Where are you proposing to allow connections from? LAN only?

Run and done. They won't be on the LAN network; I can set up some sort of restricted VPN perhaps to put them on there, but by default they won't be part of the LAN.
 
Honestly, I'd think about a 2-part solution.

The visible-to-the-world part would be a password-protected page on their website with a single button that said something like "OK to Run Process X after <datetime>", and when clicked that button would update a single file with any relevant information you wanted logged - the only important part being the date/time on the server and maybe not even that as long as the file gets modified. Basically, a most-recent-visitor date/time stamp, which can probably be gotten from the last-modified time of the file it's put into.

The internal server part would be a script scheduled to run every 5 minutes or so that would attempt to retrieve that file and look at either its contents or the last-modified stamp, and if it's newer than the last time processing was done then trigger processing. If using PowerShell, I'd look at some of the things discussed in https://stackoverflow.com/questions/20259251/powershell-script-to-check-the-status-of-a-url, but it could be in something else.

You could also do something involving email messages to a private email address, plus something scripted to check for messages periodically and download them, triggering processing any time an appropriate message arrived. (As a note, if someone is looking at this in the future: I previously implemented an automated extraction of emailed fax PDFs to a user folder using scripting of http://mpop.sourceforge.net/ (to save received messages as individual files in a folder) and uudeview (to extract the encoded PDF files and discard the entire message).)

Heck, if they're using any kind of shared document system, set up a watcher for new files in a relevant directory.

Basically there are a ton of ways to do this based around triggering on conditions rather than on having someone execute commands via some kind of remote access, and triggering on conditions is likely to be a lot safer.
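The poll-and-trigger loop this reply describes, written out as an added example (not code from the thread or from any poster): a sh script that compares the trigger file's last-modified time against a local stamp file, runs the one allowed job only when the trigger is newer, and then advances the stamp. The directory, file names, the job body and the commented curl line are assumptions; the script works on local files so it runs offline, and in real use the first step of each cycle would fetch the trigger file from the web server.

```shell
#!/bin/sh
# Added example (not from the thread): the "internal server part" of the
# two-part design. Each run compares the trigger file's mtime with a local
# stamp file; only when the trigger is newer does it run the single allowed
# job and then advance the stamp. Paths and the job are placeholders.
set -eu

DEMO_DIR="${TMPDIR:-/tmp}/trigger-demo"          # scratch area (assumption)
FLAG_FILE="$DEMO_DIR/ok-to-run.txt"               # file the web button updates
STAMP_FILE="$DEMO_DIR/last-run.stamp"             # when we last processed
JOB_LOG="$DEMO_DIR/job.log"                       # where the demo job writes

# In production the cycle would first refresh FLAG_FILE from the web host,
# e.g. (placeholder URL):
#   curl -fsS -z "$FLAG_FILE" -o "$FLAG_FILE" https://example.invalid/ok-to-run.txt
# Everything below is local so the example runs offline.

# The single job the remote person may start. Fixed on this side: the web
# page can decide *when* it runs, never *what* runs.
run_job() {
    printf 'job ran at %s\n' "$(date +%s)" >> "$JOB_LOG"
}

# True when the flag exists and is newer than the stamp, or no stamp exists
# yet. -nt is supported by bash, dash and ksh (not strictly POSIX).
should_trigger() {
    flag=$1; stamp=$2
    [ -f "$flag" ] || return 1
    [ ! -e "$stamp" ] || [ "$flag" -nt "$stamp" ]
}

# One polling cycle: prints "triggered" or "idle".
poll_once() {
    if should_trigger "$FLAG_FILE" "$STAMP_FILE"; then
        run_job
        # Stamp only after the job finished, so an interrupted run is retried.
        touch "$STAMP_FILE"
        echo triggered
    else
        echo idle
    fi
}

# Number of completed job runs so far (read from the demo log).
job_count() {
    [ -f "$JOB_LOG" ] && wc -l < "$JOB_LOG" | tr -d ' ' || echo 0
}

# Demo: fresh scratch dir, poll, simulate the button press, poll twice more.
mkdir -p "$DEMO_DIR"
rm -f "$FLAG_FILE" "$STAMP_FILE" "$JOB_LOG"
poll_once                                            # idle: no button press yet
printf 'OK to run after %s\n' "$(date)" > "$FLAG_FILE"   # the button press
poll_once                                            # triggered
poll_once                                            # idle: already handled
```

Schedule it every few minutes from cron or Task Scheduler. Because the stamp is touched only after the job completes, a run that dies part-way is simply retried on the next cycle, and because the job body lives on the internal host, a compromise of the web page can at worst cause an extra run of the same job, not a different command.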
 
Honestly, I'd think about a 2-part solution.

The visible-to-the-world part would be a password-protected page on their website with a single button that said something like "OK to Run Process X after <datetime>", and when clicked that button would update a single file with any relevant information you wanted logged - the only important part being the date/time on the server and maybe not even that as long as the file gets modified. Basically, a most-recent-visitor date/time stamp, which can probably be gotten from the last-modified time of the file it's put into.

The internal server part would be a script scheduled to run every 5 minutes or so that would attempt to retrieve that file and look at either its contents or the last-modified stamp, and if it's newer than the last time processing was done then trigger processing. If using PowerShell, I'd look at some of the things discussed in https://stackoverflow.com/questions/20259251/powershell-script-to-check-the-status-of-a-url, but it could be in something else.

You could also do something involving email messages to a private email address, plus something scripted to check for messages periodically and download them, triggering processing any time an appropriate message arrived.

Heck, if they're using any kind of shared document system, set up a watcher for new files in a relevant directory.

Basically there are a ton of ways to do this based around triggering on conditions rather than on having someone execute commands via some kind of remote access, and triggering on conditions is likely to be a lot safer.

I was thinking I'd let the user connect directly to an HTTP server with PHP support running on the same server, but the 2-part solution got me thinking.... I have a ScreenConnect server. I could technically create a user that only has access to 1 box, and that box could be a crippled shell where they can only execute a batch file that communicates with my server on the same LAN, and that executes the command. Like that, not only is it behind the username and password of ScreenConnect, but I can easily enable 2-factor authentication for that user for even more security ^_^.
 
Haven't decided yet; it depends on what kind of remote command solution I find. I'm probably just going to whip up my own solution. I like your idea, that's very out of the box, but it doesn't seem like a great idea security-wise.

Security is relative. Locked-down CLI logins have been around for decades. Personally I'd be much more comfortable with just that rather than trying to implement some web-based thing, unless it's all on the same server. Each step/layer/process that is added increases the risks.

If this is to occur from anywhere, so to speak, then the web-based option is a logical solution. But if it's always on the LAN I'd go with a local login solution.
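The locked-down CLI login this reply favours, and the earlier suggestion of a login script that runs the command and logs out, are exactly what OpenSSH's forced commands provide. Added example, not code from the thread or from any poster: an authorized_keys entry that pins one key to one program and strips forwarding and the pty, plus the wrapper that program would be. The key text, the path /usr/local/bin/run-one-job, the job body and the accepted word "run" are placeholders.

```shell
#!/bin/sh
# Added example (not the thread's code): an OpenSSH forced-command wrapper.
# Installed as /usr/local/bin/run-one-job (placeholder path) and pinned to
# the operator's key in authorized_keys, it is the only thing that login
# can run.
set -eu

# authorized_keys entry for the operator's key (key text is a placeholder).
# command= makes sshd run our wrapper whatever the client asked for; the
# no-* options remove tunnels, agent forwarding and the interactive pty.
AUTHORIZED_KEYS_LINE='command="/usr/local/bin/run-one-job",no-port-forwarding,no-X11-forwarding,no-agent-forwarding,no-pty ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAA...PLACEHOLDER operator'

# The single job the operator may start. Fixed here on the server: the
# operator decides when it runs, never what runs.
run_job() {
    echo "job started"
}

# Policy applied to the client's requested command, which sshd passes in
# SSH_ORIGINAL_COMMAND. Accept an empty request (a bare "ssh host") or the
# literal word "run"; refuse and log anything else.
forced_command() {
    requested=${1:-}
    case $requested in
        ''|run)
            run_job
            ;;
        *)
            # stderr for the demo; in real use send this to syslog via logger(1).
            printf 'run-one-job: refused "%s" from %s\n' \
                "$requested" "${SSH_CLIENT:-unknown}" >&2
            return 1
            ;;
    esac
}

# Act as the entry point only when installed under the expected name, so
# the functions above can also be sourced or exercised on their own.
case $(basename "$0") in
    run-one-job) forced_command "${SSH_ORIGINAL_COMMAND:-}" ;;
esac
```

sshd runs the command= program regardless of what the client typed and hands the client's request over in SSH_ORIGINAL_COMMAND, so the case statement is the entire policy and every refused request leaves a log line to review. On OpenSSH 7.2 and later the single option `restrict` covers the no-* options listed above. Since no-pty leaves no interactive terminal, the Ctrl+C concern raised earlier in the thread does not arise.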
 
On an RDS server?

Just make a shortcut using runas /user admin and /savecred. Remote into the system alongside the user, run it, punch in the admin account and save it. Poof, the user now has a shortcut that has admin rights that only does what you told it to do. Any edits to it at all will result in the credentials expiring.

But this seems... dangerous... users don't touch my servers... EVER. That's my job, and why I write scripts for various languages.
 
I was thinking I'd let the user connect directly to an HTTP server with PHP support running on the same server

As I've gotten older and more :eek: paranoid :eek: I've moved towards the "there should be no inbound ports forwarded to anything on networks I care about" stance. If there's a service that can accept connections, there's a vulnerability somewhere in the software stack even if I don't know where or how.

Just because you don't know what the vulnerability is doesn't mean it's not indexed by Shodan and available to anyone who finds a buffer overflow in version XYZ of the web server.

Edit: I also updated the post above with what I previously used for scripted email reception.
 