
Re: limiting access



On Sun, Aug 20, 2000 at 02:11:00AM -0700, kmself@ix.netcom.com wrote:
> 
> As suggested, the restricted shell.  Invoked with rbash or bash -r.
> 
> This doesn't allow changes to $PATH, users can't cd, and a number of
> other restrictions exist.  You *have* to either point users to a system
> directory with commands they can use, or create a commands directory for

but you can't really include /bin or /usr/bin without allowing the
user to trivially break out of the restricted shell:

if /bin is in the $PATH then they need to only run `exec bash' to get
a real shell without restrictions.  if /usr/bin is in the path they
can run chsh -s /bin/bash and logout and relogin to get a real shell
(or passwd -s /bin/bash) 

really you have to only have ~/bin in their PATH and create
appropriate symlinks or shell wrappers to the real binaries.

i managed to create a very limited environment which allows a user to
get directory listings from their $HOME and nowhere else, and to scp
files from their $HOME and nowhere else.  i did this by writing small
shell wrappers to ls to strip off absolute pathnames (ls -l
/etc/passwd becomes ls -l passwd); a similar wrapper was written around
scp to allow files to be downloaded but only from the home directory.

~/bin is obviously not writable by the user, neither is the home
directory.  the account is `scp only' (a way to get rid of ftp).  i
`think' it's relatively secure, if anyone is interested in seeing my
wrapper scripts.

> them.  Unlike chroot, rbash allows references to files outside the
> immediate directory tree, so you can create symlinks to other system
> files, and you don't have to specially include libraries within the
> user's environment.
> 
> rbash environments are often set up with a menu system rather than a
> full command line.

making a secure and still usable rbash command line interface would
probably take just as much time as getting a chroot() login to work
(which i also sort of accomplished but it was kludgy and broken)

in any event you should make sure your system is secured as if the
lusers have ordinary unrestricted shell logins, that way even if your
restrictions fail you should still be ok. 

you should definitely look at /etc/security/limits.conf too.

-- 
Ethan Benson
http://www.alaska.net/~erbenson/
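The post above describes, but does not show, an ls wrapper that rewrites absolute pathnames to their last component so the restricted user only ever lists their home directory. The script below is an added illustration written for this page in the style the author describes; it is not the author's wrapper. It assumes it is installed as ~/bin/ls (with ~/bin the only entry in the user's PATH, as the post recommends), that the real binary lives at /bin/ls, and that SANDBOX_DIR defaults to the user's home; all three are assumptions of this example.

```shell
#!/bin/sh
# Added example, not the original poster's script: an rbash-style "ls"
# wrapper that keeps only the last component of every path argument, so
# "ls -l /etc/passwd" is executed as "ls -l passwd" inside SANDBOX_DIR.

# Directory the restricted user may list (assumed default: their $HOME).
SANDBOX_DIR="${SANDBOX_DIR:-$HOME}"
# Path to the real ls. It must be absolute: with ~/bin as the only PATH
# entry, a bare "ls" would resolve to this wrapper and recurse forever.
REAL_LS="${REAL_LS:-/bin/ls}"

# Print the safe form of one path argument, or return 1 if there is none.
# Leading directories are dropped ("../../etc/passwd" -> "passwd");
# "." and ".." are refused outright instead of being quietly rewritten.
sanitize_path_arg() {
    arg=$1
    # strip trailing slashes so "/etc/" is handled like "/etc"
    while [ "${arg%/}" != "$arg" ]; do arg=${arg%/}; done
    # keep only the final component
    arg=${arg##*/}
    case "$arg" in
        ''|.|..) return 1 ;;
    esac
    printf '%s\n' "$arg"
}

# Rebuild the argument list with every path sanitized, then run the real
# ls from inside SANDBOX_DIR. Options (leading "-") pass through; after a
# literal "--" everything is treated as a path.
restricted_ls() {
    n=$#
    i=0
    dashdash=0
    while [ "$i" -lt "$n" ]; do
        a=$1; shift; i=$((i + 1))
        if [ "$dashdash" -eq 0 ]; then
            case "$a" in
                --) dashdash=1; set -- "$@" "$a"; continue ;;
                -*) set -- "$@" "$a"; continue ;;
            esac
        fi
        if s=$(sanitize_path_arg "$a"); then
            set -- "$@" "$s"
        else
            printf 'ls: refusing argument: %s\n' "$a" >&2
            return 2
        fi
    done
    # cd in a subshell so the caller's working directory is untouched
    (cd "$SANDBOX_DIR" && exec "$REAL_LS" "$@")
}

# Only dispatch when invoked under the name "ls" (i.e. installed as
# ~/bin/ls); sourcing the file for testing does nothing.
case "$0" in
    ls|*/ls) restricted_ls "$@" ;;
esac
```

Two caveats that follow from the post's own argument: the wrapper is only as strong as the PATH restriction around it (a writable ~/bin or a system directory in PATH makes it irrelevant), and it does not stop ls from following a symlink inside the home directory that points elsewhere, so the home directory should not be writable by the user, exactly as the post states.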
