Re: Limiting User Commands

[Stephen Le <zeroion@gmail.com>]

On Sat, 6 Nov 2004 00:13:28 +0100, Osamu Aoki <osamu@debian.org> wrote:
> > Is there an easy way to limit the commands a certain group of users
> > can execute? I've looked at chroot, and it's too complicated for my
> > needs and seems too easy to circumvent; users will be able to upload
> > their own Perl scripts, so it seems that they'll be able to access
> > commands outside their chroot by getting Apache w/ mod_perl to execute
> > the script.
> 
> Is is so?

Indeed. A chroot would only apply to a user if they were logged into
the system. Let's say I wanted to prevent users executing the command
"bad_command". Well, if "bad_command" was not available to a user in
their chroot, they wouldn't be able to execute it. However, a user
might write a Perl script that contained the following line:

system("bad_command");

If they got Apache to execute the script, the "bad_command" would be
run. This is the reason why I'm trying to approach this problem from a
permissions standpoint. Of course, someone might suggest running an
Apache daemon inside each user's chroot, but that's really
impractical...
 
> Use of chroot with bash started as rbash sems to be what you need.
> 
> Or use of rbash with with PATH pointing to custom location where
> commands exist.

See the example above. Users would still be able to upload their own
Perl scripts and get Apache to execute them without restriction - the
Perl script could call commands that I want to ban the users from
executing.

-Stephen Le