[clug-talk] Secure menu shell?

Royce Souther osgnuru at gmail.com
Fri Nov 28 10:15:21 PST 2008


Pressing Ctrl-C to close their shell would just disconnect the user. They
cannot remain connected with their shell closed.

Bad coding in the custom menu program could fork an unprotected TTY shell,
but that is not a flaw in the re-assigning of the shell in the /etc/passwd
file.

A root jail is a good idea. I use a root jail as the shell for restricted scp
access to my server, using files like these:

--- /etc/passwd ---
...
user001:x:2062:1000::/jails/myvhosteddomain/scpdirectory:/usr/sbin/jailme
--- /etc/passwd ---


--- /usr/sbin/jailme ---
#!/bin/bash
# Login shell for jailed accounts. First hop runs as the user; the second hop
# (re-run through the NOPASSWD sudoers entry) runs as root and chroots into $HOME.
MY_ID=$(id -u)
if [ "$MY_ID" -ne 0 ]; then
    exec sudo /usr/sbin/jailme "$HOME"
fi
if [ -d "$1" ]; then
    # /bin/sh and anything it needs must exist inside the jail. Because this hop
    # was started via sudo, the shell inside the chroot runs as root.
    exec chroot "$1" /bin/sh
fi
--- /usr/sbin/jailme ---



--- /etc/sudoers ---
...
%prisoners ALL=NOPASSWD:/usr/sbin/jailme
--- /etc/sudoers ---


--- /etc/group ---
...
prisoners:x:1000:
--- /etc/group ---


On Fri, Nov 28, 2008 at 9:35 AM, Peter Van den Wildenbergh <peter at meta-logica.com> wrote:

> Royce Souther wrote:
>
>> Why not just set their shell in the /etc/passwd file to be a wrapper
>> script for the text program you want them to run.
>>
>>
>> guest:x:1005:1005::/home/guest:/usr/local/bin/CustomMenu.bsh
>>
>>
>> /usr/local/bin/CustomMenu.bsh
>> #!/bin/bash
>>
>> /usr/bin/somettyncursesprogram opt1 opt2 opt3...optN
>>
> Depending on the application this will work but pressing CTRL-C or
> something similar might give access to a wide open system.
> Chroot'ing (Jailing) the users might help in this case.
>
> You can shield things if you chroot them to the same directory by group
> (dir has to contain 'ALL' the commands needed)
>
> I've done a couple of these things before, I usually start with something
> like this http://www.fuschlberger.net/programs/ssh-scp-sftp-chroot-jail/
>
> Peter
>
>



-- 
http://www.Radados.org
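The sudoers rule above lets any member of prisoners run /usr/sbin/jailme with any argument, so the root hop of the wrapper is the only place that decides which directory gets chrooted. The script below is an added example written for this thread, not Royce's or Peter's code: it keeps the same two-hop structure (user hop re-executes through sudo, root hop chroots and runs /bin/sh) but derives the jail from the calling user's passwd entry instead of trusting the argument, rejects paths that are not normalised real directories strictly under the jail root, and switches back to the caller's uid/gid inside the jail. Assumptions: jails live under JAIL_ROOT (the thread uses /jails); PASSWD_FILE is an added override so the lookup can be exercised against a constructed passwd file; chroot --userspec is the GNU coreutils option; SUDO_USER, SUDO_UID and SUDO_GID are the variables sudo sets for the invoked command.

```shell
#!/bin/sh
# Added example, not the code from the thread: a stricter /usr/sbin/jailme.
# The sudoers rule still allows any argument, so the root hop re-derives the
# jail from the caller and validates it instead of trusting "$1".
JAIL_ROOT="${JAIL_ROOT:-/jails}"
PASSWD_FILE="${PASSWD_FILE:-/etc/passwd}"   # override only for offline testing

# Print the home directory recorded for user "$1"; fail if the user is unknown.
home_of_user() {
    [ -n "$1" ] || return 1
    awk -F: -v u="$1" '$1 == u { print $6; found = 1; exit } END { exit !found }' "$PASSWD_FILE"
}

# Accept "$1" as a jail only if it is an absolute, normalised path strictly
# below JAIL_ROOT and a real directory (not a symlink, not resolving elsewhere),
# so "/", "/jails/x/../.." and a symlink under /jails are all refused.
validate_jail_dir() {
    dir=$1
    case "$dir" in
        "$JAIL_ROOT"/*) ;;
        *) return 1 ;;
    esac
    case "$dir/" in
        */../*|*/./*|*//*) return 1 ;;
    esac
    [ -d "$dir" ] || return 1
    if [ -L "$dir" ]; then return 1; fi
    resolved=$(cd "$dir" 2>/dev/null && pwd -P) || return 1
    [ "$resolved" = "$dir" ]
}

# A request is valid only when the requested jail is exactly the caller's
# passwd home and that home passes validate_jail_dir.
jail_request_ok() {
    user=$1
    requested=$2
    home=$(home_of_user "$user") || return 1
    [ "$requested" = "$home" ] || return 1
    validate_jail_dir "$requested"
}

jailme_main() {
    if [ "$(id -u)" -ne 0 ]; then
        # First hop, as the user: re-run through sudo with our own home.
        exec sudo /usr/sbin/jailme "$HOME"
    fi
    # Second hop, as root: must have come through sudo, and the argument must
    # match what passwd says about the caller.
    [ -n "$SUDO_USER" ] || exit 1
    jail_request_ok "$SUDO_USER" "$1" || exit 1
    # Enter the jail and drop back to the caller's uid/gid before running sh,
    # so the jailed shell is not a root shell (root inside a chroot is not contained).
    exec chroot --userspec="$SUDO_UID:$SUDO_GID" "$1" /bin/sh
}

# Run the wrapper only when invoked as jailme (sshd starts a login shell as "-jailme").
case "$0" in *jailme) jailme_main "$@" ;; esac
```

As with the original, /bin/sh and whatever it needs must be copied into each jail; the validation only decides whether the chroot happens at all.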