Restricted shell - BSD


Thread: Restricted shell

  1. Restricted shell

    Got a user that is going to have SSH access to one of my OpenBSD boxes.

    I want to have him restricted so that he cannot move around on the system,
    but from what I have found out, chroot like in FTP is a strange thing when
    talking SSH (or telnet for that matter).

    So I have played around a bit with rksh. I edited his default shell with
    vipw to be rksh - and it works. Well, there are two things that make it not
    work:

    1) he can change shell by himself to, say, csh, and then he can move around on
    my OBSD box.
    2) in rksh, he can start Midnight Commander and browse almost the whole
    system.

    What is the way to have a user with shell login restricted to only one
    directory - not being able to move around?

    Regards, Lars.



  2. Re: Restricted shell


    "Lars Bonnesen" wrote in message
    news:436ccd87$0$8867$edfadb0f@dread14.news.tele.dk ...
    > Got a user that is going to have SSH access to one of my OpenBSD boxes.
    >
    > I want to have him restricted so that he cannot move around on the system,
    > but from what I have found out, chroot like in FTP is a strange thing when
    > talking SSH (or telnet for that matter).
    >
    > So I have played around a bit with rksh. I edited his default shell with
    > vipw to be rksh - and it works. Well, there are two things that make it
    > not work:
    >
    > 1) he can change shell by himself to, say, csh, and then he can move around
    > on my OBSD box.
    > 2) in rksh, he can start Midnight Commander and browse almost the whole
    > system.
    >
    > What is the way to have a user with shell login restricted to only one
    > directory - not being able to move around?
    >
    > Regards, Lars.
    >


    If you don't trust this user, don't give him a shell; it's as simple as that. If
    your system's permissions and file access permissions are configured correctly,
    you should not have to worry about this user getting into areas (s)he
    shouldn't. Restricted shells are a joke, especially when you have compilers
    and programming interpreters around (perl, ruby, php etc.) that can easily
    fork a shell.


    --
    Rodrick R. Brown
    Senior IT Consultant
    http://www.rodrickbrown.com
    rodrick.brown[<@>]gmail.com

    When in 1986 Apple bought a Cray X-MP and announced that they would use it
    to design the next Apple Macintosh, Seymour Cray replied, "This is very
    interesting because I am using an Apple Macintosh to design the Cray-2
    supercomputer."



  3. Re: Restricted shell

    Lars Bonnesen wrote:
    >
    > What is the way to have a user with shell login restricted to only one
    > directory - not being able to move around?


    As a restricted shell does not allow a user to change the SHELL, ENV,
    and PATH environment variables, nor to call commands using absolute
    or relative paths, you must be sure he has a PATH environment variable
    pointing to a ~/bin directory that has only the commands he is allowed to run.

    Be careful choosing the commands he is allowed to use (e.g., vi(1)
    allows any user to run an unrestricted shell by typing, say,
    :!/bin/sh, as it does not have the same restrictions as an r*sh).

    Cheers,
    Igor.

  4. Re: Restricted shell

    Lars Bonnesen wrote:

    Hi Lars!

    > What is the way to have a user with shell login restricted to only one
    > directory - not being able to move around?


    I've had to build the same for a server of ours. I used rksh as you did,
    created a separate directory full of the apps the users are to use and set
    PATH to that directory exclusively. It provides the flexibility to choose
    which versions, gnu or not, etc.

    As Rodrick said, if "they" have a compiler or interpreter at hand there
    is the possibility of the lusers doing "things".



    Greets,
    Falk
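An added example, not code from anyone in this thread: two checks for the setup Igor and Falk describe (rksh, plus a command directory that is the user's only PATH entry). It runs against a constructed temporary layout; the RISKY_CMDS list is an assumption seeded from the commands the thread names (csh, vi, mc, perl, ruby, php, compilers).

```shell
#!/bin/sh
# Audit helpers for an rksh-restricted account (constructed example).
#   1. the user's command directory must not contain programs that offer a
#      way out: editor ":!" escapes, file managers, interpreters, compilers;
#   2. the user's .profile must set PATH to exactly that one directory,
#      because rksh stops the user from changing PATH but honours what
#      the profile sets.
# RISKY_CMDS is a starting list built from the thread's examples (assumption);
# extend it with whatever else is installed on the box.
RISKY_CMDS="sh ksh csh vi mc perl ruby php cc gcc"

# audit_bindir DIR: print every risky entry in DIR; return 1 if any was found.
audit_bindir() {
    dir=$1; found=0
    for f in "$dir"/*; do
        [ -e "$f" ] || continue            # empty directory: glob stays literal
        name=${f##*/}
        for r in $RISKY_CMDS; do
            [ "$name" = "$r" ] || continue
            printf 'RISK: %s offers a shell escape or interpreter\n' "$f"
            found=1
        done
    done
    return "$found"
}

# check_profile FILE: return 0 when the last PATH assignment in FILE names a
# single absolute directory (no ':'-separated extra entries), else 1.
check_profile() {
    line=$(grep -E '^(export )?PATH=' "$1" | tail -n 1)
    [ -n "$line" ] || return 1
    value=${line#*PATH=}
    value=${value#\"}; value=${value%\"}   # tolerate PATH="/dir"
    case $value in
        *:*) return 1 ;;                   # more than one directory
        /*)  return 0 ;;                   # one absolute directory
        *)   return 1 ;;                   # relative or empty
    esac
}

# Demo on a constructed layout (not a real account): ~/bin with ls, cat, vi.
demo() {
    home=$(mktemp -d); mkdir "$home/bin"
    : > "$home/bin/ls"; : > "$home/bin/cat"; : > "$home/bin/vi"
    printf 'PATH=%s/bin\nexport PATH\n' "$home" > "$home/.profile"
    audit_bindir "$home/bin" || echo "remove the flagged entries from $home/bin"
    check_profile "$home/.profile" && echo "PATH is restricted to one directory"
    rm -rf "$home"
}
demo
```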
