[hackpgh-discuss] Re: Custom Restricted Shell

  • From: John Lewis <oflameo2@xxxxxxxxx>
  • To: hackpgh-discuss@xxxxxxxxxxxxx
  • Date: Sat, 21 Mar 2015 21:05:00 -0400

Using rbash and creating a special bin directory containing links to the
programs I want to be used would be good for making a shell like rssh that
would allow a user to connect using the samba service.

The only way to make this "fool proof" is to use mandatory access
control (and do it right [if that is possible]) such as apparmor or
selinux. Of the two I would rather use apparmor because it uses file
system paths instead of security labels.

Another way to go about it, like you mentioned, is to rebuild the
distribution to be more secure by default by using a clever selection
of group ownership, permissions, and conservative use of posix acls on
sensitive parts of the system. It wouldn't necessarily be "fool proof"
but you can tell what resources someone has access to and pick and
choose related resources to give someone access to without fighting the
system to get applications all of the system calls they need to run.

The login shell script is a thing, but it may be possible that script
kiddies can subvert it due to how difficult it is to write the script.

On 03/21/2015 12:33 PM, Simon Heath wrote:
> rbash seems to be the first solution one would find to this; it
> appears to disallow changing the shell's PATH or entering a command
> containing a slash, so you can set up a custom PATH that only contains
> what programs you want to allow.
>
> That said it's far from foolproof.  Notably, pretty much any program
> that can invoke a particular command can be used to spawn an
> unrestricted shell, such as less, vi or emacs.
>
> Sudo will let you limit which commands a user is allowed to run
> through it, which *is* pretty difficult to subvert, but that doesn't
> sound quite like what you want.
>
> You can also mess with group permissions or ACLs to create an
> untrusted group that doesn't have execute permissions to most
> programs, or even give a particular user a login 'shell' that is a
> script that can only do certain things (if you write the script
> carefully).  It's not an easy problem to solve in the general case
> though, since "run a particular command" can mean a wide variety of
> things in practice.
>
> Simon
>
> On 3/21/2015 9:59 AM, John Lewis wrote:
>> Does anybody know how to create a restricted shell? I need to create a
>> restricted shell that is extended with a couple of commands so that I
>> can do database dumping or file sharing using a protocol not supported
>> by rssh without allowing for an interactive login.
>>
>>
>
>
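The rbash setup the thread sketches (a private bin directory of links to the allowed programs, a PATH the user cannot change), written out as an added example that is not from either poster. The user name, paths, allow list and the short list of shell-escaping programs are assumptions; the escaper list is illustrative, not complete.

```shell
#!/bin/sh
# Build a restricted-shell environment for a service account: a bin
# directory holding only links to permitted programs, plus a root-owned
# profile that fixes PATH. rbash itself refuses commands containing a
# slash and assignments to PATH, SHELL, ENV and BASH_ENV, so the user is
# confined to whatever is linked into this directory.

# Programs known to offer a way to spawn an unrestricted shell (as the
# thread notes for less, vi and emacs). Assumed, illustrative list:
# audit every program you allow, not just these.
SHELL_ESCAPERS="less more vi vim emacs man ftp find awk perl python sh bash"

is_shell_escaper() {
    for e in $SHELL_ESCAPERS; do
        [ "$1" = "$e" ] && return 0
    done
    return 1
}

# build_restricted_bin DIR PROG... : link each allowed program into DIR,
# skipping anything on the escaper list or not installed on this host.
build_restricted_bin() {
    dir=$1; shift
    mkdir -p "$dir"
    for prog in "$@"; do
        if is_shell_escaper "$prog"; then
            echo "refusing to link $prog: it can spawn a shell" >&2
            continue
        fi
        src=$(command -v "$prog") || { echo "$prog not installed" >&2; continue; }
        ln -sf "$src" "$dir/$prog"
    done
}

# write_profile FILE DIR : the login profile rbash reads at startup.
# PATH is made readonly so it cannot be reassigned later in the session.
write_profile() {
    cat > "$1" <<EOF
PATH=$2
export PATH
readonly PATH
EOF
}

# Usage as root, after creating the account with -s /bin/rbash
# (user "dumper" and the pg_dump/tar/gzip allow list are assumptions):
#   build_restricted_bin /home/dumper/bin pg_dump tar gzip
#   write_profile /home/dumper/.bash_profile /home/dumper/bin
#   chown root:root /home/dumper /home/dumper/bin /home/dumper/.bash_profile
#   chmod 755 /home/dumper /home/dumper/bin; chmod 644 /home/dumper/.bash_profile
```

The home directory, the bin directory and the profile must all be root-owned, otherwise the user can replace the profile or add links of their own.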