Mailinglist Archive: opensuse-security (49 mails)

< Previous Next >
Re: [opensuse-security] Restrict ssh command execution
  • From: Crispin Cowan <crispin@xxxxxxxxxx>
  • Date: Fri, 15 Dec 2006 15:10:17 -0800
  • Message-id: <45832B59.30302@xxxxxxxxxx>
Boyan Tabakov wrote:
> Hi,
> Is it possible to restrict certain users to executing only one specific
> command on the server with ssh? No interactive login should be allowed and no
> other commands should be accepted. If possible - how? Didn't see any options
> in sshd_config that looked promising... One think that came to mind is using
> the shell field in the /etc/passwd file (setting it to some custom script).
> Any other ideas?
>
You could do that, but the security is poor: you are depending on the
security of the application that you give the user. For instance, if you
give the user vi, then the user can just "shell out" with ":!bash"

That confined shell technique that I posted on December 10
<http://lists.opensuse.org/opensuse-security/2006-12/msg00004.html> also
works here. My old post described how to confine a user's shell, so that
they can only execute some commands. To use this technique to allow them
only a single command, you would instead use a hardlink pointing from a
unique name for your command (say, /usr/bin/restrictedgrep ->
/usr/bin/grep ) and then use the rest of the technique that I outlined
to build your profile for /usr/bin/restrictedgrep.

Under this scheme, if the user tries to shell out, or in fact access any
file you did not give them access to, AppArmor will block it.

Crispin

--
Crispin Cowan, Ph.D. http://crispincowan.com/~crispin/
Director of Software Engineering, Novell http://novell.com
Hacking is exploiting the gap between "intent" and "implementation"

---------------------------------------------------------------------
To unsubscribe, e-mail: opensuse-security+unsubscribe@xxxxxxxxxxxx
For additional commands, e-mail: opensuse-security+help@xxxxxxxxxxxx

< Previous Next >
Follow Ups
References