Mailinglist Archive: opensuse-security (49 mails)

< Previous Next >
Re: [opensuse-security] Restrict ssh command execution
  • From: Crispin Cowan <crispin@xxxxxxxxxx>
  • Date: Fri, 15 Dec 2006 15:10:17 -0800
  • Message-id: <45832B59.30302@xxxxxxxxxx>
Boyan Tabakov wrote:
> Hi,
> Is it possible to restrict certain users to executing only one specific
> command on the server with ssh? No interactive login should be allowed and no
> other commands should be accepted. If possible - how? Didn't see any options
> in sshd_config that looked promising... One think that came to mind is using
> the shell field in the /etc/passwd file (setting it to some custom script).
> Any other ideas?
You could do that, but the security is poor: you are depending on the
security of the application that you give the user. For instance, if you
give the user vi, then the user can just "shell out" with ":!bash"

That confined shell technique that I posted on December 10
<> also
works here. My old post described how to confine a user's shell, so that
they can only execute some commands. To use this technique to allow them
only a single command, you would instead use a hardlink pointing from a
unique name for your command (say, /usr/bin/restrictedgrep ->
/usr/bin/grep ) and then use the rest of the technique that I outlined
to build your profile for /usr/bin/restrictedgrep.

Under this scheme, if the user tries to shell out, or in fact access any
file you did not give them access to, AppArmor will block it.


Crispin Cowan, Ph.D.
Director of Software Engineering, Novell
Hacking is exploiting the gap between "intent" and "implementation"

To unsubscribe, e-mail: opensuse-security+unsubscribe@xxxxxxxxxxxx
For additional commands, e-mail: opensuse-security+help@xxxxxxxxxxxx

< Previous Next >
Follow Ups