Mailinglist Archive: opensuse-security (49 mails)

< Previous Next >
Re: [opensuse-security] Restrict ssh command execution
  • From: Boyan Tabakov <blade.alslayer@xxxxxxxxx>
  • Date: Sat, 16 Dec 2006 11:19:17 +0200
  • Message-id: <200612161119.22493.blade.alslayer@xxxxxxxxx>
On 16.12.2006 01:10, Crispin Cowan wrote:
> Boyan Tabakov wrote:
> > Hi,
> > Is it possible to restrict certain users to executing only one specific
> > command on the server with ssh? No interactive login should be allowed
> > and no other commands should be accepted. If possible - how? Didn't see
> > any options in sshd_config that looked promising... One think that came
> > to mind is using the shell field in the /etc/passwd file (setting it to
> > some custom script). Any other ideas?
>
> You could do that, but the security is poor: you are depending on the
> security of the application that you give the user. For instance, if you
> give the user vi, then the user can just "shell out" with ":!bash"
>
> That confined shell technique that I posted on December 10
> <http://lists.opensuse.org/opensuse-security/2006-12/msg00004.html> also
> works here. My old post described how to confine a user's shell, so that
> they can only execute some commands. To use this technique to allow them
> only a single command, you would instead use a hardlink pointing from a
> unique name for your command (say, /usr/bin/restrictedgrep ->
> /usr/bin/grep ) and then use the rest of the technique that I outlined
> to build your profile for /usr/bin/restrictedgrep.
>
> Under this scheme, if the user tries to shell out, or in fact access any
> file you did not give them access to, AppArmor will block it.
>
> Crispin

Thanks! I'll check this out.

--
Blade hails you...

All the same take me away
We're dead to the world
--Nightwish
< Previous Next >