Pressing Ctrl-C to close their shell would just disconnect the user. They
cannot remain connected with their shell closed.

Bad coding in the custom menu program could fork an unprotected TTY shell
but that is not a flaw in the re-assigning of the shell in the /etc/passwd
file.

A root jail is a good idea. I use a rootjail as the shell for restricted scp
access to my server using the files like so.

--- /etc/passwd ---
...
user001:x:2062:1000::/jails/myvhosteddomain/scpdirectory:/usr/sbin/jailme
--- /etc/passwd ---


--- /usr/sbin/jailme ---
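#!/bin/bash
# Not root yet: re-run this wrapper as root via sudo, passing the user's home.
MY_ID=$(id -u)
if [ "$MY_ID" -ne 0 ]; then
    exec sudo /usr/sbin/jailme "$HOME"
fi
# Running as root: chroot into the directory given as $1 and start a shell.
if [ -d "$1" ]; then
    chroot "$1" /bin/sh
fi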
--- /usr/sbin/jailme ---



--- /etc/sudoers ---
...
%prisoners ALL=NOPASSWD:/usr/sbin/jailme
--- /etc/sudoers ---


--- /etc/group ---
...
prisoners:x:1000:
--- /etc/group ---


On Fri, Nov 28, 2008 at 9:35 AM, Peter Van den Wildenbergh <
[EMAIL PROTECTED]> wrote:

> Royce Souther wrote:
>
>> Why not just set their shell in the /etc/passwd file to be a wrapper
>> script for the text program you want them to run.
>>
>>
>> guest:x:1005:1005::/home/guest:/usr/local/bin/CustomMenu.bsh
>>
>>
>> /usr/local/bin/CustomMenu.bsh
>> #!/bin/bash
>>
>> /usr/bin/somettyncursesprogram opt1 opt2 opt3...optN
>>
> Depending on the application this will work but pressing CTRL-C or
> something similar might give access to a wide open system.
> Chroot'ing (Jailing) the users might help in this case.
>
> You can shield things if you chroot them to the same directory by group
> (dir has to contain 'ALL' the commands needed)
>
> I've done a couple of these things before, I usually start with something
> like this http://www.fuschlberger.net/programs/ssh-scp-sftp-chroot-jail/
>
> Peter
>
>
> _______________________________________________
> clug-talk mailing list
> [email protected]
> http://clug.ca/mailman/listinfo/clug-talk_clug.ca
> Mailing List Guidelines (http://clug.ca/ml_guidelines.php)
> **Please remove these lines when replying
>



-- 
http://www.Radados.org
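
The jailme wrapper above hands its first argument to chroot while running as root under sudo. As an added example (not part of the original post and not the poster's code), here is one way the root side could check the jail directory and drop back to the calling user first. `JAIL_BASE`, `JAIL_OWNER_UID`, `jail_dir_ok` and `jail_enter` are assumed names, and GNU `readlink`, `stat` and `chroot --userspec` are assumed to be installed.

```shell
#!/bin/bash
# Added example (not from the original post): check a jail directory before
# chroot is called. JAIL_BASE, JAIL_OWNER_UID and both function names are
# assumptions made for this sketch.
JAIL_BASE="${JAIL_BASE:-/jails}"
JAIL_OWNER_UID="${JAIL_OWNER_UID:-0}"

# Print the canonical jail path and return 0 only if $1 resolves to a
# directory below JAIL_BASE and every directory from it up to JAIL_BASE is
# owned by JAIL_OWNER_UID and not writable by group or others.
jail_dir_ok() {
    local real base cur owner mode
    [ -n "$1" ] || return 1
    # Canonicalise first so symlinks and ".." cannot dodge the prefix test.
    real=$(readlink -f -- "$1") || return 1
    base=$(readlink -f -- "$JAIL_BASE") || return 1
    [ -d "$real" ] || return 1
    case "$real" in
        "$base"/*) ;;
        *) return 1 ;;
    esac
    cur=$real
    while [ "$cur" != "$base" ]; do
        owner=$(stat -c %u -- "$cur") || return 1
        mode=$(stat -c %a -- "$cur") || return 1
        [ "$owner" = "$JAIL_OWNER_UID" ] || return 1
        [ $(( 0$mode & 022 )) -eq 0 ] || return 1
        cur=$(dirname -- "$cur")
    done
    printf '%s\n' "$real"
}

# Root side of the wrapper: take the home directory from the passwd database
# for the uid sudo reports, not from an argument, then drop back to that uid.
jail_enter() {
    local home jail
    home=$(getent passwd "$SUDO_UID" | cut -d: -f6)
    jail=$(jail_dir_ok "$home") || { echo "jailme: refusing $home" >&2; return 1; }
    exec chroot --userspec="$SUDO_UID:$SUDO_GID" "$jail" /bin/sh
}

# Only act when installed under the wrapper's name and already root.
if [ "${0##*/}" = jailme ] && [ "$(id -u)" -eq 0 ]; then
    jail_enter
fi
```

With the jail root owned by root and not writable by the user, uploads need a user-writable subdirectory inside the jail, the same layout sshd requires for its ChrootDirectory option.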