Andrei Dumitrescu wrote:
2. Exista riscuri de securitate la care ma expun daca folosesc metoda asta?
Care ar fi ele? De ce e insecure sa ai un script bash definit ca un shell? E
posibil ca userB sa evadeze din scriptul meu si sa obtina un shell? Cum?
teoretic din orice shell script userul poate sa evadeze trimitind cumva
un suspend bine plasat
vezi daca nu te ajuta partea asta din manual:
SSHRC
If the file ~/.ssh/rc exists, sh(1) runs it after reading the
environment files but before starting the
user’s shell or command. It must not produce any output on stdout;
stderr must be used instead. If X11 for-
warding is in use, it will receive the "proto cookie" pair in its
standard input (and DISPLAY in its environ-
ment). The script must call xauth(1) because sshd will not run
xauth automatically to add X11 cookies.
The primary purpose of this file is to run any initialization
routines which may be needed before the user’s
home directory becomes accessible; AFS is a particular example of
such an environment.
[...] If this file does not exist, /etc/ssh/sshrc is run, and if
that does not exist either, xauth is used to add
the cookie.
Eu am folosit cindva sshrc pentru scripturi care rulau pe o masina,
avind ca trigger comenzi de pe alta.
In plus poti specifica in ~/.ssh/config (man ssh_config) o multime de
chestii (inclusiv comenzi executate automat, sau permise); poate gasesti
ceva util tie printre ele
[...]
PS: Nu prea as vrea sa folosesc chroot jail.
orice chroot e mai sigur decit ce ai facut tu :) Vezi daca nu iti
convine rbash ca shell (man bash, search for restricted shell)
--
"A computer will not make a good manager out of a bad manager.
It makes a good manager better faster and a bad manager worse faster."
Ed Esber, president, Ashton-Tate, 1986
_______________________________________________
RLUG mailing list
[email protected]
http://lists.lug.ro/mailman/listinfo/rlug