Re: [DNG] [OT] Restricting user capabilities after ssh login
Le 12/08/2018 à 07:38, Rick Moen a écrit : Quoting mett (m...@pmars.jp): I m wondering about the best way to restrict a user after he has ssh'd into his web folder. Try a chroot jail. https://www.tecmint.com/restrict-ssh-user-to-directory-using-chrooted-jail/ or https://www.cyberciti.biz/faq/debian-ubuntu-restricting-ssh-user-session-to-a-directory-chrooted-jail/ If the users doesn't _need_ ssh access per se, you might consider WebDAV, instead. AFAIU, your goal is to provide the user a more productive way to update his data. One of the most productive methods, to my knowledge, is rsync, however I haven't examined the way to use it in your conditions. Running an rsync server on your host is not very secure because the passwords are stored unencrypted on the host and must be set by the admin, unless you provide a dedicated app to do it. But allowing ssh connections with a restricted shell permitting only the commands used by rsync could be the way. But you would probably need to forbid the fancy features of ssh, like port forwarding. Didier ___ Dng mailing list Dng@lists.dyne.org https://mailinglists.dyne.org/cgi-bin/mailman/listinfo/dng
Re: [DNG] [OT] Restricting user capabilities after ssh login
On Sun, 12 Aug 2018 13:18:23 +0200 info at smallinnovations dot nl wrote: > On 12-08-18 06:55, mett wrote: > > Hi, > > > > I m wondering about the best way to restrict a user after > > he has ssh'd into his web folder. > > > > Up to now, the users I had were using only FTP > > to log into their web folder, > > and upload stuff in there > > (chrooted in their folder with vsftpd). > > > The setup is a devuan server under jessie with apache2 providing > > http server. > > Then, I use php-fpm to tie user, web-server and php processes. > > The passwd files is as below: > > 'user01:x:::user01,,,:/home/www/example.com/:/bin/bash'. > > > > TIA > > ___ > > Dng mailing list > > Dng@lists.dyne.org > > https://mailinglists.dyne.org/cgi-bin/mailman/listinfo/dng > > When you intend to replace ftp you can start with limiting the user to > use sftp only. No need to have a login shell. > > That part of my sshd_config looks like: > > Subsystem sftp internal-sftp > Match group sftponly > ChrootDirectory /home/%u > X11Forwarding no > AllowTcpForwarding no > ForceCommand internal-sftp > > > Grtz. > > Nick > > > > ___ > Dng mailing list > Dng@lists.dyne.org > https://mailinglists.dyne.org/cgi-bin/mailman/listinfo/dng Thanks a lot for the input. I ll definitely have to do it at one point. Cheers, ___ Dng mailing list Dng@lists.dyne.org https://mailinglists.dyne.org/cgi-bin/mailman/listinfo/dng
Re: [DNG] [OT] Restricting user capabilities after ssh login
On Sun, 12 Aug 2018 09:38:45 +0300 Lars Noodén wrote: > On 08/12/2018 09:10 AM, KatolaZ wrote: > > On Sun, Aug 12, 2018 at 01:55:00PM +0900, mett wrote: > [snip]>> I m considering giving ssh access but I realized that > >> chroot for ssh looks quite involved. > >> > >> So, I m wondering if using 'chmod o-r' > >> for folders(and subfolders), and files on > >> /etc, /home, /root, /usr and /var is a viable solution. > > > > Maybe use a restricted shell, allowing only the bunch of commands > > you would like the users to be able to run. Beware of cat(s), > > though. > > With restricted shell the main thing is to make a separate directory > for the rshell user and replace $PATH with it so they can't access the > normal directories. There you put links (symbolic or hard) to the > original applications they are allowed to run, how ever few those are > but the fewer the better. > > However, why vsftpd instead of using chrooted SFTP for the file > transfers? > > /Lars > ___ > Dng mailing list > Dng@lists.dyne.org > https://mailinglists.dyne.org/cgi-bin/mailman/listinfo/dng Thanks for the input. To be honest, rbash is what I thought of, first. 2 things refrain me from using it: -user cannot cd in his subdirectories (I could as Lars said, then put applications I d like the user has access to) -the wikipedia example of writing 'bash' at the command line and then being able to access everywhere(I tried it). Regarding vsftpd instead of SFTP, the only reason is I had no problem with ftp up to now. OK, the files transfer can be tapped by the wire provider but that is not a big concern to the users-base (of course, I explained to them already). Anyway, I think I ll move to SFTP at one point. So, you don't think, as well, that restricting read access to others (on the the files and folders I choose) is a viable solution? I should have say read and write by the way. Cheers, ___ Dng mailing list Dng@lists.dyne.org https://mailinglists.dyne.org/cgi-bin/mailman/listinfo/dng
Re: [DNG] [OT] Restricting user capabilities after ssh login
On Sat, 11 Aug 2018 22:38:52 -0700 Rick Moen wrote: > Quoting mett (m...@pmars.jp): > > > I m wondering about the best way to restrict a user after > > he has ssh'd into his web folder. > > Try a chroot jail. > https://www.tecmint.com/restrict-ssh-user-to-directory-using-chrooted-jail/ > or > https://www.cyberciti.biz/faq/debian-ubuntu-restricting-ssh-user-session-to-a-directory-chrooted-jail/ > > If the users doesn't _need_ ssh access per se, you might consider > WebDAV, instead. > Thanks for the input. So, restricting read access to others only is not a viable solution? I should have say read and write, by the way. Actually, I checked those links before asking and thought was a little bit too involved for my case. But I think I will go this way in the end. WebDAV, I didn't know about, that looks interesting as well. Cheers, ___ Dng mailing list Dng@lists.dyne.org https://mailinglists.dyne.org/cgi-bin/mailman/listinfo/dng
Re: [DNG] Python modules SimpleHTTPServer / SocketServer
Am 12.08.2018 um 13:12 schrieb leloft:
> Hello to everyone,
>
> I am trying to build a devuanized version of the debian
> security-tracker, but I have strayed very far from my skills base!
> Give or take a few untidy loose ends inherited from the
> debian oldoldstable and lts sections of the Makefile, the security
> database appears to build ok with devuan variables. I can confirm this
> in principle by cursory examination of a text file dump of the contents;
> as this file is >300Mb, this is hopelessly inadequate, but so
> far, so good.
>
> However, the process is halting at the creation of the python server.
> The problem is the same in 4 environments, and is the same with ordinary
> user and root privileges:
>
> 1) a headless 'dist-upgraded' ascii environment,
> 2) a chrooted 'minbase' ascii environment and
> 3) a chrooted 'minbase' debian stretch environment
> 4) a desktop machine running a 'dist-upgraded' ascii,
>
> Specifically, the process hangs during the
> SocketServer process:
>
> ^CTraceback (most recent call last):
> File "tracker_service.py", line 1773, in
> TrackerService(socket_name, db_name).run()
> File "../lib/python/web_support.py", line 840, in run
> self.server.serve_forever()
> File "/usr/lib/python2.7/SocketServer.py", line 231, in serve_forever
> poll_interval)
> File "/usr/lib/python2.7/SocketServer.py", line 150, in _eintr_retry
> return func(*args)
> KeyboardInterrupt
>
> The problem can be reproduced with this command
>
> $ python -m SimpleHTTPServer
>
> Serving HTTP on 0.0.0.0 port 8000 ...
> ^CTraceback (most recent call last):
> File "/usr/lib/python2.7/runpy.py", line 174, in _run_module_as_main
> "__main__", fname, loader, pkg_name)
> File "/usr/lib/python2.7/runpy.py", line 72, in _run_code
> exec code in run_globals
> File "/usr/lib/python2.7/SimpleHTTPServer.py", line 235, in
> test()
> File "/usr/lib/python2.7/SimpleHTTPServer.py", line 231, in test
> BaseHTTPServer.test(HandlerClass, ServerClass)
> File "/usr/lib/python2.7/BaseHTTPServer.py", line 610, in test
> httpd.serve_forever()
> File "/usr/lib/python2.7/SocketServer.py", line 231, in serve_forever
> poll_interval)
> File "/usr/lib/python2.7/SocketServer.py", line 150, in _eintr_retry
> return func(*args)
> KeyboardInterrupt
>
> Has anyone any experience of whether these commands work/have worked
> 'out of the box' for them in an ascii installation? I cannot find any
> posts online that report any problems with the module, so I am assuming
> it is unique to me, unless someone has reproduced it on a different
> ascii machine.
>
> Ideas and insights or workarounds would be very welcome.
>
> Many Thanks
>
> leloft
>
<3 I've been following your DSA work, that's very awesome, thank you!
I just gave it a go on a (fresh-ish) VM and it appears to work:
0. apt-get install git make python-{apt,apsw}
1. git clone
https://salsa.debian.org/security-tracker-team/security-tracker.git
2 test that it works with debian config:
2.a make update-packages
2.b make
2.c make serve
This may be the place you reached: this now runs a web server,
leave this command running.
2.d curl http://127.0.0.1:10605/tracker/status/release/oldstable | less
This should show you a bunch of HTML with some CVE data.
2.e Finish the make serve command (CTRL+C)
2.f make clean
3. Edit Makefile accordingly
4. Edit lib/debian-releases.mk accordingly
5. Check if it works with devuan config, basically repeat 2.
For the changes I made in steps 3 and 4 check:
https://git.devuan.org/evilham/security-tracker/commit/2515688e17116ee28b735fc85df9a18fab6a44bd
Notice that they reflect the different repo structure for Devuan (also
that I left only one .mk file, having multiple leads to make warnings).
To keep the scripts happy, I also limited the architectures listed, e.g.
there is no ascii-updates/non-free/binary-mips in our repos.
@parazyd: is this a bug in Amprolla or is it by design? Would it make
sense to create an "empty" repository in those cases? I know this is
easily patchable in these scripts, but *maybe* it is a desirable thing
for Amprolla as a whole and is not too difficult.
Also notice that if you want, you can just git clone my repository and
follow 2. (the commands do take "forever" :-D so do that if you trust
what I did, which maybe you should not as you may have read more about
this!).
Another interesting thing is that in 2.d I used /oldstable to test,
since that was "jessie" in both Debian and Devuan, /stable returns no
entries (which is wrong!) it may have something to do with
/data/config.json or sth like that, I'll leave that for your further
testing (you have write permissions to that repo, so please update that
if you make progress).
If we are going to use this, we want to merge back to Debian's repo as
much as possible to minimise long-term maintenance overhead; that means
some refactoring because, of course, this is built with a very specific
Re: [DNG] [OT] Restricting user capabilities after ssh login
On 12-08-18 06:55, mett wrote: > Hi, > > I m wondering about the best way to restrict a user after > he has ssh'd into his web folder. > > Up to now, the users I had were using only FTP > to log into their web folder, > and upload stuff in there > (chrooted in their folder with vsftpd). > The setup is a devuan server under jessie with apache2 providing > http server. > Then, I use php-fpm to tie user, web-server and php processes. > The passwd files is as below: > 'user01:x:::user01,,,:/home/www/example.com/:/bin/bash'. > > TIA > ___ > Dng mailing list > Dng@lists.dyne.org > https://mailinglists.dyne.org/cgi-bin/mailman/listinfo/dng When you intend to replace ftp you can start with limiting the user to use sftp only. No need to have a login shell. That part of my sshd_config looks like: Subsystem sftp internal-sftp Match group sftponly ChrootDirectory /home/%u X11Forwarding no AllowTcpForwarding no ForceCommand internal-sftp Grtz. Nick ___ Dng mailing list Dng@lists.dyne.org https://mailinglists.dyne.org/cgi-bin/mailman/listinfo/dng
[DNG] Python modules SimpleHTTPServer / SocketServer
Hello to everyone, I am trying to build a devuanized version of the debian security-tracker, but I have strayed very far from my skills base! Give or take a few untidy loose ends inherited from the debian oldoldstable and lts sections of the Makefile, the security database appears to build ok with devuan variables. I can confirm this in principle by cursory examination of a text file dump of the contents; as this file is >300Mb, this is hopelessly inadequate, but so far, so good. However, the process is halting at the creation of the python server. The problem is the same in 4 environments, and is the same with ordinary user and root privileges: 1) a headless 'dist-upgraded' ascii environment, 2) a chrooted 'minbase' ascii environment and 3) a chrooted 'minbase' debian stretch environment 4) a desktop machine running a 'dist-upgraded' ascii, Specifically, the process hangs during the SocketServer process: ^CTraceback (most recent call last): File "tracker_service.py", line 1773, in TrackerService(socket_name, db_name).run() File "../lib/python/web_support.py", line 840, in run self.server.serve_forever() File "/usr/lib/python2.7/SocketServer.py", line 231, in serve_forever poll_interval) File "/usr/lib/python2.7/SocketServer.py", line 150, in _eintr_retry return func(*args) KeyboardInterrupt The problem can be reproduced with this command $ python -m SimpleHTTPServer Serving HTTP on 0.0.0.0 port 8000 ... ^CTraceback (most recent call last): File "/usr/lib/python2.7/runpy.py", line 174, in _run_module_as_main "__main__", fname, loader, pkg_name) File "/usr/lib/python2.7/runpy.py", line 72, in _run_code exec code in run_globals File "/usr/lib/python2.7/SimpleHTTPServer.py", line 235, in test() File "/usr/lib/python2.7/SimpleHTTPServer.py", line 231, in test BaseHTTPServer.test(HandlerClass, ServerClass) File "/usr/lib/python2.7/BaseHTTPServer.py", line 610, in test httpd.serve_forever() File "/usr/lib/python2.7/SocketServer.py", line 231, in serve_forever poll_interval) File "/usr/lib/python2.7/SocketServer.py", line 150, in _eintr_retry return func(*args) KeyboardInterrupt Has anyone any experience of whether these commands work/have worked 'out of the box' for them in an ascii installation? I cannot find any posts online that report any problems with the module, so I am assuming it is unique to me, unless someone has reproduced it on a different ascii machine. Ideas and insights or workarounds would be very welcome. Many Thanks leloft ___ Dng mailing list Dng@lists.dyne.org https://mailinglists.dyne.org/cgi-bin/mailman/listinfo/dng
Re: [DNG] maintaining packages (was Re: systemd and ssh-server)
On Sun, Aug 12, 2018 at 09:38:30AM +0300, Lars Noodén wrote: > On 07/27/2018 01:33 PM, KatolaZ wrote: > > On Fri, Jul 27, 2018 at 01:18:41PM +0300, Lars Nood�n wrote: > > [cut] > >> Can you please (re-)post the link to the new Devuan build process? > [cut] > > > > and the relevant link is the fourth one: > > > > https://dev1galaxy.org/viewtopic.php?pid=1110#p1110 > > The manual of d1h, the Devuan packaging helper will help you build Devuan > > packages for Devuan or at home for your own use. > > > > Please feel free to ask if you need. Please also consider that the > > current version of d1h has a problem with the "cache" function, which > > I have to update to use the new salsa.debian.org. Sorry for the > > inconvenience. > > Ok. Thanks. I've not forgotten, just slow, and have been working out > which hardware to use and working through several options for what to > load (or not load) on the system and general work flow. It's looking > like the main way to reduce the probability of end-point compromise for > such a juicy target is to not have any X11 applications, but especially > not usual desktop stuff like a browser. > > Once I've got some more prerequisites out of the way, I'll be practicing > with d1h. Please consider that the current d1h has a problem with "d1h cache". I have a fix and I will release the new version soon. Sorry KatolaZ -- [ ~.,_ Enzo Nicosia aka KatolaZ - Devuan -- Freaknet Medialab ] [ "+. katolaz [at] freaknet.org --- katolaz [at] yahoo.it ] [ @) http://kalos.mine.nu --- Devuan GNU + Linux User ] [ @@) http://maths.qmul.ac.uk/~vnicosia -- GPG: 0B5F062F ] [ (@@@) Twitter: @KatolaZ - skype: katolaz -- github: KatolaZ ] signature.asc Description: PGP signature ___ Dng mailing list Dng@lists.dyne.org https://mailinglists.dyne.org/cgi-bin/mailman/listinfo/dng
Re: [DNG] [OT] Restricting user capabilities after ssh login
On 08/12/2018 09:10 AM, KatolaZ wrote: > On Sun, Aug 12, 2018 at 01:55:00PM +0900, mett wrote: [snip]>> I m considering giving ssh access but I realized that >> chroot for ssh looks quite involved. >> >> So, I m wondering if using 'chmod o-r' >> for folders(and subfolders), and files on >> /etc, /home, /root, /usr and /var is a viable solution. > > Maybe use a restricted shell, allowing only the bunch of commands you > would like the users to be able to run. Beware of cat(s), though. With restricted shell the main thing is to make a separate directory for the rshell user and replace $PATH with it so they can't access the normal directories. There you put links (symbolic or hard) to the original applications they are allowed to run, how ever few those are but the fewer the better. However, why vsftpd instead of using chrooted SFTP for the file transfers? /Lars ___ Dng mailing list Dng@lists.dyne.org https://mailinglists.dyne.org/cgi-bin/mailman/listinfo/dng
[DNG] maintaining packages (was Re: systemd and ssh-server)
On 07/27/2018 01:33 PM, KatolaZ wrote: > On Fri, Jul 27, 2018 at 01:18:41PM +0300, Lars Nood�n wrote: > [cut] >> Can you please (re-)post the link to the new Devuan build process? [cut] > > and the relevant link is the fourth one: > > https://dev1galaxy.org/viewtopic.php?pid=1110#p1110 > The manual of d1h, the Devuan packaging helper will help you build Devuan > packages for Devuan or at home for your own use. > > Please feel free to ask if you need. Please also consider that the > current version of d1h has a problem with the "cache" function, which > I have to update to use the new salsa.debian.org. Sorry for the > inconvenience. Ok. Thanks. I've not forgotten, just slow, and have been working out which hardware to use and working through several options for what to load (or not load) on the system and general work flow. It's looking like the main way to reduce the probability of end-point compromise for such a juicy target is to not have any X11 applications, but especially not usual desktop stuff like a browser. Once I've got some more prerequisites out of the way, I'll be practicing with d1h. /Lars signature.asc Description: OpenPGP digital signature ___ Dng mailing list Dng@lists.dyne.org https://mailinglists.dyne.org/cgi-bin/mailman/listinfo/dng
Re: [DNG] [OT] Restricting user capabilities after ssh login
On Sun, Aug 12, 2018 at 01:55:00PM +0900, mett wrote: > Hi, > > I m wondering about the best way to restrict a user after > he has ssh'd into his web folder. > > Up to now, the users I had were using only FTP > to log into their web folder, > and upload stuff in there > (chrooted in their folder with vsftpd). > > I m considering giving ssh access but I realized that > chroot for ssh looks quite involved. > > So, I m wondering if using 'chmod o-r' > for folders(and subfolders), and files on > /etc, /home, /root, /usr and /var is a viable solution. Maybe use a restricted shell, allowing only the bunch of commands you would like the users to be able to run. Beware of cat(s), though. My2Cents KatolaZ -- [ ~.,_ Enzo Nicosia aka KatolaZ - Devuan -- Freaknet Medialab ] [ "+. katolaz [at] freaknet.org --- katolaz [at] yahoo.it ] [ @) http://kalos.mine.nu --- Devuan GNU + Linux User ] [ @@) http://maths.qmul.ac.uk/~vnicosia -- GPG: 0B5F062F ] [ (@@@) Twitter: @KatolaZ - skype: katolaz -- github: KatolaZ ] signature.asc Description: PGP signature ___ Dng mailing list Dng@lists.dyne.org https://mailinglists.dyne.org/cgi-bin/mailman/listinfo/dng
