Re: Escaping from shell-scripts
On Nov 18, 2010, at 5:52 AM, Julian Fagir wrote:
> The straight-forward way would be to write this script, have all input parsed
> by read and then let the script act according to this input (let's assume
> that these tools are secure, it's just cp'ing and writing to
> non-sensitive files).
>
> Are there possibilities to escape from such a script down to a prompt?

Yes; consider using something like:

  trap "" 2 3 18

...prevent them from using control-C, control-Z, control-\ to play games with the script.

> All in all, this is a more general question I have for quite a time: Can you
> use shell-scripts for security-relevant environments?

Yes, but you really shouldn't trust them any farther than you would trust a user with an interactive shell. It's just too easy to exploit $IFS, invoke command line utilities that provide shell escapes, etc. Python or C is likely to be more securable, but getting it right is trickier than it may appear. Start with never trusting user-supplied inputs, always validate against a whitelist of what is trusted rather than trying to blacklist bad stuff.

Regards,
--
-Chuck

___
freebsd-questions@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-questions
To unsubscribe, send any mail to "freebsd-questions-unsubscr...@freebsd.org"
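One way to apply the advice in the reply above (ignored signals, a fixed $IFS and PATH, whitelist validation of everything read from the user), as an added example that is not code from the thread. The `STORE` path, the `list`/`save`/`quit` commands and the `serve` argument are hypothetical.

```sh
#!/bin/sh
# Added example: restricted menu front end (not code from the thread).
# STORE, the command names and the "serve" argument are hypothetical.
LC_ALL=C; export LC_ALL          # make [A-Z] style ranges byte-based
STORE=/var/spool/menu-demo       # hypothetical data directory

# valid_name NAME: accept 1-32 characters from [A-Za-z0-9_-], no leading dash.
# Anything else ('/', '.', spaces, '$', ';', backticks) is rejected.
valid_name() {
    case "$1" in
        ''|-*|*[!A-Za-z0-9_-]*) return 1 ;;
    esac
    [ "${#1}" -le 32 ]
}

# dispatch LINE: print the approved action for one input line, or "rejected".
# The line is only split into words; it is never passed to eval or sh -c.
dispatch() {
    unset IFS                    # default splitting, whatever the caller set
    set -f                       # no glob expansion while splitting
    set -- $1
    set +f
    case "$#:${1:-}" in
        1:list|1:quit) echo "$1"; return 0 ;;
        2:save) if valid_name "$2"; then echo "save $2"; return 0; fi ;;
    esac
    echo rejected
    return 1
}

serve() {
    # Signal names are portable; 18 is SIGTSTP on FreeBSD but SIGCONT on Linux.
    trap "" INT QUIT TSTP
    PATH=/bin:/usr/bin; export PATH
    while printf 'menu> ' && IFS= read -r line; do
        action=$(dispatch "$line") || { echo "not allowed"; continue; }
        case "$action" in
            quit) break ;;
            list) ls -- "$STORE" ;;
            save\ *) cp -- "$STORE/template" "$STORE/${action#save }" ;;
        esac
    done
    exit 0                       # EOF or quit ends the session, never a prompt
}

if [ "${1:-}" = serve ]; then serve; fi
```

Only `ls` and `cp` are ever executed, with arguments that have already passed `valid_name`, so no program with a shell escape is reachable from the menu.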
Re: Escaping from shell-scripts
doug writes:
> If you make a program a shell AFAIK to escape is to logoff. Bash has a
> chroot like facility that might work. However if you write a simple C
> program as a wrapper for your shell script and make that program a
> shell, I would think that is pretty secure.

As long as you don't call anything that can create an inferior shell. A common mistake when doing this kind of thing is to allow some file editing or mail reading, using programs that have a "shell escape" capability.
Re: Escaping from shell-scripts
On Thu, Nov 18, 2010 at 8:52 AM, Julian Fagir wrote:
> Hi,
>
> I'm planning a service with a login-user-interface. Thus, I want to restrict the user somehow to this script and to do nothing else.
>
> The straight-forward way would be to write this script, have all input parsed by read and then let the script act according to this input (let's assume that these tools are secure, it's just cp'ing and writing to non-sensitive files).
>
> Are there possibilities to escape from such a script down to a prompt?
>
> On the other hand, if I would take python for this, so a python-script is executed, are there ways to get to a generic python-prompt?
>
> The restriction to that script would be done by either setting the login-shell to that script, setting the ssh-command for that account/key (and ensuring that it can't be altered), or both.
>
> All in all, this is a more general question I have for quite a time: Can you use shell-scripts for security-relevant environments? Does an attacker have the possibility to escape from a script down to a prompt?
>
> I'm not that into shell-programming and there are too many legacies about terminals (some time ago, I had to cope with termcap...) and shells which one just can't all know.
> E.g., it was just a few days ago I found out what a terminal-stop means and that it is still interpreted by screen, though using it for several years now.
>
> Regards, Julian

While I cannot answer your question fully, you could use python as the user's shell and call the python script in question by passing the script to the parser as login, how specifically that is done, I am not sure. I've never used py as a login shell but I am fairly certain it can be done.
Re: Escaping from shell-scripts
On Thu, 18 Nov 2010, Julian Fagir wrote:
> Hi,
>
> I'm planning a service with a login-user-interface. Thus, I want to restrict the user somehow to this script and to do nothing else.
>
> The straight-forward way would be to write this script, have all input parsed by read and then let the script act according to this input (let's assume that these tools are secure, it's just cp'ing and writing to non-sensitive files).
>
> Are there possibilities to escape from such a script down to a prompt?
>
> On the other hand, if I would take python for this, so a python-script is executed, are there ways to get to a generic python-prompt?
>
> The restriction to that script would be done by either setting the login-shell to that script, setting the ssh-command for that account/key (and ensuring that it can't be altered), or both.
>
> All in all, this is a more general question I have for quite a time: Can you use shell-scripts for security-relevant environments? Does an attacker have the possibility to escape from a script down to a prompt?
>
> I'm not that into shell-programming and there are too many legacies about terminals (some time ago, I had to cope with termcap...) and shells which one just can't all know.
> E.g., it was just a few days ago I found out what a terminal-stop means and that it is still interpreted by screen, though using it for several years now.
>
> Regards, Julian

If you make a program a shell AFAIK to escape is to logoff. Bash has a chroot like facility that might work. However if you write a simple C program as a wrapper for your shell script and make that program a shell, I would think that is pretty secure.
Re: Escaping from shell-scripts
Julian Fagir wrote:
> Hi,
>
> I'm planning a service with a login-user-interface. Thus, I want to restrict the user somehow to this script and to do nothing else.
>
> The straight-forward way would be to write this script, have all input parsed by read and then let the script act according to this input (let's assume that these tools are secure, it's just cp'ing and writing to non-sensitive files).
>
> Are there possibilities to escape from such a script down to a prompt?
>
> On the other hand, if I would take python for this, so a python-script is executed, are there ways to get to a generic python-prompt?
>
> The restriction to that script would be done by either setting the login-shell to that script, setting the ssh-command for that account/key (and ensuring that it can't be altered), or both.
>
> All in all, this is a more general question I have for quite a time: Can you use shell-scripts for security-relevant environments? Does an attacker have the possibility to escape from a script down to a prompt?
>
> I'm not that into shell-programming and there are too many legacies about terminals (some time ago, I had to cope with termcap...) and shells which one just can't all know.
> E.g., it was just a few days ago I found out what a terminal-stop means and that it is still interpreted by screen, though using it for several years now.
>
> Regards, Julian

You should think about "JAILS" and qjail in particular, http://sourceforge.net/projects/qjail/

If you don't have too many users just allocate a jail for each user id or all those users in a single jail and then you don't need any of the script stuff you are talking about.
Re: Escaping from shell-scripts
I can't speak directly to your question, but also consider proper "base" security, so IF someone can get outside your script they're limited. I.e., proper user/group assignments, perms, etc. - file systems, ulimit, et al. Maybe chroot.

- Original Message -
From: owner-freebsd-questi...@freebsd.org
To: freebsd-questions@freebsd.org
Sent: Thu Nov 18 07:52:39 2010
Subject: Escaping from shell-scripts

Hi,

I'm planning a service with a login-user-interface. Thus, I want to restrict the user somehow to this script and to do nothing else.

The straight-forward way would be to write this script, have all input parsed by read and then let the script act according to this input (let's assume that these tools are secure, it's just cp'ing and writing to non-sensitive files).

Are there possibilities to escape from such a script down to a prompt?

On the other hand, if I would take python for this, so a python-script is executed, are there ways to get to a generic python-prompt?

The restriction to that script would be done by either setting the login-shell to that script, setting the ssh-command for that account/key (and ensuring that it can't be altered), or both.

All in all, this is a more general question I have for quite a time: Can you use shell-scripts for security-relevant environments? Does an attacker have the possibility to escape from a script down to a prompt?

I'm not that into shell-programming and there are too many legacies about terminals (some time ago, I had to cope with termcap...) and shells which one just can't all know.
E.g., it was just a few days ago I found out what a terminal-stop means and that it is still interpreted by screen, though using it for several years now.

Regards, Julian
Escaping from shell-scripts
Hi,

I'm planning a service with a login-user-interface. Thus, I want to restrict the user somehow to this script and to do nothing else.

The straight-forward way would be to write this script, have all input parsed by read and then let the script act according to this input (let's assume that these tools are secure, it's just cp'ing and writing to non-sensitive files).

Are there possibilities to escape from such a script down to a prompt?

On the other hand, if I would take python for this, so a python-script is executed, are there ways to get to a generic python-prompt?

The restriction to that script would be done by either setting the login-shell to that script, setting the ssh-command for that account/key (and ensuring that it can't be altered), or both.

All in all, this is a more general question I have for quite a time: Can you use shell-scripts for security-relevant environments? Does an attacker have the possibility to escape from a script down to a prompt?

I'm not that into shell-programming and there are too many legacies about terminals (some time ago, I had to cope with termcap...) and shells which one just can't all know.
E.g., it was just a few days ago I found out what a terminal-stop means and that it is still interpreted by screen, though using it for several years now.

Regards, Julian