Ian Kilgore wrote:
Dhruv Gami wrote:
| Hello Everyone,
|
| I am trying to set up an account for a user, who is to be given limited
| access. For example, this user should be able to run things like reboot,
| useradd, ifconfig, tail, emacs (or vi) ... essentially a list of
| programs that I specify, and only those programs.
|
Whups. Be *very* careful with restricted shells. Many programs allow
the user to execute external programs (editors like vi and emacs, for
example)[1]. There are many different ways to get around a restricted
shell, or sudo. If you absolutely have to do this, spend lots of time
making sure it really is restricted...

As Ian alluded to, this is either relatively easy or *really* hard to do
well, depending on what the user requires access to. My best suggestion,
if possible, would be:

Start by compiling a list of things the user should be able to do.
Try and limit that list down, and use rbash (or any restricted shell)
and set up a closed-down path and closed-down set of binaries they have
access to.

Of course, as mentioned, be very careful with powerful editors, scripts,
especially scripts you wrote, or scripts you can't read and fully
understand in less than 5 mins. And if that script takes arguments,
question whether you really understand everything that's possible with
shell arguments (I know I don't, but I know enough to break most arg
parsing :) ).

Then, once you've got it set up, get a few trusted testers to try and
break out of the restricted environment. You might solicit TriLUG for
this, or someone internal to your company (if this is for work
purposes). If you need assistance, I'll be glad to spend 5 mins or so
trying to break out, and I'm sure you could find a couple volunteers on
#trilug. Try of course to get people more knowledgeable than yourself,
or particularly people with a security background, but in general the
more people that look at it the more likely you are to find someone who
knows of "that one last thing" that everyone overlooks (which is always
different, of course).

Best of luck,
Aaron S. Joyner
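
A pre-check to run before handing the account to testers, added here as an example and not part of the original thread: it audits the closed-down command directory of an rbash account for the editors named above, for shells and interpreters, and for anything writable by group or other. The pattern list is constructed and non-exhaustive, and the directory path in the usage comment is hypothetical.

```shell
#!/bin/sh
# Added example, not from the thread: audit the command directory of an rbash account.
# Assumption: the account's PATH contains only the entries of this one directory.

# Constructed, non-exhaustive patterns: the editors named in the thread,
# plus shells and script interpreters, each of which can start other programs.
is_risky() {
    case "$1" in
        vi|vim|vim.*|emacs|emacs-*|emacs[0-9]*) return 0 ;;
        sh|bash|dash|ksh|zsh|csh|tcsh)          return 0 ;;
        python*|perl*|ruby*)                    return 0 ;;
    esac
    return 1
}

# Prints one line per finding; returns 0 if clean, 1 if findings, 2 on bad input.
audit_restricted_bin() {
    dir=$1
    findings=0
    [ -d "$dir" ] || { echo "ERROR: $dir is not a directory"; return 2; }

    # A directory writable by group or other lets someone add commands to it.
    if [ -n "$(find "$dir" -prune \( -perm -020 -o -perm -002 \) -print)" ]; then
        echo "WRITABLE-DIR: $dir"
        findings=1
    fi

    for entry in "$dir"/*; do
        [ -e "$entry" ] || continue
        # Resolve symlinks so a harmless-looking name cannot hide its real target.
        target=$(readlink -f "$entry" 2>/dev/null) || target=$entry
        if is_risky "$(basename "$entry")" || is_risky "$(basename "$target")"; then
            echo "RISKY: $(basename "$entry") -> $target"
            findings=1
        fi
        # A target writable by group or other can be replaced with any program.
        if [ -n "$(find "$target" -prune \( -perm -020 -o -perm -002 \) -print)" ]; then
            echo "WRITABLE: $(basename "$entry") -> $target"
            findings=1
        fi
    done
    return $findings
}

# Usage (hypothetical path): audit_restricted_bin /home/limited/bin
```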