[Gllug] Limiting SSH access
John Edwards
John.Edwards at cornerstonelinux.co.uk
Thu Apr 3 22:00:33 UTC 2003
On Thu, Apr 03, 2003 at 12:01:22PM +0100, Richard W.M. Jones wrote:
> On Thu, Apr 03, 2003 at 09:39:17AM +0100, Mark Lowes wrote:
>> The only thing I can think of is that you put all those users into a
>> group which cannot run any programs other than those you have explicitly
>> specified.
>
> This doesn't work because it's possible to upload pre-built
> binary files, even if you've denied scp access.
>
> eg:
>
> uuencode evil_program < evil_program | ssh remote uudecode
> ssh remote chmod +x evil_program
> ssh remote ./evil_program
>
> Or if you remove uudecode, then:
>
> (a) Write a shell script which when run generates evil_program.
> (b) ssh remote
> (c) Cut and paste shell script into window.
> (d) /bin/bash evil_script (generates evil_program)
> (e) Run ./evil_program

Setting the user's shell to rbash (restricted bash) and setting $PATH
to a limited set of programs removes a lot of this freedom:
[john at elephant john]$ ../../bin/uptime
rbash: ../../bin/uptime: restricted: cannot specify `/' in command names
[john at elephant john]$ export PATH=/sbin:/bin:/usr/sbin:/usr/bin
rbash: PATH: readonly variable
[john at elephant john]$ echo 'Evilness' > file
rbash: file: restricted: cannot redirect output
[john at elephant john]$ cd ../../
rbash: cd: restricted
"man bash" has full details on the restricted mode. The problem is
that it's often *too* restrictive for interactive users, but is good
for scripted use.
--
#--------------------------------------------------------#
| John Edwards Email: John.Edwards at uk.com |
| |
| "SEP is intended as a management routing protocol, |
| and should not be used in a production environment." |
#--------------------------------------------------------#
--
Gllug mailing list - Gllug at linux.co.uk
http://list.ftech.net/mailman/listinfo/gllug
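The restricted-shell behaviour John describes can be exercised without creating a real account. The script below is an added example, not code from the thread: it builds a throwaway sandbox whose PATH contains only two symlinked commands (ls and cat, chosen here as the "allowed" set), then runs commands through `bash -r` (the same mode rbash enters) with an empty environment. It reproduces the four refusals quoted above and also shows what rbash does not stop: the argument `/dev/null` is accepted because only command names, not arguments, are checked for `/`, so the allowed command list, not the shell, decides what a user can reach. The sandbox path and command list are constructed for the example.

```shell
#!/bin/sh
# Added example: exercises the rbash restrictions quoted in the thread.
# Uses `bash -r` (identical to rbash) against a throwaway sandbox; the
# sandbox directory and the allowed commands (ls, cat) are constructed here.

# setup_sandbox: create DIR/bin holding only the commands the restricted
# user may run (symlinks to the real binaries) and print DIR.
setup_sandbox() {
  sandbox=$(mktemp -d)
  mkdir "$sandbox/bin"
  for cmd in ls cat; do
    ln -s "$(command -v "$cmd")" "$sandbox/bin/$cmd"
  done
  printf 'sample text\n' > "$sandbox/note.txt"
  printf '%s\n' "$sandbox"
}

# run_restricted SANDBOX CMD: run CMD the way the restricted user would see it:
# empty environment, HOME=SANDBOX, PATH=SANDBOX/bin, bash in restricted mode.
# Returns CMD's exit status: 0 = allowed, non-zero = refused (or failed).
run_restricted() {
  bash_bin=$(command -v bash)
  (cd "$1" && env -i HOME="$1" PATH="$1/bin" "$bash_bin" -r -c "$2") \
    >/dev/null 2>&1
}

# is_blocked SANDBOX CMD: succeed (0) only when restricted bash refuses CMD.
is_blocked() {
  if run_restricted "$1" "$2"; then return 1; else return 0; fi
}

# restricted_error SANDBOX CMD: print the diagnostic bash -r emits for CMD.
restricted_error() {
  bash_bin=$(command -v bash)
  (cd "$1" && env -i HOME="$1" PATH="$1/bin" "$bash_bin" -r -c "$2") \
    2>&1 >/dev/null
}

# Walk through the attempts from the thread plus two that rbash permits.
sandbox=$(setup_sandbox)
for attempt in 'ls' 'cat note.txt' 'cat /dev/null' \
               '../../bin/ls' 'export PATH=/sbin:/bin:/usr/sbin:/usr/bin' \
               'echo Evilness > file' 'cd ../../'; do
  if run_restricted "$sandbox" "$attempt"; then
    printf 'allowed: %s\n' "$attempt"
  else
    printf 'refused: %s  [%s]\n' "$attempt" \
      "$(restricted_error "$sandbox" "$attempt")"
  fi
done
rm -rf "$sandbox"
```

Run it as `sh rbash_demo.sh`; each line reports whether the restricted shell allowed or refused the attempt, with bash's own message for the refusals. The practical consequence for the thread's question is that rbash is only as tight as the directory it is given: every program placed there must be one that cannot itself start another shell or write files on the user's behalf, and, as John notes, the result is usually too constraining for an interactive login but fits a scripted or single-purpose account.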