[Gllug] Limiting SSH access

Richard W.M. Jones rich at annexia.org
Fri Apr 4 09:20:35 UTC 2003


On Thu, Apr 03, 2003 at 11:00:33PM +0100, John Edwards wrote:
> Setting the user's shell to rbash (restricted bash) and setting $PATH 
> to a limited set of programs removes a lot of this freedom:
> 
> [john at elephant john]$ ../../bin/uptime
> rbash: ../../bin/uptime: restricted: cannot specify `/' in command names
> [john at elephant john]$ export PATH=/sbin:/bin:/usr/sbin:/usr/bin
> rbash: PATH: readonly variable
> [john at elephant john]$ echo 'Evilness' > file
> rbash: file: restricted: cannot redirect output
> [john at elephant john]$ cd ../../
> rbash: cd: restricted
> 
> "man bash" has full details on the restricted mode. The problem is 
> that it's often *too* restrictive for interactive users, but is good 
> for scripted use.

<pedantic>

By using a restricted shell, you're relying on the fact that none
of the programs that you allow the user to execute does this:

(a) ignores $SHELL and runs /bin/sh or /bin/bash,
(b) reads a start-up file which allows environment variables to be set,
    and provides shell escapes,
(c) has any buffer overflow on any possible input [a user can use a
    buffer overflow on input to cause the executable to exec /bin/sh]

Both are quite hard to check if you give the user a large set of
commands to run.

</pedantic>

I hope this display of pedantry has not harmed anyone's day :-) Now
I'm off to play with my Buffalo WLAN card ...

Rich.

-- 
Richard Jones, Red Hat Inc. (London office, UK) http://www.redhat.com/
http://www.annexia.org/ Freshmeat projects: http://freshmeat.net/users/rwmj
NET::FTPSERVER is a full-featured, secure, configurable, database-backed
FTP server written in Perl: http://www.annexia.org/freeware/netftpserver/
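
Added example, not part of the original post: a first-pass audit of the
directory used as the restricted user's $PATH. It covers only case (a) above,
flagging allowed commands that resolve to an unrestricted shell or carry a
hard-coded shell path; cases (b) and (c) need manual review. The function name
and directory layout are assumptions, and it expects readlink -f and grep -a.

```shell
#!/bin/sh
# Audit a directory used as the restricted user's PATH (assumed layout:
# one entry per allowed command, often symlinks to the real binaries).
# Prints "<name>: <finding>" per issue; returns 1 if anything was flagged.
audit_rbash_path() {
    dir=$1
    flagged=0
    for entry in "$dir"/*; do
        [ -e "$entry" ] || continue      # empty directory or dangling link
        name=${entry##*/}
        # Resolve symlinks so the real file is inspected, not the link name.
        target=$(readlink -f "$entry") || continue
        # The allowed command is itself an unrestricted shell.
        case ${target##*/} in
            sh|bash|dash|ksh|zsh|csh|tcsh)
                echo "$name: resolves to shell $target"
                flagged=1
                continue ;;
        esac
        # Case (a): a hard-coded shell path means the program can start a
        # shell regardless of $SHELL. -a makes grep read binaries as text;
        # the trailing class stops /bin/shutdown and similar from matching.
        if grep -a -q -E '/bin/(ba|da|k|z|c|tc)?sh([^[:alnum:]_.-]|$)' "$target"; then
            echo "$name: contains hard-coded shell path"
            flagged=1
        fi
    done
    return "$flagged"
}
```

A clean result only means no shell path is embedded in the files themselves;
every flagged entry still needs a decision on whether it belongs in the
restricted $PATH at all.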
