Locked down shell accounts

zekiel

Ok I'm interested in the idea of giving out shell accounts to some mates on a linux box I have, however I dont want them to have open accounts.

Basically I'm trying to figure out do I put scripts in place or were do I really begin to lock them down.

All I want is to enable the following:
They will be logging in through SSH. Thats all.

Mail :-> I have pine in place for this.
IRC :-> I have irssi + BitchX in place for this.

I want to them give them small account folders say 50mb's (The mail they will have stored within this folder.)
I want to lock them to the account folder (I dont want them to have any way to browse the system outside the account folder)

So suggestions on ways to do this would be much appreciated or pointing me in the right direction as regards to creating a script that may do this.

I've checked out various sites on the net that offer free shell accounts but none of them give away the directions on how to do this.

rob1891

google rbash if you haven't already.

Syth

rob1891 is right, rbash is what you want. The internet society in my college gave us rbash last year. It's very locked down.

Red Alert

but if i didn't like linux already i would have hated it after using rbash! they wouldn't even let me run gunzip! damn netsoc!

Syth

Red Alert wrote:

but if i didn't like linux already i would have hated it after using rbash! they wouldn't even let me run gunzip! damn netsoc!

Yes it was a complete pain in the arse. Rubbish for learning. Only good if you want to completly control what people did.

eth0_

In a scenario like a netsoc, there are always going to be arseholes who want to wreck it for everyone else, or prove how leet they are by hax0ring around with the server, so I can understand why rbash was used there, even if it is pretty crappy if you want to learn.

Syth

I agree. The best would have been to give everyone rbash by default, and people would have to request a decent shell, which would be monitored, and could be taken away.

However now they have ksh and it's all good.

rob1891

They had a more open 'jail' (neat freebsd thing) available a while ago, I don't know if that is what they still have in place. It's kind of like an operating system within an operating system, so a shell can run in it, and the user can do whatever they want, but they'll never get out of address space of their mini-os and whatever damage they do inside is more or less irrelevant. With that, you can provide access to a whole lot more programs and not have to worry about exploits and bugs on every one of the 100 applications you might offer (or whatever).

Of course it's a good bit harder to set up that rbash, and if I were doing it, I'd never be quite sure if what I had was config'd correctly and that it was secure as imagined.

eth0_

Jails are brilliant!

Red Alert

think i'll set one up on my web server so people can't hack in from my broadband connection.

tck

jails are handy, but can be broken out of, if any bit of creativity and determination is held by one of your users - its not going to stop them

zekiel

ok I've decided to use rbash but I cant seem to get it to work.

I create the account with /bin/rbash

but I'm not sure how to configure rbash or do I even do this, when I assign it I find the user can still cd .. out of a folder. Were am I going wrong here?

I link it with "ln -s /bin/bash /bin/rbash"

Then have the account created with /bin/rbash

But nothing is restricted.. how do I?

Syth

zekiel wrote:

ok I've decided to use rbash but I cant seem to get it to work.

I create the account with /bin/rbash

but I'm not sure how to configure rbash or do I even do this, when I assign it I find the user can still cd .. out of a folder. Were am I going wrong here?

I link it with "ln -s /bin/bash /bin/rbash"

Then have the account created with /bin/rbash

But nothing is restricted.. how do I?

Hmmm if I remember my horrid experiences with rbash, one could only execute programmes in the $PATH (no slashes allowed in programmes calls) and one could not modify the $PATH variable. However cd is a shell builtin command. You could try aliasing it to something. ie `alias 'cd='`, that would effectifly disable cd-ing. You would then have to make sure your users can't call the alias programme.

rob1891

cd is built-in but rbash restricts it's usage. Are you certain that you could not cd?

as far as config'ing rbash, create a directory for the programs you want them to be able to run, say /usr/rbash/bin and then edit their PATH in their .bash_profile to point to this directory only.