
Locked down shell accounts

  • 30-12-2004 12:32pm
    #1
    Registered Users, Registered Users 2 Posts: 998 ✭✭✭


    Ok I'm interested in the idea of giving out shell accounts to some mates on a Linux box I have, however I don't want them to have open accounts.

    Basically I'm trying to figure out do I put scripts in place or where do I really begin to lock them down.

    All I want is to enable the following:
    They will be logging in through SSH. That's all.

    Mail :-> I have pine in place for this.
    IRC :-> I have irssi + BitchX in place for this.

    I want to give them small account folders, say 50MB (the mail they will have stored within this folder).
    I want to lock them to the account folder (I don't want them to have any way to browse the system outside the account folder).

    So suggestions on ways to do this would be much appreciated or pointing me in the right direction as regards to creating a script that may do this.

    I've checked out various sites on the net that offer free shell accounts but none of them give away the directions on how to do this.


Comments

  • Registered Users, Registered Users 2 Posts: 1,038 ✭✭✭rob1891


    google rbash if you haven't already.


  • Registered Users, Registered Users 2 Posts: 1,865 ✭✭✭Syth


    rob1891 is right, rbash is what you want. The internet society in my college gave us rbash last year. It's very locked down.


  • Hosted Moderators Posts: 7,486 ✭✭✭Red Alert


    but if i didn't like linux already i would have hated it after using rbash! they wouldn't even let me run gunzip! damn netsoc!


  • Registered Users, Registered Users 2 Posts: 1,865 ✭✭✭Syth


    Red Alert wrote:
    but if i didn't like linux already i would have hated it after using rbash! they wouldn't even let me run gunzip! damn netsoc!

    Yes it was a complete pain in the arse. Rubbish for learning. Only good if you want to completely control what people did.


  • Registered Users, Registered Users 2 Posts: 10,846 ✭✭✭✭eth0_


    In a scenario like a netsoc, there are always going to be arseholes who want to wreck it for everyone else, or prove how leet they are by hax0ring around with the server, so I can understand why rbash was used there, even if it is pretty crappy if you want to learn.


  • Registered Users, Registered Users 2 Posts: 1,865 ✭✭✭Syth


    I agree. The best would have been to give everyone rbash by default, and people would have to request a decent shell, which would be monitored, and could be taken away.

    However now they have ksh and it's all good.


  • Registered Users, Registered Users 2 Posts: 1,038 ✭✭✭rob1891


    They had a more open 'jail' (neat FreeBSD thing) available a while ago, I don't know if that is what they still have in place. It's kind of like an operating system within an operating system, so a shell can run in it, and the user can do whatever they want, but they'll never get out of the address space of their mini-os and whatever damage they do inside is more or less irrelevant. With that, you can provide access to a whole lot more programs and not have to worry about exploits and bugs on every one of the 100 applications you might offer (or whatever).

    Of course it's a good bit harder to set up than rbash, and if I were doing it, I'd never be quite sure if what I had was config'd correctly and that it was secure as imagined.


  • Registered Users, Registered Users 2 Posts: 10,846 ✭✭✭✭eth0_


    Jails are brilliant!


  • Hosted Moderators Posts: 7,486 ✭✭✭Red Alert


    think i'll set one up on my web server so people can't hack in from my broadband connection.


  • Closed Accounts Posts: 345 ✭✭tck


    jails are handy, but can be broken out of, if any bit of creativity and determination is held by one of your users - it's not going to stop them


  • Registered Users, Registered Users 2 Posts: 998 ✭✭✭zekiel


    ok I've decided to use rbash but I can't seem to get it to work.

    I create the account with /bin/rbash

    but I'm not sure how to configure rbash or do I even do this, when I assign it I find the user can still cd .. out of a folder. Where am I going wrong here?

    I link it with "ln -s /bin/bash /bin/rbash"

    Then have the account created with /bin/rbash

    But nothing is restricted.. how do I?


  • Registered Users, Registered Users 2 Posts: 1,865 ✭✭✭Syth


    zekiel wrote:
    ok I've decided to use rbash but I can't seem to get it to work.

    I create the account with /bin/rbash

    but I'm not sure how to configure rbash or do I even do this, when I assign it I find the user can still cd .. out of a folder. Where am I going wrong here?

    I link it with "ln -s /bin/bash /bin/rbash"

    Then have the account created with /bin/rbash

    But nothing is restricted.. how do I?

    Hmmm if I remember my horrid experiences with rbash, one could only execute programmes in the $PATH (no slashes allowed in programme calls) and one could not modify the $PATH variable. However cd is a shell builtin command. You could try aliasing it to something, i.e. `alias 'cd='`, that would effectively disable cd-ing. You would then have to make sure your users can't call the alias programme.


  • Registered Users, Registered Users 2 Posts: 1,038 ✭✭✭rob1891


    cd is built-in but rbash restricts its usage. Are you certain that you could not cd?

    as far as config'ing rbash, create a directory for the programs you want them to be able to run, say /usr/rbash/bin and then edit their PATH in their .bash_profile to point to this directory only.
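
Added example, not part of the thread or written by any poster: a shell sketch of the setup described above (an allow-list directory, PATH pinned in .bash_profile, bash linked under the name rbash), followed by probes that confirm each restriction actually holds. It assumes bash is installed; the scratch directory layout and the allowed commands `ls` and `cat` are stand-ins chosen for the demo.

```shell
#!/bin/sh
# Constructed demo: everything lives under a mktemp directory, so it needs no
# root and touches no real account.

# Build the layout from the thread: an allow-list bin directory, a home whose
# .bash_profile pins PATH to it, and bash linked under the name "rbash".
build_restricted_home() {            # $1 = scratch directory
    mkdir -p "$1/rbin" "$1/home"
    for cmd in ls cat; do            # the only programs the user may run
        ln -s "$(command -v "$cmd")" "$1/rbin/$cmd"
    done
    ln -s "$(command -v bash)" "$1/rbash"
    printf 'PATH=%s\nexport PATH\n' "$1/rbin" > "$1/home/.bash_profile"
    # On a real system this file is owned by root and not writable by the
    # user, otherwise the user can simply replace the PATH line.
    chmod 444 "$1/home/.bash_profile"
}

# Run one command line the way a login shell would; return 0 if it was allowed.
# The starting PATH is deliberately wide: only .bash_profile narrows it.
allowed() {                          # $1 = scratch directory, $2 = command line
    ( cd "$1/home" &&
      env -i HOME="$1/home" PATH=/usr/bin:/bin "$1/rbash" -l -c "$2" ) >/dev/null 2>&1
}

# Print one verdict per probe so the lock-down can be checked before the
# account is handed out.
audit() {                            # $1 = scratch directory
    for probe in 'ls' 'cd ..' '/bin/ls' 'id' 'PATH=/usr/bin:/bin' 'ls > listing'; do
        if allowed "$1" "$probe"; then verdict=ALLOWED; else verdict=blocked; fi
        printf '%-22s %s\n' "$probe" "$verdict"
    done
}

scratch=$(mktemp -d)
build_restricted_home "$scratch"
audit "$scratch"
```

Any probe other than `ls` reporting ALLOWED means the shell is not running restricted or the PATH line was not applied.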

