[PLUG] setting up SSH to chroot to user homeDir
Chris Dawson
xrdawson at gmail.com
Fri Jul 21 18:02:30 UTC 2006
This worked for me using rbash:
Create an account where login shell is rbash. Create a .bashrc like
this in the user's home directory:
PATH=/opt/wiab/binary_data/upload/bin
PS1='Master Upload # '
I symlinked only the applications I wanted into
/opt/wiab/binary_data/upload/bin. You can only run those applications
when you are logged in.
Chris
On 7/21/06, Tim Slighter <tcslighter at gmail.com> wrote:
> The rbash idea is a good one but there are still many more steps to take to
> make sure the user stays within that shell and within the confines of their
> home directory. You have to create a directory somewhere like /usr/progs
> and put the binaries and only the binaries that you want the user to have
> access to and then declare that directory as the user's only path in their
> .bash_profile or .bashrc or both. Better off if any programs with potential
> shell escapes like pine, vi, emacs etc., are all replaced with a restricted
> version of the binary such as rvi or rvim, etc. You will also need to
> declare restrictive aliases for each user to prevent them from accessing any
> other shells so declare an alias for ksh to /bin/rbash and csh ->
> /bin/rbash, so what you are doing here is making sure that any shell they
> attempt to get to will always put them back into and keep them in rbash.
> Make sure also that you prevent them from using the unalias command by
> declaring that to /bin/rbash as well and then you must prevent the user from
> modifying the file so do a chattr +i on the .bashrc or .bash_profile files
> in their home directories. I did manage to do this but it was a pain and
> quite a bit of work and a lot of trial and error. Feel free to ask
> questions if you need help with this.
>
> On 7/21/06, Larry Brigman <larry.brigman at gmail.com> wrote:
> >
> > On 7/20/06, Josh Orchard <josh at emediatedesigns.com> wrote:
> > > Hello all,
> > >
> > > Been looking about the wonderful web and reading about how I could
> > > achieve this but all that I've found makes it sound like I need to setup
> > > yet another customer product of sorts. So...
> > >
> > > Is there a way that I can configure SSHD to allow clients to login but
> > > be chrooted to their home directory?
> > >
> > > FTP does this well and I would like to have it do the same for SSHD.
> > > I'm actually surprised this isn't a configuration option on OpenSSH as
> > > it would make sense that you would want to allow certain shell access
> > > but not allow all people to go about browsing your entire server.
> > >
> > > So, is this possible? Do I need some sort of custom SSH or is there
> > > another program I can use to give secure Shell access?
> > >
> >
> > What about setting the user's shell to rbash or bash -r?
> >
> > From the bash man page:
> > RESTRICTED SHELL
> > If bash is started with the name rbash, or the -r option is supplied at
> > invocation, the shell becomes restricted. A restricted shell is used to
> > set up an environment more controlled than the standard shell. It behaves
> > identically to bash with the exception that the following are disallowed
> > or not performed:
> >
> > changing directories with cd
> > setting or unsetting the values of SHELL, PATH, ENV, or BASH_ENV
> > specifying command names containing /
> > specifying a file name containing a / as an argument to the . builtin command
> > specifying a filename containing a slash as an argument to the -p option to the hash builtin command
> > importing function definitions from the shell environment at startup
> > parsing the value of SHELLOPTS from the shell environment at startup
> > redirecting output using the >, >|, <>, >&, &>, and >> redirection operators
> > using the exec builtin command to replace the shell with another command
> > adding or deleting builtin commands with the -f and -d options to the enable builtin command
> > using the enable builtin command to enable disabled shell builtins
> > specifying the -p option to the command builtin command
> > turning off restricted mode with set +r or set +o restricted.
> > _______________________________________________
> > PLUG mailing list
> > PLUG at lists.pdxlinux.org
> > http://lists.pdxlinux.org/mailman/listinfo/plug
> >
>
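The rbash setup Chris and Tim describe above (restricted login shell, a bin directory of symlinks as the only PATH, aliases sending other shell names back to rbash, immutable rc files), written out as an added example that is not code from the thread. The bin directory path, the deny list and setup_jail's paths are assumptions; the aliases target the bare name rbash linked into the bin directory rather than /bin/rbash, because rbash rejects command names containing a slash, as the quoted man page states.

```shell
#!/bin/sh
# Added example, not code from the thread: build and audit an rbash jail for
# one account. The bin dir, the deny list and setup_jail's paths are assumptions;
# aliases target the bare name rbash (linked into the bin dir) because rbash
# rejects command names containing a slash, as the quoted man page states.
# Programs the thread names as having shell escapes, plus unrestricted shells.
SHELL_ESCAPE_PROGS="pine vi vim emacs sh bash ksh csh"
# make_restricted_bin DIR CMD... : create DIR and symlink each allowed CMD into it
make_restricted_bin() {
    dir=$1; shift
    mkdir -p "$dir" || return 1
    for cmd in "$@"; do
        src=$(command -v "$cmd") || { echo "not found: $cmd" >&2; return 1; }
        ln -sf "$src" "$dir/$cmd" || return 1
    done
}
# write_restricted_rc HOME DIR : the .bashrc/.bash_profile rbash reads at login
write_restricted_rc() {
    home=$1; dir=$2
    cat > "$home/.bashrc" <<EOF
PATH=$dir
PS1='Master Upload # '
# PATH is the real control; these aliases only send shell names back to rbash.
alias sh=rbash bash=rbash ksh=rbash csh=rbash unalias=rbash
EOF
    cp "$home/.bashrc" "$home/.bash_profile"
}
# audit_jail HOME DIR : 0 if the jail still matches the layout above, else 1
audit_jail() {
    home=$1; dir=$2; rc=0
    grep -qxF "PATH=$dir" "$home/.bashrc" || { echo "PATH line altered" >&2; rc=1; }
    for entry in "$dir"/*; do
        [ -e "$entry" ] || [ -L "$entry" ] || continue   # empty dir leaves the glob literal
        name=${entry##*/}
        [ -L "$entry" ] || { echo "$name: not a symlink" >&2; rc=1; }
        case " $SHELL_ESCAPE_PROGS " in
            *" $name "*) echo "$name: shell-escape program in jail" >&2; rc=1 ;;
        esac
    done
    return $rc
}
# setup_jail USER : the root-only steps (rbash as login shell, immutable rc files)
setup_jail() {
    user=$1; home=/home/$user; dir=/opt/restricted/$user/bin
    useradd -m -s /bin/rbash "$user" && make_restricted_bin "$dir" rbash ls cat &&
    write_restricted_rc "$home" "$dir" && chown root:root "$home/.bashrc" "$home/.bash_profile" &&
    chattr +i "$home/.bashrc" "$home/.bash_profile" && audit_jail "$home" "$dir"
}
if [ "${1:-}" = "--apply" ] && [ $# -eq 2 ]; then setup_jail "$2"; fi
```

Run audit_jail again after any change to the bin directory; a plain file or an unrestricted editor dropped in there fails the check.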