[PLUG] setting up SSH to chroot to user homeDir

Josh josh at mediacampus.com
Fri Jul 21 23:03:38 UTC 2006


This sounds good but can the user just change the path setting in the 
.bashrc file and then have access to the other files?  You just assume 
they won't know enough for that?

Josh

Chris Dawson wrote:
> This worked for me using rbash:
>
> Create an account where login shell is rbash.  Create a .bashrc like
> this in the user's home directory:
>
> PATH=/opt/wiab/binary_data/upload/bin
> PS1='Master Upload # '
>
> I symlinked only the applications I wanted into
> /opt/wiab/binary_data/upload/bin.  You can only run those applications
> when you are logged in.
>
> Chris
>
> On 7/21/06, Tim Slighter <tcslighter at gmail.com> wrote:
>> The rbash idea is a good one but there are still many more steps to take to
>> make sure the user stays within that shell and within the confines of their
>> home directory.  You have to create a directory somewhere like /usr/progs
>> and put the binaries and only the binaries that you want the user to have
>> access to, and then declare that directory as the user's only path in their
>> .bash_profile or .bashrc or both.  Better off if any programs with potential
>> shell escapes like pine, vi, emacs etc. are all replaced with a restricted
>> version of the binary such as rvi or rvim, etc.  You will also need to
>> declare restrictive aliases for each user to prevent them access to any
>> other shells, so declare an alias for ksh to /bin/rbash and csh ->
>> /bin/rbash; what you are doing here is making sure that any shell they
>> attempt to get to will always put them back into and keep them in rbash.
>> Make sure also that you prevent them from using the unalias command by
>> declaring that to /bin/rbash as well, and then you must prevent the user from
>> modifying the file, so do a chattr +i on the .bashrc or .bash_profile files
>> in their home directories.  I did manage to do this but it was a pain and
>> quite a bit of work and a lot of trial and error.  Feel free to ask
>> questions if you need help with this.
>>
>> On 7/21/06, Larry Brigman <larry.brigman at gmail.com> wrote:
>> >
>> > On 7/20/06, Josh Orchard <josh at emediatedesigns.com> wrote:
>> > > Hello all,
>> > >
>> > > Been looking about the wonderful web and reading about how I could
>> > > achieve this but all that I've found makes it sound like I need to set up
>> > > yet another customer product of sorts.  So...
>> > >
>> > > Is there a way that I can configure SSHD to allow clients to log in but
>> > > be chrooted to their home directory?
>> > >
>> > > FTP does this well and I would like to have it do the same for SSHD.
>> > > I'm actually surprised this isn't a configuration option on OpenSSH as
>> > > it would make sense that you would want to allow certain shell access
>> > > but not allow all people to go about browsing your entire server.
>> > >
>> > > So, is this possible?  Do I need some sort of custom SSH or is there
>> > > another program I can use to give secure Shell access?
>> > >
>> >
>> > What about setting the user's shell to rbash or bash -r?
>> >
>> > From the bash man page:
>> > RESTRICTED SHELL
>> >        If bash is started with the name rbash, or the -r option is supplied at
>> >        invocation, the shell becomes restricted.  A restricted shell is used
>> >        to set up an environment more controlled than the standard shell.  It
>> >        behaves identically to bash with the exception that the following are
>> >        disallowed or not performed:
>> >
>> >              changing directories with cd
>> >              setting or unsetting the values of SHELL, PATH, ENV, or BASH_ENV
>> >              specifying command names containing /
>> >              specifying a file name containing a / as an argument to the .
>> >                 builtin command
>> >              specifying a filename containing a slash as an argument to the
>> >                 -p option to the hash builtin command
>> >              importing function definitions from the shell environment at
>> >                 startup
>> >              parsing the value of SHELLOPTS from the shell environment at
>> >                 startup
>> >              redirecting output using the >, >|, <>, >&, &>, and >> redirection
>> >                 operators
>> >              using the exec builtin command to replace the shell with another
>> >                 command
>> >              adding or deleting builtin commands with the -f and -d options
>> >                 to the enable builtin command
>> >              using the enable builtin command to enable disabled shell
>> >                 builtins
>> >              specifying the -p option to the command builtin command
>> >              turning off restricted mode with set +r or set +o restricted.
>> > _______________________________________________
>> > PLUG mailing list
>> > PLUG at lists.pdxlinux.org
>> > http://lists.pdxlinux.org/mailman/listinfo/plug
>> >
