Don't Allow Exiting from a Script


 
# 1  
Old 06-27-2014
Don't Allow Exiting from a Script

Hello,

I wrote a script and disabled Ctrl+C using

trap ' ' 2

For security, I cannot allow users to exit the script on their own for then they would have access to the command prompt. Are there any other cases that I need to cover?

Thank you. I'm new to scripting.
# 2  
Old 06-27-2014
Do you know what rsh is? A restricted shell. That is more secure than anything you will script.

Basic rsh information for Linux:
Restricted Shells

Also consider chroot jails if you have stringent security requirements.

https://help.ubuntu.com/community/BasicChroot
# 3  
Old 06-27-2014
How are your users logging in? What are they on the computer for?

If it's a desktop login, good luck stopping anyone who knows what he's doing from getting an interactive shell. I've never failed to be able to get an interactive shell from a desktop login no matter how "locked down" it supposedly was.

Restricted shells and chroot jails - as already mentioned - are just about your only options.

Also, I question the logic behind not allowing anyone to have an interactive shell. What are they going to be able to do with an interactive shell that they couldn't do anyway? What any user can learn from an arbitrary computer is defined by the system calls he has access to, and the files visible to him. The tools used to make those system calls and view those files are irrelevant. Thinking that removing access to an interactive shell improves security shows a lack of understanding regarding true security. That's like saying no one can have a 16 oz claw hammer when there are 20 oz ones readily available.
# 4  
Old 06-27-2014
It is quite possible to specify a shell script (or other application program) as a login shell in /etc/passwd. Then, when that user logs in, all they get is access to that program. If they break out of that program, they're back to a login prompt. But, if the application program specified as the login shell has a shell escape mechanism, the system is theirs to play with as they see fit.
# 5  
Old 06-28-2014
I would just like to link up to the chroot, it is available directly in openssh.

Simple directive in sshd_config will enable sftp chroot, and users or groups will be limited by it.
If you follow best practice it will be impossible to exit the jail.

As for scripts or profiles which limit the user, there is a lot of code to be written besides one trap, and it is hard to limit a savvy person (it is doable perhaps, but the effort will be great).

Perhaps, if you elaborate which is the exact requirement for that user to do on server, folks might help further.
# 6  
Old 07-02-2014
still trying

Thank you everyone who responded, I'm going through in no particular order.

I would be very interested to do this:

"It is quite possible to specify a shell script (or other application program) as a login shell in /etc/passwd."

I need more information in order to follow up with it though. I tried googling the topic.


I do understand that I need to modify the permissions so that even if the user is to break out of the script, they cannot do anything I wouldn't want them to anyways.
# 7  
Old 07-02-2014
Quote:
Originally Posted by fzivkovi
Thank you everyone who responded, I'm going through in no particular order.

I would be very interested to do this:

"It is quite possible to specify a shell script (or other application program) as a login shell in /etc/passwd."

I need more information in order to follow up with it though. I tried googling the topic.


I do understand that I need to modify the permissions so that even if the user is to break out of the script, they cannot do anything I wouldn't want them to anyways.
Permissions aren't the issue (as long as your users can't modify the script you're letting them run). The whole point is that if they control-C out of the script, they fall back to a login prompt, not to a shell prompt.

What you have to be careful about is any interactive commands that you let your users access from your script. For instance, if you let them use ed, ex, sed, or vi to edit a file, they can get a shell escape from those editors to run anything they want (including an unrestricted shell). Some editors have an option to restrict the ability to do this, but these options are not standardized (so you need to check the man page for any editor you want to allow your users to use for an option such as -r or a command name like red or rvim that will start the editor you want your users to use in restricted mode on your system).

If you want to see a very simple example, create a new user with login name date with or without a password. Set the login shell for that user to the path to the date utility on your system (probably /bin/date or /usr/bin/date). When someone logs in to your system using the login name date, they'll see the current date and immediately go back to a login prompt.

Just remember that since you didn't login with bash, or ksh, or some other normal shell, the initialization scripts those shells run when you login are not run. So, your script will need to initialize any environment variables it needs to run just like you need to do if you run a script from a cron job.
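A script written to be used as a login shell in the way posts #4 and #7 describe, as an added example that is not part of the thread: it sets its own environment because no profile is sourced, ignores the keyboard signals beyond SIGINT that the first post's trap misses, and only ever runs a fixed list of non-interactive commands, so there is no editor or pager with a shell escape to get out through. The menu entries are assumptions chosen for illustration.

```shell
#!/bin/sh
# Added example (not from the thread): a menu intended as a user's login
# shell in /etc/passwd. The menu entries are assumptions for illustration.

# Nothing sources ~/.profile for a login shell like this, so set the
# environment explicitly, exactly as for a script run from cron.
PATH=/usr/bin:/bin
export PATH
umask 077

# Ignore SIGINT (Ctrl+C), SIGQUIT (Ctrl+\) and SIGTSTP (Ctrl+Z). A trap on
# signal 2 alone leaves the other two open. SIGHUP is deliberately not
# trapped so a dropped connection still ends the session.
trap '' INT QUIT TSTP

# Every entry is a literal command chosen here; the user's input is only
# ever compared against fixed strings, never passed to eval or a shell.
# Returns 0 when the choice was valid, 1 otherwise.
run_choice() {
    case "$1" in
        1) date ;;
        2) id ;;
        3) df -h . ;;
        *) printf 'unknown choice: %s\n' "$1" >&2; return 1 ;;
    esac
}

# Returns 0 when the input means "quit" (q, or end of input).
is_quit() {
    [ "$1" = q ]
}

menu_loop() {
    while :; do
        printf '1) date  2) id  3) disk usage  q) quit\nchoice> '
        # EOF (Ctrl+D, or the connection going away) ends the session too.
        IFS= read -r choice || break
        is_quit "$choice" && break
        run_choice "$choice"
    done
    # Falling off the end returns control to login(1): a login prompt,
    # not a shell prompt.
}

# login(1) starts a login shell with argv[0] prefixed by "-", so the loop
# runs only in that case; sourcing or testing the file does not start it.
case "$0" in
    -*) menu_loop ;;
esac
```

To install it, copy the script somewhere the user cannot write (for example /usr/local/bin/menu), make it executable, add that path to /etc/shells if your login programs require it, and set it as the user's shell with `chsh -s /usr/local/bin/menu username`. To try the loop by hand as the current user in bash, `exec -a -menu /usr/local/bin/menu` gives it the leading dash a real login would.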