Unix/Linux Go Back    


Security Discuss UNIX and Linux computer and network security, cyber security, cyber attacks, IT security, and more.

Restricted user

Security


Tags
linux commands, unix commands

Closed    
 
Thread Tools Search this Thread Display Modes
    #1  
Old Unix and Linux 04-18-2002   -   Original Discussion by LivinFree
LivinFree's Unix or Linux Image
LivinFree LivinFree is offline Forum Advisor  
Goober Extraordinaire
 
Join Date: Jul 2001
Last Activity: 16 June 2011, 4:50 PM EDT
Location: Portland, OR, USA
Posts: 1,626
Thanks: 2
Thanked 15 Times in 13 Posts
Restricted user

A few of the other employees here need to learn "vi" in order to use crontab to schedule / unschedule jobs on one of our production servers. I tried to set up a login on one of my Linux boxes for them to use "vimtutor", but scrapped it and decided to try for something more secure, since there are expect scripts on this box to aid them in some jobs on other servers, and the passwords for the various accounts / services should not be known. I am the only person with a usable interactive account on this machine. Here are the steps I took:
In /etc/lilo.conf, I added "password=*****" and "restricted" lines, so that no one could bring the box up in single-user without a password. It does, however still have a floppy and cdrom drive that could bring it up - that is one of major weaknesses now, although there are only 5 or 6 people who could get physical access to it anyways. Let's pray that works out OK Linux
I added a user (named tutor). Here is the /etc/passwd entry:
tutor:x:1009:99:vimtutor login:/home/tutor:/bin/rbash
GID 99 is "nogroup".

Here is the contents of the /home/tutor directory:

Code:
/home/tutor$ ls -lia
total 24
 163281 drwxrwx---   3 tutor    admin        4096 Apr 18 03:01 ./
 881283 drwxrwxr-x   9 root     root         4096 Apr 17 22:02 ../
 163287 -rw-r-----   1 tutor    admin           1 Apr 18 02:52 .bash_history
 163288 -r--rw----   2 tutor    admin         457 Apr 18 03:05 .bash_profile
 163288 -r--rw----   2 tutor    admin         457 Apr 18 03:05 .bashrc
 163282 d-wxrwx---   2 tutor    admin        4096 Apr 18 03:09 tmp/
/home/tutor$ lsattr -a
-------- ./.
-------- ./..
-----a-- ./.bash_history
----i--- ./.bash_profile
-------- ./tmp
----i--- ./.bashrc

The permissions allow me (I am the admin group) to watch and modify files in the directory, but disallows editing/truncating (although it allows appending) of the .bash_history file, and makes the .bash_profile/.bashrc (they are the hardlinked) immutable. Even their own tmp dir is not listable, but more on that later.

The login shell, rbash, is a restricted bash environment that will not let you execute anything with a "/" in the path from the command line (it has to be in your path), and disallows the "cd" command. It also keeps many variables used by bash read-only, locks down the hash, set, command, enable, exec, ., and enable command, and disables the use of re-directors ( > , for example).
A common problem with restricted shells is that you can typically just type "sh" to execute a new shell and effectively "break out". To prevent this, I simply set the $PATH to null... there should be no interaction with the shell anyways. rbash will, however, allow you to specify applications by full path in the startup scripts. Check out the .bash_profile/.bashrc:

Code:
PATH=""
umask 007

export PATH

# Need this so vi works with 
# stupid Windows telnet... who the hell uses "ansi" anyways?
if [ "$TERM" = "ansi" ]; then export TERM=vt100; /usr/X11R6/bin/resize; fi

tutorial () {
TUTORCOPY=/home/tutor/tmp/tutor$$
export TUTORCOPY
/usr/bin/rvim -u NONE -c 'e $VIMRUNTIME/tutor/tutor' -c 'w! $TUTORCOPY' -c 'q'
/usr/bin/rvim -u NONE -c "set nocp" $TUTORCOPY
/bin/rm -f $TUTORCOPY
}
tutorial; /usr/bin/clear; exit

I've actually set it up to run the "vimtutor" program implemented in the .bash* rather than in a seperate script - as it exits, it should clear the screen and exit the shell. Also, vim is run in restricted mode, so no shell escapes are allowed, and it ignores the ^Z sequence to background it. It should technically not allow anyone out of vim.

I figure that nothing's perfect, so to mitigate the risk of a possible "escape", I made sure that key files (.b* and tmp/) are not able to be manipulated by the user. Even if they got "out", they couldn't even "ls", although "echo * .[a-z]*" would still give them a little info...

At one point, I was going to allow limited command access to the shell via using soft-linked commands in their own personal bin/ directory with the PATH=/home/tutor/bin . I realized very quickly though, that they could fuddle their way around a little, like using cp or cat to grap a copy of /bin/sh. I suppose I could have made bin/ non-writeable by them, but once you lock it down as much as I would have, there's no point in shell access, right? Let's just save ourselves the troubles and give shell access on a per-user basis (possibly set up a large chroot'd area for restricted users).

I think I have covered all (or at least most) of my steps...

Now the challenge! Can anyone find a way to break out?
I want this to be as tight as it reasonably can without removing the functionality altogether...

Look forward to your feedback!

Last edited by LivinFree; 04-18-2002 at 08:25 AM..
Sponsored Links
    #2  
Old Unix and Linux 04-18-2002   -   Original Discussion by LivinFree
Perderabo's Unix or Linux Image
Perderabo Perderabo is offline Forum Advisor  
Unix Daemon (Administrator Emeritus)
 
Join Date: Aug 2001
Last Activity: 26 February 2016, 12:31 PM EST
Location: Ashburn, Virginia
Posts: 9,930
Thanks: 64
Thanked 471 Times in 271 Posts
The shells are programming languages with considerable power, enough to reproduce most unix commands. This is why the restricted shells fail.


Code:
xxls() { while (($#)) ; do echo "$1" ; shift ; done ; }
xxcat() { while read l ; do echo "$1" ; done < $1 ; }
xxls /etc/pass*
xxcat /etc/passwd

That's already a good start and it's only the very tip of the iceberg.
Sponsored Links
Closed

Thread Tools Search this Thread
Search this Thread:

Advanced Search
Display Modes

Linux More UNIX and Linux Forum Topics You Might Find Helpful
Thread Thread Starter Forum Replies Last Post
Restricted user lo-lp-kl AIX 1 02-17-2011 11:47 PM
create a restricted user reyazan Solaris 2 10-29-2010 04:15 AM
User should be restricted moving a folder perlamohan UNIX for Dummies Questions & Answers 6 10-24-2009 08:23 PM
Need to create a restricted user(Centos) ankushpandit UNIX for Dummies Questions & Answers 4 09-09-2009 04:41 PM
A user with restricted ftp access to a folder dwiravi AIX 1 07-28-2009 04:31 AM



All times are GMT -4. The time now is 07:01 PM.