how do i execute binary on ssh login?

fobster · 05-26-2006, 12:54 PM

I have a program that grabs info from the database and displays it. I created a new user account. The only function of this user account is to execute that program automatically when someone login with this account through ssh. If the program ends or if the user quits the program, the user should be logged out of ssh too. Basically, I dont want ppl to have shell access but just to run this program. How would i accomplish this?

TIA

fobster

macemoneta · 05-26-2006, 01:05 PM

You could set the ~/.bash_profile for the userid to something like:

Code:

function Cleanup_And_Exit_On_Interrupt () {
   logout
}
trap Cleanup_And_Exit_On_Interrupt INT
trap Cleanup_And_Exit_On_Interrupt HUP
trap Cleanup_And_Exit_On_Interrupt QUIT
trap Cleanup_And_Exit_On_Interrupt USR1
trap Cleanup_And_Exit_On_Interrupt TERM

# Get the aliases and functions
if [ -f ~/.bashrc ]; then
        . ~/.bashrc
fi

someprogram
exit

You could also set their shell to a script that just runs the program and logs out.

haertig · 05-26-2006, 01:47 PM

You could also setup ssh to require pubkey authentication and then use "forced commands" specified in the user's authorized_keys2 file. But macemoneta's suggestion is probably simpler and easier to understand. You could also just setup "/path/to/someprogram" as the shell for the restricted user. Double verify there are no shell escapes in someprogram!!!

Something like this in /etc/passwd:

Code:

username:x:1000:1000:User name and phone number:/dev/null:/path/to/someprogram

I'm not sure if you can specify /dev/null as a user's HOME directory. Never tried that. Sounds like a good idea to try, if it works!

fobster · 05-26-2006, 05:04 PM

Quote:

Originally Posted by haertig

You could also setup ssh to require pubkey authentication and then use "forced commands" specified in the user's authorized_keys2 file. But macemoneta's suggestion is probably simpler and easier to understand. You could also just setup "/path/to/someprogram" as the shell for the restricted user. Double verify there are no shell escapes in someprogram!!!

Something like this in /etc/passwd:

Code:

username:x:1000:1000:User name and phone number:/dev/null:/path/to/someprogram

I'm not sure if you can specify /dev/null as a user's HOME directory. Never tried that. Sounds like a good idea to try, if it works!

thanks haertig, modifying /etc/passwd worked, is there anyway to prevent the user from killing the program with Ctrl-C??

haertig · 05-26-2006, 05:46 PM

Quote:

Originally Posted by fobster

thanks haertig, modifying /etc/passwd worked, is there anyway to prevent the user from killing the program with Ctrl-C??

If you're wanting to do this for security reasons, don't bother. Once that program exits, for any reason - normal exit, ctrl-c, etc., - they are logged off. That's why we put it into /etc/passwd as their shell. Normally, a user has a regular shell defined in /etc/password, bash is typical for Linux, and when they exit a program they are dropped back into their shell.

But if the program IS their shell, there's nowhere to drop back to, so they are logged off. Nice and secure.

haertig · 05-26-2006, 06:00 PM

p.s. - Even though this is exactly what I told you to do, it is generally considered a no-no to manually edit your /etc/passwd file. This is because if you screw up your editing and corrupt the file, you may lock yourself out of your system. It's always good to have Knoppix or another LiveCD handly to boot with should you need to save yourself from an editing mistake in a critical file such as this.

That being said, I edit important system files manually all the time. /etc/inittab, /etc/fstab, /etc/X11/xorg.conf, ... etc. I've got backups, and LiveCD's are kept handy for recovery.