1. A bit better than a chroot jail, build a virtual environment and use LXC to create a virtual server for that user. They can do almost anything without impacting the host system (other than load).
2. BTW: Nothing is going to be perfectly what you want "out of the box". An OOTB solution is not the kind of answer you want anyway.
If you want to control exactly what commands a guest can run, I know of nothing better than IBSH. It takes a bit of configuration, but you cannot avoid having to configure your solution.
3. We might have some targeted ideas to offer, if you offer enough details to give us better aim.
I am not looking for an OOTB solution, just something secured, and configurable enough to let a user access sudo in the jail.
I made some attempts with jailkit, but I ran into some issues with PAM auth. I disabled the auth for sudo, and things are going OK. Thus, I am wondering if that could lead to security holes.
I also made some attempts with ibsh, which is pretty good, but man can't work inside it because it is executing commands with a "/", and I couldn't find a way to avoid it other than modifying the source code of ibsh.
The entire point of a restricted shell or a jail is to restrict access.
The entire point of sudo is to allow access: to provide a way to extend, enhance, or escalate access and privilege.
The two are not very compatible.
Something like LXC or OpenVZ allows you to provide higher (even root) access, but to a server subset that does not affect the security of the host machine.
If you can reduce the commands needed to a narrow list, you can configure sudo to allow enhanced execution of ONLY those commands. Without knowing more about your problem I cannot say what might lead to a solution for you, but I do wish you luck with this.
Yes, after looking at containers, it is not exactly what I need.
I need to give users/groups restricted permission to a single server; they should be able to use only a restricted number of commands by default. Those are really basic, i.e. ls, cd, cat, grep, egrep, vi, man, ping, nslookup, ssh, scp, and give elevated privilege to a set of users inside the jail to run minicom, tcpdump and other network tools.
I guess (tell me if I am wrong) a jail shell seems to be the solution, and on top of that add sudo as an allowed command so that a few users can have the privilege to execute commands that need to be running as root.
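The narrow command list suggested earlier in the thread, written out as a sudoers drop-in for the two tools named above. This is an added example, not configuration posted by anyone in the thread; the group `netdiag`, the file name, the interface `eth0`, the device `/dev/ttyS0` and the binary paths are assumptions.

```sudoers
# /etc/sudoers.d/netdiag   (hypothetical file name; create it with
#                           `visudo -f /etc/sudoers.d/netdiag`)
# Constructed example. Group, interface, serial device and binary paths are
# assumptions; confirm the paths with `command -v tcpdump minicom`.

# Commands are given by absolute path with their full argument list, so a
# rule matches that exact invocation and nothing else. No wildcards are used:
# in sudoers a `*` in the argument list also matches spaces, so it would
# admit extra options appended by the user.
Cmnd_Alias NET_CAPTURE    = /usr/sbin/tcpdump -n -i eth0, \
                            /usr/sbin/tcpdump -n -i eth0 -c 100
Cmnd_Alias SERIAL_CONSOLE = /usr/bin/minicom -D /dev/ttyS0

# Per-group defaults: clean environment, fixed PATH for the elevated command,
# and every elevated invocation recorded in its own log file.
Defaults:%netdiag env_reset
Defaults:%netdiag secure_path="/usr/sbin:/usr/bin:/sbin:/bin"
Defaults:%netdiag logfile="/var/log/sudo-netdiag.log"

# Members of netdiag may run only the aliased commands, only as root.
# NOEXEC stops the elevated program from launching further programs
# (effective for dynamically linked binaries; helper programs the tool would
# normally start are blocked as well).
# There is no NOPASSWD tag, so sudo still authenticates the user through PAM.
%netdiag ALL = (root) NOEXEC: NET_CAPTURE, SERIAL_CONSOLE

# Everyone outside the group gets no rule from this file, and sudo denies
# anything that no rule matches.
```

Check the syntax with `visudo -cf /etc/sudoers.d/netdiag`, then confirm what a given account is actually allowed with `sudo -l -U <user>`.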
Restricting users then allowing them to be unrestricted makes little sense to me. Either they are trusted or they are not.
If they are NOT trusted, but you still need them to be able to troubleshoot (or just shoot) your network:
I would set up one or more virtual servers that can do all they require. Give them accounts and sudo access to do what they need. Image those servers so that you can quickly restore them to clean and functional condition.
Let them run, crash, perhaps destroy those v-servers if they need to: you can restore it as often as needed. (And find out which ones were trustworthy during the process!)
OpenVZ is the perfect tool for this, LXC will also work though it is not as mature. Possibly other virtualization would work, but I doubt if anything else is as thin and efficient as the kernel based solutions OpenVZ and LXC.