LinuxQuestions.org
Welcome to the most active Linux Forum on the web.
Go Back   LinuxQuestions.org > Forums > Linux Forums > Linux - Newbie
User Name
Password
Linux - Newbie This Linux forum is for members that are new to Linux.
Just starting out and have a question? If it is not in the man pages or the how-to's this is the place!

Notices


Reply
  Search this Thread
Old 06-03-2012, 11:16 PM   #1
fredo2906
LQ Newbie
 
Registered: May 2012
Posts: 11

Rep: Reputation: Disabled
Question Jail shell


A question for geeks...

What is the best restricted shell which offer the possibility to control executed commands for each users?

- iron bars shell : good but man does not work out of the box because commands are executed using a full path ie. /usr/bin/nroff -c -mandoc 2>/dev/null

- jailkit : good but difficult to implement sudo in that chroot shell.

Any other? Which one is the best for you?
 
Old 06-04-2012, 12:35 AM   #2
EricTRA
LQ Guru
 
Registered: May 2009
Location: Gibraltar, Gibraltar
Distribution: Fedora 20 with Awesome WM
Posts: 6,805
Blog Entries: 1

Rep: Reputation: 1295Reputation: 1295Reputation: 1295Reputation: 1295Reputation: 1295Reputation: 1295Reputation: 1295Reputation: 1295Reputation: 1295
Hello,

You can have a pretty restricted Bash shell by invoking it with the -r parameter. Have a look at the man page for more detail.

Kind regards,

Eric
 
Old 06-04-2012, 12:42 PM   #3
wpeckham
Senior Member
 
Registered: Apr 2010
Location: Continental USA
Distribution: Debian, Ubuntu, Fedora, RedHat, DSL, Puppy, CentOS, Knoppix, Mint-DE, Sparky, Vsido, tinycore, Q4OS
Posts: 2,134

Rep: Reputation: 849Reputation: 849Reputation: 849Reputation: 849Reputation: 849Reputation: 849Reputation: 849
Better than chroot

1. A bit better than a chroot jail, build a virtual environment and use LXC to create a virtual server for that user. They can do almost anything without impacting the host system (other than load).

2. BTW: Nothing is going to be perfectly what you want "out of the box". An OOTB solution is not the kind of answer you want anyway.
If you want to control exactly what commands a guest can run, I know of nothing better than IBSH. IT takes a bit of configuration, but you cannot avoid having to configure your solution.

3. We might have some targeted ideas to offer, if you offer enough details to give us better aim.
 
1 members found this post helpful.
Old 06-04-2012, 11:38 PM   #4
fredo2906
LQ Newbie
 
Registered: May 2012
Posts: 11

Original Poster
Rep: Reputation: Disabled
Hi,

Thanks for the info.

I am not looking for an OOTB solution, just something secured, and configurable enough to let a user access sudo in the jail.
I did tries with jailkit, but I get into some issue with pam auth. I disabled the auth for sudo, and things are going ok. Thus, wondering if that could lead to security holes.

I also did some tries with ibsh, that is pretty good but man cant work inside it because it is executing commands with a "/", and I couldnt find a way to avoid it unless modifying the source code of ibsh.

Well, lxc looks very good, elegant solution.
 
Old 06-06-2012, 04:28 AM   #5
wpeckham
Senior Member
 
Registered: Apr 2010
Location: Continental USA
Distribution: Debian, Ubuntu, Fedora, RedHat, DSL, Puppy, CentOS, Knoppix, Mint-DE, Sparky, Vsido, tinycore, Q4OS
Posts: 2,134

Rep: Reputation: 849Reputation: 849Reputation: 849Reputation: 849Reputation: 849Reputation: 849Reputation: 849
jail

The entire point of a restricted shell or a jail is to restrict access.
The entire point of sudo is to allow access is to provide a way to extend, enhance, or escalate access and privelage.

The two are not very compatible.

Something like LXC or OpenVZ allows you to provide higher (even root) access, but to a server subset that does not affect the security of the host machine.

If you can reduce the commands needed to a narrow list, you can configure sudo to allow enhanced execution of ONLY those commands. Without knowing more about your problem I cannot say what might lead to a solution for you, but I do wish you luck with this.
 
Old 06-06-2012, 08:26 PM   #6
fredo2906
LQ Newbie
 
Registered: May 2012
Posts: 11

Original Poster
Rep: Reputation: Disabled
Yes, after looking at containers, it is not exactly what I need.

I need to give users/groups restricted permission to a single server, they should be able to use only a restricted amount of commands by default. Those are really basics, ie ls. cd. cat. grep. egrep. vi. man. ping. nslookup. ssh. scp. and give elevated privilege to a set of users inside the jail to run minicom, tcpdump and other network tools.

I guess (tell me if I am wrong), a jail shell seems to be the solution and on top of that add sudo as an allowed command so that few users can priviledge to execute commands that need to be running as root.

Fred.
 
Old 06-07-2012, 10:00 AM   #7
wpeckham
Senior Member
 
Registered: Apr 2010
Location: Continental USA
Distribution: Debian, Ubuntu, Fedora, RedHat, DSL, Puppy, CentOS, Knoppix, Mint-DE, Sparky, Vsido, tinycore, Q4OS
Posts: 2,134

Rep: Reputation: 849Reputation: 849Reputation: 849Reputation: 849Reputation: 849Reputation: 849Reputation: 849
Another plan

Restricting users then allowing them to be unrestricted makes little sense to me. Either they are trusted or they are not.

If they are NOT trusted, but you still need them to be able to troubleshoot (or just shoot) your network:
I would set up one or more virtual servers that can do all they require. Give them accounts and sudo access to do what they need. Image those servers so that you can quickly restore them to clean and funtional condition.


Let them run, crash, perhaps destroy those v-servers if they need to: you can restore it as often as needed. (And find out which ones were trustworthy during the process!)

OpenVZ is the perfect tool for this, LXC will also work though it is not as mature. Possibly other virtualization would work, but I doubt if anything else is as thin and efficient as the kernel based solutions OpenVZ and LXC.


Good luck!
 
  


Reply


Thread Tools Search this Thread
Search this Thread:

Advanced Search

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is Off
HTML code is Off



Similar Threads
Thread Thread Starter Forum Replies Last Post
[SOLVED] Chroot jail or Root jail bayprince Linux - Newbie 3 07-25-2011 07:43 PM
[SOLVED] chroot jail problem: 'empty' jail MatrixS_Master Linux - Security 4 03-27-2010 06:25 AM
Jail problem tipa Linux - Security 1 03-15-2006 10:29 AM
IMAP Jail FinnNetworks Linux - Software 0 03-08-2004 02:08 PM
Jail? Hoops66 *BSD 1 09-11-2003 06:45 AM


All times are GMT -5. The time now is 07:53 PM.

Main Menu
Advertisement
My LQ
Write for LQ
LinuxQuestions.org is looking for people interested in writing Editorials, Articles, Reviews, and more. If you'd like to contribute content, let us know.
Main Menu
Syndicate
RSS1  Latest Threads
RSS1  LQ News
Twitter: @linuxquestions
Facebook: linuxquestions Google+: linuxquestions
Open Source Consulting | Domain Registration