What is the best restricted shell which offers the possibility to control executed commands for each user?
- iron bars shell: good, but man does not work out of the box because commands are executed using a full path, i.e. /usr/bin/nroff -c -mandoc 2>/dev/null
- jailkit : good but difficult to implement sudo in that chroot shell.
1. A bit better than a chroot jail, build a virtual environment and use LXC to create a virtual server for that user. They can do almost anything without impacting the host system (other than load).
2. BTW: Nothing is going to be perfectly what you want "out of the box". An OOTB solution is not the kind of answer you want anyway.
If you want to control exactly what commands a guest can run, I know of nothing better than IBSH. It takes a bit of configuration, but you cannot avoid having to configure your solution.
3. We might have some targeted ideas to offer, if you offer enough details to give us better aim.
I am not looking for an OOTB solution, just something secured, and configurable enough to let a user access sudo in the jail.
I tried jailkit, but I ran into some issues with PAM auth. I disabled the auth for sudo, and things are going OK. Thus, I am wondering if that could lead to security holes.
I also tried ibsh, which is pretty good, but man can't work inside it because it is executing commands with a "/", and I couldn't find a way to avoid it short of modifying the source code of ibsh.
The entire point of a restricted shell or a jail is to restrict access.
The entire point of sudo is to allow access: to provide a way to extend, enhance, or escalate access and privilege.
The two are not very compatible.
Something like LXC or OpenVZ allows you to provide higher (even root) access, but to a server subset that does not affect the security of the host machine.
If you can reduce the commands needed to a narrow list, you can configure sudo to allow enhanced execution of ONLY those commands. Without knowing more about your problem I cannot say what might lead to a solution for you, but I do wish you luck with this.
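A sudoers drop-in along the lines of the reply above, added here as an illustration and not posted by anyone in the thread. The group name `netops`, the file name, the binary paths, the interface `eth0` and the serial device `/dev/ttyS0` are assumptions; tcpdump and minicom are the tools named elsewhere in this thread.

```sudoers
# /etc/sudoers.d/nettools   (hypothetical file name)
# Edit and syntax-check with:  visudo -f /etc/sudoers.d/nettools
# Assumed names: group "netops", interface eth0, device /dev/ttyS0.
# Binary paths differ between distributions; confirm them before use.

# When a command is listed with arguments, the user's command line must
# match it in full. Listing exact invocations (no wildcards) keeps users
# from adding tcpdump options such as -w (write a file as root) or
# -z (run a command after rotating a capture file).
Cmnd_Alias NET_CAPTURE    = /usr/sbin/tcpdump -n -i eth0, \
                            /usr/sbin/tcpdump -n -i eth0 -c 100
Cmnd_Alias SERIAL_CONSOLE = /usr/bin/minicom -D /dev/ttyS0

# noexec stops the privileged program from executing further programs,
# which covers shell escapes and helper programs started from minicom.
# It relies on the dynamic linker, so it does not bind static binaries.
Defaults!NET_CAPTURE    noexec
Defaults!SERIAL_CONSOLE noexec

# Ask for the password on every invocation instead of caching it.
Defaults:%netops timestamp_timeout=0

# No NOPASSWD tag: authentication through PAM stays enabled.
# Only the listed command lines may run as root; everything else is denied.
%netops ALL = (root) NET_CAPTURE, SERIAL_CONSOLE
```

Members of the assumed group can check what they are allowed to run with `sudo -l`.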
Yes, after looking at containers, it is not exactly what I need.
I need to give users/groups restricted permission to a single server; they should be able to use only a restricted amount of commands by default. Those are really basic, i.e. ls, cd, cat, grep, egrep, vi, man, ping, nslookup, ssh, scp, and give elevated privilege to a set of users inside the jail to run minicom, tcpdump and other network tools.
I guess (tell me if I am wrong) a jail shell seems to be the solution, and on top of that add sudo as an allowed command so that a few users can have the privilege to execute commands that need to run as root.
Restricting users then allowing them to be unrestricted makes little sense to me. Either they are trusted or they are not.
If they are NOT trusted, but you still need them to be able to troubleshoot (or just shoot) your network:
I would set up one or more virtual servers that can do all they require. Give them accounts and sudo access to do what they need. Image those servers so that you can quickly restore them to clean and functional condition.
Let them run, crash, perhaps destroy those v-servers if they need to: you can restore it as often as needed. (And find out which ones were trustworthy during the process!)
OpenVZ is the perfect tool for this, LXC will also work though it is not as mature. Possibly other virtualization would work, but I doubt if anything else is as thin and efficient as the kernel based solutions OpenVZ and LXC.