A question for geeks...

What is the best restricted shell which offer the possibility to control executed commands for each users?

- iron bars shell : good but man does not work out of the box because commands are executed using a full path ie. /usr/bin/nroff -c -mandoc 2>/dev/null

- jailkit : good but difficult to implement sudo in that chroot shell.

Any other? Which one is the best for you?

Hello,

You can have a pretty restricted Bash shell by invoking it with the -r parameter. Have a look at the man page for more detail.

Kind regards,

Eric

1. A bit better than a chroot jail, build a virtual environment and use LXC to create a virtual server for that user. They can do almost anything without impacting the host system (other than load).

2. BTW: Nothing is going to be perfectly what you want "out of the box". An OOTB solution is not the kind of answer you want anyway.
If you want to control exactly what commands a guest can run, I know of nothing better than IBSH. IT takes a bit of configuration, but you cannot avoid having to configure your solution.

3. We might have some targeted ideas to offer, if you offer enough details to give us better aim.

1 members found this post helpful.

Hi,

Thanks for the info.

I am not looking for an OOTB solution, just something secured, and configurable enough to let a user access sudo in the jail.
I did tries with jailkit, but I get into some issue with pam auth. I disabled the auth for sudo, and things are going ok. Thus, wondering if that could lead to security holes.

I also did some tries with ibsh, that is pretty good but man cant work inside it because it is executing commands with a "/", and I couldnt find a way to avoid it unless modifying the source code of ibsh.

Well, lxc looks very good, elegant solution.

The entire point of a restricted shell or a jail is to restrict access.
The entire point of sudo is to allow access is to provide a way to extend, enhance, or escalate access and privelage.

The two are not very compatible.

Something like LXC or OpenVZ allows you to provide higher (even root) access, but to a server subset that does not affect the security of the host machine.

If you can reduce the commands needed to a narrow list, you can configure sudo to allow enhanced execution of ONLY those commands. Without knowing more about your problem I cannot say what might lead to a solution for you, but I do wish you luck with this.

Yes, after looking at containers, it is not exactly what I need.

I need to give users/groups restricted permission to a single server, they should be able to use only a restricted amount of commands by default. Those are really basics, ie ls. cd. cat. grep. egrep. vi. man. ping. nslookup. ssh. scp. and give elevated privilege to a set of users inside the jail to run minicom, tcpdump and other network tools.

I guess (tell me if I am wrong), a jail shell seems to be the solution and on top of that add sudo as an allowed command so that few users can priviledge to execute commands that need to be running as root.

Fred.

Restricting users then allowing them to be unrestricted makes little sense to me. Either they are trusted or they are not.

If they are NOT trusted, but you still need them to be able to troubleshoot (or just shoot) your network:
I would set up one or more virtual servers that can do all they require. Give them accounts and sudo access to do what they need. Image those servers so that you can quickly restore them to clean and funtional condition.


Let them run, crash, perhaps destroy those v-servers if they need to: you can restore it as often as needed. (And find out which ones were trustworthy during the process!)

OpenVZ is the perfect tool for this, LXC will also work though it is not as mature. Possibly other virtualization would work, but I doubt if anything else is as thin and efficient as the kernel based solutions OpenVZ and LXC.


Good luck!