LinuxQuestions.org
Download your favorite Linux distribution at LQ ISO.
Go Back   LinuxQuestions.org > Forums > Linux Forums > Linux - Security
User Name
Password
Linux - Security This forum is for all security related questions.
Questions, tips, system compromises, firewalls, etc. are all included here.

Notices

Reply
 
LinkBack Search this Thread
Old 05-07-2013, 06:06 AM   #1
gm33
LQ Newbie
 
Registered: May 2013
Posts: 4

Rep: Reputation: Disabled
Looking for a way to jail a process/user in directory


Hello,

I'm creating a game hosting control panel,
It makes people able to manage their gameservers wich is hosted on dedicated servers threw a simple php made control panel.
The communication between the control panel and the dedicated servers is all managed, but i'm stuck at 1 big problem!
And as i looked at another game hoster (with custom panel)
I seen he was able to start his gameserver process in a jailed directory, and when i tried to execute shell by using the gameserver process, it just returned nothing on everything i executed!

Example:
Gameserver path: /home/servers/12345/
Gameserver executable: /home/servers/12345/gameserver
This user has to be jailed within the Gameserver path, but must be able to have the process started on his name.

Thanks in advance.

Last edited by gm33; 05-07-2013 at 06:07 AM. Reason: Edit: i'm using CentOS 6.3
 
Old 05-07-2013, 08:08 AM   #2
pan64
Senior Member
 
Registered: Mar 2012
Location: Hungary
Distribution: debian i686 (solaris)
Posts: 4,001

Rep: Reputation: 1003Reputation: 1003Reputation: 1003Reputation: 1003Reputation: 1003Reputation: 1003Reputation: 1003Reputation: 1003
are you looking for restricted shell?
https://www.gnu.org/software/bash/ma...ted-Shell.html
 
Old 05-07-2013, 08:11 AM   #3
gm33
LQ Newbie
 
Registered: May 2013
Posts: 4

Original Poster
Rep: Reputation: Disabled
I tried that out! rbash, but if you just type bash, you are able to use bash...
 
Old 05-07-2013, 08:15 AM   #4
pan64
Senior Member
 
Registered: Mar 2012
Location: Hungary
Distribution: debian i686 (solaris)
Posts: 4,001

Rep: Reputation: 1003Reputation: 1003Reputation: 1003Reputation: 1003Reputation: 1003Reputation: 1003Reputation: 1003Reputation: 1003
so in that case the environment is not ok. You need to set up an environment (especially PATH) before executing rbash. It will ensure that the user will not have access to "illegal" tools.
I would suggest you to collect your apps into /usr/local/restricted/bin and set PATH to there and remove /usr/bin and /bin
there can be other solution
 
Old 05-08-2013, 01:05 AM   #5
unSpawn
Moderator
 
Registered: May 2001
Posts: 26,534
Blog Entries: 51

Rep: Reputation: 2603Reputation: 2603Reputation: 2603Reputation: 2603Reputation: 2603Reputation: 2603Reputation: 2603Reputation: 2603Reputation: 2603Reputation: 2603Reputation: 2603
See http://www.linuxquestions.org/questi...tempts-340366/
 
Old 05-08-2013, 10:06 AM   #6
gm33
LQ Newbie
 
Registered: May 2013
Posts: 4

Original Poster
Rep: Reputation: Disabled
Quote:
Originally Posted by unSpawn View Post
Do you mean the AllowUsers variable in the sshd_config?

i still have no clue how to do this the best way!

Quote:
Originally Posted by pan64
so in that case the environment is not ok. You need to set up an environment (especially PATH) before executing rbash. It will ensure that the user will not have access to "illegal" tools.
I would suggest you to collect your apps into /usr/local/restricted/bin and set PATH to there and remove /usr/bin and /bin
there can be other solution
the user should not have access to execute any ssh command at all! BUT it needs to be able to run the gameserver!
 
Old 05-09-2013, 12:55 AM   #7
unSpawn
Moderator
 
Registered: May 2001
Posts: 26,534
Blog Entries: 51

Rep: Reputation: 2603Reputation: 2603Reputation: 2603Reputation: 2603Reputation: 2603Reputation: 2603Reputation: 2603Reputation: 2603Reputation: 2603Reputation: 2603Reputation: 2603
Quote:
Originally Posted by gm33 View Post
Do you mean the AllowUsers variable in the sshd_config?
Sorry, wrong link, please ignore.


Quote:
Originally Posted by gm33 View Post
i still have no clue how to do this the best way!
the user should not have access to execute any ssh command at all! BUT it needs to be able to run the gameserver!
Any form of virtualization in which a user runs processes inside its own container obviously offers a stronger form of isolation. So IMHO it depends on the specific capabilities of your platform, or phrased differently: how generic the solution should be. The strongest compartmentalization solutions are definitely invasive and not generic. The most generic one is chroot, possibly followed by lXC / cgroups (but only on more recent kernels).


@pan64: could you please stop pimping rbash usage everywhere? In this day and age rbash is the most inefficient, weakest option possible. In fact I would mark it a non-solution in almost all cases. Thanks in advance.
 
Old 05-09-2013, 01:13 AM   #8
pan64
Senior Member
 
Registered: Mar 2012
Location: Hungary
Distribution: debian i686 (solaris)
Posts: 4,001

Rep: Reputation: 1003Reputation: 1003Reputation: 1003Reputation: 1003Reputation: 1003Reputation: 1003Reputation: 1003Reputation: 1003
Quote:
Originally Posted by unSpawn View Post

@pan64: could you please stop pimping rbash usage everywhere? In this day and age rbash is the most inefficient, weakest option possible. In fact I would mark it a non-solution in almost all cases. Thanks in advance.
No I do not want them to use rbash, just asked them.....
 
Old 05-09-2013, 07:40 AM   #9
sundialsvcs
Guru
 
Registered: Feb 2004
Location: SE Tennessee, USA
Distribution: Gentoo, LFS
Posts: 5,049

Rep: Reputation: 953Reputation: 953Reputation: 953Reputation: 953Reputation: 953Reputation: 953Reputation: 953Reputation: 953
It sounds like you are referring to a chroot jail.
 
Old 05-09-2013, 10:58 AM   #10
gm33
LQ Newbie
 
Registered: May 2013
Posts: 4

Original Poster
Rep: Reputation: Disabled
Someone told me this:
Quote:
Chrooted sftp, look it up.
You just create a group for sftp users, create the users and set the directory in sshd_config.
That would work great! but i just need to know how i can let that user start the gameserver,
Any ideas?
 
Old 05-09-2013, 11:34 AM   #11
unSpawn
Moderator
 
Registered: May 2001
Posts: 26,534
Blog Entries: 51

Rep: Reputation: 2603Reputation: 2603Reputation: 2603Reputation: 2603Reputation: 2603Reputation: 2603Reputation: 2603Reputation: 2603Reputation: 2603Reputation: 2603Reputation: 2603
As I said before:
Quote:
Originally Posted by unSpawn View Post
chroot
Do some research, get some examples, experiment.
 
  


Reply


Thread Tools Search this Thread
Search this Thread:

Advanced Search

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is Off
HTML code is Off
Trackbacks are Off
Pingbacks are On
Refbacks are Off


Similar Threads
Thread Thread Starter Forum Replies Last Post
How to jail a process in his repertory ? Debian Linux - Security 12 12-14-2011 09:55 AM
Jail user to run process tanveer Linux - Security 1 06-02-2009 09:51 PM
User Creationg : ssh/sftp user jail to $HOME only routers Solaris / OpenSolaris 2 10-29-2007 11:28 PM
jail user to /home/user directory confused_user Linux - Security 12 03-15-2006 09:56 AM


All times are GMT -5. The time now is 03:58 AM.

Main Menu
My LQ
Write for LQ
LinuxQuestions.org is looking for people interested in writing Editorials, Articles, Reviews, and more. If you'd like to contribute content, let us know.
Main Menu
Syndicate
RSS1  Latest Threads
RSS1  LQ News
Twitter: @linuxquestions
identi.ca: @linuxquestions
Facebook: linuxquestions Google+: linuxquestions
Open Source Consulting | Domain Registration