LinuxQuestions.org


tkinsella 02-26-2013 01:48 PM

Users forced to subshell on login
 
Hello All!

The sysadmin previous to me set something up on one of our machines that when a user logs in, it forces them into a modified bash "subshell".

I am at a loss as to how he accomplished this, and therefore cannot undo the modification.

Any help would be appreciated! I can reply with more information if needed, but not sure where to even start at this point.

Thanks!

TB0ne 02-26-2013 02:08 PM

Quote:

Originally Posted by tkinsella (Post 4900263)
Hello All!
The sysadmin previous to me set something up on one of our machines that when a user logs in, it forces them into a modified bash "subshell".

I am at a loss as to how he accomplished this, and therefore cannot undo the modification. Any help would be appreciated! I can reply with more information if needed, but not sure where to even start at this point.

Read the man page on the usermod command. Pay particular attention to how to set a user's shell.

A 'shell' can be ANY program, including a custom-written shell script. Look at the /etc/passwd file, and the user's shell can be seen in it, as the last parameter I believe. Change it to whatever else you want via the usermod command.

tkinsella 02-26-2013 02:12 PM

I did check that first and everyone is set to /bin/bash

When logged in we get a message:

Last login: Tue Feb 26 10:39:54 2013 from 10.1.3.161
Notice: Your umask has been set to 002 for group sharing.
Your group has been changed to apache.
You are in a subshell. Type exit to resume individual credentials.


I assume that this is a message that the sysadmin set up. There is no motd or banner in the sshd_config that would prompt this.

rnturn 02-26-2013 02:20 PM

Quote:

Originally Posted by tkinsella (Post 4900263)
Hello All!

The sysadmin previous to me set something up on one of our machines that when a user logs in, it forces them into a modified bash "subshell".

I am at a loss as to how he accomplished this, and therefore cannot undo the modification.

Any help would be appreciated! I can reply with more information if needed, but not sure where to even start at this point.

Thanks!

I take it the intention was to limit those victims^Wusers to only be able to use a subset of the shell.

Can you show a line from /etc/passwd for one of the affected user accounts? I wonder if there is a modified shell specified for those users. The fix may be as simple as tweaking the /etc/passwd entry for those user accounts.

BTW, if you find that the /etc/passwd entries for the accounts are specified as "rbash" or "bash -r", i.e., "restricted" shells (I'm not sure if passwd accepts the second example as a valid shell), you ought to be careful about undoing that. What were those accounts intended to be used for? Would unrestricting the shells for those accounts make your system less secure? Setting up a user account with such a shell is usually done to allow fairly, shall we say, "unsophisticated" users to run programs in an environment (pun intended) that doesn't allow them to cause too much damage should they get into something that they shouldn't be running. Check out the "RESTRICTED SHELL" section at the bottom of the bash(1) man page for more on this.

If your predecessor didn't set up these accounts with a restricted shell then more detective work will be needed.

--
Rick

tkinsella 02-26-2013 02:27 PM

tkinsella:x:1408:1408::/home/tkinsella:/bin/bash

rnturn 02-26-2013 03:40 PM

Isn't digital archeology fun?
 
Quote:

Originally Posted by tkinsella (Post 4900294)
tkinsella:x:1408:1408::/home/tkinsella:/bin/bash

Pretty generic. Dang... so much for the simple fix.

Since you are seeing some distinct messages during the login process, have you grepped the contents of the scripts under /etc (or /usr/local/*, and so on) to see if those have been modified to set up the subshell? For example, /etc/profile. That "Notice: Your umask has been set to..." message seems pretty non-standard. If you can find out what's issuing that message, you should get a good idea how to undo the restrictions.

Question: What are "individual credentials"? When you see
Code:

You are in a subshell. Type exit to resume individual credentials.

what happens when you enter "exit"? Are you in a "normal" shell or logged out?


--
Rick

tkinsella 02-26-2013 03:44 PM

Thanks for the help! Told you I was lost on this one, can't find anything that just sticks out.

The first thing I did was to grep for those lines and I can't seem to find them anywhere, which makes me think the last admin may have recompiled bash with this stuff in it.

Code:

Notice: Your umask has been set to 002 for group sharing.
Your group has been changed to apache.
You are in a subshell. Type exit to resume individual credentials.
bash-3.2$ exit
exit
-bash-3.2$


TB0ne 02-26-2013 04:07 PM

Quote:

Originally Posted by tkinsella (Post 4900294)
tkinsella:x:1408:1408::/home/tkinsella:/bin/bash

Then log in, and get root access (either with "sudo -s" or "su"), and look at the .bashrc and .profile files for one of the users that is behaving like that. Could be as simple as something getting run when a user logs in. Also, check the /etc/profile file, since it could also be that whatever is being run is coming from there (a UID/GID check to see what happens when a shell is invoked).

If that's the case (and assuming you DON'T want this anymore), check the /etc/skel directory, since those are the 'skeleton' files that get pushed out whenever you make a new user.

rnturn 02-26-2013 05:44 PM

Quote:

Originally Posted by tkinsella (Post 4900356)
Code:

Notice: Your umask has been set to 002 for group sharing.
Your group has been changed to apache.
You are in a subshell. Type exit to resume individual credentials.
bash-3.2$ exit
exit
-bash-3.2$


Ah... So it looks like you need to log out twice to disconnect, right? That tells me that the profile (/etc/profile?) is running something at the end that actually is spawning another shell.

See TB0ne's suggestion about examining the profiles in /etc to see if some script is being executed at the end of the standard /etc/profile, bash.bashrc, etc. Commenting out that command will likely solve your problem.

Good luck...

-- Rick

chrism01 02-26-2013 07:48 PM

Also check the skel stuff as indicated; he may(!) have added it to the end of the user's .bash_profile or .bashrc or .profile.
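
Added example (not part of any post in the thread): a POSIX sh script that walks the startup files named in the replies above (/etc/profile, /etc/profile.d, bashrc files, per-user dotfiles, /etc/skel) and prints every non-comment line that starts another shell, switches group, or sets the umask. The function names, the keyword list and the sample tree, including its `newgrp apache` line, are constructed for illustration and are assumptions, not what was found on the poster's machine.

```sh
#!/bin/sh
# Added example: flag lines in bash login startup files that could start a
# second shell or change group/umask. A ROOT prefix allows scanning a copy.

# Files bash reads at login, plus ones they conventionally source, plus skel.
startup_files() (
    root=$1; home=$2
    printf '%s\n' "$root/etc/profile" "$root/etc/bashrc" "$root/etc/bash.bashrc"
    for f in "$root"/etc/profile.d/*.sh; do
        if [ -e "$f" ]; then printf '%s\n' "$f"; fi
    done
    for f in .bash_profile .bash_login .profile .bashrc; do
        printf '%s\n' "$root$home/$f" "$root/etc/skel/$f"
    done
)

# Commands worth reading by hand: group switch, new shell, exec, umask.
SUSPECT_RE='(^|[;&|[:space:]])(newgrp|sg|exec|su|umask|bash|sh)([[:space:]]|$)'

# Print file:line:text for each non-comment match. Usage: scan ROOT HOME
scan_startup_files() (
    startup_files "${1:-}" "${2:-$HOME}" | while IFS= read -r f; do
        if [ -r "$f" ]; then
            # /dev/null as a second file forces grep to print the file name.
            grep -nE "$SUSPECT_RE" "$f" /dev/null |
                grep -vE '^[^:]+:[0-9]+:[[:space:]]*#' || true
        fi
    done
)

# Constructed sample tree (not taken from the thread's machine).
make_sample_tree() (
    t=$(mktemp -d)
    mkdir -p "$t/etc/profile.d" "$t/etc/skel" "$t/home/alice"
    printf '%s\n' '# system profile' 'for i in /etc/profile.d/*.sh; do . "$i"; done' \
        > "$t/etc/profile"
    printf '%s\n' '# umask 002 was here' 'umask 002' \
        'echo "You are in a subshell."' 'newgrp apache' > "$t/etc/profile.d/zz-share.sh"
    printf '%s\n' 'alias ll="ls -l"' 'PS1="\u@\h \$ "' > "$t/home/alice/.bashrc"
    printf '%s\n' "$t"
)

if [ "${1:-}" = "--demo" ]; then
    tree=$(make_sample_tree)
    scan_startup_files "$tree" /home/alice
    rm -rf "$tree"
fi
```

On a live system, call `scan_startup_files "" /home/USER` as root; an empty result means the subshell is started from somewhere other than these files, for example a script or binary they call.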


All times are GMT -5.