Linux - Security: This forum is for all security related questions. Questions, tips, system compromises, firewalls, etc. are all included here.
07-08-2007, 08:38 PM | #1 | LQ Newbie | Registered: Jan 2006 | Posts: 11
Using a perl script as a User's Shell
Hi,
I'm interested in setting up a simple game that I created in Perl so that it can be accessed over SSH. At the moment I have the script set as a special user's shell, but I'm a little worried about security issues with this setup. There is very minimal user input taken by the script, so I'm not worried too much about the script itself, but would there be a way for someone logging in to break out of the script and get to a command shell prompt?
Thanks
JB
07-08-2007, 10:34 PM | #2 | LQ Guru | Registered: Aug 2001 | Location: Fargo, ND | Distribution: SuSE AMD64 | Posts: 15,733
Try having that script as the "ForceCommand" command in /etc/sshd_config, and changing the user's entry in /etc/passwd so that their shell is /bin/false. I haven't tested this. I don't know if the latter part will cause the game script not to run. At the very least, change the shell to /bin/rbash, which is a restricted shell.
Last edited by jschiwal; 07-08-2007 at 10:35 PM.
07-25-2007, 02:30 AM | #3 | LQ Newbie | Registered: Jan 2006 | Posts: 11 | Original Poster
Thanks for the idea. I've only just now gotten around to trying some things. The ForceCommand won't work with the shell set to /bin/false, as ForceCommand needs a real shell to run the command. ForceCommand seemed to do what I needed when the user's shell was set to /bin/bash. Simply setting the user's shell to my Perl script seems to produce the same result. In testing the latter I am trying to see what the effect is of appending a command to the ssh client connect command. I'm not sure what is happening when I do that, but the script does not immediately run.
Perhaps the most secure way to do this is using a restricted shell of some sort with the ForceCommand option, to avoid the security issues that might exist with appending a command to the ssh client login.
07-25-2007, 11:42 PM | #4 | LQ Newbie | Registered: Jan 2006 | Posts: 11 | Original Poster
After comparing the effects of
1) placing my Perl script as my user's shell in /etc/passwd, with
2) placing my Perl script as my user's shell in /etc/passwd and setting ForceCommand to run the script, with
3) setting /bin/bash as my user's shell and using ForceCommand to run my script,
I found that under all three I was unable to run a command outside of the script. I tried specifying things like "ssh -l user 192.168.1.2 ls /etc" and "ssh -l user 192.168.1.2 /bin/bash".
Under all three options, trying to specify a command on connect resulted in the script not immediately running. The cursor flashes on the empty line; if I press return, or enter text and press return, the script runs, taking the text I entered as <STDIN> to the script, which seems strange. Here is what I mean, with the output of my test Perl script that prints two lines, takes input, sleeps 2 seconds and spits it out:
---------------------\
me@computer:~$ ssh -l user 192.168.1.2 /bin/bash
user@192.168.1.2's password:
echo "I'm typing this line while the script seems not to be running"
here we go!
enter something:
YOU SAID: echo "I'm typing this line while the script seems not to be running"
---------------------------/
The only other thing of note is that when not using ForceCommand, in trial (1), the banner information and last login were displayed. Can anyone figure out why the above is behaving the way it is?
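The behaviour in post #4 follows from how sshd starts the session: a command on the ssh command line is passed to the login shell as "-c command" (and, under ForceCommand, left in SSH_ORIGINAL_COMMAND), and no pseudo-terminal is allocated, so Perl block-buffers STDOUT and the prompts only appear once the buffer is flushed, while typed input is queued on STDIN. The script below is an added example of a Perl login-shell wrapper written with those two facts in mind; it is not the thread's script, the number-guessing game in play_game() is a constructed stand-in, and the script name and log identifier are assumptions. It refuses command requests instead of silently ignoring them, insists on a terminal, autoflushes output, neutralises job-control signals, applies an idle timeout, validates every line of input, and logs to syslog, which covers the points raised later in the thread about guarding STDIN and keeping logging on.

```perl
#!/usr/bin/perl
# game-shell.pl: added example of a Perl script installed as a user's login
# shell (or run from ForceCommand). It is not the thread's script; the
# number-guessing game in play_game() is a constructed stand-in.
use strict;
use warnings;
use Sys::Syslog qw(:standard :macros);   # core module; log to the auth facility

openlog('game-shell', 'pid', LOG_AUTH);
my $who  = getpwuid($<) || $<;
my $from = defined $ENV{SSH_CLIENT} ? (split ' ', $ENV{SSH_CLIENT})[0] : 'unknown';

# "ssh user@host CMD" reaches a login shell as "-c CMD", and under ForceCommand
# the request is in SSH_ORIGINAL_COMMAND. Neither is ever handed to a real
# shell: the request is logged (control characters stripped) and refused.
my $requested = defined $ENV{SSH_ORIGINAL_COMMAND} ? $ENV{SSH_ORIGINAL_COMMAND}
              : @ARGV                              ? join(' ', @ARGV)
              :                                      undef;
if (defined $requested) {
    (my $safe = $requested) =~ s/[^[:print:]]/?/g;
    syslog(LOG_WARNING, 'user %s from %s requested a command, refused: %s', $who, $from, $safe);
    print "This account only runs the game; commands are not accepted.\n";
    exit 1;
}

# Drop the inherited environment; the script never starts a child process,
# so nothing left in here can influence one.
%ENV = (PATH => '/usr/bin:/bin');

# Without a pty (client gave a command, or piped its stdin) Perl block-buffers
# STDOUT, so prompts would appear only when the buffer flushed. Insist on a
# terminal, and autoflush anyway so output never lags behind input.
unless (-t STDIN && -t STDOUT) {
    syslog(LOG_NOTICE, 'user %s from %s connected without a tty, refused', $who, $from);
    print "This game needs an interactive terminal (try ssh -t).\n";
    exit 1;
}
$| = 1;

# Interrupt and hang-up end the session cleanly; there is no shell to fall
# back to, so suspend (^Z) is simply ignored.
$SIG{INT} = $SIG{QUIT} = $SIG{TERM} = $SIG{HUP} = sub { bye('session ended by signal') };
$SIG{TSTP} = 'IGNORE';
$SIG{ALRM} = sub { bye('idle timeout') };

sub bye {
    my ($why) = @_;
    syslog(LOG_INFO, 'user %s from %s: %s', $who, $from, $why);
    print "\nBye.\n";
    exit 0;
}

# The only reader of STDIN. Returns undef on EOF, -1 for anything that is not
# a short decimal number, otherwise the number; oversized or odd input never
# reaches the game logic.
sub read_number {
    my ($prompt) = @_;
    print $prompt;
    alarm 120;                          # per-prompt idle limit
    my $line = <STDIN>;
    alarm 0;
    return undef unless defined $line;
    return $line =~ /^\s*(\d{1,3})\s*$/ ? $1 : -1;
}

# Constructed stand-in for the thread's game.
sub play_game {
    my $secret = 1 + int rand 20;
    print "here we go!\nGuess my number (1-20); you have 5 tries.\n";
    for my $try (1 .. 5) {
        my $g = read_number("guess $try: ");
        return 'client hung up' unless defined $g;
        if ($g < 1 || $g > 20) { print "A whole number from 1 to 20, please.\n"; next }
        return "won on try $try" if $g == $secret;
        print $g < $secret ? "higher\n" : "lower\n";
    }
    print "It was $secret.\n";
    return 'lost';
}

syslog(LOG_INFO, 'user %s from %s started the game', $who, $from);
bye(play_game());
```

Install it root-owned and mode 755 (the user must not be able to edit their own shell), then either point the account's /etc/passwd entry at it or name it in ForceCommand. With the tty check in place, "ssh -l user host /bin/bash" from post #4 is logged and refused instead of hanging on a buffered prompt, and "ssh user@host" without a command behaves as before.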
07-28-2007, 04:22 AM | #5 | Moderator | Registered: May 2001 | Posts: 29,415
Unless you're a seasoned and confident scripter, and have made sure you covered all potential holes, and even if you restrict access to the shell to known and trusted users, I'd make sure STDIN isn't allowed until it's "safe" to do so, make sure logging is on (network plus Rootsh/Sudosh or GRSecurity or SELinux) and make sure the script is run chrooted.
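Pulling together the ForceCommand approach from posts #2 and #3 and the chroot advice above, here is an added sshd_config fragment (not from the thread; "gameuser", the script path and the jail directory are placeholders, and the usual file location is /etc/ssh/sshd_config). The keywords are those of current OpenSSH; ChrootDirectory in particular postdates this 2007 thread.

```text
# sshd_config fragment (added example). "gameuser", the script path and the
# jail directory are placeholders.
Match User gameuser
    # Run the game for every session, whatever the client asked for; the
    # client's request is left in SSH_ORIGINAL_COMMAND for the script to log.
    ForceCommand /usr/local/bin/game-shell.pl
    # No port, agent, X11 or tunnel forwarding through this account.
    AllowTcpForwarding no
    AllowAgentForwarding no
    X11Forwarding no
    PermitTunnel no
    # Drop dead sessions: two missed keepalives at five-minute intervals.
    ClientAliveInterval 300
    ClientAliveCountMax 2
    # Confine the session. Every path component must be a root-owned directory
    # not writable by anyone else, and the jail must contain the user's shell,
    # the perl binary and the modules the script loads.
    ChrootDirectory /srv/game-jail
```

Two caveats follow from the finding in post #3 that ForceCommand needs a real shell: sshd runs the forced command as "shell -c command", so the /etc/passwd shell must be a real shell that exists inside the chroot, and if that shell is /bin/rbash the ForceCommand value cannot contain a slash (restricted bash refuses command names with slashes), so the script would have to sit in a directory on the restricted PATH and be named without a path. Check the effective settings for the account with "sshd -T -C user=gameuser" before relying on them.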