LinuxQuestions.org
Download your favorite Linux distribution at LQ ISO.
Go Back   LinuxQuestions.org > Forums > Linux Forums > Linux - Security
User Name
Password
Linux - Security This forum is for all security related questions.
Questions, tips, system compromises, firewalls, etc. are all included here.

Notices


Reply
  Search this Thread
Old 07-08-2007, 08:38 PM   #1
john_b
LQ Newbie
 
Registered: Jan 2006
Posts: 11

Rep: Reputation: 0
Using a perl script as a User's Shell


Hi,
I'm interested in setting up a simple game that i created in perl so that it can be accessed over SSH. At the moment I have the script set as a special user's shell, but I'm a little worried about security issues with this setup. There is very minimal user input taken by the script so I'm not worried too much about the script itself, but would there be a way for someone logging in to break out of the script and get to a command shell prompt?

Thanks
JB
 
Old 07-08-2007, 10:34 PM   #2
jschiwal
LQ Guru
 
Registered: Aug 2001
Location: Fargo, ND
Distribution: SuSE AMD64
Posts: 15,733

Rep: Reputation: 682Reputation: 682Reputation: 682Reputation: 682Reputation: 682Reputation: 682
Try having that script as the "ForceCommand" command in /etc/sshd_config, and changing the users entry in /etc/passwd so that their shell is /bin/false. I haven't tested this. I don't know if the later part will cause the game script not to run. In the very least change the shell to /bin/rbash which is a restricted shell.

Last edited by jschiwal; 07-08-2007 at 10:35 PM.
 
Old 07-25-2007, 02:30 AM   #3
john_b
LQ Newbie
 
Registered: Jan 2006
Posts: 11

Original Poster
Rep: Reputation: 0
Thanks for the idea. Just now have gotten around to trying some things. The ForceCommand won't work with the shell set to /bin/false as ForceCommand needs a real shell to run the command. ForceCommand seemed to do what I needed when user's shell was set to /bin/bash. Simply setting user's shell to my perl script seems to produce the same result. In testing the latter I am trying to see what the effect of appending a command to the ssh client connect command. I'm not sure what is happening when I do that, but the script does not immediately run.

Perhaps the most secure way to do this is using a restricted shell of some sort with the ForceCommand option to avoid the security issues that might exist with appending a command to the ssh client login
 
Old 07-25-2007, 11:42 PM   #4
john_b
LQ Newbie
 
Registered: Jan 2006
Posts: 11

Original Poster
Rep: Reputation: 0
After comparing the effects of

1) placing my perl script as my users' shell in /etc/passwd, with

2) placing my perl script as my users' shell in /etc/passwd and setting ForceCommand to run the script, with

3) setting /bin/bash as my user's shell and using ForceCommand to run my script

I found that under all three I was unable to run a command outside of the script. I tried specifying things like "ssh -l user 192.168.1.2 ls /etc" and "ssh -l user 192.168.1.2 /bin/bash".

Under all three options trying to specify a command on connect resulted in the script not immediately running. The cursor flashes on the empty line, if I press return or enter text and press return the script runs taking the text I entered as <STDIN> to the script. Which seems strange. Here is what I mean, with the output of my test perl script that prints two lines, takes input, sleeps 2 seconds and spits it out:

---------------------\
me@computer:~$ ssh -l user 192.168.1.2 /bin/bash
user@192.168.1.2's password:
echo "I'm typing this line while the script seems not to be running"
here we go!

enter something:

YOU SAID: echo "I'm typing this line while the script seems not to be running"
---------------------------/

the only other thing of note, is that when not using ForceCommand in trial (1) the banner information and last login was displayed. Can anyone figure out why the above is behaving the way it is?
 
Old 07-28-2007, 04:22 AM   #5
unSpawn
Moderator
 
Registered: May 2001
Posts: 29,415
Blog Entries: 55

Rep: Reputation: 3600Reputation: 3600Reputation: 3600Reputation: 3600Reputation: 3600Reputation: 3600Reputation: 3600Reputation: 3600Reputation: 3600Reputation: 3600Reputation: 3600
Unless you're and a seasoned and confident scripter, and have made sure you covered all potential holes, and even if you restrict access to the shell to known and trusted users, I'd make sure STDIN isn't allowed until it's "safe" to do so, make sure logging is on (network plus Rootsh/Sudosh or GRSecurity or SELinux) and make sure the script is run chrooted.
 
  


Reply


Thread Tools Search this Thread
Search this Thread:

Advanced Search

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is Off
HTML code is Off



Similar Threads
Thread Thread Starter Forum Replies Last Post
Trying to write a perl script that will print shell variable ohcarol Programming 2 04-16-2007 08:02 AM
how to run a shell script in the perl script sharad Linux - General 1 05-24-2006 03:23 AM
Perl: Source shell script to for environment variables? stefanlasiewski Programming 3 02-07-2006 06:27 PM
Shell Script, C, C++, or Perl ? mrpc_cambodia Programming 5 08-12-2004 10:18 AM
how to find the pid of a perl script from shell script toovato Linux - General 1 12-19-2003 06:25 PM

LinuxQuestions.org > Forums > Linux Forums > Linux - Security

All times are GMT -5. The time now is 06:59 PM.

Main Menu
Advertisement
My LQ
Write for LQ
LinuxQuestions.org is looking for people interested in writing Editorials, Articles, Reviews, and more. If you'd like to contribute content, let us know.
Main Menu
Syndicate
RSS1  Latest Threads
RSS1  LQ News
Twitter: @linuxquestions
Open Source Consulting | Domain Registration