LITTLEBLACKDOG.COM
chris_g_g
Cat Chaser


Joined: 15 Feb 2001 Posts: 476
Location: United Kingdom
Posted: Fri Jul 28, 2006 3:14 am Post subject: verdict on a false shell
On FreeBSD, I'm trying to limit a bunch of remote access users to only the commands I deem suitable. I've a false shell that seems to work fine and want to know what a bunch of clever dogs think!
Bear in mind this will only work for remote logins. Local logins exit instantly.
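#!/bin/sh
# A remote command arrives as "-c <command>"; drop the -c.
[ "$1" = "-c" ] && shift
# Split the request into the command name and the rest of the line.
read CMD PARAMS << eot
$@
eot
# Run the command only if it is on the allowed list; anything else does nothing.
case $CMD in
    ls|pwd|whoami)
        $CMD $PARAMS
        ;;
    *)
        ;;
esac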
This example only allows 'ls', 'pwd' and 'whoami'. All other commands (hopefully) fail!
Thoughts? Comments? Blaringly obvious security holes that should see me shot at dawn???
_________________
If it moves, it's biology.
If it smells, it's chemistry.
If it doesn't work, it's physics!
T
Curmudgeon

Joined: 17 May 2001 Posts: 16085
Location: Airstrip One
Posted: Fri Jul 28, 2006 5:08 am
If you're not letting them run anything except pwd and whoami then ls is superfluous.
squashman
Big Dog


Joined: 08 Oct 2001 Posts: 3471
Location: 1265 Lombardi Ave.
Posted: Sun Jul 30, 2006 9:30 am
Sounds like a good idea. I believe FreeShell does something similar for their free accounts. They are not that restrictive though. My other thought was to do it with Group Permissions or, if you are using BASH, then use the Restricted Shell option.
chris_g_g
Cat Chaser


Joined: 15 Feb 2001 Posts: 476
Location: United Kingdom
Posted: Tue Aug 01, 2006 1:41 am
Toxin: Those commands were just in there as examples, they're not what users would be using. The first version of this shell didn't handle spaces so having ls in the list is a handy test with something like ls -l
Squashman: I thought about rbash but my understanding of what I've read is that its restrictions are not as severe as this approach. I'm taking the attitude that the less a user can do, the less stuff they can break! Will have to check out FreeShell and see what they do/have, thanks for the pointer.
It's only 12 lines of 'code' but I've been staring at it for a while and a fresh set of eyes often sees things the tired ones miss. I'm no wizard script writer and am slightly worried that something so simple seems to do the job so well!!!
EdisonRex
Lead Dog


Joined: 06 May 2002 Posts: 10052
Location: Not Moscow
Posted: Tue Aug 01, 2006 1:00 pm
Be careful of what you allow for commands. Anything allowing a copy and directory list allows any sentient hacker to first find the shell ini and to change it. Unless you leave the shell ini somewhere out of reach. Also any command that allows a push into a new shell with arguments would be a bad thing. And don't let people download stuff. First thing I'd download is a script from my full-priv environment, and I'd work on figuring out some way to get a real shell to run it.
*edit* have you tried any pipe commands with that? for instance if ls | more works, then you have a security hole. Because I can probably craft something to get a push out of your script.
_________________
Garret: It's so retro.
EGM: What does retro mean to you?
Parker: Like, old and outdated.
chris_g_g
Cat Chaser


Joined: 15 Feb 2001 Posts: 476
Location: United Kingdom
Posted: Wed Aug 02, 2006 3:27 am
EdisonRex wrote:
*edit* have you tried any pipe commands with that? for instance if ls | more works, then you have a security hole. Because I can probably craft something to get a push out of your script.
I have now... and it fails. Even if ls and more are both in the allowed list, ls just gets upset that 'pipe' isn't a valid argument. Either that or it claims it can't find the file "| more", depending on spaces or not around the pipe.
You bring up some interesting other points too. More food for thought!
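
A hardened take on the allow-list wrapper discussed in this thread, added here as an example and not part of any post. It goes beyond the posted script: shell metacharacters and glob characters are refused outright instead of being handed to the command as literal arguments, each command runs from a fixed absolute path, and options are allow-listed per command. The function names, the paths and the option policy are assumptions.

```shell
#!/bin/sh
# Added example, not the poster's script. Paths and the option policy are assumptions.

# Fixed absolute path per allowed command, so the user's $PATH is never consulted.
allowed_path() {
    case $1 in
        ls)     echo /bin/ls ;;
        pwd)    echo /bin/pwd ;;
        whoami) echo /usr/bin/whoami ;;
        *)      return 1 ;;
    esac
}

# vet_request "<command string>" prints "ALLOW <path> [args]" or "DENY <reason>".
vet_request() {
    req=$1
    nl='
'
    case $req in *"$nl"*) echo "DENY multiline"; return 1 ;; esac
    # Refuse every character outside a small safe set: pipes, ';', '$',
    # backticks, quotes, backslashes and glob characters never reach a command.
    bad=$(printf '%s' "$req" | tr -d 'A-Za-z0-9 ._/-')
    [ -z "$bad" ] || { echo "DENY metachar"; return 1; }
    set -f; set -- $req; set +f        # split on whitespace only: no globbing, no eval
    [ $# -gt 0 ] || { echo "DENY empty"; return 1; }
    cmd=$1
    path=$(allowed_path "$cmd") || { echo "DENY command"; return 1; }
    shift
    for arg in "$@"; do                # options are allow-listed per command
        case $cmd:$arg in
            ls:-l|ls:-a|ls:-la) ;;
            *:-*) echo "DENY option"; return 1 ;;
        esac
    done
    echo "ALLOW $path" "$@"
}

# sshd runs the login shell as "<shell> -c '<command>'" for remote commands.
if [ "${1:-}" = "-c" ]; then
    verdict=$(vet_request "${2:-}") || exit 1
    set -f; set -- ${verdict#ALLOW }
    exec "$@"
fi
```

Every command added to `allowed_path` needs its own look at which options and arguments it accepts, since a command that can start another program undoes the allow-list.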
All times are GMT - 8 Hours