Linux Archive > Redhat > Fedora User
10-16-2011, 08:47 AM
Benjamin

restricted shell

Hi Friends,

I want to configure a restricted shell for one of my servers.

I want to allow only specific commands to my local admin, meaning he can
use only the commands which I allowed for him; he can't use any other
commands or any other bash facility.

Please guide me on how to set up such an environment.

I am using Fedora 15.

Regards,
Benjo
--
users mailing list
users@lists.fedoraproject.org
To unsubscribe or change subscription options:
https://admin.fedoraproject.org/mailman/listinfo/users
Guidelines: http://fedoraproject.org/wiki/Mailing_list_guidelines
 
10-16-2011, 12:53 PM
Tim

restricted shell

On Sun, 2011-10-16 at 14:17 +0530, Benjamin wrote:
> I want to configure restricted shell for one of my server.
>
> I want to allow specific commands only to my local admin , means he
> can use only commands which i allowed for him.no more commands or any
> other bash facility he can't use.

You can look into "chroot"ing, where the other person has a different
root directory, and all the sub-directories, and you copy the commands
that they're allowed to use into their directory tree.

Of course, to do this properly, you also need to make sure that they
can't use a compiler, else they can create their own commands.

--
[tim@localhost ~]$ uname -r
2.6.27.25-78.2.56.fc9.i686

Don't send private replies to my address, the mailbox is ignored. I
read messages from the public lists.



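Tim's suggestion above, worked through as an added example (this script is not from the thread or from Fedora): it populates a chroot tree with a whitelist of commands plus the shared libraries each one needs, then checks Tim's caveat that nothing inside the tree can be used to build new programs. It assumes an `ldd` that prints `name => /path (addr)` lines, and the allowed-command list (`ls`, `cat`) is only for illustration. Actually entering the jail (`chroot` as root, or sshd's `ChrootDirectory`) is left to the admin.

```shell
#!/bin/sh
# Added example (not from the thread): build a chroot tree from a command whitelist
# and check it for the two things that make such a jail useless: a toolchain inside
# it, and a tree the jailed account can write to.

# Copy one command into the jail at its real absolute path, together with every
# shared object ldd resolves for it (the dynamic loader included).
copy_with_libs() {
    jail=$1
    src=$(command -v "$2") || { echo "no such command: $2" >&2; return 1; }
    mkdir -p "$jail$(dirname "$src")"
    cp "$src" "$jail$src"
    # every whitespace-separated field of ldd output that starts with "/" is a library path
    for lib in $(ldd "$src" 2>/dev/null | awk '{ for (i = 1; i <= NF; i++) if ($i ~ /^\//) print $i }'); do
        mkdir -p "$jail$(dirname "$lib")"
        [ -e "$jail$lib" ] || cp "$lib" "$jail$lib"
    done
}

# Build the tree: only the listed commands, nothing else.
build_jail() {
    jail=$1; shift
    mkdir -p "$jail" || return 1
    for cmd in "$@"; do
        copy_with_libs "$jail" "$cmd" || return 1
    done
}

# Tim's point: a compiler or interpreter inside the jail lets the user make new commands.
# Returns 0 when none of these names is present. The list is illustrative, not complete.
jail_has_no_toolchain() {
    for name in cc gcc g++ clang as ld make tcc perl python python3 ruby; do
        if find "$1" -type f -name "$name" | grep -q .; then
            echo "toolchain binary inside jail: $name" >&2
            return 1
        fi
    done
}

# chroot is no boundary for root, and a jail the user can write to is one they can
# add binaries to: the account must be unprivileged and must neither own nor be able
# to write anything in the tree. Returns 0 when that holds for the given user.
jail_not_writable_by() {
    id "$2" >/dev/null 2>&1 || return 1           # unknown user: refuse rather than pass
    [ -z "$(find "$1" \( -user "$2" -o -perm -002 \) -print 2>/dev/null)" ]
}

JAIL=$(mktemp -d)
build_jail "$JAIL" ls cat
find "$JAIL" -type f | sed "s|^$JAIL||"          # what ended up inside the tree
jail_has_no_toolchain "$JAIL" && echo "no toolchain in jail"
jail_not_writable_by "$JAIL" "$(id -un)" \
    || echo "jail is owned or writable by $(id -un): chown -R root:root it before use"
rm -rf "$JAIL"
```

The last check fails on purpose in this demo, because the builder of the tree owns it; in a real deployment the tree is built as root and the jailed account only gets read and execute access. Note also Don's objection further down the thread: a user inside this tree can administer nothing outside it, so this fits a locked-down service account better than an admin.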
 
10-16-2011, 01:06 PM
Don Quixote de la Mancha

restricted shell

On Sun, Oct 16, 2011 at 5:53 AM, Tim <ignored_mailbox@yahoo.com.au> wrote:
> On Sun, 2011-10-16 at 14:17 +0530, Benjamin wrote:
>> I want to allow specific commands only to my local admin , means he
>> can use only commands which i allowed for him.no more commands or any
>> other bash facility he can't use.
>
> You can look into "chroot"ing, where the other person has a different
> root directory, and all the sub-directories, and you copy the commands
> that they're allowed to use into their directory tree.

Chroot is great for securing certain kinds of things, but if the
intended user is an administrator, he won't be able to administer any
of the files outside of his chroot jail.

I'm pretty sure bash doesn't provide a facility like this, but there
should be a different shell that does.

A simple hack that would work for any shell would be to remove the
"others execute" permission from all of your executable programs,
other than the commands you want him to be able to use. You will also
need to place him in his own group.

chmod o-x

will do it.

But some daemons run as unprivileged users, either their own username
or as "nobody". You will need these daemons to be in a group that can
run the commands.

Wholesale alteration of executable permissions could break your system
in a big way, though. The permissions might get reset by software
updates. It's probably best to keep looking for a shell that does
what you really need.

--
Don Quixote de la Mancha
Dulcinea Technologies Corporation
Software of Elegance and Beauty
http://www.dulcineatech.com
quixote@dulcineatech.com
 
10-16-2011, 01:06 PM
Benjamin

restricted shell

Hi Tim,

Can you provide me any good document or example to get a proper idea of
chroot?

Regards,
Benjo


> On Sun, 2011-10-16 at 14:17 +0530, Benjamin wrote:
>> I want to configure restricted shell for one of my server.
>>
>> I want to allow specific commands only to my local admin , means he
>> can use only commands which i allowed for him.no more commands or any
>> other bash facility he can't use.
> You can look into "chroot"ing, where the other person has a different
> root directory, and all the sub-directories, and you copy the commands
> that they're allowed to use into their directory tree.
>
> Of course, to do this properly, you also need to make sure that they
> can't use a compiler, else they can create their own commands.
>

 
10-17-2011, 12:00 AM
Mikkel L. Ellertson

restricted shell


On 10/16/2011 08:06 AM, Don Quixote de la Mancha wrote:
>
> Chroot is great for securing certain kinds of things, but if the
> intended user is an administrator, he won't be able to administer any
> of the files outside of his chroot jail.
>
> I'm pretty sure bash doesn't provide a facility like this, but there
> should be a different shell that does.
>
> A simple hack that would work for any shell would be to remove the
> "others execute" permission from all of your executable programs,
> other than the commands you want him to be able to use. You will also
> need to place him in his own group.
>
> chmod o-x
>
> will do it.
>
> But some daemons run as unpriveliged users, either their own username
> or as "nobody". You will need these daemons to be in a group that can
> run the commands.
>
> Wholesale alteration of executable permissions could break your system
> in a big way, though. The permissions might get reset by software
> updates. It's probably best to keep looking for a shell that does
> what you really need.
>
You may want to look at the -r option of bash, or bash invoked as
rbash. Unfortunately, there are ways to get around the restrictions
of rbash, or most other restricted shells.

Mikkel
--
Do not meddle in the affairs of dragons,
for thou art crunchy and taste good with Ketchup!
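Mikkel's two points, as an added example (not from the thread): the script below builds a throwaway rbash setup in a temp directory, probes which restrictions the bash manual documents actually hold, and then shows the gap he alludes to: the restrictions apply to the restricted shell itself, not to the programs it starts, so any allowed command that can launch another program hands the user an unrestricted shell. It assumes bash is installed; the allowed-command set (`ls`, `cat`, and deliberately `bash`) is chosen for illustration.

```shell
#!/bin/sh
# Added example (not from the thread): probe rbash restrictions and the child-process gap.

BASH_BIN=$(command -v bash)   # absolute path, so env -i does not need PATH to find it

# Make a directory whose bin/ holds symlinks to the allowed commands only; print its path.
make_restricted_env() {
    envdir=$(mktemp -d)
    mkdir "$envdir/bin"
    for cmd in "$@"; do
        target=$(command -v "$cmd") || { echo "no such command: $cmd" >&2; return 1; }
        ln -s "$target" "$envdir/bin/$cmd"
    done
    printf '%s\n' "$envdir"
}

# Run one command line in a restricted bash whose PATH is only that bin/.
# In a real deployment a root-owned ~/.bash_profile sets PATH and the login shell is
# /bin/rbash (restrictions are enforced after startup files are read); here env -i
# plays the profile and -r plays rbash.
run_restricted() {
    rdir=$1; shift
    env -i HOME="$rdir" PATH="$rdir/bin" "$BASH_BIN" -r -c "$*" 2>/dev/null
}

# Each probe returns 0 when rbash behaves as the bash manual documents.
refuses_cd() { ! run_restricted "$1" 'cd / && pwd' | grep -qx /; }   # cd is refused
refuses_slash_cmd() {
    ls_path=$(command -v ls)                       # a command name containing "/" is refused
    [ -z "$(run_restricted "$1" "$ls_path $1")" ]
}
refuses_redirect() {
    run_restricted "$1" "echo leaked > $1/out"     # output redirection is refused
    [ ! -e "$1/out" ]
}
keeps_path_readonly() {                            # PATH, SHELL, ENV, BASH_ENV become read-only
    [ "$(run_restricted "$1" 'PATH=/usr/bin; echo "$PATH"')" != "/usr/bin" ]
}
# The gap: a program found through PATH runs with no restrictions at all, so an allowed
# command that can launch another program (a shell, vi's :!, an interpreter) voids the setup.
child_escapes() {
    [ "$(run_restricted "$1" 'bash -c "cd / && pwd"')" = "/" ]
}

main() {
    dir=$(make_restricted_env ls cat bash) || return 1   # bash on purpose, to show the escape
    for probe in refuses_cd refuses_slash_cmd refuses_redirect keeps_path_readonly child_escapes; do
        if "$probe" "$dir"; then echo "ok   $probe"; else echo "FAIL $probe"; fi
    done
    rm -rf "$dir"
}
main
```

All five probes print `ok`, and the fifth is the problem: the restricted shell happily ran an unrestricted one because `bash` was reachable through PATH. The same holds for anything in the allowed set that can spawn a process (editors, pagers, `find -exec`, interpreters) and, per the bash manual, for shell scripts, which rbash runs with restrictions turned off. Auditing the allowed bin for such commands is the whole job when using rbash.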
 
10-17-2011, 12:25 AM
suvayu ali

restricted shell

On Mon, Oct 17, 2011 at 2:00 AM, Mikkel L. Ellertson
<mellertson@gmail.com> wrote:
> You may want to look at the -r option of bash, or bash invoked as
> rbash. Unfortunately, there are ways to get around the restrictions
> of rbash, or most other restricted shells.
>

Although the OP specifically asked for a restricted shell, I believe
using SUDO is the right way to go. If the OP is looking to allow only
a small group of admin commands, creating a command group and adding
the new user to that group should do the trick.


HTH

--
Suvayu

Open source is the future. It sets us free.
 
10-17-2011, 08:27 PM
Hugh Caley

restricted shell

Not precisely what you are requesting, but the "sudo" command could be
used to allow your admin root access to certain commands only.

See "man sudo" and "man visudo". The /etc/sudoers file has examples of
this sort of functionality, but should only be edited using the visudo
utility.

Hugh

> On Sun, 2011-10-16 at 14:17 +0530, Benjamin wrote:
>
>> I want to configure restricted shell for one of my server.
>>
>> I want to allow specific commands only to my local admin , means he
>> can use only commands which i allowed for him.no more commands or any
>> other bash facility he can't use.
> You can look into "chroot"ing, where the other person has a different
> root directory, and all the sub-directories, and you copy the commands
> that they're allowed to use into their directory tree.
>
> Of course, to do this properly, you also need to make sure that they
> can't use a compiler, else they can create their own commands.
>
> --
> [tim@localhost ~]$ uname -r
> 2.6.27.25-78.2.56.fc9.i686
>
> Don't send private replies to my address, the mailbox is ignored. I
> read messages from the public lists.

--
Hugh Caley
Linux System Administrator, Aldon Business Area, Rocket Software
6001 Shellmound St. Ste. 600, Emeryville, CA 94608 USA
Tel: +1.510.285.8542  Email: hcaley@aldon.com  Web: aldon.com

 
10-17-2011, 08:36 PM
Joe Zeff

restricted shell

On 10/17/2011 01:27 PM, Hugh Caley wrote:
> Not precisely what you are requesting, but the "sudo" command could be
> used to allow your admin root access to certain commands only.

Yes. In fact, I'm fairly sure that this is exactly what it was written
for in the first place. Using it in place of su for general system
administration is a later adaptation[1] of the command. I'm presuming
that you want certain users to have access to all of the regular
commands plus a small subset of administrative commands. If so, sudo is
the best way to go.

[1] or perversion, as purists would have it
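The sudo approach that Suvayu, Hugh and Joe recommend, as an added example (not from the thread, not Fedora's own configuration): a sudoers drop-in with a weak version beside a hardened one, a small audit for the mistakes that turn "a few admin commands" into a root shell, and an install step that lets `visudo` validate the file before it goes live. The user name `benjo`, the `/usr/bin` paths, the httpd unit and log path are assumptions for illustration (on Fedora 15 `systemctl` still lived in `/bin`).

```shell
#!/bin/sh
# Added example (not from the thread): sudoers fragments, an audit, and a safe install.

# The classic mistakes: "*" in sudoers matches any string including white space, so
# extra arguments slip through; less, vi and find can start another program as root
# from inside themselves; NOPASSWD removes the one remaining check.
weak_fragment() {
    cat <<'EOF'
Cmnd_Alias WEAK = /usr/bin/less /var/log/*, /usr/bin/systemctl *
benjo ALL=(root) NOPASSWD: WEAK
EOF
}

# Exact commands with exact arguments; file edits go through sudoedit, which copies
# the file to a temporary location and runs the user's editor unprivileged.
hardened_fragment() {
    cat <<'EOF'
Cmnd_Alias SVC  = /usr/bin/systemctl restart httpd.service, /usr/bin/systemctl status httpd.service
Cmnd_Alias LOGS = /usr/bin/tail -n 200 /var/log/httpd/error_log
Cmnd_Alias EDIT = sudoedit /etc/httpd/conf.d/site.conf
benjo ALL=(root) SVC, LOGS, EDIT
EOF
}

# Commands that can exec something else; root on these is a root shell.
# Illustrative, not exhaustive.
SHELL_CAPABLE="vi vim less more find awk perl python python3 bash sh"

# Read a fragment on stdin; print one line per problem found in Cmnd_Alias entries.
audit_fragment() {
    awk -v risky="$SHELL_CAPABLE" '
        BEGIN { n = split(risky, r, " "); for (i = 1; i <= n; i++) bad[r[i]] = 1 }
        /^Cmnd_Alias/ {
            sub(/^[^=]*=/, "")
            m = split($0, entries, ",")
            for (i = 1; i <= m; i++) {
                gsub(/^[ \t]+|[ \t]+$/, "", entries[i])
                k = split(entries[i], w, /[ \t]+/)
                cmd = w[1]; base = cmd; sub(/.*\//, "", base)
                if (base in bad)                       print "shell-capable command: " cmd
                if (cmd != "sudoedit" && cmd !~ /^\//) print "relative path: " cmd
                for (a = 2; a <= k; a++)
                    if (w[a] ~ /[*?]/)                 print "wildcard argument: " cmd " " w[a]
            }
        }'
}

# Number of problems in a fragment; 0 means clean.
problem_count() { "$1" | audit_fragment | grep -c .; }

# Install only after visudo accepts the file: a syntax error under /etc/sudoers.d can
# lock every admin out of sudo. Needs root and a "#includedir /etc/sudoers.d" line in
# /etc/sudoers (Fedora ships one).
install_fragment() {
    tmp=$(mktemp) || return 1
    "$1" > "$tmp"
    visudo -cf "$tmp" && install -m 0440 -o root -g root "$tmp" /etc/sudoers.d/benjo
    rc=$?
    rm -f "$tmp"
    return $rc
}

echo "weak fragment:     $(problem_count weak_fragment) problem(s)"
echo "hardened fragment: $(problem_count hardened_fragment) problem(s)"
weak_fragment | audit_fragment
```

The audit flags three problems in the weak fragment (the pager, and two wildcard arguments) and none in the hardened one. Run `install_fragment hardened_fragment` as root to put it in place; as Hugh says, the main `/etc/sudoers` itself should only ever be touched through `visudo`, and the drop-in is validated the same way before it is installed.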