[NTLUG:Discuss] restricting shell functions in a telnet session

Kyle_Davenport@compusa.com Kyle_Davenport at compusa.com
Thu Apr 27 08:57:17 CDT 2000


To be completely secure you would have to put

     "chroot [homedir] /bin/bash"

as the command to run after login (the 7th stanza in the /etc/passwd file).
"Breaking out" of that means they log off!   But again you have the whole
problem of putting all necessary commands and libraries under their home
directory.  This could be not so painful if you set their root to /home (same
environment of commands and libraries for everyone) and use proper permissions
to prevent them access to other users' directories.  Indeed, I would be
surprised if there isn't already a package out there that does something like
this.


_____________________________________________________




Mark Bainter <mark-ntlug at firinn.org> on 04/26/2000 03:19:44 PM

Please respond to discuss at ntlug.org

To:   Kevin Brannen <kbrannen at gte.net>
cc:   discuss at ntlug.org (bcc: Kyle Davenport/Is/Corporate/CompUSA)
Subject:  Re: [NTLUG:Discuss] restricting shell functions in a telnet session



Kevin Brannen [kbrannen at gte.net] wrote:
> David Camm wrote:
> >
> > several of our customers have asked if they could have telnet access to
> > their information on our server.  those who need it already have guest
> > ftp access.
> >
> > in searching through the telnet and login docs, i can find no way to
> > restrict a user's login shell to NOT go above the user's home directory,
> > as guest or anonymous ftp does.
> >
> > since we've been a bit sloppy, going back and checking all permissions
> > on all files to ensure that a user couldn't inadvertently (or
> > advertently, for that matter) wreak any havoc would be a royal pain,
> >
> > is there any way of modifying (say) /etc/bashrc or /etc/profile to
> > accomplish this?
> >
> > is there another way?
>
> Have you considered changing their login shell to be "/bin/bash -r"?
> You could also create a script that does something like:
>
>    chroot $HOME
>    /bin/bash
>
> and make that their login shell (untested but the theory sounds good.
> :-)
>

This is not such a good idea.  Unfortunately, the login process is not
instantaneous.  So, if they can send an interrupt signal before the login
process gets to that point in the profile they can get an unrestricted shell.

Hrm.  I dunno if telnet supports it but you can do forced chroot in ftp by
putting /./ at the end of a user's home directory.  (i.e. /home/user/./)  If
the default shell doesn't support this (particularly in restricted mode) you
might be able to find a patch that honors it.  Or you could write one. ;-)

I just wouldn't depend on the profile option providing much protection.

--
"25 States allow anyone to buy a gun, strap it on, and walk down the street
with no permit of any kind: some say it's crazy. However, 4 out of 5 US
murders are committed in the other half of the country: so who is crazy?"
                    -- Andrew Ford
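
Added example (not part of any message in this thread): shell functions for the "putting all necessary commands and libraries" step of a chroot login, using `ldd` to find the shared libraries each command needs. The function names, the jail path argument and the sample `ldd` output are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example: collect the files a chroot login shell needs.
# Run as root so the copies stay root-owned; the jailed user must not
# be able to modify them.

# Read `ldd` output on stdin; print the absolute path of every library
# and of the dynamic loader, one per line, without duplicates.
ldd_paths() {
    awk '
        # "libc.so.6 => /lib/libc.so.6 (0x...)": take the resolved path
        $2 == "=>" && $3 ~ /^\// { print $3; next }
        # "/lib64/ld-linux-x86-64.so.2 (0x...)": loader given by full path
        $1 ~ /^\//               { print $1; next }
        # vdso entries and "not found" lines name no file to copy
    ' | LC_ALL=C sort -u
}

# Copy one file (absolute path) into the jail, keeping its directory path.
jail_copy() {   # usage: jail_copy JAIL FILE
    mkdir -p "$1$(dirname "$2")" && cp -p "$2" "$1$2"
}

# Copy each binary (absolute path) and the libraries ldd reports for it.
populate_jail() {   # usage: populate_jail JAIL BINARY...
    jail=$1; shift
    for bin in "$@"; do
        jail_copy "$jail" "$bin" || return 1
        ldd "$bin" 2>/dev/null | ldd_paths | while IFS= read -r lib; do
            jail_copy "$jail" "$lib" || exit 1
        done || return 1
    done
}

# Constructed sample of ldd output (not captured from a real host).
SAMPLE_LDD='    linux-vdso.so.1 (0x00007ffd0b5f2000)
    libtinfo.so.6 => /lib/x86_64-linux-gnu/libtinfo.so.6 (0x00007f1a2c400000)
    libc.so.6 => /lib/x86_64-linux-gnu/libc.so.6 (0x00007f1a2c200000)
    libmissing.so.1 => not found
    /lib64/ld-linux-x86-64.so.2 (0x00007f1a2c600000)'

# Example (as root): populate_jail /home /bin/bash /bin/ls
```

A "not found" line in real `ldd` output means the command would fail to start inside the jail, so check for it before relying on the copy.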
