One way to restrict what users can do on your Linux systems is by
using rbash -- the restricted Bourne Again shell -- but only if you take
some additional steps to ensure that your users can't break out of
their cells.
What is rbash?
Rbash is an alternative to chrooted
accounts -- though it works much better as an add-on. It works by
disallowing a number of shell features. For example, when assigned rbash
as their shell, your users cannot change their PATH environment
variable. They cannot change directories with the cd command. They
cannot use full paths to run commands. They cannot use redirection. If
you meander down to the 90th page or so of the bash man page, you will
likely see a list of those things that a user cannot do if they are constrained to using rbash. The list will look something like this:
changing directories with cd
setting or unsetting the values of SHELL, PATH, ENV, or BASH_ENV
specifying command names containing /
specifying a file name containing a / as an argument to the . builtin command
specifying a filename containing a slash as an argument to the -p option to the hash builtin command
importing function definitions from the shell environment at startup
parsing the value of SHELLOPTS from the shell environment at startup
redirecting output using the >, >|, <>, >&, &>, and >> redirection operators
using the exec builtin command to replace the shell with another command
adding or deleting builtin commands with the -f and -d options to the enable builtin command
using the enable builtin command to enable disabled shell builtins
specifying the -p option to the command builtin command
turning off restricted mode with set +r or set +o restricted.
That's a lot of things to not
be able to do if you're an rbash user. Unfortunately (or fortunately,
depending on your role in this situation), there are also a lot of ways
you can escape your rbash shell if you've been restricted. But before we
get into this, let's first look at how rbash is set up and used.
First, it's an optional feature of bash. It can be included
in bash if the --enable-restricted option is used with the configure
command when bash is built. To make it usable, you (assuming you're the
admin now) create a symbolic link to bash and call it rbash. It's as
simple as that. And if you're not sure if a system that you use or
administer provides the rbash functionality, try this:
Create a symbolic link to bash and call it rbash -- ln -s /bin/bash rbash
Start rbash -- rbash
Try a forbidden operation such as this one -- cd /tmp
If you get a response like what you see below, rbash is available to you.
$ cd /tmp
rbash: cd: restricted
Now, let's try breaking out. Obviously since you're running
rbash within bash, you can always just ^D your way back to your starting
point, but that wouldn't prove much. Instead, try starting yet another
shell.
$ cd /tmp
rbash: cd: restricted
$ /bin/bash
rbash: /bin/bash: restricted: cannot specify `/' in command names
$ bash
$ cd /tmp
$ pwd
/tmp
You can also try redirecting command output, changing your PATH
variable, and asking where the date command is located (i.e., which
date) and you will notice that you're not in Kansas anymore.
In the little exercise above, your restricted shell balked at your attempt
to start a third shell when typing its full path, but not when you took
advantage of the fact that /bin was on your search path and you typed
just "bash". You might also be able to add other tools to your account
that would allow you to do things that your restricted environment
would not.
For rbash to work well at restricting users, therefore, you also need to limit what they can do. You probably won't
want /bin in their paths. That means that you probably want to set up a
new bin directory containing only the commands that you want your
restricted users to use. And it won't contain bash, scp, cp or any
commands beyond what you want your restricted users to be able to do.
If
you have a number of accounts to restrict, it's probably a good idea to
set up a bin that all of them can use rather than giving each of them
their own -- if only to save a little disk space.
Make sure that
your restricted users' search paths are limited to your limited bin
directory and, of course, make sure that rbash is listed in their
/etc/passwd entries.
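One way to check an account against the points above (rbash as the login shell, a search path limited to the restricted bin directory, and nothing unexpected in that directory). This is an added example, not code from the original article; the function name audit_rbash, the guest account and the allow-list are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: audit one rbash account. All account data is constructed.

# audit_rbash PASSWD_LINE PATH_VALUE BIN_DIR "ALLOWED COMMANDS"
# Prints one finding per line; returns 0 only when there are none.
audit_rbash() {
    local line="$1" path_value="$2" bin="$3" allowed="$4"
    local findings=0 shell entry f name old_ifs

    # 1. The login shell (last passwd field) must be rbash.
    shell=${line##*:}
    if [ "${shell##*/}" != "rbash" ]; then
        echo "shell: $shell is not rbash"; findings=$((findings + 1))
    fi

    # 2. PATH may hold only the restricted bin directory. An empty entry
    #    means the current directory, so it counts as a finding too.
    case ":$path_value:" in *::*)
        echo "path: empty entry"; findings=$((findings + 1)) ;;
    esac
    old_ifs=$IFS; IFS=:; set -f
    for entry in $path_value; do
        if [ -n "$entry" ] && [ "$entry" != "$bin" ]; then
            echo "path: extra entry $entry"; findings=$((findings + 1))
        fi
    done
    set +f; IFS=$old_ifs

    # 3. Every file in the bin directory must be on the allow-list.
    for f in "$bin"/*; do
        [ -e "$f" ] || continue
        name=${f##*/}
        case " $allowed " in
            *" $name "*) ;;
            *) echo "bin: unexpected command $name"; findings=$((findings + 1)) ;;
        esac
    done
    [ "$findings" -eq 0 ]
}

# Constructed demo: bash as login shell, /bin on PATH, bash in the bin dir.
demo=$(mktemp -d)
: > "$demo/ls"; : > "$demo/bash"
audit_rbash "guest:x:1001:1001::/home/guest:/bin/bash" "$demo:/bin" "$demo" "ls date" \
    || echo "account needs fixing"
rm -rf "$demo"
```

The allow-list is the point of the third check: listing what is permitted catches any tool that later turns up in the directory, not just the ones named here.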
Rbash will not stop your restricted users
from listing files in other directories. If you need that kind of
control, you should look into a chrooted setup in which their restricted
environment appears to them to be the entire system. That kind of
environment is more work than using rbash, but isn't all that difficult
to configure.