Wednesday, January 28, 2015

Clamping down on users with rbash

http://www.itworld.com/article/2875972/clamping-down-on-users-with-rbash.html

restricted sign


One way to restrict what users can do on your Linux systems is by using rbash -- the restricted Bourne Again shell -- but only if you take some additional steps to ensure that your users can't break out of their cells.

What is rbash?

Rbash is an alternative to chrooted accounts -- though it works much better as an add-on. It works by disallowing a number of shell features. For example, when assigned rbash as their shell, your users cannot change their PATH environment variable. They cannot change directories with the cd command. They cannot use full paths to run commands. They cannot use redirection. If you meander down to the 90th page or so of the bash man page, you will likely see a list of those things that a user cannot do if they are constrained to using rbash. The list will look something like this:
  • changing directories with cd
  • setting or unsetting the values of SHELL, PATH, ENV, or BASH_ENV
  • specifying command names containing /
  • specifying a file name containing a / as an argument to the . builtin command
  • Specifying a filename containing a slash as an argument to the -p option to the hash builtin command
  • importing function definitions from the shell environment at startup
  • parsing the value of SHELLOPTS from the shell environment at startup
  • redirecting output using the >, >|, <>, >&, &>, and >> redirection operators
  • using the exec builtin command to replace the shell with another command
  • adding or deleting builtin commands with the -f and -d options to the enable builtin command
  • Using the enable builtin command to enable disabled shell builtins
  • specifying the -p option to the command builtin command
  • turning off restricted mode with set +r or set +o restricted.
That's a lot of things to not be able to do if you're an rbash user. Unfortunately (or fortunately, depending on your role in this situation), there are also a lot of ways you can escape your rbash shell if you'vr been restricted. But before we get into this, let's first look at how rbash is set up and used.

For the first thing, it's an optional feature of bash. It can be included in bash if the --enable-restricted option is used with the configure command when bash is built. To make it usable, you (assuming you're the admin now) create a symbolic link to bash and call is rbash. It's as simple as that. And if you're not sure if a system that you use or administer provides the rbash functionality, try this:
  • Create a symbolic link to bash and call it rbash -- ln -s /bin/bash rbash
  • Start rbash -- rbash
  • Try a forbidden operation such as this one -- cd /tmp
If you get a response like what you see below, rbash is available to you.
 
$ cd /tmp
rbash: cd: restricted

Now, let's try breaking out. Obviously since you're running rbash within bash, you can always just ^D your way back to your starting point, but that wouldn't prove much. Instead, try starting yet another shell.
 
$ cd /tmp
rbash: cd: restricted
$ /bin/bash
rbash: /bin/bash: restricted: cannot specify `/' in command names
$ bash
$ cd /tmp
$ pwd
/tmp
 
You can also try redirecting command output, changing your PATH variable, and asking where the date command is located (i.e., which date) and you will notice that you're not in Kansas anymore.

In the little exercise above, your restricted shell balked at your attempt to start a third shell when typing its full path, but not when you took advantage of the fact that /bin was on your search path and you typed just "bash". You might also be able to add other tools to your account that would allow you to do things that yoiur restricted environment would not.

For rbash to work well at restricting users, therefore, you also need to limit what they can do. You probably won't want /bin in their paths. That means that you probably want to set up a new bin directory containing only the commands that you want your restricted users to use. And it won't contain bash, scp, cp or any commands beyond what you want your restricted users to be able to do.

If you have a number of accounts to restrict, it's probably a good idea to set up a bin that all of them can use rather than giving each of them their own -- if only to save a little disk space.

Make sure that your restricted users' search paths are limited to your limited bin directory and, of course, make sure that bash is listed in their /etc/passwd entries.

Rbash will not stop your restricted users from listing files in other directories. If you need that kind of control, you should look into a chrooted setup in which their restricted environment appears to them to be the entire system. That kind of environment is more work than using rbash, but isn't all that difficult to configure.

No comments:

Post a Comment