SUMMARY: Restricted shells

From: rwolf@dretor.dciem.dnd.ca
Date: Thu Nov 26 1992 - 18:42:49 CST


Sorry for the long delay in posting this summary but there were so many
good responses and I wanted to wait till I got all of them and then post
a good summary.

Original question:
------------------
Does anyone know of a shell that can be configured to restrict a
user to their home directory and/or restrict them to a list of commands they
can run? Or better yet, is there a way to do it in SunOS?
I am running sun3's and sun4's, SunOS 4.1.[1,2].

Special thanks to the following people:
---------------------------------------
alc.com!hoogs@alc.com
frank@baobab.awadi.com.AU
ups!kevin@fourx.Aus.Sun.COM
rossner@imbi.uni-freiburg.de
Richard.Feuerriegel@ag.auburn.edu
ups!glenn@fourx.Aus.Sun.COM
bronto.geo.vu.nl:aribi@geo.vu.nl
montjoy@thor.ece.uc.EDU
antonson@hydra.Software.ORG
randy@ai.iit.nrc.ca
tlr@toy.rad.msu.edu
danny@ews7.dseg.ti.com
davisson@ida.org
era@niwot.scd.ucar.EDU
daryl@cs.athabascau.ca
auratek!auratek.com!bwalker@uunet.UU.NET
issi!issi.com!vasey@cs.utexas.edu
magi@csd.uwo.ca
... plus those people I accidentally missed

Summary:
--------

1) A PD version of a program called sudo. It is a set-UID program which
   allows you to grant root access to selected commands or paths via a sudoers
   file. The drawback from the user's perspective is that the commands have
   to be specified just as they are listed in the sudoers file.

   contact fmc@key.amdahl.com for more information

2) It is not readily documented, but rsh (/usr/lib/rsh, as opposed to
   /usr/ucb/rsh) is a restricted shell to do just that.

   Basically, restricted mode prevents the user from modifying environment
   variables (esp. $PATH), doing any "cd" operations, or executing any file
   beginning with /. Keeps him pretty close to $HOME. Extensive environments
   can be defined in /etc/profile and $HOME/.profile (which do not need to be
   owned by the user).

   Another way is /bin/sh -r. To get at the hidden documents do

   % egrep ".\\\"" /usr/share/man/man1/sh.1

   contact ups!glenn@fourx.Aus.Sun.COM for more information

3) Make the login program something that creates a chroot jail from
   loopback mounts. The commands they need are in a special directory, and
   all they can run is one or two applications. The rest of the system
   doesn't exist as far as they are concerned.
   
   Useful tool for application platforms - making chroot jails for other
   things that don't need system wide access to do their job as a method of
   security enhancement.

   contact ups!kevin@fourx.Aus.Sun.COM for more information

4) We found a restricted shell at
        host puffin.doc.ic.ac.uk (146.169.2.1)
        file /unix/wsmr-simtel20.army.mil/sysadmin/resh.tar-z

        wuarchive.wustl.edu:/mirrors4/unix-c/sysadmin/resh.tar-z
        tupac-amaru.informatik.rwth-aachen.de:/pub/rz.archiv/simtel/unix-c/sysadmin/resh.tar-z
        rigel.acs.oakland.edu:/pub/unix-c/sysadmin

   contact rossner@imbi.uni-freiburg.de for more information
   contact vannes@alcatel.ch for more information

5) Look at chroot.

6) Set up an anonymous ftp.

7) Use rksh (a restricted Korn Shell).

8) SYS V.R4 has, believe it or not, a restricted shell. I haven't immersed myself
   in Solaris 2.0 but I'll take a guess that there is a restricted shell with
   Solaris 2.0.

9) A commercial package called RUE.
   contact info@uuserve.on.ca for more information

10) A home grown restricted shell.
>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
I created such an environment using a small setuid 'C' program that
makes use of the "chroot" system call. I'm not claiming this is the
simplest, or best way, but it does work. This setup allows a user to
login and use ONLY those few commands included in the local "bin"
directory (csh, data, ftp, ls, more, pwd).

The restricted user can't do much but login and use FTP to send files
back to themselves. You could set it up to do other things as needed. I
have included a listing of the directory tree you need to build, as
well as copies of the non-system files I use (croot.c, .login, and
.profile). Also, I have included the password file entry for the
restricted user. When setting up the directory tree, pay close
attention to permissions, ownership, etc.

Restricted user entry in /etc/passwd:

ruser:GHkllOT.R.Oos:999:11:Restricted User Login:/home/restricted_user_home:/bin/sh

Recursive listing of restricted user directory:
(set up directory tree/permissions as below)
(create copies of appropriate system files)
(compile croot.c (included below) into "croot")
(copies of .login and .profile included below)

/home/restricted_user_home:

dr-xr-xr-x 3 root 512 Nov 4 09:06 .
-r-------- 1 ruser 153 Jan 9 1991 .profile
---S--x--- 1 root 24576 Jan 9 1991 croot
dr-xr-xr-x 7 root 512 Jan 9 1991 root

/home/restricted_user_home/root:
-r-------- 1 ruser 23 Jan 9 1991 .login
-r--r--r-- 1 root 1186 Jun 27 1991 README
dr-xr-xr-x 2 root 512 Apr 18 1992 bin
dr-xr-xr-x 2 root 512 Jan 8 1991 dev
dr-xr-xr-x 2 root 512 Apr 18 1992 etc
dr-xr-xr-x 2 root 512 May 7 1992 ruser_files
dr-xr-xr-x 3 root 512 Jan 8 1991 usr

/home/restricted_user_home/root/bin:
-r-xr-xr-x 1 root 147456 Jan 8 1991 csh
-r-xr-xr-x 1 root 7456 Jan 9 1991 date
-r-xr-xr-x 1 root 81920 Jan 8 1991 ftp
-r-xr-xr-x 1 root 13336 Jan 8 1991 ls
-r-xr-xr-x 1 root 49152 Jan 8 1991 more
-r-xr-xr-x 1 root 2112 Jan 8 1991 pwd

/home/restricted_user_home/root/dev:
cr--r--r-- 1 root 3, 12 Jan 8 1991 zero

/home/restricted_user_home/root/etc:
-r--r--r-- 1 root 26 Jan 8 1991 group
-r--r--r-- 1 root 69 Apr 18 1992 passwd

/home/restricted_user_home/root/ruser_files:
-r--r--r-- 1 root 7771 Jan 8 1991 README

/home/restricted_user_home/root/usr:
dr-xr-xr-x 2 root 512 Jan 8 1991 lib

/home/restricted_user_home/root/usr/lib:
-r-xr-xr-x 1 root 40960 Jan 8 1991 ld.so
-r-xr-xr-x 1 root 516096 Jan 8 1991 libc.so.1.5

------------------------croot.c----------------------------
#include <pwd.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
/*
 * change cwd and root to $1 change euid and uid to $2
 * (check password)
 * then exec $3 with $* as args
 *
 * croot newroot newuser command [arg ...]
 *
 * Terry Rosenbaum
 * Michigan State University
 * Radiology Department
 * East Lansing, MI 48824 USA
 * <tlr@radiology.msu.edu>
 *
 * January 8, 1991
 *
 */

/*
 * crypt(3) is in libc on SunOS 4; on other systems it may live in
 * <crypt.h> and need -lcrypt. Declared here so the file builds either way.
 */
char *crypt(const char *key, const char *salt);

int main(int argc, char **argv)
{
        char *raw_password, *encrypted_password;
        struct passwd *passwd;

        if(argc < 4) exit(-1);

        /*
         * get the password entry for the user specified
         * in argument "newuser"
         */

        if((passwd=getpwnam(argv[2])) == (struct passwd *)NULL) exit(-1);

        /*
         * only check password if not real superuser, and if there is one
         * and only if the change-to-user is not the current real user
         */

        if(getuid() != 0 && passwd->pw_passwd != (char *)NULL &&
                *passwd->pw_passwd && getuid() != passwd->pw_uid)
        {
                raw_password=getpass("password:");
                if(raw_password == (char *)NULL) exit(-2);
                /* hash the typed password with the stored entry as salt */
                encrypted_password=crypt(raw_password,passwd->pw_passwd);
                if(encrypted_password == (char *)NULL) exit(-2);
                if(strcmp(encrypted_password,passwd->pw_passwd)) exit(-2);
        }

        /*
         * chdir into the new root first so the cwd is inside the jail,
         * then chroot, then drop root (gid and uid) before exec'ing anything
         */
        if(chdir(argv[1])) exit(-3);
        if(chroot(argv[1])) exit(-4);
        if(setgid(passwd->pw_gid) || setuid(passwd->pw_uid)) exit(-5);
        /* argv[4] becomes argv[0] of the new program ("-csh" gives a login csh) */
        if(execvp(argv[3],&argv[4])) exit(-6);
        exit(-7);
}
------------------------croot.c----------------------------
------------------------.profile----------------------------
:
#
PATH=/bin
HOME=/
TZ=EST5EDT
SHELL=/bin/csh
export PATH HOME TZ SHELL
./croot /home/restricted_user_home/root ruser /bin/csh -csh
exit
exit
exit
exit
exit
------------------------.profile----------------------------
------------------------.login----------------------------
more README
cd ruser_files
------------------------.login----------------------------

One thing I forgot to include was the setup of the passwd/group files
in the restricted tree (neither should have valid passwords, unless
people will be doing "su" in that environment -- they are used for
"ls", etc.). Here they are:

/home/restricted_user_home/root/etc:
-r--r--r-- 1 root 26 Jan 8 1991 group
-r--r--r-- 1 root 69 Apr 18 1992 passwd

----------------/home/restricted_user_home/root/etc/passwd----------------------
root:**NO-LOGIN**:0:1:Operator::
ruser:**NO-LOGIN**:999:11:ruser access:/:
----------------/home/restricted_user_home/root/etc/passwd----------------------

----------------/home/restricted_user_home/root/etc/group----------------------
daemon:*:1:
ruser:*:11:
----------------/home/restricted_user_home/root/etc/group----------------------

_____________________________________________________________________

  Terry Rosenbaum E-mail: tlr@radiology.msu.edu
  Michigan State University Phone: 517/355-0120
  Radiology Department Fax: 517/336-2849
  B-220 Clinical Center
  138 Service Rd
  East Lansing MI 48824-1315 USA
_____________________________________________________________________
>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
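The contribution above stresses that the passwd file copied into the jail exists only so that "ls" can map uids to names and must carry no valid password. The following is an added example, not part of the original posting or Terry's code, that audits such a file: it flags any entry whose password field is empty or looks like a crypt(3) hash. The sample input is constructed from the passwd lines shown above.

```c
#include <ctype.h>
#include <string.h>
/* Added example (not from the original posting): audit the passwd file kept
 * INSIDE the chroot tree. No entry may carry a usable password. An entry
 * counts as usable when its password field is empty (passwordless login) or
 * looks like a crypt(3) hash: exactly 13 characters from [A-Za-z0-9./]. */
static int looks_like_crypt_hash(const char *f, size_t n)
{
    size_t i;
    if (n != 13) return 0;
    for (i = 0; i < n; i++)
        if (!isalnum((unsigned char)f[i]) && f[i] != '.' && f[i] != '/') return 0;
    return 1;
}
/* One passwd line: 1 = usable password, 0 = locked, -1 = malformed. */
int passwd_entry_usable(const char *line)
{
    const char *p = strchr(line, ':'), *q;
    if (p == NULL) return -1;
    p++;                        /* first char of the password field */
    q = strchr(p, ':');
    if (q == NULL) return -1;
    if (q == p) return 1;       /* empty field: login without a password */
    return looks_like_crypt_hash(p, (size_t)(q - p));
}
/* Whole file in memory: number of usable entries, or -1 on a malformed line. */
int count_usable_entries(const char *text)
{
    int usable = 0;
    while (*text) {
        const char *e = strchr(text, '\n');
        size_t len = e ? (size_t)(e - text) : strlen(text);
        char buf[256];
        if (len >= sizeof buf) return -1;
        memcpy(buf, text, len); buf[len] = '\0';
        if (len > 0) {
            int r = passwd_entry_usable(buf);
            if (r < 0) return -1;
            usable += r;
        }
        text = e ? e + 1 : text + len;
    }
    return usable;
}
/* Constructed samples: the jail passwd from the posting (expect 0 usable) and
 * the host-side ruser entry, whose real hash must never be copied into the jail. */
const char *JAIL_PASSWD = "root:**NO-LOGIN**:0:1:Operator::\n"
                          "ruser:**NO-LOGIN**:999:11:ruser access:/:\n";
const char *HOST_ENTRY =
    "ruser:GHkllOT.R.Oos:999:11:Restricted User Login:/home/restricted_user_home:/bin/sh\n";
```

Run the check against the jail's etc/passwd after every rebuild of the tree; a result other than 0 means an entry was copied from the host with its hash intact.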
------------------------------------------------------------------------------
Robert J Wolf, Sun System Admin. DCIEM, CFB Toronto
rwolf@dciem.dnd.ca PO Box 2000 1133 Sheppard Avenue West
uunet!csri.toronto.edu!dciem!rwolf North York (Toronto), Ont., Canada M3M 3B9
Internet: 192.16.207.3 Phone: (416)635-2073 FAX: (416)635-2104
"Capitalism with environmental ethics will benefit the entire world."
This archive was generated by hypermail 2.1.2 : Fri Sep 28 2001 - 23:06:53 CDT