  1. #1
    Member
    Join Date
    Mar 2010
    Posts
    12

    restricting allowed ssh commands

    Hi all,

    Been searching for this - I have users jailed, but they can still run free and top, and also browse around /. But I'd like to restrict commands to just:

    cd
    ls
    wget
    tar
    rm
    mkdir
    ln
    git
    svn

    And I guess maybe a few other essential commands. Is there a place to have an "allowed commands" list?

  2. #2
    BANNED
    Join Date
    Jun 2005
    Location
    Wild Wild West
    Posts
    2,025

    Speaking as a security consultant first and systems administrator second, I would recommend that you do not under any circumstances allow your users SSH access whatsoever in any form.

    If you feel you must grant SSH access (though really not necessary usually), then I would at least make sure that you place the users in a jailshell but don't assume that because someone has a "jailed" login that your security worries are over because they most certainly are not.

    Regarding your question of restricting commands ---

    **SOME** commands you can restrict by setting to "root:root" with permissions of 700 or 754 but you cannot do that with every command as you will actually break your server if you restrict some commands

    In irony, of the commands you listed that you *DO* want to allow access, most of those commands are precisely the very commands that you really *DON'T* want users to access such as svn, wget, git, and ln as these are some of the most commonly abused commands.

    Again though, I personally wouldn't allow SSH access myself -- bad idea!

  3. #3
    Member
    Join Date
    Mar 2010
    Posts
    12

    Thanks for the reply. I'm actually doing some 'specialized' hosting, for some software I've been writing. I have deploy scripts which utilize wget/git. But I don't want them running free or top (it's still there in a jailed shell). IIRC, when I used to be with site5, they did it somehow.

    Is there a way to add 'scripts' into cpanel? IE, a client can go into the panel, and run a certain bash script or maybe a php/python script without having to go into SSH?

  4. #4
    BANNED
    Join Date
    Jun 2005
    Location
    Wild Wild West
    Posts
    2,025

    Take a look at the Cpanel development site documentation ....

    It is very easy to turn most scripts into plugins or make your own auto-installer packages for Cpanel and you might look into either of those.

    Regarding what I said earlier about "root:root", you might look at setting "root:cpanel" and limiting to owner and group access in which case Cpanel would still have access but not end users.

    Outside of these things, I have at times used a trigger process where I have a cron process watching for a certain condition such as an install request inserted in a database or a file dropped into a certain location and then the system wakes up under root and performs whatever task I have pre-assigned. By doing things in this manner, there is no need to give end users SSH access for items like pre-installing scripts and since no commands or information is being passed over to the process actually performing the installations, it remains safe doing that and actually gives you an extra buffer layer there between the system and end user.

    Anyway though, there are a few ideas for you ....
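
The cron-driven trigger described in the post above, as an added example that is not part of the original thread. The spool directory, task directory, task names (`deploy`, `rollback`) and crontab line are assumptions; the request file's contents are never read, only its name and owner.

```sh
#!/bin/sh
# Added example, not code from the thread. SPOOL_DIR, TASK_DIR and the task
# names "deploy" and "rollback" are assumptions for illustration.
SPOOL_DIR="${SPOOL_DIR:-/var/spool/site-requests}"      # users may create files here
TASK_DIR="${TASK_DIR:-/usr/local/libexec/site-tasks}"   # root-owned task scripts

# Handle every pending request once and print how many tasks ran.
process_requests() {
    handled=0
    for req in "$SPOOL_DIR"/*; do
        # Nothing pending: the glob stayed unexpanded.
        [ -e "$req" ] || [ -L "$req" ] || continue
        task=${req##*/}
        # Plain files only; a symlink or directory is discarded, never followed.
        if [ -L "$req" ] || [ ! -f "$req" ]; then
            rm -f -- "$req" 2>/dev/null || true
            continue
        fi
        # The numeric owner (GNU stat) identifies the requesting account. The
        # contents are never read, so nothing the user typed reaches root.
        uid=$(stat -c %u "$req") || continue
        rm -f -- "$req"    # consume the request so it cannot run twice
        # The file name only selects one of the pre-assigned tasks.
        case "$task" in
            deploy|rollback) ;;
            *) continue ;;
        esac
        if /bin/sh "$TASK_DIR/$task" "$uid"; then
            handled=$((handled + 1))
        fi
    done
    echo "$handled"
}

# Assumed /etc/crontab line: * * * * * root /usr/local/sbin/site-trigger.sh --run
if [ "${1:-}" = "--run" ]; then
    process_requests >/dev/null
fi
```
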

  5. #5
    Member
    Join Date
    Mar 2010
    Posts
    12

    Thanks for the ideas. I actually use the entry in a db to trigger deployment processes here at work, but might be too complicated for end-users.

    I'll explore the dev documentation, though. I like the flexibility.

    Cheers!
