[TriLUG] Limited Access User Account

Aaron S. Joyner aaron at joyner.ws
Fri Sep 16 15:03:12 EDT 2005


Ian Kilgore wrote:

> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> Dhruv Gami wrote:
> | Hello Everyone,
> |
> | I am trying to setup an account for a user, who is to be given limited
> | access. For example, this user should be able to run things like
> | reboot,
> | useradd, ifconfig, tail, emacs (or vi) ... essentially a list of
> | programs that I specify, and only those programs.
> |
>
> Whups. Be *very* careful with restricted shells. Many programs allow
> the user to execute external programs (editors like vi and emacs, for
> example)[1]. There are many different ways to get around a restricted
> shell, or sudo. If you absolutely have to do this, spend lots of time
> making sure it really is restricted...

As Ian alluded to, this is either relatively easy or *really* hard to do 
well, depending on what the user requires access to. My best suggestion, 
if possible, would be:
Start by compiling a list of things the user should be able to do.
Try and limit that list down, and use rbash (or any restricted shell) 
and set up a closed-down path and closed-down set of binaries they have 
access to.
Of course, as mentioned, be very careful with powerful editors, scripts, 
especially scripts you wrote, or scripts you can't read and fully 
understand in less than 5 mins. And if that script takes arguments, 
question whether you really understand everything that's possible with 
shell arguments (I know I don't, but I know enough to break most arg 
parsing :) ).
Then, once you've got it set up, get a few trusted testers to try and 
break out of the restricted environment. You might solicit TriLUG for 
this, or someone internal to your company (if this is for work 
purposes). If you need assistance, I'll be glad to spend 5 mins or so 
trying to break out, and I'm sure you could find a couple volunteers on 
#trilug. Try of course to get people more knowledgeable than yourself, 
or particularly people with a security background, but in general the 
more people that look at it the more likely you are to find someone who 
knows of "that one last thing" that everyone overlooks (which is always 
different, of course).

Best of luck,
Aaron S. Joyner
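As an added illustration of the rbash setup Aaron describes (example code, not from the original post or from TriLUG): a POSIX shell script that builds a directory of symlinks to an allowlisted set of binaries and writes a profile that pins PATH for the restricted login. The directory names, the binary list and the RISKY list are assumptions; vi and emacs are refused because, as Ian notes, they can run external programs.

```shell
#!/bin/sh
# Added example: build a closed-down bin directory for an rbash user.
# The user's login shell is set separately, as root: usermod -s /bin/rbash USER
# (not done here). RBIN then becomes the only directory on the user's PATH.

# Programs that can launch other programs (the thread names vi and emacs;
# the pager entries are an added assumption). Refuse rather than allow them.
RISKY="vi vim emacs less more man"

# is_risky PROG : exit 0 if the basename of PROG is in RISKY, else 1.
is_risky() {
    b=$(basename "$1")
    for r in $RISKY; do
        [ "$r" = "$b" ] && return 0
    done
    return 1
}

# build_restricted_bin DIR PROG... : symlink each absolute PROG into DIR,
# skipping risky ones (reported on stderr). Prints the number linked.
build_restricted_bin() {
    dir=$1; shift
    mkdir -p "$dir"
    linked=0
    for p in "$@"; do
        if is_risky "$p"; then
            echo "refusing $p: it can run external programs" >&2
            continue
        fi
        ln -sf "$p" "$dir/$(basename "$p")"
        linked=$((linked + 1))
    done
    echo "$linked"
}

# write_profile HOME_DIR BIN_DIR : pin PATH for the restricted login shell.
# rbash blocks changes to PATH after the startup files run, so the profile
# must be root-owned and not writable by the user, or the restriction is
# trivially undone by editing it (chown is left to the root caller).
write_profile() {
    printf 'PATH=%s\nexport PATH\nreadonly PATH\n' "$2" > "$1/.bash_profile"
    chmod 0644 "$1/.bash_profile"
}
```

The symlink directory replaces rbash's usual approach of a long PATH, so the testers Aaron suggests only have to audit the handful of programs in RBIN.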
