Home arrow Security arrow Page 8 - Unix Host Security: Hacks 11-20

Restricted Shell Environments Hack #18 - Security

Security isn't a noun, it's a verb; not a product, but a process. Today, learn the hacks involved in reducing the risks involved in offering services on a Unix-based system. This the second part of chapter one in Network Security Hacks, by Andrew Lockhart (ISBN 0-596-00643-8, O'Reilly & Associates, 2004).

TABLE OF CONTENTS:
  1. Unix Host Security: Hacks 11-20
  2. Prevent Stack-Smashing AttacksHack #12
  3. Lock Down Your Kernel with grsecurity Hack #13
  4. Restrict Applications with grsecurity Hack #14
  5. Restrict System Calls with Systrace Hack #15
  6. Automated Systrace Policy Creation Hack #16
  7. Control Login Access with PAM Hack #17
  8. Restricted Shell Environments Hack #18
  9. Enforce User and Group Resource Limits Hack #19
  10. Automate System Updates Hack #20
By: O'Reilly Media
Rating: starstarstarstarstar / 31
May 10, 2004

print this article
SEARCH DEV SHED

TOOLS YOU CAN USE

advertisement

Keep your users from shooting themselves (and you) in the foot.

Sometimes a sandboxed environment [Hack #10] is overkill for your needs. If you want to set up a restricted environment for a group of users that only allows them to run a few particular commands, youíll have to duplicate all of the libraries and binaries for those commands for each user. This is where restricted shells come in handy. Many shells include such a feature, which is usually invoked by running the shell with the -r switch. While not as secure as a system callĖbased sandbox environment, it can work well if you trust your users not to be malicious, but worry that some might be curious to an unhealthy degree.

Some common features of restricted shells are the ability to prevent a program from changing directories, to only allow the execution of commands using absolute pathnames, and to prohibit executing commands in other subdirectories. In addition to these restrictions, all of the command-line redirection operators are disabled. With these features, restricting the commands a user can execute is as simple as picking and choosing which commands should be available and making symbolic links to them inside the userís home directory. If a sequence of commands needs to be executed, you can also create shell scripts owned by another user. These scripts will execute in a nonrestricted environment and canít be edited within the environment by the user.

Letís try running a restricted shell and see what happens:

$ bash -r
bash: SHELL: readonly variable
bash: PATH: readonly variable
bash-2.05b$ ls
bash: ls: No such file or directory
bash-2.05b$ /bin/ls
bash: /sbin/ls: restricted: cannot specify `/' in command names
bash-2.05b$ exit
$ ln -s /bin/ls .
$ bash -r
bash-2.05b$ ls -la
total 24
drwx------ 2 andrew andrew 4096 Oct 20 08:01 .
drwxr-xr-x 4 root root 4096 Oct 20 14:16 ..
-rw------- 1 andrew andrew 18 Oct 20 08:00 .bash_history
-rw-r--r-- 1 andrew andrew 24 Oct 20 14:16 .bash_logout
-rw-r--r-- 1 andrew andrew 197 Oct 20 07:59 .bash_profile
-rw-r--r-- 1 andrew andrew 127 Oct 20 07:57 .bashrc
lrwxrwxrwx 1 andrew andrew 7 Oct 20 08:01 ls -> /bin/ls

Restricted ksh is a little different in that it will allow you to run scripts and binaries that are in your PATH, which can be set before entering the shell:

$ rksh
$ ls -la
total 24
drwx------ 2 andrew andrew 4096 Oct 20 08:01 .
drwxr-xr-x 4 root root 4096 Oct 20 14:16 ..
-rw------- 1 andrew andrew 18 Oct 20 08:00 .bash_history
-rw-r--r-- 1 andrew andrew 24 Oct 20 14:16 .bash_logout
-rw-r--r-- 1 andrew andrew 197 Oct 20 07:59 .bash_profile
-rw-r--r-- 1 andrew andrew 127 Oct 20 07:57 .bashrc
lrwxrwxrwx 1 andrew andrew 7 Oct 20 08:01 ls -> /bin/ls
$ which ls
/bin/ls
$ exit

This worked because /bin was in the PATH before we invoked ksh. Now letís change the PATH and run rksh again:

$ export PATH=.
$ /bin/rksh
$ /bin/ls
/bin/rksh: /bin/ls: restricted
$ exit
$ ln -s /bin/ls .
$ ls -la
total 24
drwx------ 2 andrew andrew 4096 Oct 20 08:01 .
drwxr-xr-x 4 root root 4096 Oct 20 14:16 ..
-rw------- 1 andrew andrew 18 Oct 20 08:00 .bash_history
-rw-r--r-- 1 andrew andrew 24 Oct 20 14:16 .bash_logout
-rw-r--r-- 1 andrew andrew 197 Oct 20 07:59 .bash_profile
-rw-r--r-- 1 andrew andrew 127 Oct 20 07:57 .bashrc
lrwxrwxrwx 1 andrew andrew 7 Oct 20 08:01 ls -> /bin/ls

Restricted shells are incredibly easy to set up and can provide minimal restricted access. They may not be able to keep out determined attackers, but they certainly make a hostile userís job much more difficult. 

Buy the book!If you've enjoyed what you've seen here, or to get more information, click on the "Buy the book!" graphic. Pick up a copy today!

Visit the O'Reilly Network http://www.oreillynet.com for more online content.



 
 
>>> More Security Articles          >>> More By O'Reilly Media
 

blog comments powered by Disqus
escort Bursa Bursa escort Antalya eskort
   

SECURITY ARTICLES

- Secure Your Business for Data Privacy Day
- Google Testing Security Fob Password Alterna...
- Security News Highlights Concerns
- Going to Extremes for Data Security
- Skipfish Website Vulnerability Scanner
- Critical Microsoft Visual Studio Security Pa...
- US Faces Tech Security Expert Deficit
- LAN Reconnaissance
- An Epilogue to Cryptography
- A Sequel to Cryptography
- An Introduction to Cryptography
- Security Overview
- Network Security Assessment
- Firewalls
- Whatís behind the curtain? Part II

Developer Shed Affiliates

 


Dev Shed Tutorial Topics: