From owner-freebsd-questions@freebsd.org Thu Jun 28 15:48:17 2018 Return-Path: Delivered-To: freebsd-questions@mailman.ysv.freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2610:1c1:1:606c::19:1]) by mailman.ysv.freebsd.org (Postfix) with ESMTP id CDD331016AB7 for ; Thu, 28 Jun 2018 15:48:16 +0000 (UTC) (envelope-from o1e9.cherkasov@yandex.com) Received: from forward102p.mail.yandex.net (forward102p.mail.yandex.net [IPv6:2a02:6b8:0:1472:2741:0:8b7:102]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (Client CN "forwards.mail.yandex.net", Issuer "Yandex CA" (verified OK)) by mx1.freebsd.org (Postfix) with ESMTPS id 1F09581892 for ; Thu, 28 Jun 2018 15:48:15 +0000 (UTC) (envelope-from o1e9.cherkasov@yandex.com) Received: from mxback8j.mail.yandex.net (mxback8j.mail.yandex.net [IPv6:2a02:6b8:0:1619::111]) by forward102p.mail.yandex.net (Yandex) with ESMTP id ED6734305224 for ; Thu, 28 Jun 2018 18:48:13 +0300 (MSK) Received: from smtp2o.mail.yandex.net (smtp2o.mail.yandex.net [2a02:6b8:0:1a2d::26]) by mxback8j.mail.yandex.net (nwsmtp/Yandex) with ESMTP id PQY7c4Fe8I-m7w4vY87; Thu, 28 Jun 2018 18:48:07 +0300 DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=yandex.com; s=mail; t=1530200887; bh=BFUh1as3JZV5f81SLrqszGKNFrRP/QnokK0S9qtOHM8=; h=Reply-To:Subject:To:References:From:Message-ID:Date:In-Reply-To; b=IYxTosYWybI/Y2G7Z3skdQ4IpNPWJVm0XqRKBE20K9I7AK62wlCaLpFKHOINqAfom Xxw8WC+ILhWK/sAk2uKk1GZkeLjVrQNB3Pq1axXanwWaozb55FSj77Z0o6L8ZhsARA MaXl2U+9o1QxiInE7SsK9xHHSavvnuiJoV0NYia8= Received: by smtp2o.mail.yandex.net (nwsmtp/Yandex) with ESMTPSA id 516TXlk0VX-m654lQqE; Thu, 28 Jun 2018 18:48:06 +0300 (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (Client certificate not present) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=yandex.com; s=mail; t=1530200886; bh=BFUh1as3JZV5f81SLrqszGKNFrRP/QnokK0S9qtOHM8=; h=Reply-To:Subject:To:References:From:Message-ID:Date:In-Reply-To; b=f6m1amfSE7R/neYZ7Y4F0oq0zAQQkQRNgtdFTClu6h1B4w3jJWEj0eIiHaF+ZHFEZ 746ZCedfc+ALl4NQPYUsKMMAKnysNa80rnJC0lsJEbWqlo9db36bTsdRFLk/pSht28 wTi26TJK1CsUtQRm7wSY4VB4lu3GayqqC2dDoLDU= Authentication-Results: smtp2o.mail.yandex.net; dkim=pass header.i=@yandex.com Reply-To: o1e9@member.fsf.org Subject: Re: FreeBSD 11.1: chroot users / provide pre-built binaries To: freebsd-questions@freebsd.org References: <20180628070515.3591314b.freebsd@edvax.de> From: Oleg Cherkasov Message-ID: <6aec1872-509a-5807-23fe-cc22089d58eb@yandex.com> Date: Thu, 28 Jun 2018 17:48:05 +0200 User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:52.0) Gecko/20100101 Thunderbird/52.8.0 MIME-Version: 1.0 In-Reply-To: <20180628070515.3591314b.freebsd@edvax.de> Content-Type: text/plain; charset=utf-8; format=flowed Content-Language: en-US Content-Transfer-Encoding: 7bit X-BeenThere: freebsd-questions@freebsd.org X-Mailman-Version: 2.1.26 Precedence: list List-Id: User questions List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Thu, 28 Jun 2018 15:48:17 -0000 On 28. juni 2018 07:05, Polytropon wrote: > On Mon, 25 Jun 2018 19:45:02 +0200, Philipp Vlassakakis wrote: > >> On the one hand I want to save space, so that the binairies >> don't have to be in every $HOME, >> on the other hand the work is reduced if a binary needs to be >> updated. > > If you want a set of "whitelisted binaries", i. e., a fixed > and defined set of binaries a user can call interactively, > you'll still be facing the problem mentioned above: The shell. > If you allow interactive logins, it's more or less GAME OVER > as the shell sadly has too much power. Sure, creating a > directory like /secbin (secure binaries), making copies of > the binaries you explicitely want to allow, and only have > PATH=/secbin could be a starting point, but as mentioned > above, this won't work. > > The easiest way to prevent execution of any (!) programs is > to disallow interactive access. Tools like scp and sftp will > still work, but ssh won't. Setting $SHELL to /sbin/nologin > or /does/not/exist in /etc/passwd for those users will > prevent the use of ssh (without completely deactivating it > for the whole system), and still allow scp uploads. > > But changing $PATH isn't sufficient. If the user has access > to /bin, /usr/bin or /usr/local/bin, he can manually call > binaries from there (via full path). This is where chroot > can help. Bash has RESTRICTED SHELL mode with -r option or may be soft linked as rbash to run in restricted mode. Check man bash and search for RESTRICTED SHELL for more details.