From: Philipp Vlassakakis
To: FreeBSD Questions
Subject: Re: FreeBSD 11.1: chroot users / provide pre-built binaries
Date: Tue, 9 Oct 2018 22:32:59 +0200

Hi everyone,

just FYI and for documentation purposes.

Another “solution” would be to use scponly (https://www.freshports.org/shells/scponly/), but it has been unmaintained for a couple of years.

Regards,
Philipp

> On 28. Jun 2018, at 20:49, Lowell Gilbert wrote:
>
> Oleg Cherkasov writes:
>
>> On 28. June 2018 07:05, Polytropon wrote:
>>> On Mon, 25 Jun 2018 19:45:02 +0200, Philipp Vlassakakis wrote:
>>>
>>>> On the one hand I want to save space, so that the binaries
>>>> don't have to be in every $HOME,
>>>> on the other hand the work is reduced if a binary needs to be
>>>> updated.
>>>
>>> If you want a set of "whitelisted binaries", i.e., a fixed
>>> and defined set of binaries a user can call interactively,
>>> you'll still be facing the problem mentioned above: The shell.
>>> If you allow interactive logins, it's more or less GAME OVER
>>> as the shell sadly has too much power. Sure, creating a
>>> directory like /secbin (secure binaries), making copies of
>>> the binaries you explicitly want to allow, and only have
>>> PATH=/secbin could be a starting point, but as mentioned
>>> above, this won't work.
>>>
>>> The easiest way to prevent execution of any (!) programs is
>>> to disallow interactive access. Tools like scp and sftp will
>>> still work, but ssh won't. Setting $SHELL to /sbin/nologin
>>> or /does/not/exist in /etc/passwd for those users will
>>> prevent the use of ssh (without completely deactivating it
>>> for the whole system), and still allow scp uploads.
>>>
>>> But changing $PATH isn't sufficient. If the user has access
>>> to /bin, /usr/bin or /usr/local/bin, he can manually call
>>> binaries from there (via full path). This is where chroot
>>> can help.
>>
>> Bash has RESTRICTED SHELL mode with -r option or may be soft linked as
>> rbash to run in restricted mode. Check man bash and search for
>> RESTRICTED SHELL for more details.
>
> Like other restricted shells, bash's restricted mode is very fragile.
> You should never trust that sort of configuration to keep you safe when
> an actively hostile attacker might gain access.
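The thread separates accounts with no usable login shell from accounts that are only confined by a restricted shell. As an added example (not part of the original messages), this POSIX sh script classifies passwd(5)-format entries along that line and lists the accounts that can still obtain a shell of some kind. The sample accounts, the class names, the UID cutoff of 1000 and the install paths shown for rbash and scponly are constructed assumptions.

```shell
#!/bin/sh
# Added example: classify login shells in passwd(5)-format input.

# Constructed sample accounts (not taken from the thread).
SAMPLE_PASSWD='# constructed sample data
root:*:0:0:Charlie &:/root:/bin/csh
upload1:*:1001:1001:Upload only:/home/upload1:/usr/sbin/nologin
upload2:*:1002:1002:Upload only:/home/upload2:/does/not/exist
upload3:*:1003:1003:Restricted:/home/upload3:/usr/local/bin/rbash
upload4:*:1004:1004:scponly:/home/upload4:/usr/local/bin/scponly
upload5:*:1005:1005::/home/upload5:'

# Map a shell path to a class, by name only (no filesystem checks).
classify_shell() {
    case "$1" in
        "")                        echo interactive ;;  # empty field: /bin/sh is assumed
        */nologin|/does/not/exist) echo no-login ;;
        */rbash|*/scponly)         echo restricted ;;   # called fragile in the thread
        *)                         echo interactive ;;
    esac
}

# Read passwd lines on stdin; print "user class" for UIDs >= $1 (default 1000).
audit_passwd() {
    min_uid=${1:-1000}
    while IFS=: read -r name pw uid gid gecos home shell; do
        case "$name" in ''|'#'*) continue ;; esac      # blank lines and comments
        case "$uid" in ''|*[!0-9]*) continue ;; esac   # malformed lines
        [ "$uid" -ge "$min_uid" ] || continue
        echo "$name $(classify_shell "$shell")"
    done
}

# List only the accounts that can still get a shell of some kind.
risky_accounts() {
    audit_passwd "$@" | while read -r name class; do
        [ "$class" = no-login ] || echo "$name:$class"
    done
}

printf '%s\n' "$SAMPLE_PASSWD" | risky_accounts
```

On a live system the input would be /etc/passwd instead of the sample variable.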