Date:      Tue, 9 Oct 2018 22:32:59 +0200
From:      Philipp Vlassakakis <freebsd-en@lists.vlassakakis.de>
To:        FreeBSD Questions <freebsd-questions@freebsd.org>
Subject:   Re: FreeBSD 11.1: chroot users / provide pre-built binaries
Message-ID:  <11DB717D-54C1-4EA0-B2EE-128900AC177A@lists.vlassakakis.de>
In-Reply-To: <44a7reagqj.fsf@lowell-desk.lan>
References:  <D380FEAE-77CE-4927-A610-B45000C0811E@lists.vlassakakis.de> <20180628070515.3591314b.freebsd@edvax.de> <6aec1872-509a-5807-23fe-cc22089d58eb@yandex.com> <44a7reagqj.fsf@lowell-desk.lan>

Hi everyone,

just FYI and for documentation purposes.
Another "solution" would be to use scponly
(https://www.freshports.org/shells/scponly/), but it's
unmaintained for a couple of years.

Regards,
Philipp

> On 28. Jun 2018, at 20:49, Lowell Gilbert <freebsd-questions-local@be-well.ilk.org> wrote:
>
> Oleg Cherkasov <o1e9.cherkasov@yandex.com> writes:
>
>> On 28. juni 2018 07:05, Polytropon wrote:
>>> On Mon, 25 Jun 2018 19:45:02 +0200, Philipp Vlassakakis wrote:
>>>
>>>> On the one hand I want to save space, so that the binaries
>>>> don't have to be in every $HOME,
>>>> on the other hand the work is reduced if a binary needs to be
>>>> updated.
>>>
>>> If you want a set of "whitelisted binaries", i. e., a fixed
>>> and defined set of binaries a user can call interactively,
>>> you'll still be facing the problem mentioned above: The shell.
>>> If you allow interactive logins, it's more or less GAME OVER
>>> as the shell sadly has too much power. Sure, creating a
>>> directory like /secbin (secure binaries), making copies of
>>> the binaries you explicitly want to allow, and only have
>>> PATH=/secbin could be a starting point, but as mentioned
>>> above, this won't work.
>>>
>>> The easiest way to prevent execution of any (!) programs is
>>> to disallow interactive access. Tools like scp and sftp will
>>> still work, but ssh won't. Setting $SHELL to /sbin/nologin
>>> or /does/not/exist in /etc/passwd for those users will
>>> prevent the use of ssh (without completely deactivating it
>>> for the whole system), and still allow scp uploads.
>>>
>>> But changing $PATH isn't sufficient. If the user has access
>>> to /bin, /usr/bin or /usr/local/bin, he can manually call
>>> binaries from there (via full path). This is where chroot
>>> can help.
>>
>> Bash has RESTRICTED SHELL mode with -r option or may be soft linked as
>> rbash to run in restricted mode.  Check man bash and search for
>> RESTRICTED SHELL for more details.
>
> Like other restricted shells, bash's restricted mode is very fragile.
> You should never trust that sort of configuration to keep you safe when
> an actively hostile attacker might gain access.
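Added example, not part of the thread and not code from any of the posters: a POSIX sh script that prints the sshd_config Match block for the "no interactive access, but file transfer still works" setup Polytropon describes (chroot plus the in-process sftp server), and that checks the ownership and mode rules sshd enforces on ChrootDirectory and every path component above it (owned by root, not writable by group or others); a jail that breaks those rules is rejected by sshd at login with "bad ownership or modes for chroot directory". The group name, the jail path and the required-owner argument are assumptions for illustration; the owner is parameterized only so the check can be exercised as an unprivileged user, a real jail must be owned by uid 0. One caveat worth knowing when combining this with /sbin/nologin: with ForceCommand internal-sftp the login shell is never executed, so nologin is fine, but the legacy scp protocol runs "scp -t" through the remote login shell and will not work for such accounts; use sftp (OpenSSH 9.0 and later scp speak SFTP by default, and scp -s selects it on 8.7 and later).

```shell
#!/bin/sh
# Added example (not from the thread): sshd_config for an sftp-only chroot
# group, plus a check of the ownership/mode rules sshd applies to
# ChrootDirectory. Group name and jail path are illustrative assumptions.

# Print the sshd_config fragment. Subsystem lines are not allowed inside a
# Match block, so the Subsystem line replaces any existing "Subsystem sftp"
# line in the main body of sshd_config. With ForceCommand internal-sftp the
# user's login shell is never executed, so /sbin/nologin is fine for these
# accounts (legacy scp, which runs "scp -t" through that shell, is not).
sftp_jail_config() {
    _group=$1
    _jail=$2
    printf '%s\n' \
        "Subsystem sftp internal-sftp" \
        "Match Group $_group" \
        "    ChrootDirectory $_jail" \
        "    ForceCommand internal-sftp" \
        "    AllowTcpForwarding no" \
        "    AllowAgentForwarding no" \
        "    X11Forwarding no" \
        "    PermitTunnel no"
}

# Check one directory the way sshd's safely_chroot() does: owned by the
# expected uid (0 for a real jail; parameterized here so the check can be
# run as an unprivileged user) and not writable by group or others.
# Returns 0 when acceptable, 1 otherwise, with the reason on stdout.
check_chroot_component() {
    _dir=$1
    _want_uid=${2:-0}
    [ -d "$_dir" ] || { echo "$_dir: not a directory"; return 1; }
    # ls -ldn prints e.g. "drwxr-xr-x 2 0 0 512 Jun 28 07:05 /usr/jail":
    # field 1 = mode string, field 3 = numeric owner uid
    set -- $(ls -ldn "$_dir")
    _modes=$1
    _uid=$3
    if [ "$_uid" != "$_want_uid" ]; then
        echo "$_dir: owned by uid $_uid, expected $_want_uid"
        return 1
    fi
    # character 6 of the mode string is the group write bit, 9 is others'
    case $_modes in
        ?????w*)    echo "$_dir: group-writable ($_modes)"; return 1 ;;
        ????????w*) echo "$_dir: world-writable ($_modes)"; return 1 ;;
    esac
    return 0
}

# Walk from the jail up to "/": sshd rejects the chroot if any component
# of the path fails the check above, not just the leaf directory.
check_chroot_path() {
    _p=$1
    _owner=${2:-0}
    case $_p in
        /*) ;;
        *) echo "$_p: ChrootDirectory must be an absolute path"; return 1 ;;
    esac
    while :; do
        check_chroot_component "$_p" "$_owner" || return 1
        [ "$_p" = / ] && return 0
        _p=$(dirname "$_p")
    done
}

# Usage: sh sftp_jail.sh GROUP /absolute/jail
# Prints the config fragment, then reports whether the jail is acceptable.
if [ $# -eq 2 ]; then
    sftp_jail_config "$1" "$2"
    check_chroot_path "$2" && echo "$2: acceptable as ChrootDirectory"
fi
```

Because the jail itself must be root-owned and non-writable, the user gets a subdirectory inside it (for example /usr/jail/sftp/upload, owned by that user) to write into; the jail root stays empty apart from that. After installing the fragment, "sshd -t" validates the syntax and "sshd -T -C user=NAME" shows the effective settings for one account before the change is relied upon.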