15 March 2007

Restricting Interactive Access

How can I give someone SSH access to my server without compromising security? - Plenty of People

[How can I] allow shell access but NOT allow [arbitrary] remote commands to be run? - TyphoonJoe @ Ubuntu Forums (Impromptu)

First, every point of access to your system is a potential weak spot. Learn to accept it.

The long and short of this is if you want to allow someone interactive access to a machine, but want to control what programs they can run, you need to do one of two things. Either force a customized shell upon the user that will implement some sort of access control, or use regular, old-fashioned file system permissions to lock out certain programs.

Wrapping a shell is best left to experts. There are some interrupt issues to handle as well as some special case scenarios to worry about. Plus, it's usually overkill!

File system permissions are quick, easy, and effective. There are just six simple steps to take:


  1. Identify a restricted program or group of programs (such as ifconfig or gcc and ld.)

  2. Create a group for the program or program group.

  3. Add users permitted to use the restricted programs to the corresponding group.

  4. Change the group owner on the program(s) to the specially created group.

  5. Change file system permissions on the program so that only the owner or group can read or execute the program.

  6. Pray you didn't botch steps 1 through 5.



Keep in mind that many other programs, scripts, and services may need to use what you have restricted. When locking out commands with file system permissions, make sure you are as thorough as possible.
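Steps 2 through 5 as a shell script, with step 6 replaced by a check that the group and mode actually took effect. This is an added example, not part of the original post; the group `devtools`, the user `alice`, the script name and the use of the Linux `getent`, `groupadd` and `usermod` tools are assumptions.

```shell
#!/bin/sh
# Added example. Usage (as root), with hypothetical names:
#   sh restrict.sh devtools alice /usr/bin/gcc /usr/bin/ld

# Steps 2-3: create the group if it is missing and add the permitted user.
grant_access() {  # grant_access GROUP USER
    getent group "$1" >/dev/null || groupadd "$1"
    usermod -a -G "$1" "$2"   # -a appends; without it other groups are dropped
}

# Steps 4-5: give the program to the group, then remove all access for "other".
restrict_program() {  # restrict_program GROUP PATH
    if [ ! -f "$2" ]; then
        echo "not a regular file: $2" >&2
        return 1
    fi
    # Note: a numeric mode of 750 also clears any setuid/setgid bit on the file.
    chgrp "$1" "$2" && chmod 750 "$2"
}

# Step 6: verify instead of praying. Succeeds only if PATH is a regular file
# owned by GROUP (name or numeric gid) with mode exactly 750.
check_restricted() {  # check_restricted GROUP PATH
    [ -n "$(find "$2" -prune -type f -group "$1" -perm 750 2>/dev/null)" ]
}

# Only act when called with GROUP USER PROGRAM...; otherwise just define
# the functions so they can be sourced and used one at a time.
if [ "$#" -ge 3 ]; then
    group=$1
    user=$2
    shift 2
    grant_access "$group" "$user" || exit 1
    status=0
    for prog in "$@"; do
        if restrict_program "$group" "$prog" && check_restricted "$group" "$prog"; then
            echo "ok: $prog"
        else
            echo "FAILED: $prog" >&2
            status=1
        fi
    done
    exit "$status"
fi
```

A user added to the group picks up the membership at their next login, so test access from a fresh session.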
