topic Restricted Shell in Operating System - HP-UX

Restricted Shell

Michael Geraghty_1 — Fri, 11 Nov 2005 04:57:44 GMT

Hi

I have setup a a restricted sheel for a user, but I want to allow him to mkdir's in his home directory an be able to 'CD' into them

I know you can no cd out of your home directory - but can they not cd down ?

Thanks

Mick

Re: Restricted Shell

Muthukumar_5 — Fri, 11 Nov 2005 05:01:12 GMT

Are you set rksh to that specific user? He will not be able to execute cd command!

man ksh says,

The cd command cannot be executed by rksh.

hth.

Re: Restricted Shell

RAC_1 — Fri, 11 Nov 2005 05:01:36 GMT

How you have set restricted user??

Re: Restricted Shell

Michael Geraghty_1 — Fri, 11 Nov 2005 05:04:35 GMT

yes - I have set rsh as there shell in /etc/passwd.

Basically I wanted to setup a scp server for users that can only copy in and out of there own directories and maybe subdirectories in there $HOME

This cant be done with rsh then ?

Re: Restricted Shell

Muthukumar_5 — Fri, 11 Nov 2005 05:07:25 GMT

Then you can not give cd execution to that permission.

I've tried out this:

$ mkdir test
$ cd test
rksh: cd: restricted
$
$
$ echo "cd test" | ksh
ksh: cd: restricted

So you can not achive with rksh setting in /etc/passwd.

hth.

Re: Restricted Shell

Muthukumar_5 — Fri, 11 Nov 2005 05:15:16 GMT

Basically I wanted to setup a scp server for users that can only copy in and out of there own directories and maybe subdirectories in there $HOME
>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>

I hope scp will allow to access files under $HOME. Did you check with that? I am not having scp utility here.

Test as,
# Machine2:

touch /file1

# Machine 1 ---> Machine 2
$ scp test@Machine2:/file1 .
has to be failed

# Machine 1 ---> Machine 2
$ scp root@Machine2:/file1 .
has to be passed

for your requirement. Check revert with results.

hth.

Re: Restricted Shell

Michael Geraghty_1 — Fri, 11 Nov 2005 05:38:48 GMT

I created a 'test' directory under the users home directoy

I was able to scp a file over to the new directory, if I ssh to the server, I can list the new file under $HOME/test but cant cd into it

This I could get away with if the user is using shell under unix - but if using something like WinSCP, it throws you out if you try to view the contents of ../test

Re: Restricted Shell

Ivan Ferreira — Fri, 11 Nov 2005 07:21:32 GMT

We use restricted shell. As said before, you cannot cd to any directories.

Anyway, users does not need to cd to the directory to perform operations with the file. They just must specify the path to the file.

Why do you need to cd to that directory?

Re: Restricted Shell

Michael Geraghty_1 — Fri, 11 Nov 2005 07:30:18 GMT

If they ssh to the server they can list what is in the directory no problem so copying to and from $HOME/test/test2 is no problem.

But, if using WinSCP or some other tool, it throws you out because when you click on the folder to list the contents - it uses "cd" to get in and list ??

Re: Restricted Shell

Matti_Kurkela — Fri, 11 Nov 2005 08:40:22 GMT

With a restricted shell, you can limit what commands the user can execute - but not necessarily what he/she can do with those commands. The commands you allow to the restricted user must be able to perform similar restrictions internally, otherwise a tricky user might circumvent your restrictions.

If your goal is to create an user account for SSH file transfer which can access files only in the account's home directory and subdirectories, chroot is the answer.

The commercial SSH from ssh.com and newer versions of OpenSSH can be configured to chroot the session for certain users. When a session is chrooted, the user sees his/her home directory as a root directory. The subdirectories of the home directory are accessible normally, but the rest of the filesystem "does not exist" for him/her.

The disadvantage of chroot is that if the user is going to execute normal (non-chroot-aware) commands inside the chroot jail, you must supply the entire environment inside the jail. The sshd handles SFTP internally, so it does not need any libraries.

But if you need anything else, you must determine the correct libraries using "ldd" and "chatr" commands, and copy those libraries into the chroot environment. Symlinking does not help: the symlinks are interpreted within the context of the chroot environment.

Re: Restricted Shell

Ivan Ferreira — Fri, 11 Nov 2005 08:42:14 GMT

I agree with the CHROOT solution ;).

Re: Restricted Shell

Ivan Ferreira — Fri, 11 Nov 2005 09:35:22 GMT

Another thing that came to my mind is:

What if you in the /etc/profile verify if the users falls under the restricted category (by the name, group, etc) and if so, assign them the restricted shell.

The profile is not read when you ftp/sftp. But, still the chroot environment is more secure.