HPE Community
Operating System - HP-UX
1826364 Members
4863 Online
109692 Solutions
New Discussion

help for a jailed user

 
CAS_2
Valued Contributor

‎02-07-2006 04:55 AM

‎02-07-2006 04:55 AM

help for a jailed user

Hi

I created a jailed user by the simplest way -- using restricted shell.
I also changed /etc/ftpd/ftpaccess in order to be a GUEST ftp user. So, its home directory is similar to

/dirA/./dirB

My problem is that I have to grant write permission for its home dir (/dirA/dirB) and this means the user can modify/delete its .profile file. Therefore, that user can edit its .profile and include a 'cd' command in it for jumping to any other directory in the tree (according to shell man pages, restrictions to shell are enforced AFTER reading user's .profile):

The restrictions above are enforced after the .profile and ENV files are interpreted.



Any other simple ideas ?

P.D: I decided to use restricted shell to prevent create a STRONG jailed user (using sudo and chroot)
0 Kudos
Reply
5 REPLIES 5
Steven E. Protter
Exalted Contributor

‎02-07-2006 05:18 AM

‎02-07-2006 05:18 AM

Re: help for a jailed user

Shalom,

The user is not properly jailed if all the user can just modify his/her .profile and get out of jail.

You have changed ftp access, which is a good start. For FTP to work right in a chroot jail, a few binaries like ls need to be copied locally.

The user should NOT have write permission on .profile. The chroot commands and setup can be performed there. The user may need a normal shell to execute needed comands but if the user is in chroot without the ability to change .profile the user is stuck.

chroot doesn't work really well if the user needs to use applications that require access to the root of the system.

Secure shell and chroot environments:
http://docs.hp.com/en/T1471-90013/ch01s13.html
Chroot in general
http://unix.derkeiler.com/Mailing-Lists/HP-UX-Admin/2003-06/0034.html

It may seem complex, but its really not once you do it a few times.

SEP
Steven E Protter
Owner of ISN Corporation
http://isnamerica.com
http://hpuxconsulting.com
Sponsor: http://hpux.ws
Twitter: http://twitter.com/hpuxlinux
Founder http://newdatacloud.com
0 Kudos
Reply
CAS_2
Valued Contributor

‎02-07-2006 05:29 AM

‎02-07-2006 05:29 AM

Re: help for a jailed user

You wrote
"The user should NOT have write permission on .profile"

I agree. This can be accomplised if owner is root, for example. But if user has permission to write in its home directory, it can delete the .profile owned by root and create a new one owned by him.
0 Kudos
Reply
TwoProc
Honored Contributor

‎02-07-2006 06:06 AM

‎02-07-2006 06:06 AM

Re: help for a jailed user

Restrict the permission to both the .profile and the home directory of the user - giving them read access to things only by access from a group that you create for the one user, then create a subdirectory called "data" or "docs" or "pub", etc., that they can rwx to via direct user ownership.
We are the people our parents warned us about --Jimmy Buffett
0 Kudos
Reply
Chan 007
Honored Contributor

‎02-07-2006 06:11 AM

‎02-07-2006 06:11 AM

Re: help for a jailed user

CAS,

Why not use acl...


Chan
0 Kudos
Reply
CAS_2
Valued Contributor

‎02-07-2006 07:40 AM

‎02-07-2006 07:40 AM

Re: help for a jailed user

ACL ?

What entries shoud I use ?
0 Kudos
Reply
The opinions expressed above are the personal opinions of the authors, not of Hewlett Packard Enterprise. By using this site, you accept the Terms of Use and Rules of Participation.