[clug] Wanted: Developer to securely implement a restricted SSH shell

Nathan O'Sullivan nathan at mammoth.com.au
Mon Jan 4 00:09:59 MST 2010

>> Can't this be done simply by replacing /bin/sh in /etc/passwd with
>> /path/to/some/binary
>> that execs xm console $DOMAIN for given domU logins?
>> What am I missing here?
> The `xm console $DOMAIN` command needs to be run as root.
> Would setuid root on the proposed shell script work?

Perhaps my off-site posting worked too well - I have a sample naive 
implementation at the bottom of 

In my implementation I utilise sudo to restrict the user to being able 
to run "xm console $DOMAIN" and nothing else.

My primary concern is if/how the user might interrupt or otherwise 
affect the behaviour of this custom login shell - I know I don't know 
enough about this to say what attacks are out there.
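
A sketch of the kind of login shell discussed in this thread, added here as an example; it is not the poster's implementation. It validates the domain name, ignores any command sshd passes in, and hands over to sudo with `exec` so that no shell remains behind `xm console`. Assumptions: the installed name `xm-console-shell`, the `/usr/bin/sudo` and `/usr/sbin/xm` paths, the login-name-equals-domU mapping, and the sample sudoers rule.

```shell
#!/bin/sh
# Added example, not the poster's script. Assumptions: installed as
# xm-console-shell and set as the account's shell in /etc/passwd; each login
# name is also its domU name; xm and sudo live at the paths below; and a
# sudoers rule per account of the (constructed) form
#   web01 ALL=(root) NOPASSWD: /usr/sbin/xm console web01
LC_ALL=C; export LC_ALL                    # make the [A-Z] ranges byte-exact
PATH=/usr/sbin:/usr/bin:/sbin:/bin; export PATH
SUDO=/usr/bin/sudo
XM=/usr/sbin/xm

# Succeed only for names of 1-64 chars from [A-Za-z0-9._-] that start with an
# alphanumeric, so the value can never parse as an option or a path.
valid_domain() {
    case "$1" in
        ''|[!A-Za-z0-9]*|*[!A-Za-z0-9._-]*) return 1 ;;
    esac
    [ "${#1}" -le 64 ]
}

# Map a login name to the domU it may attach to (identity mapping assumed).
domain_for_user() {
    valid_domain "$1" || return 1
    printf '%s\n' "$1"
}

main() {
    # Arguments are ignored on purpose: for "ssh host cmd" sshd runs this
    # shell as "<shell> -c cmd", and cmd must never be interpreted.
    # Identity comes from the kernel via id(1), not from $USER or $LOGNAME.
    user=$(/usr/bin/id -un) || exit 1
    dom=$(domain_for_user "$user") || { echo "no console for this account" >&2; exit 1; }
    # exec replaces this process, so no shell is left behind xm. A signal
    # before this point kills the script and the session ends; when xm exits,
    # the session ends too. sudo -n fails rather than prompting.
    exec "$SUDO" -n -- "$XM" console "$dom"
}

# Run only under the assumed installed name; otherwise just define functions.
case "${0##*/}" in
    xm-console-shell) main ;;
esac
```

A login shell does not govern port forwarding or other SSH channels; those are restricted in sshd_config (for example `AllowTcpForwarding no`).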

