[clug] Wanted: Developer to securely implement a restricted SSH shell
Nathan O'Sullivan
nathan at mammoth.com.au
Mon Jan 4 00:09:59 MST 2010
>> Can't this be done simply by replacing /bin/sh in /etc/passwd with
>> /path/to/some/binary
>> that execs xm console $DOMAIN for given domU logins?
>> What am I missing here?
>>
> The `xm console $DOMAIN` command needs to be run as root.
> Would setuid root on the proposed shell script work?
>
>
Perhaps my off-site posting worked too well - I have a sample naive
implementation at the bottom of
http://www.mammothmedia.com.au/~nats/restricted-shell-job.txt
In my implementation I utilise sudo to restrict the user to being able
to run "xm console $DOMAIN" and nothing else.
My primary concern is if/how the user might interrupt or otherwise
affect the behaviour of this custom login shell - I know I dont know
enough about this to say what attacks are out there.
Regards
Nathan
More information about the linux
mailing list