[clug] Fwd: Re: Wanted: Developer to securely implement a restricted SSH shell
Hal Ashburner
hal.ashburner at gmail.com
Mon Jan 4 06:26:18 MST 2010
On 04/01/10 17:35, Adam Thomas wrote:
> 2010/1/4 Hal Ashburner<hal.ashburner at gmail.com>:
>
>> On 04/01/10 17:24, Steven Hanley wrote:
>>
>>> On Mon, Jan 04, 2010 at 05:21:10PM +1100, Michael Still wrote:
>>>
>>>
>>>> Nathan O'Sullivan wrote:
>>>>
>>>>
>>>>> If you or your company do this kind of work, please mail me off-list. I
>>>>> am happy to discuss someone working on this after hours and would love
>>>>> to put a bit of cash into the pockets of a list member.
>>>>>
>>>>> Or if you can recommend someone that would be excellent too.
>>>>>
>>>>>
>>>>> I've posted the requirements off list, but to summarise: I need a way
>>>>> to let customers access their Xen domU console ("xm console $DOMAIN")
>>>>> over SSH, while doing our utmost to prevent the customer from doing
>>>>> anything else on the dom0.
>>>>>
>>>>> Further description and a naive implementation is available at
>>>>> http://www.mammothmedia.com.au/~nats/restricted-shell-job.txt
>>>>>
>>>>>
>>>> Are you thinking of implementing a restricted shell and using openssh,
>>>> or a custom ssh server?
>>>>
>>>>
>>> Bob has some code in the svn repository here that does a restricted ssh job
>>> for students submitting assignments with elevated privileges on a different
>>> server, he may be able to help you out with that if you have a look at how
>>> it works.
>>>
>>>
>>>
>> Can't this be done simply by replacing /bin/sh in /etc/passwd with
>> /path/to/some/binary
>> that execs xm console $DOMAIN for given domU logins?
>> What am I missing here?
>>
> The `xm console $DOMAIN` command needs to be run as root.
> Would setuid root on the proposed shell script work?
>
proposed binary. The answer being yes?
I've never touched xen so I don't know what I might be missing here.