[clug] Fwd: Re: Wanted: Developer to securely implement a restricted SSH shell
steve jenkin
sjenkin at canb.auug.org.au
Mon Jan 4 15:11:46 MST 2010
Hal Ashburner wrote on 5/01/10 12:26 AM:
>> The `xm console $DOMAIN` command needs to be run as root.
>> Would setuid root on the proposed shell script work?
>>
> proposed binary. The answer being yes?
> I've never touched xen so I don't know what I might be missing here.
Ummmm... Tell me if my idea (below) is this really, really stupid or not...
Why can't the 'xm' executable, or a copy of it, be made "setuid" with
group execute perms for a "xenusers" group?
You then need a low-privilege user (say "xenuser") to host the
~/.ssh/authorized_keys file and use the "command=/special/bin/xm console
DOM001" form of Andrews'.
Do your users already have command line access to the system?
If so, you can add 'from="local_client"', otherwise you could specify a
per-customer IP or subnet address or two...
Did I miss something or can it be done without extra scripting?
HTH
s
--
Steve Jenkin, Info Tech, Systems and Design Specialist.
0412 786 915 (+61 412 786 915)
PO Box 48, Kippax ACT 2615, AUSTRALIA
sjenkin at canb.auug.org.au http://members.tip.net.au/~sjenkin
More information about the linux
mailing list