[clug] Fwd: Re: Wanted: Developer to securely implement a restricted SSH shell

steve jenkin sjenkin at canb.auug.org.au
Mon Jan 4 15:11:46 MST 2010

Hal Ashburner wrote on 5/01/10 12:26 AM:

>>  The `xm console $DOMAIN` command needs to be run as root.
>>  Would setuid root on the proposed shell script work?
> proposed binary. The answer being yes?
> I've never touched xen so I don't know what I might be missing here.

Ummmm... Tell me if my idea (below) is this really, really stupid or not...

Why can't the 'xm' executable, or a copy of it, be made "setuid" with
group execute perms for a "xenusers" group?

You then need a low-privilege user (say "xenuser") to host the
~/.ssh/authorized_keys file and use the "command=/special/bin/xm console
DOM001"  form of Andrews'.

Do your users already have command line access to the system?
If so, you can add 'from="local_client"', otherwise you could specify a
per-customer IP or subnet address or two...

Did I miss something or can it be done without extra scripting?


Steve Jenkin, Info Tech, Systems and Design Specialist.
0412 786 915 (+61 412 786 915)
PO Box 48, Kippax ACT 2615, AUSTRALIA

sjenkin at canb.auug.org.au http://members.tip.net.au/~sjenkin

More information about the linux mailing list