Provide Limited Shell Access to users in Linux
I was wondering what the best way is to provide limited shell access to certain users. I get to talk to many people in the security domain, and one thing most of them agree on is:
It is always better to whitelist what a user can do than to blacklist what the user cannot do. They'll always find a way to break it!
The following were my requirements:
- Execute a few bash commands like date etc. in non-sudo mode.
- I didn't want to use any third-party shells or add extra code to the platform. Basically, make as few changes as possible with the least overhead.
- I should easily be able to extend the privileges (in this case, mostly which commands the users can execute).
My first thought was chroot, which creates a jail-like environment for the user. But as far as I know, there is no easy way to grant sudo access to certain commands inside a chroot, as you would have to copy sudo and all of its dependent files into the chrooted environment. It very soon gets messy. Besides, over time it would be very difficult to manage as I add a few more commands to extend the user's privileges.
So finally, I decided to use the restricted bash shell (rbash). All you need to do is add set -r to the user's .bash_profile and limit PATH to the user's HOME and HOME/bin.
When you log in, either at the console or via ssh, .bash_profile is executed by the shell before your first command prompt appears. After logging in, if you start another bash instance by typing /bin/bash, then .bashrc is executed instead. So it is better to put the restricted-mode settings in .bash_profile rather than .bashrc.
In rbash, users cannot do the following things:
- Changing directories with the cd builtin.
- Setting or unsetting the values of the SHELL, PATH, ENV, or BASH_ENV variables.
- Specifying command names containing slashes.
- Specifying a filename containing a slash as an argument to the . builtin command.
- Specifying a filename containing a slash as an argument to the -p option of the hash builtin command.
- Importing function definitions from the shell environment at startup.
- Parsing the value of SHELLOPTS from the shell environment at startup.
- Redirecting output using the ‘>’, ‘>|’, ‘<>’, ‘>&’, ‘&>’, and ‘>>’ redirection operators.
- Using the exec builtin to replace the shell with another command.
- Adding or deleting builtin commands with the -f and -d options of the enable builtin.
- Using the enable builtin command to enable disabled shell builtins.
- Specifying the -p option to the command builtin.
This pretty much restricts users from doing anything meaningful. We might as well not give them access in the first place. But wait, there is more… we need to whitelist some bash commands for the user. Remember, once the restricted shell is set you cannot execute any command with a / in it. So the user cannot really access /bin/ls etc. To allow users to run such commands, we create symbolic links to the actual paths inside the user's HOME/bin, so the commands are reachable through the restricted PATH. Every whitelisted command gets one symbolic link, for example:
sudo ln -s /bin/ls /home/limited_user/bin/ls
Now that we have created a bunch of symbolic links, the users can execute those commands without needing a / in the command name.
After all this, I was thinking I had pretty much secured a limited-access shell for the user….. spoiler alert! Nooooooo
Users can modify .bash_profile themselves and get out of restricted mode. So you'll have to change the permissions of .bash_profile itself, so that only root can change it.
Now the user cannot change .bash_profile and is only using a restricted shell with certain whitelisted commands. There is nooooo way he/she can break it. Right? ….. Nooooooooo! Not if you grant vi access. Apparently, in vi you can execute shell commands: :!UNIX_COMMAND can do wonders :) So make sure you don't whitelist vi; instead, maybe grant access to nano, which is another simple file editor, though not as powerful as vi.
After doing all this, so far I haven't been able to break the restricted shell given to the user. I'll be more than happy to hear if you know any other way to break this setup. I'll add more if I find something.
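To put the whole recipe in one place, here is an added example script (not part of the original post) that builds the restricted home the way the steps above describe: a bin directory holding symlinks to a whitelist of commands, a .bash_profile that pins PATH and then turns on set -r, and a read-only profile file. It runs without root inside a temporary directory, so the home path and the whitelist (ls and date) are assumptions for the demo; the chown to root from the post is the one step it cannot do unprivileged. The run_restricted helper then executes a few commands exactly as the limited user would get them, in a login shell, so you can see which ones rbash allows and which it refuses.

```shell
#!/bin/sh
# Added example, not from the original post. Builds a restricted-shell home
# directory in a temp dir (no root needed) following the post's recipe:
#   1. $HOME/bin holds symlinks to the whitelisted commands only,
#   2. .bash_profile pins PATH to $HOME/bin and then runs "set -r",
#   3. .bash_profile is made read-only (root ownership needs sudo, skipped here).
# The paths and the whitelist below are assumptions made for this demo.

set -eu

# Assumed whitelist: only these commands get a symlink in $HOME/bin.
WHITELIST="ls date"

# build_restricted_home DIR: populate DIR as the restricted user's home.
build_restricted_home() {
    home="$1"
    mkdir -p "$home/bin"
    for cmd in $WHITELIST; do
        target=$(command -v "$cmd") || { echo "no such command: $cmd" >&2; return 1; }
        ln -sf "$target" "$home/bin/$cmd"
    done
    # PATH is assigned BEFORE "set -r": once restricted mode is on, rbash
    # refuses any change to PATH, so the reverse order would leave PATH at
    # whatever /etc/profile set and the whitelist would not apply.
    cat > "$home/.bash_profile" <<'EOF'
PATH="$HOME/bin"
export PATH
set -r
EOF
    # Read-only for everyone; on a real host also: sudo chown root:root .bash_profile
    chmod 444 "$home/.bash_profile"
}

# run_restricted DIR CMD: run CMD the way the limited user would get it, i.e.
# in a login shell (the kind that reads .bash_profile) with DIR as HOME.
# "env -i" starts from an empty environment so nothing leaks in from here.
run_restricted() {
    env -i HOME="$1" PATH=/usr/bin:/bin bash --login -c "$2" 2>&1
}

# demo: build the home and show which commands are allowed or refused.
demo() {
    command -v bash >/dev/null 2>&1 || { echo "bash not installed, skipping demo"; return 0; }
    home=$(mktemp -d)
    build_restricted_home "$home"
    for c in 'ls' 'date' 'cd /tmp' '/bin/ls' 'PATH=/bin' 'echo x > /tmp/rbash_demo'; do
        if run_restricted "$home" "$c" >/dev/null; then
            echo "allowed: $c"
        else
            echo "refused: $c"
        fi
    done
    rm -rf "$home"
}

demo
```

Two things the script makes explicit that are easy to get wrong: PATH has to be assigned before set -r, because rbash refuses to change PATH once restricted mode is on; and .bash_profile is only read by a login shell, which is why the helper runs bash --login. On a real system, besides making .bash_profile root-owned, the home directory must not be writable by the user either (otherwise the root-owned file can simply be replaced), and setting the account's login shell to /bin/rbash (usermod -s /bin/rbash limited_user) removes the dependence on the profile file being read at all.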
