restricted bash

solskog · 2022-05-27 08:59:14

I am trying using $HOME/.bash_profile with restricted bash

$ cat $HOME/.bash_profile 
$ exec /bin/bash -r
$

Will this be good enough to prevent login user from breaking out restricted shell?

Alad · 2022-05-27 09:15:33

No. You can still call other programs which in turn can spawn a regular shell, should it be needed. Or even a regular bash script. What are you trying to do in the first place?

solskog · 2022-05-27 09:46:26

As a bastion host, the login user can only run a few safe binary commands located inside home directory. no creation of files is allowed for the login user.
Also nothing is on the $PATH

$ echo $PATH
$

twelveeighty · 2022-05-27 16:27:58

Wouldn't it be a safer/better approach to use a combination of "command=safe_cmd_script.sh" in authorized_keys and the SSH_ORIGINAL_COMMAND to support multiple allowed commands? That way the user is technically never really logging into the bastion as a 'free' user and can only run specific commands. You could even take it a step further and have those user's /home on a read-only filesystem.

solskog · 2022-05-28 02:04:01

'SSH_ORIGIANL_COMMAND' I think this is the right approach, Thanks!

sekret · 2022-05-28 08:29:32

solskog wrote:

'SSH_ORIGIANL_COMMAND' I think this is the right approach, Thanks!

Just make sure you use it without the typo you produced here

Arch Linux

#1 2022-05-27 08:59:14

restricted bash

#2 2022-05-27 09:15:33

Re: restricted bash

#3 2022-05-27 09:46:26

Re: restricted bash

#4 2022-05-27 16:27:58

Re: restricted bash

#5 2022-05-28 02:04:01

Re: restricted bash

#6 2022-05-28 08:29:32

Re: restricted bash

Board footer