
#1 2022-05-27 08:59:14

solskog
Member
Registered: 2020-09-05
Posts: 320

restricted bash

I am trying to use $HOME/.bash_profile with restricted bash:

$ cat $HOME/.bash_profile 
$ exec /bin/bash -r
$

Will this be good enough to prevent the login user from breaking out of the restricted shell?


#2 2022-05-27 09:15:33

Alad
Wiki Admin/IRC Op
From: Bagelstan
Registered: 2014-05-04
Posts: 2,320

Re: restricted bash

No. You can still call other programs which in turn can spawn a regular shell, should it be needed. Or even a regular bash script. What are you trying to do in the first place?


Mods are just community members who have the occasionally necessary option to move threads around and edit posts. -- Trilby


#3 2022-05-27 09:46:26

solskog
Member
Registered: 2020-09-05
Posts: 320

Re: restricted bash

As a bastion host, the login user can only run a few safe binary commands located inside the home directory. No creation of files is allowed for the login user.
Also, nothing is on the $PATH:

$ echo $PATH
$


#4 2022-05-27 16:27:58

twelveeighty
Member
From: Alberta, Canada
Registered: 2011-09-04
Posts: 885

Re: restricted bash

Wouldn't it be a safer/better approach to use a combination of "command=safe_cmd_script.sh" in authorized_keys and SSH_ORIGINAL_COMMAND to support multiple allowed commands? That way the user is technically never really logging into the bastion as a 'free' user and can only run specific commands. You could even take it a step further and have those users' /home on a read-only filesystem.

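An added worked example of the forced-command approach described in #4 (my own illustration, not code from this thread or from OpenSSH): a wrapper that sshd runs via command= in authorized_keys and that checks SSH_ORIGINAL_COMMAND against a fixed allow-list before executing anything. The script path, the allowed command table and the key line are assumptions.

```shell
#!/bin/sh
# Forced-command wrapper for a bastion account. sshd runs this script instead of
# a shell when the key is installed in authorized_keys as (hypothetical path/key):
#   restrict,command="/usr/local/bin/safe_cmd_script.sh" ssh-ed25519 AAAA...PLACEHOLDER user@example
# sshd puts whatever the client asked to run into SSH_ORIGINAL_COMMAND; an
# interactive login leaves it unset, so such logins are refused below.

# Allow-list: map a short request name to the exact program line to run.
# Prints the program line and returns 0, or returns 1 for unknown names.
resolve_cmd() {
    case "$1" in
        status) printf '%s\n' "/usr/bin/uptime" ;;
        disk)   printf '%s\n' "/usr/bin/df -h /" ;;
        who)    printf '%s\n' "/usr/bin/who" ;;
        *)      return 1 ;;
    esac
}

# Validate a request ($1, normally $SSH_ORIGINAL_COMMAND). Empty requests and
# anything outside [A-Za-z0-9_-] are refused before the allow-list is consulted,
# so the user can never pass arguments or shell syntax through to the bastion.
dispatch_cmd() {
    req="$1"
    case "$req" in
        "" | *[!A-Za-z0-9_-]*)
            logger -t bastion-wrapper "refused request: '${req}'" 2>/dev/null || :
            return 1 ;;
    esac
    resolve_cmd "$req" || {
        logger -t bastion-wrapper "unknown request: '${req}'" 2>/dev/null || :
        return 1
    }
}

# Entry point when sshd executes the script.
main() {
    cmd=$(dispatch_cmd "${SSH_ORIGINAL_COMMAND-}") || {
        printf 'command not permitted\n' >&2
        exit 1
    }
    # Word-splitting here is intentional; $cmd comes only from resolve_cmd.
    exec $cmd
}

# Only run main when executed as the wrapper, so the functions can be sourced.
case "$0" in
    */safe_cmd_script.sh | safe_cmd_script.sh) main ;;
esac
```

The restrict option (OpenSSH 7.2 and later) additionally disables port, agent and X11 forwarding and pty allocation, so a refused request has no other channel to fall back on.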

#5 2022-05-28 02:04:01

solskog
Member
Registered: 2020-09-05
Posts: 320

Re: restricted bash

'SSH_ORIGIANL_COMMAND' I think this is the right approach, Thanks!


#6 2022-05-28 08:29:32

sekret
Member
Registered: 2013-07-22
Posts: 243

Re: restricted bash

solskog wrote:

'SSH_ORIGIANL_COMMAND' I think this is the right approach, Thanks!

Just make sure you use it without the typo you produced here ;)
