« I’m back
february 2008 security conferences »
17 02 2008

How to secure login with linux restricted shell

Posted by: phillip in Security

linuxsec.jpgSometimes we need to allow other users to connect remotely to our servers with ssh. The are many different reason to do that; people that want to read their own email with mutt or using their own favourite irc client or whatever. In this situation the users can easily gain access to sensitive files such as: passwords or other files/directories that are accessible to any person with an unrestricted shell just using the cd command. After searching around, I’ve found ibsh (Iron Bars Shell), that allows you to create a restricted environment where the user can not step out of his home directory (jail), the user can not access any files outside his jail; the user may execute only those commands, which the sysadmin lists in the appropriate configuration file and ibsh automatically logs the activities of the user to syslog.

 

After downloading the .deb package from ibsh.sourceforge.net , we can proceed with the installation:

 

debianmaster:~# dpkg -i debian_ibsh.deb

 

we can add a user just for a test:

debianmaster:~# adduser test

in /etc/password - we must change the default shell for the restricted user from bash to ibsh

 

example:
test:x:1001:1001:,,,:/home/test:/bin/bash
to
test:x:1001:1001:,,,:/home/test:/bin/ibsh

First we need to add the following command in order to exit and logoff from the session,

in /etc/ibsh/globals.cmds

 

#globals.cmds
logout
exit

 

then later we can add other commands like:

mutt,gpg,links,ping,irssi.

 

Now I’m able to connect to the linux box with the restricted user. After the login I’ll find a command prompt like this ” [/]%” , trying to do some bad things like cd /etc or wget url://exploit, the prompt will warn me:

[/]% cd /etc ibsh: cd: /home/test/etc: No such file or directory and

[/]% wget http://exploit Sorry, can’t let you do that!

 

 

Some other useful commands to add to /etc/ibsh/globals.cmds

mkdir,ls,cd,vim etc etc.

IBSH is not the ultimate tool for restricted shells but is a good step to start securing your linux server.

Suggestions and comments are welcome.

 

 

This entry was posted on Sunday, February 17th, 2008 at 8:58 pm and is filed under Security. You can follow any responses to this entry through the RSS 2.0 feed. You can leave a response, or trackback from your own site.

One Response to “How to secure login with linux restricted shell”

  1. Martinss says:
    April 22nd, 2008 at 11:32 am

    Hello there! Maybe you can tell me how to add to the allowed commands this?
    ./hlds_run -game cstrike +exec server.cfg +ip xx.xx.xx.xx +port 27015 +maxplayers 16 +map de_dust -debug -nomaster -insecure

    Tryed, adding to global.cmds ./hlds_run, hlds_run and the full command - no success. :(

Leave a Reply