Lock users in the home directory

From Cryptolife

Jump to: navigation, search

This guide shows how to lock some/all users into a safe envirnoment withibsh.


Sometimes we need to allow other users to connect remotely to our servers with ssh. The are many different reason to do that; people that want to read their own email with mutt or using their own favourite irc client or whatever. In this situation the users can easily gain access to sensitive files such as: passwords or other files/directories that are accessible to any person with an unrestricted shell just using the cd command. After searching around, I’ve found ibsh (Iron Bars Shell), that allows you to create a restricted environment where the user can not step out of his home directory (jail), the user can not access any files outside his jail; the user may execute only those commands, which the sysadmin lists in the appropriate configuration file and ibsh automatically logs the activities of the user to syslog.


After downloading the .deb package from ibsh.sourceforge.net , we can proceed with the installation:

debian:~# dpkg -i debian_ibsh.deb


we can add a user just for a test:


debian:~# adduser test


in /etc/password - we must change the default shell for the restricted user from bash to ibsh


example:
test:x:1001:1001:,,,:/home/test:/bin/bash
to
test:x:1001:1001:,,,:/home/test:/bin/ibsh

First we need to add the following command in order to exit and logoff from the session,

in /etc/ibsh/globals.cmds


  1. globals.cmds
    logout
    exit


then later we can add other commands like:

mutt,gpg,links,ping,irssi.


Now I’m able to connect to the linux box with the restricted user. After the login I’ll find a command prompt
like this ” [/]%” , trying to do some bad things like cd /etc or wget url://exploit, the prompt will warn me:


[/]% cd /etc ibsh: cd: /home/test/etc: No such file or directory and

[/]% wget http://exploit Sorry, can’t let you do that!




Some other useful commands to add to /etc/ibsh/globals.cmds

mkdir,ls,cd,vim etc etc.


IBSH is not the ultimate tool for restricted shells but is a good step to start securing your linux server.

Retrieved from "http://www.cryptolife.org/index.php/Lock_users_in_the_home_directory"
Personal tools
Creative Commons License