Gentoo Forums
Gentoo Forums
Gentoo Forums
Quick Search: in
Jailing a certain user
View unanswered posts
View posts from last 24 hours

 
Reply to topic    Gentoo Forums Forum Index Networking & Security
View previous topic :: View next topic  
Author Message
Zucca
l33t
l33t


Joined: 14 Jun 2007
Posts: 921
Location: KUUSANKOSKI, Finland

PostPosted: Wed Sep 13, 2017 11:52 am    Post subject: Jailing a certain user Reply with quote

I'd want to create a quite restricted user account. The purpose of this user is for media consuming. Pictures, videos, music (via mpd and locally also) and some simple games (emulators mainly).

For starters this user, called media, will be created on my Raspberry Pi 3 system (later on my server too). I've actually created that user already along with the group bearing the same name. I've also added it to the list of DenyUsers in /etc/ssh/sshd_config. The user will not have password so it's usable by anyone who uses the computer locally.
I have planned to use very stripped down xfce (maybe only the window manager from it) or Openbox (more suitable suggestions are welcome) with [url=https://www.linux.com/var/uploads/Image/articles/128892-1(1).png]wbar[/url] for lauching programs/actions. The media user should not be able to reboot or poweroff the machine if there's an open ssh, tmux or screen session open by another user. But that's after I have managed to create otherwise proper jail for the media user. So I'll concentrate on jailing first.

What method I should use to jail (chroot maybe) a user? I can create bind mounts inside the /home/media so that shared files from other computer are reachable by the media user. There exist a interesting program called lshell. But does it become too complicated to use that as a login shell for the user? I'd like to use it since the configuration looks plain simple.

Suggestions? Experiences? Your methods?
_________________
..: Zucca :..
This space is not for rent.
Back to top
View user's profile Send private message
FlorianSchmidt
Tux's lil' helper
Tux's lil' helper


Joined: 20 May 2008
Posts: 77
Location: Germany

PostPosted: Sun Sep 24, 2017 7:27 pm    Post subject: Reply with quote

Hi Zucca,

I just stumbled accross your post, although it is a few days old already.

Have you thought about ACLs?
something like
Code:

setfacl -R -m d:u:media:--- /
setfacl -R -m u:media:--- /

And then re-enable whatever is needed? (like it's homedir :-) )

Setting an alternative shell as the login shell for the user is not that complicated, keeping him from changing the shell could be, but if lshell can restrict the user from that, I'd try it out.

br
Florian
_________________
-bash: :wq: command not found
Back to top
View user's profile Send private message
FlorianSchmidt
Tux's lil' helper
Tux's lil' helper


Joined: 20 May 2008
Posts: 77
Location: Germany

PostPosted: Sun Sep 24, 2017 8:06 pm    Post subject: Reply with quote

I was curious about lshell and tested it out.

I took it from here: https://github.com/ghantoos/lshell
build it on a test machine and configured it as the login shell for "testy"

Code:

florian@flos-delle ~ $ ssh testy@build.home
testy@build.home's password:
You are in a limited shell.
Type '?' or 'help' to get the list of allowed commands
testy:~$ pwd
*** forbidden command: pwd
testy:~$ help
cd  clear  echo  exit  help  history  ll  lpath  ls  lsudo
testy:~$ ls
testy:~$ lsudo
No sudo commands allowed
testy:~$


looks quite restricted already, getting it to work with xfce might be tricky, but looks possible

br
Florian
_________________
-bash: :wq: command not found
Back to top
View user's profile Send private message
Zucca
l33t
l33t


Joined: 14 Jun 2007
Posts: 921
Location: KUUSANKOSKI, Finland

PostPosted: Sun Sep 24, 2017 8:11 pm    Post subject: Reply with quote

Thanks for your reply!
I'll think I'll set openbox+lshell environment for the media user. And maybe even move it's home directory to (small) tmpfs.
_________________
..: Zucca :..
This space is not for rent.
Back to top
View user's profile Send private message
Syl20
Guru
Guru


Joined: 04 Aug 2005
Posts: 500
Location: France

PostPosted: Mon Sep 25, 2017 9:35 am    Post subject: Reply with quote

Perhaps rbash can help ? With a minimal PATH (just one directory containing symlinks to the commands you want to allow, for example), the user has a very limited access to the system. But I don't know how to use that with a graphical session...
Back to top
View user's profile Send private message
The Doctor
Moderator
Moderator


Joined: 27 Jul 2010
Posts: 2316

PostPosted: Mon Sep 25, 2017 8:29 pm    Post subject: Reply with quote

The real question is how much of a jail do you really need? An unprivileged user seems to fit the need. It can't go outside of its group so other user's data is safe.

You can do the halt thing with a bash script and use sudo to only allow the user to use the script. All you need to do is figure out how to detect when you conditions are met.
_________________
First things first, but not necessarily in that order.
Back to top
View user's profile Send private message
Display posts from previous:   
Reply to topic    Gentoo Forums Forum Index Networking & Security All times are GMT
Page 1 of 1

 
Jump to:  
You cannot post new topics in this forum
You cannot reply to topics in this forum
You cannot edit your posts in this forum
You cannot delete your posts in this forum
You cannot vote in polls in this forum