Zucca Moderator
Joined: 14 Jun 2007 Posts: 3339 Location: Rasi, Finland
|
Posted: Wed Sep 13, 2017 11:52 am Post subject: Jailing a certain user |
|
|
I'd want to create a quite restricted user account. The purpose of this user is for media consuming. Pictures, videos, music (via mpd and locally also) and some simple games (emulators mainly).
For starters this user, called media, will be created on my Raspberry Pi 3 system (later on my server too). I've actually created that user already along with the group bearing the same name. I've also added it to the list of DenyUsers in /etc/ssh/sshd_config. The user will not have a password so it's usable by anyone who uses the computer locally.
I have planned to use a very stripped-down xfce (maybe only the window manager from it) or Openbox (more suitable suggestions are welcome) with wbar (https://www.linux.com/var/uploads/Image/articles/128892-1(1).png) for launching programs/actions. The media user should not be able to reboot or poweroff the machine if there's an ssh, tmux or screen session open by another user. But that's after I have managed to create an otherwise proper jail for the media user. So I'll concentrate on jailing first.
What method should I use to jail (chroot maybe) a user? I can create bind mounts inside the /home/media so that shared files from other computer are reachable by the media user. There exists an interesting program called lshell. But does it become too complicated to use that as a login shell for the user? I'd like to use it since the configuration looks plain simple.
Suggestions? Experiences? Your methods? _________________ ..: Zucca :..
Gentoo IRC channels reside on Libera.Chat.
--
Quote: | I am NaN! I am a man! |
|
FlorianSchmidt Tux's lil' helper
Joined: 20 May 2008 Posts: 77 Location: Germany
|
Posted: Sun Sep 24, 2017 7:27 pm Post subject: |
|
|
Hi Zucca,
I just stumbled across your post, although it is a few days old already.
Have you thought about ACLs?
something like
Code: |
setfacl -R -m d:u:media:--- /
setfacl -R -m u:media:--- /
|
And then re-enable whatever is needed? (like its homedir :-) )
Setting an alternative shell as the login shell for the user is not that complicated, keeping him from changing the shell could be, but if lshell can restrict the user from that, I'd try it out.
br
Florian _________________ -bash: :wq: command not found |
|
FlorianSchmidt Tux's lil' helper
Joined: 20 May 2008 Posts: 77 Location: Germany
|
Posted: Sun Sep 24, 2017 8:06 pm Post subject: |
|
|
I was curious about lshell and tested it out.
I took it from here: https://github.com/ghantoos/lshell
built it on a test machine and configured it as the login shell for "testy"
Code: |
florian@flos-delle ~ $ ssh testy@build.home
testy@build.home's password:
You are in a limited shell.
Type '?' or 'help' to get the list of allowed commands
testy:~$ pwd
*** forbidden command: pwd
testy:~$ help
cd clear echo exit help history ll lpath ls lsudo
testy:~$ ls
testy:~$ lsudo
No sudo commands allowed
testy:~$
|
looks quite restricted already, getting it to work with xfce might be tricky, but looks possible
br
Florian
|
Zucca Moderator
Joined: 14 Jun 2007 Posts: 3339 Location: Rasi, Finland
|
Posted: Sun Sep 24, 2017 8:11 pm Post subject: |
|
|
Thanks for your reply!
I think I'll set up an openbox+lshell environment for the media user. And maybe even move its home directory to a (small) tmpfs.
|
Syl20 l33t
Joined: 04 Aug 2005 Posts: 619 Location: France
|
Posted: Mon Sep 25, 2017 9:35 am Post subject: |
|
|
Perhaps rbash can help? With a minimal PATH (just one directory containing symlinks to the commands you want to allow, for example), the user has very limited access to the system. But I don't know how to use that with a graphical session...
|
The Doctor Moderator
Joined: 27 Jul 2010 Posts: 2678
|
Posted: Mon Sep 25, 2017 8:29 pm Post subject: |
|
|
The real question is how much of a jail do you really need? An unprivileged user seems to fit the need. It can't go outside of its group so other users' data is safe.
You can do the halt thing with a bash script and use sudo to only allow the user to use the script. All you need to do is figure out how to detect when your conditions are met. _________________ First things first, but not necessarily in that order.
Apologies if I take a while to respond. I'm currently working on the dematerialization circuit for my blue box. |
|
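The sudo-guarded halt script suggested in the last post, for the condition from the first post (no reboot or poweroff while another user has an ssh, tmux or screen session), could look like the following. This is an added example, not code from any poster in the thread; the script path, the sudoers line and the sample data are assumptions, and it treats every login listed by `who` plus every tmux or screen process owned by someone other than media as a blocking session.

```shell
#!/bin/sh
# Added example, not from the thread. Assumed (hypothetical) install path:
#   /usr/local/sbin/media-poweroff   (root-owned, not writable by media)
# Assumed sudoers line so media can run this script and nothing else:
#   media ALL=(root) NOPASSWD: /usr/local/sbin/media-poweroff --now
# Run it through sudo with env_reset/secure_path so PATH is not the caller's.
KIOSK_USER="media"

# blocking_users WHO_TEXT PS_TEXT
#   WHO_TEXT: output of `who` (local and ssh logins, user in column 1)
#   PS_TEXT:  output of `ps -eo user=,comm=` (owner and process name)
# Prints every user other than $KIOSK_USER who has a login session or owns
# a tmux/screen process (those keep running after the ssh login has ended).
# Assumption: the processes are named "tmux: server" and "screen" on Linux.
blocking_users() {
    {
        printf '%s\n' "$1" | awk 'NF { print $1 }'
        printf '%s\n' "$2" | awk '$2 ~ /^(tmux|screen)/ { print $1 }'
    } | awk -v me="$KIOSK_USER" '$1 != me' | sort -u
}

# may_poweroff WHO_TEXT PS_TEXT: succeeds only when nobody else is active.
may_poweroff() {
    [ -z "$(blocking_users "$1" "$2")" ]
}

# guarded_poweroff: what the launcher button calls through sudo.
guarded_poweroff() {
    who_now=$(who)
    ps_now=$(ps -eo user=,comm=)
    if may_poweroff "$who_now" "$ps_now"; then
        exec poweroff
    fi
    echo "Refusing to power off, other users are active:" >&2
    blocking_users "$who_now" "$ps_now" >&2
    return 1
}

# Constructed sample data: zucca is logged in over ssh and owns a tmux server.
SAMPLE_WHO='media    tty1    2017-09-25 18:02
zucca    pts/0   2017-09-25 18:10 (192.168.1.20)'
SAMPLE_PS='root sshd
media openbox
zucca tmux: server'

case "${1:-}" in
    --now)  guarded_poweroff ;;
    --demo) blocking_users "$SAMPLE_WHO" "$SAMPLE_PS" ;;   # prints: zucca
esac
```

Because the sudoers rule names only this one script, the media account gains no other root command, and the check runs as root where media cannot alter it.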