
As a method for setting up some bare-bones systems monitoring, I have a script set up to SSH in, and run some basic shell commands, reading some files in /proc. I would like to create a specific user account for this task, and it should have the following access:

  • SSH
  • Bash
  • Read-only in /proc

Other posts have mentioned rssh or Chroot, but are these the best methods? It seems to me that there should be a way to create a user with no permissions and only add what is needed, enforcing my restrictions at the filesystem level rather than at SSH. Is this possible?

All of the systems I want to monitor right now are running Ubuntu, but I'd like to not lock myself down to any one particular distribution.

  • What are you trying to protect? Some files are world-writable. The file permissions are set by the kernel module - unless you want to change kernel code (and affect everyone) you can't change them. Also, do you want to protect /sys and sysctl? Commented Dec 1, 2013 at 3:35
  • @RichHomolka I'm not trying to protect anything in particular... just trying to limit damage potential should the credentials of the monitoring account be compromised. If something is world-writable, I'm not too concerned.
    – Brad
    Commented Dec 1, 2013 at 3:36
  • @Brad By default, any account only has user-write and group-write permissions to its home directory. Anything that's world-writable or world-readable can, of course, be accessed. There probably isn't a way of preventing that short of using a custom shell or enabling ACLs. Actually, if you set up a login 'shell' that runs a script and returns the results without taking any input, that might work. If you really want FS-level restrictions, use ACLs.
    – Bob
    Commented Dec 1, 2013 at 4:01
  • @Bob I really like your shell idea. Please post that and the rest of your clarification related to user accounts, so I can accept it as an answer. Thanks!
    – Brad
    Commented Dec 1, 2013 at 4:11
  • Just for the record - rssh is designed to only allow SCP and SFTP, not arbitrary commands in a specific directory. And if you really want to allow any command, chroot is probably the easiest way to go. But, again, I'd recommend just whitelisting specific commands.
    – Bob
    Commented Dec 1, 2013 at 6:31

2 Answers

1

Firstly, permissions. When you create a new account (with adduser on Debian-based systems, anyway - others might be slightly different), you get a new user and a new group with the same name. You also get a home directory for the user. This new user will have user and group read/write permissions on their home directory. They will also be able to access anything designated as world-readable, and modify anything that's world-writable.

As far as I know, it is not possible to specifically exclude one user or group from world-read/write permissions using the traditional POSIX permission system. You can, however, enable the more advanced ACLs (much like Windows' NTFS, if you're familiar with that), which allow you to set specific deny permissions.

An alternative method is to set up a custom login shell, using the chsh command or by modifying /etc/passwd. When they log in, this 'shell' will be executed with the user's input redirected as its standard input, and its standard output/error redirected to the terminal output. You can set this 'shell' to be any executable on the system, including (but not limited to) your own C program, bash/python/perl script, etc.

There are a few ways you could do this. You could set the login shell to be a script that simply outputs whatever data you want, and takes no input. It just outputs the data and exits, closing the SSH session. This is the most secure way, though not as flexible.

Alternatively, you could have a script take some input, and use that input to determine what to print. How you do this is up to you - if you use a bash script, you can use read along with a case statement or a series of if statements. You do have to be careful that you don't run any unsanitised commands from the user directly, though - and there are other possible security issues with taking untrusted input. For example, you might take the input processes and return the output of ps -e.

If you want, and are good with C, you could even modify bash itself to not be able to access any other directories - but it's far more secure to either not take input or to filter only specific whitelisted commands, rather than trying to restrict which directories you can access. It's also easier to write a quick shell script than to modify a complex C program.
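The whitelisting login shell described in this answer, written out as an added example (this is not code from the answer's author). It assumes the script is installed as /usr/local/bin/monitor-shell and assigned to a hypothetical `monitor` account with `chsh`; the keyword names (loadavg, meminfo, uptime, quit) are made up for the example. The input line is only ever compared against fixed `case` patterns, never evaluated, so a line like `loadavg; rm -rf /` or `$(id)` is simply rejected. Because the asker's monitoring script runs `ssh monitor@host loadavg`, sshd invokes the login shell as `monitor-shell -c loadavg`, so that form is handled alongside the interactive one-keyword-per-line loop. `PROC_ROOT` defaults to /proc and is only overridable so the dispatch can be exercised against a constructed fake directory.

```shell
#!/bin/sh
# Hypothetical restricted login shell for a read-only monitoring account.
# Install as /usr/local/bin/monitor-shell, then:  chsh -s /usr/local/bin/monitor-shell monitor
# (example code, not from the original answer; account and keyword names are assumptions)

PROC_ROOT="${PROC_ROOT:-/proc}"   # overridable only so the whitelist can be tested against a fake /proc

# Map one whole input line to the /proc file it is allowed to read.
# Returns 0 and prints the file on success, 1 for anything not on the list, 2 for quit/empty line.
# "$1" inside case is matched as a plain string against literal patterns; it is never expanded or run.
handle_command() {
    case "$1" in
        loadavg) cat "$PROC_ROOT/loadavg" ;;
        meminfo) cat "$PROC_ROOT/meminfo" ;;
        uptime)  cat "$PROC_ROOT/uptime" ;;
        quit|"") return 2 ;;
        *)       printf 'unknown command: %s\n' "$1" >&2; return 1 ;;
    esac
}

# Interactive mode: one keyword per line on stdin until quit or EOF.
# IFS= and -r keep the line verbatim (no backslash processing, no trimming); rejects are reported and ignored.
main_loop() {
    while IFS= read -r line; do
        rc=0
        handle_command "$line" || rc=$?
        [ "$rc" -eq 2 ] && break
    done
    return 0
}

# Only act as a shell when actually invoked as monitor-shell (sshd passes "-monitor-shell" for login shells).
case "$0" in
    *monitor-shell)
        if [ "$1" = "-c" ]; then      # ssh monitor@host loadavg  ->  monitor-shell -c loadavg
            handle_command "$2"
            exit $?
        fi
        main_loop                     # plain ssh monitor@host: read keywords until quit
        ;;
esac
```

Whatever runs inside the session is fixed by the script, so the damage from a leaked key is bounded by the three `cat` commands; a new metric means adding one `case` branch rather than granting the account any general shell access.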

1

To enforce read-only on /proc, you can access a read-only sshfs clone of /proc.
