How to grant limited access to your server

It isn’t always easy to offer services to other people in the IT field – especially if you want to be sure to limit their access to their files and folders to ensure they cannot break things. To do that, we use rssh, the restricted shell. First of all, let’s start with the installation procedure, which is a simple emerge:

emerge -av rssh

That’s the easy part of the installation and we can turn to some coffee and finally to the configuration file which lives in /etc/rssh.conf. Here’s a pretty default configuration:

# This is the default rssh config file

# set the log facility. “LOG_USER” and “user” are equivalent.
logfacility = LOG_USER

# Leave these all commented out to make the default action for rssh to lock
# users out completely…

allowscp
allowsftp
#allowcvs
#allowrdist
#allowrsync

# set the default umask
umask = 022

# If you want to chroot users, use this to set the directory where the root of
# the chroot jail will be located.
#
# if you DO NOT want to chroot users, LEAVE THIS COMMENTED OUT.
# chrootpath = /home

# You can quote anywhere, but quotes not required unless the path contains a
# space… as in this example.
#chrootpath = “/usr/local/my chroot”

##########################################
# EXAMPLES of configuring per-user options

#user=rudy:077:00010: # the path can simply be left out to not chroot
#user=rudy:077:00010 # the ending colon is optional

#user=rudy:011:00100: # cvs, with no chroot
#user=rudy:011:01000: # rdist, with no chroot
#user=rudy:011:10000: # rsync, with no chroot
#user=”rudy:011:00001:/usr/local/chroot” # whole user string can be quoted
#user=rudy:01″1:00001:/usr/local/chroot” # or somewhere in the middle, freak!
#user=rudy:’011:00001:/usr/local/chroot’ # single quotes too

# if your chroot_path contains spaces, it must be quoted…
# In the following examples, the chroot_path is “/usr/local/my chroot”
#user=rudy:011:00001:”/usr/local/my chroot” # scp with chroot
#user=rudy:011:00010:”/usr/local/my chroot” # sftp with chroot
#user=rudy:011:00011:”/usr/local/my chroot” # both with chroot

# Spaces before or after the ‘=’ are fine, but spaces in chrootpath need
# quotes.
#user = “rudy:011:00001:/usr/local/my chroot”
#user = “rudy:011:00001:/usr/local/my chroot” # neither do comments at line end

If you don’t want to do any funky chrooting, you just need to register rssh in /etc/shells and assign them to a user.

BIG FAT WARNING: NEVER use rssh for the root user as you are locking yourself out of the system!

If you are a little more adventurous or paranoid, feel free to read on – we chroot the users now. As I tend to keep all of my users in /home, I do chroot them to there too, to make it simple for me. To do that, we adapt the chrootpath in our rssh.conf file:

umask = 022
chrootpath=”/home”

Now think back on installing packages. Right! Packages have dependencies to run. So we need to collect them and get them inside the chroot:

cd /home
mkdir -p usr/bin
cp /usr/bin/scp usr/bin
cp /usr/bin/rssh usr/bin
mkdir -p usr/libexec
cp /usr/libexec/rssh_chroot_helper usr/libexec
mkdir -p usr/lib/misc
cp /usr/lib/misc/sftp-server usr/lib/misc

To keep SCP happy, we need to check its dependencies too. I used ldd to do so:

ldd /usr/bin/scp 
        libutil.so.1 => /lib/libutil.so.1 (0x4001c000) 
        libz.so.1 => /usr/lib/libz.so.1 (0x4001f000) 
        libnsl.so.1 => /lib/libnsl.so.1 (0x4002d000) 
        libcrypto.so.0.9.6 => /usr/lib/libcrypto.so.0.9.6 (0x40042000) 
        libc.so.6 => /lib/libc.so.6 (0x40106000) 
        libdl.so.2 => /lib/libdl.so.2 (0x40235000) 
        /lib/ld-linux.so.2 => /lib/ld-linux.so.2 (0x40000000)

In theory we could just symlink the libraries into the chroot – but believe me, this is a bad idea as it enables the users we locked in to mess around with the libraries which would make the whole chroot obsolete.

cd /home
mkdir lib
cp /lib/libutil.so.1 lib
cp /lib/libnsl.so.1 lib
cp /lib/libc.so.6 lib
cp /lib/libdl.so.2 lib
cp /lib/ld-linux.so.2 lib
mkdir -p usr/lib
cp /usr/lib/libz.so.1 usr/lib
cp /usr/lib/libcrypto.so.0.9.6 usr/lib

Now you can do the same thing for the other files like rssh, rssh_chroot_helper, the sftp_server and whatever you would like to offer in the chroot. Finally we may assign the shell to our first testuser, the victim: usermod -s /usr/bin/rssh testuser

Testing it:

sftp testuser@example.com
Connecting to example.com…
testuser@example.com’s password:
sftp> ls
.
..
.bash_profile
.bashrc
sftp> pwd
Remote working directory: /testuser
sftp> exit

Remember that we denied ssh?

ssh testuser@example.com
testuser@example.com’s password:

This account is restricted to scp or sftp.

If you believe this is in error, please contact your system administrator.

Connection to example.com closed.

… and there he goes. A slight word of warning in the end: If you update the sshd or its dependencies, don’t forget to update the chroot as it would still run on old libraries.

Author:

Leave a Reply

Your email address will not be published. Required fields are marked *

Notify me of followup comments via e-mail. You can also subscribe without commenting.