Shell
- Thread starter Sco
- Start date
nobaloney
NoBaloney Internet Svcs - In Memoriam †
The only way you could do it would be if you could do it within the shell. I don't know if anyone's written shells to replace the ubiquotous bash, or to patch it.
Jeff
Jeff
Hello,
On another forum i was told to do this.
1) chmod his own directory (/home/USER)so he will not be able to read others data, 711 is good .
2) You can give specific ip access to ssh :
Add to /etc/hosts.allow
sshd: 11.111.111.111 (Ip for the person or 111.111.*.* if you want to open it for a range )
Add to /etc/hosts.deny :
sshd: ALL
3) Limit binaries , for example chmod the important commands to root only , I.E: chmod 700 /bin/uname and so on.
On another forum i was told to do this.
1) chmod his own directory (/home/USER)so he will not be able to read others data, 711 is good .
2) You can give specific ip access to ssh :
Add to /etc/hosts.allow
sshd: 11.111.111.111 (Ip for the person or 111.111.*.* if you want to open it for a range )
Add to /etc/hosts.deny :
sshd: ALL
3) Limit binaries , for example chmod the important commands to root only , I.E: chmod 700 /bin/uname and so on.
nobaloney
NoBaloney Internet Svcs - In Memoriam †
chmodding his directory will prevent others from seeing his directory; it won't prevent him from seeing others' directories.
And chmodding it to 711 will still allow others to enter his directory, so I don't see the point.
Allowing only your users' IP# to /hosts/allow and blocking everything else in /hosts/deny will effectively limit everyone else, includuing you, from using ssh.
I don't recommend this because then if you have to change IP#s (perhaps you don't have a static IP#, or your static IP# changes because your DSL provider just decides to change it (it happened to me), or you have to get into your server from any other location besides your home or office, you can't use ssh again until you visit the server to change it from a local login.
While you can limit certain programs to not run from anyone except root, there are a lot of important ones you don't want to do that to, and of course you can't do a thing about the commands built in to bash.
Jeff
And chmodding it to 711 will still allow others to enter his directory, so I don't see the point.
Allowing only your users' IP# to /hosts/allow and blocking everything else in /hosts/deny will effectively limit everyone else, includuing you, from using ssh.
I don't recommend this because then if you have to change IP#s (perhaps you don't have a static IP#, or your static IP# changes because your DSL provider just decides to change it (it happened to me), or you have to get into your server from any other location besides your home or office, you can't use ssh again until you visit the server to change it from a local login.
While you can limit certain programs to not run from anyone except root, there are a lot of important ones you don't want to do that to, and of course you can't do a thing about the commands built in to bash.
Jeff
MadDancer
Verified User
On a related note, I have wondered about this...
I do NOT allow shell access to our DA machine because of the (perceived) security risks... If someone has shell access, I am assuming they can wander around the box aimlessly, looking at anything that's 755'd anywhere on any partition. Am I incorrect in assuming this?
If I check "allow SSH" in DA, and allow DA to do all the user administration, DA isn't smart enough to "jail" the user to their home directory alone, is it?
The damage that could be done by someone able to dig into the bowels of the system looking around is admittedly minimal when they don't have root access, but I don't want them poking around where they don't belong. I'd probably be OK with allowing shell access if they were jailed to their home directory only.
Any thoughts on this?
I do NOT allow shell access to our DA machine because of the (perceived) security risks... If someone has shell access, I am assuming they can wander around the box aimlessly, looking at anything that's 755'd anywhere on any partition. Am I incorrect in assuming this?
If I check "allow SSH" in DA, and allow DA to do all the user administration, DA isn't smart enough to "jail" the user to their home directory alone, is it?
The damage that could be done by someone able to dig into the bowels of the system looking around is admittedly minimal when they don't have root access, but I don't want them poking around where they don't belong. I'd probably be OK with allowing shell access if they were jailed to their home directory only.
Any thoughts on this?
nobaloney
NoBaloney Internet Svcs - In Memoriam †
As long as the files are in a directory with world-executable permissions and world read permissions you are absolutely correct. The same is true for SCP; anyone with SSH access can download any such files.MadDancer said:
Including /etc/passwd, with a complete list of all login users on the server (though not their passwords in a properly configured system.
Let's say it a bit differently.
Let's say that ssh isn't smart enough to jail anyone to their home directories. In fact, if it were, then it couldn't be useful, as it wouldn't allow any commands to run (not even bash), because there wouldn't be a path to them.
Not to mention that anyone with shell access and a bit of malice in their heart can search to their heart's content for any local vulnerabiities.
Eventually SELINUX will mature, and DA will have the changes made to work with it, and we'll be able to use it for a much more fine-grained control.
But I don't think that's going to happen this week.
Jeff
MadDancer
Verified User
Thanks, as always, Jeff. A prompt response that addressed my question perfectly. 