[TriLUG] Limited Access User Account

Jon Carnes jonc at nc.rr.com
Fri Sep 16 16:34:07 EDT 2005


Looking at some of the examples it seems like the setup is for a user to
do system maintenance/administration on a system without compromising the
security of user files/accounts (Paranoid Pointy-Haired Bosses don't
like the fact that a sysadmin can read their all too valuable files).

Is this the problem you are trying to solve?

Have you looked at using something like Webmin to admin the servers in
question?  You can severely limit root access and only have normal
Admins use web-based tools for monitoring/maintaining the services.

Just wondering if a different approach might not be more profitable.

Jon Carnes
  
On Fri, 2005-09-16 at 15:03, Aaron S. Joyner wrote:
> Ian Kilgore wrote:
> 
> > -----BEGIN PGP SIGNED MESSAGE-----
> > Hash: SHA1
> >
> > Dhruv Gami wrote:
> > | Hello Everyone,
> > |
> > | I am trying to set up an account for a user, who is to be given limited
> > | access. For example, this user should be able to run things like reboot,
> > | useradd, ifconfig, tail, emacs (or vi) ... essentially a list of
> > | programs that I specify, and only those programs.
> > |
> >
> > Whups. Be *very* careful with restricted shells. Many programs allow
> > the user to execute external programs (editors like vi and emacs, for
> > example)[1]. There are many different ways to get around a restricted
> > shell, or sudo. If you absolutely have to do this, spend lots of time
> > making sure it really is restricted...
> 
> As Ian alluded to, this is either relatively easy or *really* hard to do 
> well, depending on what the user requires access to. My best suggestion, 
> if possible, would be:
> Start by compiling a list of things the user should be able to do.
> Try and limit that list down, and use rbash (or any restricted shell) 
> and set up a closed down path and closed down set of binaries they have 
> access to.
> Of course, as mentioned, be very careful with powerful editors, scripts, 
> especially scripts you wrote, or scripts you can't read and fully 
> understand in less than 5 mins. And if that script takes arguments, 
> question whether you really understand everything that's possible with 
> shell arguments (I know I don't, but I know enough to break most arg 
> parsing :) ).
> Then, once you've got it set up, get a few trusted testers to try and 
> break out of the restricted environment. You might solicit TriLUG for 
> this, or someone internal to your company (if this is for work 
> purposes). If you need assistance, I'll be glad to spend 5 mins or so 
> trying to break out, and I'm sure you could find a couple volunteers on 
> #trilug. Try of course to get people more knowledgeable than yourself, 
> or particularly people with a security background, but in general the 
> more people that look at it the more likely you are to find someone who 
> knows of "that one last thing" that everyone overlooks (which is always 
> different, of course).
> 
> Best of luck,
> Aaron S. Joyner
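
As an added example (not part of the original thread), here is a small audit of the directory a restricted shell's PATH points at, flagging the concerns raised above: programs such as vi and emacs that can run other programs, harmless-looking names that are symlinks to them, and scripts that need a read-through. The list of program names, the function names and all paths are assumptions, and the demo runs on constructed files only.

```shell
#!/bin/sh
# Added example (not from the thread): audit the directory a restricted
# user's PATH points at. ESCAPE_CAPABLE is an assumed, non-exhaustive list
# of programs that can run other commands; extend it for your allowlist.
ESCAPE_CAPABLE="vi vim view ex ed emacs nano less more man awk find env
perl python python3 ruby sh bash dash ksh zsh csh tcsh ftp gdb"

# Print one finding per line for directory $1; print nothing if it is clean.
audit_restricted_bin() {
    dir=$1
    # World-writable directory: the user could drop in their own programs.
    if [ -n "$(find "$dir" -maxdepth 0 -perm -0002 2>/dev/null)" ]; then
        echo "WRITABLE-DIR $dir"
    fi
    for entry in "$dir"/*; do
        [ -e "$entry" ] || continue
        name=$(basename "$entry")
        # Resolve symlinks: a link named "edit" may still point at vi.
        target=$(readlink -f "$entry")
        real=$(basename "$target")
        for bad in $ESCAPE_CAPABLE; do
            if [ "$real" = "$bad" ] || [ "$name" = "$bad" ]; then
                echo "ESCAPE-CAPABLE $name -> $target"
                break
            fi
        done
        # Scripts get flagged so a person reads their argument handling.
        if [ "$(head -c 2 "$target" 2>/dev/null)" = "#!" ]; then
            echo "SCRIPT $name (review argument handling)"
        fi
    done
}

# Constructed demo: fake files in a temp dir, nothing on the system is read.
demo_audit() {
    tmp=$(mktemp -d)
    mkdir "$tmp/real" "$tmp/rbin"
    printf 'fake' > "$tmp/real/vi"
    printf 'fake' > "$tmp/real/tail"
    printf '#!/bin/sh\necho "$@"\n' > "$tmp/rbin/rotate-logs"
    ln -s "$tmp/real/vi" "$tmp/rbin/edit"
    ln -s "$tmp/real/tail" "$tmp/rbin/tail"
    audit_restricted_bin "$tmp/rbin"
    rm -rf "$tmp"
}
demo_audit
```

A clean result only means nothing on the assumed list was found; it does not replace having people try to break out of the environment.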



