You can also accomplish it via rbash? This too restricts them
from using specific commands.
From: address@hidden [mailto:address@hidden] On Behalf Of Luiz Casey
Sent: Thursday, November 19, 2009 8:35 AM
To: 'address@hidden'
Subject: RE: [Jailkit-users] Jailkit questions
There are several commands that are invoked within “bash” such
as “cd, ls, kill”. I too was trying to accomplish something along the lines you
are trying to do. Have a ssh only shell where the only command they can run is
ssh. There are a couple of road bumps to do so. First is the one you ran into. I
tried to resolve this by having “enable -n kill, enable -n cd” etc. in
.bashrc. The second you will notice is that even if you do that they can still
scp their own .bashrc file. To fix this what I did was to remove “write”
access to the home directory. Then you start to think well it would be nice to
have some location for them to actually transfer files to. So what I did was, I
created an “upload” directory. Thus they have write access to scp what they
want to that directory. After doing all that you should get a basic ssh only
shell. The second issue you will come across is that they should be able to
view what is in their “upload” directory. So you will have to enable “ls”. By
doing so you now gave them access to “ls” anything they want if they know the
path, i.e. “ls /etc”; from there they can still scp files within “etc”. The third
issue is they can still “sftp” to the system and have full access to roam the
jailed environment. This is where I am at right now. The only solution I can
come up with is if they need to transfer files to/from the box they will need
to use a sftp only account using openssh chroot option. Using that they are
restricted to their home directory or whatever directory you set. Somehow allow
ssh access but deny sftp for only specific users.
Not sure if this helped or gave some insights or not. There might
be a better way to do all this and I am open to suggestions.
From: address@hidden [mailto:address@hidden] On Behalf Of Jon Gullidge
Sent: Thursday, November 19, 2009 3:52 AM
To: address@hidden
Subject: RE: [Jailkit-users] Jailkit questions
Hi Anson,
Look inside {jail}/bin, {jail}/usr/bin, in your case I think {jail} is
/home/jail, so:
/home/jail/bin
/home/jail/usr/bin
Remove anything from in there you do not want. This should work fine as the
jail initialises outside of the jail so shouldn't be using any commands from
within the jail :)
HTH
> From: address@hidden
> To: address@hidden
> Date: Thu, 19 Nov 2009 13:16:31 +0800
> Subject: [Jailkit-users] Jailkit questions
>
> Hello Oliver,
>
> A thank you for this great piece of code.
> I do have one question however.
>
> I have set up the jail using the following:
>
> mkdir /home/jail
> chown root:root /home/jail
>
> MODIFIED jk_init.ini like so -
>
> ---------------------------------------------------------------------------
> [basicshell]
> comment = bash based shell with several basic utilities
> paths = /bin/sh, /bin/bash, /bin/false, /etc/motd, /etc/issue,
> /etc/bash.bashrc, /etc/bashrc, /etc/profile, /usr/lib/locale/en_US.utf8
> users = root
> groups = root
> includesections = netbasics, uidbasics
>
> ---------------------------------------------------------------------------
>
>
> jk_init -v -j /home/jail basicshell
> jk_jailuser -m -j /home/jail example
>
> /home/jail/etc/passwd looks like this:
> sample:x:1000:1000::/home/sample:/bin/bash
>
> Well it works... mostly!
> Most attempts to do anything end up with a "bad command etc etc..."
>
> However, "cd" "pwd" "kill" etc still work...
> I'm guessing it's because they are tied in to the core bash shell functions
> somehow.
> Is there any way to disable all these and any other "core" functions that
> don't have to exist in /bin/bash?
>
> I'm guessing one way to go around it would be to create a .bashrc that would
> create aliases with the same command names to "divert" the real function?
> Like a "kill" alias that would actually do nothing. Have not tried it yet
> but was hoping for something better from you.
> I'm sure I missed something as I've only been using Linux for about 2 months
> but have set up a VPS for a few friends (who need port forwarding SSH but
> don't need to do anything inside the VPS)
>
> Thanks again for your great code and season's greetings in advance to your
> family!
> Anson
>
>
>
> _______________________________________________
> Jailkit-users mailing list
> address@hidden
> http://lists.nongnu.org/mailman/listinfo/jailkit-users
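
An added example, not part of any message in this thread: a POSIX shell audit of the home-directory layout Luiz describes (home not writable by the user, startup files such as .bashrc not replaceable, an "upload" directory present). It assumes jailed homes live under JAILROOT/home/<user> and that locked paths are owned by root (uid 0) unless another uid is passed; the function names are hypothetical.

```shell
#!/bin/sh
# Added example (not from the thread): audit jailed home directories.
# Assumption: homes live under JAILROOT/home/<user>; function names are made up.

# True if TARGET itself (no descent) satisfies one find(1) test.
matches() { [ -n "$(find "$1" -prune "$2" "$3" 2>/dev/null)" ]; }

# Print a finding and return 1 unless TARGET is owned by OWNER and is
# neither group- nor world-writable.
check_locked() {
    target=$1 owner=$2 bad=0
    matches "$target" -user "$owner" || { echo "$target: not owned by uid $owner"; bad=1; }
    matches "$target" -perm -020 && { echo "$target: group-writable"; bad=1; }
    matches "$target" -perm -002 && { echo "$target: world-writable"; bad=1; }
    return "$bad"
}

# Usage: audit_jail_homes JAILROOT [TRUSTED_UID]   (TRUSTED_UID defaults to 0)
# Returns 0 when every home is clean, 1 when anything was reported.
audit_jail_homes() {
    jail=$1 trusted=${2:-0} findings=0
    for home in "$jail"/home/*; do
        [ -d "$home" ] || continue
        # A user who can write to the home can drop in a new .bashrc.
        check_locked "$home" "$trusted" || findings=$((findings + 1))
        # Startup files that already exist must not be replaceable either.
        for f in .bashrc .bash_profile .bash_login .profile .bash_logout; do
            [ -e "$home/$f" ] || continue
            check_locked "$home/$f" "$trusted" || findings=$((findings + 1))
        done
        # The single place the user is meant to scp files into.
        [ -d "$home/upload" ] || { echo "$home/upload: missing"; findings=$((findings + 1)); }
    done
    [ "$findings" -eq 0 ]
}

# Run against the jail path used in the thread when executed directly:
# audit_jail_homes /home/jail
```

The check only reads ownership and mode bits, so it can be run as any user that can list the jail.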