I asked this question on stack overflow, but I thought it might be more appropriate here on serverfault, because it has to do with system administration and security.
I am looking to prototype a webservice, without having to deal with HTTP and other web headaches, so that users can login and use a simple program that only interacts through stdin and stdout.
After some research, I realized, this is what a "shell" does(ie it provides user interaction with a system through stdin and stdout), so I decided that creating a specific user and setting their shell to my program, I can easily prototype this kind of "webservice", even potentially allowing many users different users to authenticate inside of the program itself, and all use the same ssh user.
My question is, is setting a user's shell to my custom program, and not calling any other scripts or programs from within that program, is that sufficient to limit access to the system, so that users couldn't directly read or write files, for example?
In order to play around with this, I wrote a custom "shell" which reads an integer n, from stdin, and outputs the nth fibonacci number. After setting that as the user's shell, it appears that sftp and running custom commands over ssh does not work, but I do not know enough about ssh or telnet to be confident there isn't some other way for users to escalate access to the system.
As an example, here is my custom "fibonacci shell" program:
#include <stdio.h>
long fibonacci(int n){
long a = 0;
long b = 1;
for(int i=0; i<n; ++i){
if(i%2) a += b;
else b += a;
if(a<0 || b<0) return -1;
}
return (long[]){a, b}[n%2];
}
int main(int argc, char * argv[]){
char line[1024];
int x;
printf("Welcome to the fibonacci shell.\n");
printf("Type an integer n, and I will tell you the nth fibonacci number.\n");
while(1){
printf("> ");
if(fgets(line, sizeof line, stdin) <= 0) break;
int result = sscanf(line, "%d", &x);
if(result <= 0){
printf("fibshell: Please type a number.\n"); }
else{
printf("fib(%d) = %ld\n", x, fibonacci(x)); }
}
return 0;
}
Due to other security concerns, I will not be writing my prototype in c, but I was hoping to get some insight on this.
I have done some research into the ssh "ForceCommand" setting, but that doesn't seem appropriate here, as it appears it invokes a command using the user's configured shell.
Is setting a user's shell to a simple program that doesn't invoke other commands, sufficient to limit access to other facilities like sftp, etc? Would it be possible to even securely do this at scale, to say hundreds or thousands of users, with maybe up to 5-10 simultaneous users accessing this program with the same ssh login?
I know that telnet services aren't very common, but I have seen them in a couple different contexts. I found an online telnet service for playing chess, and a manufacturing company I worked at briefly used a telnet service internally for reporting on order status. How are "telnet services" or "ssh services" typically written? Is writing a custom shell for a user, and otherwise limiting the user's permissions and system access, typically how this is done?
Edit: I should mention I am using a linux system, in this case manjaro(ie arch), but I would like to know in general for openssh and unix systems, whether there are ways to get around the user's shell settings and run other commands or programs directly.
