2

Suppose a user can ssh to the server, execute FTP, connect to other sources, download a virus and execute it.

Is it possible to force the user to execute only some known commands?

user24912
  • It would be really helpful if you included more details about what users normally will be using this server for. What are some of the typical activities you wish to permit? – Zoredache Apr 16 '10 at 21:18

3 Answers

4

From man sshd_config:

ForceCommand

Forces the execution of the command specified by ForceCommand, ignoring any command supplied by the client and ~/.ssh/rc if present. The command is invoked by using the user's login shell with the -c option. This applies to shell, command, or subsystem execution. It is most useful inside a Match block. The command originally supplied by the client is available in the SSH_ORIGINAL_COMMAND environment variable. Specifying a command of “internal-sftp” will force the use of an in-process sftp server that requires no support files when used with ChrootDirectory.

This lets you use a shell wrapper that only lets users do specific things. One example is rssh.

If you only want this restriction for specific users, use the command=cmd option in the known_hosts file (documented in man sshd).

Javier
  • 1
    If you want to restrict ForceCommand to specific users, groups or hosts, you can also use the Match directive in sshd_config. – Marie Fischer Apr 16 '10 at 22:02
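One way to write the kind of shell wrapper this answer describes, combined with the Match block from the comment (an added example, not part of the original answer and not rssh's code). The group name `restricted`, the install path, the `--enforce` argument and the binary paths are assumptions for illustration.

```shell
#!/bin/sh
# Added example: exact-match allowlist wrapper for ForceCommand.
# Assumed sshd_config (group name and path are hypothetical):
#   Match Group restricted
#       ForceCommand /usr/local/bin/ssh-allowlist --enforce

# Print the fixed command line for an allowlisted request; return 1 otherwise.
# The whole client string must match, so "uptime; sh" or "df -h /" never pass.
# Binary paths are assumptions; adjust them to the host.
allowed_target() {
    case "$1" in
        "uptime") echo "/usr/bin/uptime" ;;
        "df -h")  echo "/bin/df -h" ;;
        "whoami") echo "/usr/bin/whoami" ;;
        *)        return 1 ;;
    esac
}

# Decide on one request: prints "ALLOW <target>" or "DENY".
decide() {
    if target=$(allowed_target "$1"); then
        echo "ALLOW $target"
    else
        echo "DENY"
    fi
}

if [ "${1:-}" = "--enforce" ]; then
    # Under sshd: an interactive login leaves SSH_ORIGINAL_COMMAND unset,
    # which maps to the empty string and is denied.
    if target=$(allowed_target "${SSH_ORIGINAL_COMMAND:-}"); then
        # Unquoted on purpose: $target is a fixed string from the table above,
        # never client input.
        exec $target
    fi
    logger -t ssh-allowlist "deny user=$(id -un) cmd=${SSH_ORIGINAL_COMMAND:-<none>}"
    echo "command not permitted" >&2
    exit 1
else
    # Outside sshd: show decisions for constructed sample requests.
    for c in "uptime" "df -h" "uptime; sh" "df -h /" "" "sh"; do
        printf '%-14s %s\n' "[$c]" "$(decide "$c")"
    done
fi
```

Keep the wrapper owned by root and not writable by the restricted users, and list only programs that cannot start a sub-shell.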
0

One method, while not perfect, would be to create a separate partition for the users' home directories and any locations to which they have write access. Then simply mount those partitions noexec.

Proper setup of file-system permissions will generally be very effective to limit the damage that can be done.

If the users are not at least somewhat trusted, then perhaps it is a bad idea to give them SSH access at all. Perhaps you need to set up VMs for them and confine each to their own environment.

Zoredache
  • Perhaps you mean `noexec`? – Phil Miller Apr 16 '10 at 22:52
  • Also, this general suggestion can give a false sense of security. You'd need to lock down `/tmp` as well as any other globally writable directories, such as `/var/tmp`. This causes trouble for some package managers, which need someplace to unpack scripts that need to be run for proper configuration. – Phil Miller Apr 16 '10 at 22:54
  • Yes, noexec. The typo has been corrected. – Zoredache Apr 16 '10 at 23:17
  • RE: Sense of security, the restricted shell alternative also has problems. People aren't careful and they permit applications which are able to launch sub-shells. If you are really paranoid, you really need to combine all of the above: a restricted shell and a strong, well-audited permissions setup. – Zoredache Apr 16 '10 at 23:18
0

Maybe setting up a chroot environment for your users could help. See How can I chroot ssh connections?

Marie Fischer