
We have an environment where our users ssh into the system and their shell is set to simply launch Mutt on their $HOME/Maildir. We want to restrict our users to only be able to send/receive mail. We realize they can't run arbitrary commands since they don't have a shell prompt, but some users may be untrusted and may find some way to break out of Mutt and gain shell access through code execution. We're basically thinking of the worst-case scenario. We are aware of SELinux and guest_u accounts, but we came across a better solution. Since our users are all part of one group, say "users", we can use the following iptables rule to disable outbound packets. ping, dig, wget, etc. do not work, but mailing outbound does. This is exactly what we want, but why are the users allowed any outbound access at all through Mutt if they are prevented from using the other tools such as dig, host, ping, etc.?

Here is the rule we added:

$IPT -A OUTPUT -p all -m owner --gid-owner users -j DROP

unixpipe
  • Why do you think they have outbound access, if all they do is interact with their own Maildir and with sendmail/postfix/wev on the server? – Jenny D May 14 '14 at 08:01
  • I was under the assumption that the users are sending packets outbound but you bring up a good point in that they are merely interacting with the MTA on the server to do that – unixpipe May 14 '14 at 08:07

1 Answer


As long as the users are only using Mutt to access the local Maildir folder and to send mail using the mailserver, then they aren't communicating with the outside world.

However, Mutt does allow for running shell commands. You may want to change the default shell to e.g. rbash, or use a chrooted environment, to further limit what the users can try to do. Changing the default shell is done with

shell /local/bin/rbash

in /etc/Muttrc.

Jenny D
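The two points in this thread (Mutt only needs the network when it is told to speak SMTP/IMAP/POP itself, and its `shell` option should be pinned) are both things you can audit per Muttrc. The script below is an added example, not code from the question or the answer. It assumes Mutt's `set option=value` syntax (the answer's `shell /local/bin/rbash` line is written in shorthand), keeps the answer's `/local/bin/rbash` path, strips `#` comments naively (a `#` inside a quoted value would be treated as a comment), and the two Muttrc files it writes are constructed for the demonstration. The reason for the socket check: the `--gid-owner users -j DROP` rule in the OUTPUT chain matches loopback traffic as well, so a Muttrc that sets `smtp_url` or an `imaps://` folder, even pointing at localhost, stops working, whereas handing mail to the local sendmail binary still works because the MTA's own daemons run under their own user, not as a member of `users`.

```shell
#!/bin/sh
# Added example for this thread (not from the original question or answer).
# Audits a Muttrc for (1) settings that make Mutt open network sockets
# itself, which the "-m owner --gid-owner users -j DROP" rule blocks, and
# (2) whether "shell" is pinned as the answer suggests, instead of falling
# back to Mutt's default (the user's login shell from /etc/passwd).

# Drop comments and blank lines, one setting per line.
# Naive: any '#' is treated as the start of a comment.
muttrc_effective() {
    sed -e 's/[[:space:]]*#.*$//' -e '/^[[:space:]]*$/d' "$1"
}

# Returns 0 when the Muttrc makes Mutt talk SMTP/IMAP/POP on its own.
muttrc_opens_sockets() {
    muttrc_effective "$1" | grep -Eiq \
        '(^|[[:space:]])set[[:space:]]+(smtp_url|smtp_pass|imap_user|imap_pass|pop_host|pop_user)|(imaps?|pops?|smtps?)://'
}

# Prints the value of "set shell=..." (last one wins, quotes stripped),
# or nothing when the option is not set.
muttrc_shell_value() {
    muttrc_effective "$1" \
        | sed -n 's/^[[:space:]]*set[[:space:]]*shell[[:space:]]*=[[:space:]]*//p' \
        | tail -n 1 \
        | tr -d '"'"'"    # the argument to tr is the two characters " and '
}

# Audit one Muttrc; returns 0 when it fits the locked-down setup.
audit_muttrc() {
    rc=0
    if muttrc_opens_sockets "$1"; then
        echo "$1: Mutt would open its own SMTP/IMAP/POP sockets; the gid DROP rule blocks them (loopback included)" >&2
        rc=1
    fi
    if [ -z "$(muttrc_shell_value "$1")" ]; then
        echo "$1: 'shell' is not pinned; '!' and pipe commands fall back to the login shell from /etc/passwd" >&2
        rc=1
    fi
    return $rc
}

# Constructed sample: the intended setup (local sendmail handoff, pinned shell).
tmp=$(mktemp -d)
cat >"$tmp/locked.muttrc" <<'EOF'
# Users never talk to the network; mail is handed to the local MTA's sendmail.
set sendmail="/usr/sbin/sendmail -oem -oi"
set mbox_type=Maildir
set folder="~/Maildir"
set spoolfile="~/Maildir"
set shell="/local/bin/rbash"   # as suggested in the answer
EOF

# Constructed sample: a per-user override that breaks under the DROP rule.
cat >"$tmp/bad.muttrc" <<'EOF'
set smtp_url="smtp://localhost:587"     # loopback, but still a socket owned by gid users
set folder="imaps://mail.example.com/"
EOF

audit_muttrc "$tmp/locked.muttrc" && echo "locked.muttrc: ok"
audit_muttrc "$tmp/bad.muttrc" || echo "bad.muttrc: needs fixing"
rm -rf "$tmp"
```

Run it over `/etc/Muttrc` and every user's `~/.muttrc` (Mutt reads the user file after the system one, so a user can override `shell` or add `smtp_url` unless you point the launcher at a fixed `-F` file and make the home directory's Muttrc irrelevant); an rbash or chroot launcher, as the answer says, is what limits the damage if a user does get a prompt.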