How do I secure screen for use with a menu script?


I'm launching screen with the following command, inside a shell script that is set as a user's shell to keep them from escaping.

screen -dRRq -S ${USER}_MC -s $HOME/runthis.sh

Is there a way to secure screen, to keep the user from being able to even use the escape sequence, or at worst, prevent them from running commands like exec?

Edit: It's not that the user should have access to an actual command-prompt shell. I only want them to be able to run a single program that runs persistently, and as far as I know screen is the easiest way to do that. However, getting out of this is as easy as C-a : exec bash.

Right now I've just unbound most of the keys using .screenrc (especially colon), I just want to make sure I'm not missing something easier.

Jess

Posted 2010-12-10T02:51:21.767


If the users must not run programs, why is it they need the shell? There is always a way around the shell exec. You could try to trap them on a noexec filesystem. – matthias krull – 2010-12-10T07:33:53.770

@mugen I don't want them to have a command prompt, I'm just setting the "shell" to my script so it runs on login. Being noexec would prevent them from starting the target application. – Jess – 2010-12-10T14:38:08.893

Answers


If you do want to run screen, you could run the application as some other user (let's call her Alice) and allow the restricted user (let's call him Bob) to attach to the screen session. (I don't know if it's possible to do this with a single user.) Use the ACL feature of screen to limit what Bob can do. You would put something like the following in .screenrc (warning, do check the documentation and test the security, I may have omitted an important step):

multiuser on
aclchg bob -w-x #,?
aclchg bob +x copy,detach,help
exec $HOME/runthis.sh

If you don't necessarily want to run screen, you can go through a restricted shell (yes, even though you're not interested in giving them shell access). You would give the users the possibility to run the application, nohup, and perhaps a way to see log files if that's relevant. A restricted shell you can use is rbash (man rbash locally will show you the relevant portion of the bash man page). You might also consider rssh (Ubuntu package rssh).

Gilles 'SO- stop being evil'

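The two-user layout the answer above describes, written out as a script that generates Alice's .screenrc and Bob's login-shell wrapper. This is an added example, not code from the answer or from the screen project; the user names alice and bob, the session name mc, the path /home/alice/runthis.sh and the helper names are assumptions for illustration. Two caveats to verify on your own system: screen's multiuser mode requires the screen binary to be setuid root, and the ACL only restricts what Bob can type at screen itself, so the attached program must not offer its own way to spawn a shell.

```shell
#!/bin/sh
# Added example (not from the original answer): generate the two files for
# the setup where Alice owns the screen session and runs the program, and
# Bob's login shell is a wrapper that can only attach to that session under
# the ACL Alice grants. Names, paths and the session name "mc" are assumed.

SESSION="${SESSION:-mc}"
ALICE="${ALICE:-alice}"
BOB="${BOB:-bob}"
APP="${APP:-/home/alice/runthis.sh}"

# Alice's .screenrc. ACL permission letters: r = read a window,
# w = write keystrokes into it, x = execute a screen command.
# "#" means every window and "?" means every command. Bob first loses
# w and x everywhere, then gets back exactly what he needs: typing into
# window 0 (the program) plus the detach and help commands. With x gone
# from "colon", C-a : answers "permission denied" instead of running
# "exec bash".
write_alice_screenrc() {
    cat > "$1" <<EOF
multiuser on
acladd ${BOB}
aclchg ${BOB} -wx "#,?"
aclchg ${BOB} +w 0
aclchg ${BOB} +x detach,help
screen -t app 0 ${APP}
EOF
}

# Bob's login shell (set it in /etc/passwd; it must be listed in
# /etc/shells for login to accept it). It only ever attaches to Alice's
# session, so there is no prompt to escape from. "user/session" is screen's
# syntax for another user's session, -x attaches in multi-display mode.
write_bob_shell() {
    cat > "$1" <<EOF
#!/bin/sh
# Attach to ${ALICE}'s session "${SESSION}" in multiuser mode.
exec /usr/bin/screen -x ${ALICE}/${SESSION}
EOF
    chmod 755 "$1"
}

# Command Alice (or a boot script running as Alice) uses to start the
# session detached with the generated .screenrc.
alice_start_command() {
    echo "screen -dmS ${SESSION} -c $1"
}

# Sanity check for a generated .screenrc: multiuser mode must be on, Bob
# must have been added, and he must have lost x on all commands, otherwise
# the colon prompt is still reachable. Returns 0 when all three hold.
check_screenrc() {
    grep -q '^multiuser on$' "$1" &&
    grep -q "^acladd ${BOB}\$" "$1" &&
    grep -q "^aclchg ${BOB} -wx \"#,?\"\$" "$1"
}
```

Run write_alice_screenrc into Alice's home, write_bob_shell to a system path such as /usr/local/bin/bob-shell, then start the session with the command alice_start_command prints. Keep Bob's +w limited to the program's window: granting w on "#" would let him type into any window Alice later opens.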


If I got your question right, try using Iron Bars Shell; it basically denies everything.

"Iron Bars Shell (ibsh) is a free, open-source restricted system shell for Linux and Unix. It is small, secure, and is based on a whole new perspective: DENY EVERYTHING!! If something is needed, allow it."

if you want to enable something/anything for a certain user(s) at some point, you will be able to do so...

pootzko


See edit to the question. I'm not interested in giving the user a command prompt. – Jess – 2010-12-10T14:36:42.360