Restricted Shell

From WorldGuard

Jump to: navigation, search

[edit] Overview

Created 2009, Brendan Grieve

This is a simple program that provides a very restricted set of commands to a login process. It was designed to be used when allowing a user to use SSH to communicate with a server and specifically was designed to run on my web server which hosts many different web sites. I don't like suid root executables and building a chroot is too much of a pain. This provides a good compromise without needing any privileges.

Unlike other restricted shells that are around this tries to give flexibility about what we wish to restrict and more importantly ensures that we have full control over what is actually run on a server. This is done for the most part without needing suid root or a chroot.

Specifically, this can allow the following: -

  • Restricted shell for bzr+ssh access (gives illusion that the home directory is the 'root') without the need for a chroot
  • Restricted access to sftp (even better with the suid chroot patch to sftp)
  • Restricted shell for svn+ssh access. Gives illusion that the home directory is the 'root') without the need for a chroot
  • Allow 'ssh-copy-id' to still work.

By illusion of root, one on a remote location can run: 

 bzr branch bzr+ssh://username@server.com/bzr/myproject

Instead of this more messy: 

 bzr branch bzr+ssh://username@server.com/home/username/bzr/myproject

or (this doesn't work except with a minor patch. I still think its not as pretty as the root illusion) 

 bzr branch bzr+ssh://username@server.com/~/bzr/myproject

Another example: 

 scp username@server.com:/myfile

(This will retrieve the file 'myfile' located in the users home directory and NOT from the root.)

Feel free to use any part of this program in any way you wish. Its licence is PUBLIC DOMAIN. If you have any useful command syntaxes please feel free to create an account on my public wiki and add your recipes here. Please don't forget to leave a note who you are so you can get some credits. Likewise if you have any modifications that you feel would be useful to merge into the main code please feel free to send me a message.

I stress once again that this program should NOT be run SUID ROOT. It does not need any additional privileges.


[edit] Download

You can download it from my bazaar repository by doing the following: - 

 bzr branch http://code.worldguard.com.au/public/bzr/brg_restrictedshell

Recipes can be found at: 

 Restricted Shell Recipes
Retrieved from "http://code.worldguard.com.au/public/wiki/Restricted_Shell"
Personal tools