Restricted Shell Recipes
From WorldGuard
Overview
This page lists 'configuration' recipes that can be used with the Restricted Shell.
The recipes are added to the commands list in the Python code, in a specific format.
The format is as follows:
{'base name of command': [
    "full path to command",
    ['forced', 'parameters'],
    {'allowed parameter': 'actual parameter'}
    ]
}
Where:
- 'base name of command'
  - The base name of the command. For example, if the command is '/usr/bin/bzr', then the basename of that command is 'bzr'. The reason for this parameter is that whatever the user actually tries to execute, we first reduce it to its basename and match it against this list. This eliminates issues of them trying to run a different command with the same name!
- 'full path to command'
  - This is the full path to the command to execute. For example, it could be '/usr/bin/bzr', if that is where that command is located. The reason for this is that regardless of what the user thinks they're trying to execute, if the basename of their command matches this entry, THIS is the command that is actually run. It doesn't even need to be the same command. For example, you can put '/usr/bin/svnserve' if you really want to mess with the users' heads.
- ['forced','parameters']
  - This is a list of parameters that are always included when running the real command. These are added first, and you can use variable substitution. If you want 'svnserve' to ALWAYS have the '--root' param point to the user's home dir, you can use ['--root %H'].
- {'allowed parameter':'actual parameter'}
  - This is a dictionary of optional parameters. If a user passes a parameter that matches 'allowed parameter', then the 'actual parameter' will be added to the command. The 'allowed parameter' field can contain regular expressions. The 'actual parameter' field can contain variable substitution. For example, the 'bzr' command may be passed the parameter '--allow-writes'; you can simply put {'--allow-writes':'--allow-writes'} to add it to the command line if the user uses it.
Nearly all parameters can contain variables that are expanded. The following are available:
- %H - Expands to the logged-in user's home directory, ending with a '/'.
- %O - Expands to the original matched parameter.
- %1-%9 - Expands to the positional parameter of the original command. It will be made safe (unsafe characters are converted to '_').
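The sketch below is an added example, not the Restricted Shell's own code: it shows one way a recipe in the format above could be turned into the argument list that is actually executed. The function names, the use of shlex to split the user's command, the set of characters treated as safe, and whole-parameter regex matching are all assumptions; the sample table reuses the scp and bzr recipes from this page.

```python
import os
import re
import shlex

# Constructed table in the page's recipe format (its scp and bzr recipes).
COMMANDS = {
    "scp": ["/usr/bin/scp", ["-t", "%H%2"], {}],
    "bzr": ["/usr/bin/bzr", ["serve", "--inet", "--directory=%H"],
            {"--allow-writes": "--allow-writes"}],
}

def make_safe(value):
    """Assumed rule: keep [A-Za-z0-9_./-]; other characters and runs of 2+ dots become '_'."""
    value = re.sub(r"[^A-Za-z0-9_./-]", "_", value)
    return re.sub(r"\.\.+", lambda m: "_" * len(m.group()), value)

def expand(template, home, argv, original=""):
    """Expand %H, %O and %1-%9 in one pass, so substituted text is never re-expanded."""
    def sub(match):
        key = match.group(1)
        if key == "H":
            return home.rstrip("/") + "/"   # always ends with '/'
        if key == "O":
            return original                 # the parameter that matched, as typed
        index = int(key)                    # argv[0] is the command, so %1 is argv[1]
        return make_safe(argv[index]) if index < len(argv) else ""
    return re.sub(r"%([HO1-9])", sub, template)

def build_argv(user_command, home):
    """Return the argv that really runs, or None when the command is not listed."""
    argv = shlex.split(user_command)
    if not argv:
        return None
    recipe = COMMANDS.get(os.path.basename(argv[0]))  # match on basename only
    if recipe is None:
        return None
    path, forced, allowed = recipe
    result = [path] + [expand(p, home, argv) for p in forced]  # forced params first
    for arg in argv[1:]:
        for pattern, actual in allowed.items():
            if re.fullmatch(pattern, arg):   # assumption: the whole parameter must match
                result.append(expand(actual, home, argv, original=arg))
                break
    return result

if __name__ == "__main__":
    print(build_argv("scp -t ../../etc/passwd", "/home/alice"))
    print(build_argv("/tmp/other/bzr serve --allow-writes --foo", "/home/alice"))
    print(build_argv("rm -rf /tmp/x", "/home/alice"))
```

The result is a list meant to be executed directly, without a shell. Because %O is inserted as typed, an 'allowed parameter' regex should be as tight as the recipe permits.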
Recipes
Bazaar
My inspiration for this shell in the first place. We just run bzr with the directory set to the user's home dir. This ensures that all paths are relative to that. Optionally add the '--allow-writes' option if the user requested it.
"bzr": [
    "/usr/bin/bzr",
    ['serve', '--inet', '--directory=%H'],
    {'--allow-writes':'--allow-writes'}
    ],
Brendan 19:24, 16 April 2009 (UTC)
scp
Run scp on the server side. We simply prepend the home directory to the second parameter passed to the original command, which forces all files to be under the user's home directory. Note that %2 will convert '..'s to a safe character.
"scp": [
    "/usr/bin/scp",
    ['-t', '%H%2'], # Ensure home dir is prepended to path
    {}
    ],
Brendan 19:24, 16 April 2009 (UTC)
Subversion
Run the SVN server with its root set to the user's home directory. This way all the paths passed through will be forced to remain under the user's home directory.
"svnserve": [
    "/usr/bin/svnserve",
    ['-t', '--root=%H'],
    {}
    ],
Brendan 19:24, 16 April 2009 (UTC)
sftp
Run sftp-server. This is actually a patched version that is setuid root but chroots to the user's home dir and drops all perms once it runs. I use this so that when one sftp's in, the root of their directory is their home directory. Sorry, it's a bit of a useless recipe without the patch. I'll try to dig it out.
"sftp-server-chroot": [
    "/usr/local/bin/sftp-server-chroot",
    [],
    {}
    ],
Brendan 19:24, 16 April 2009 (UTC)
ssh-copy-id
Interesting hack to allow the 'ssh-copy-id' command to work from a remote system. The 'basename' of the command that 'ssh-copy-id' sends through resolves to 'umask', so we use that to trigger on and put down exactly what WE want to happen. We don't use ANY of the parameters from the user at all.
"umask": [
    "/bin/sh",
    ['-c', 'umask 077; test -d .ssh || mkdir .ssh ; cat >> .ssh/authorized_keys'],
    {}
    ],
Brendan 19:24, 16 April 2009 (UTC)
