HowtoForge Forums > Linux Forums > Installation/Configuration
Thread: Shell access not really secure...

#1 | LeoLinux (Senior Member) | 30th November 2006, 18:50

Ola there,

Scenario: I access my webspace via ssh. No problem ... works fine so far ....
So I did my remote work and got the idea to change directory to the top.

... just watch....

Code:
login as: web1_admin
web1_admin@www.leolinux.de's password:
Linux server1.pc1mail.de 2.6.16-xen #2 SMP Sat Jun 10 20:17:18 CEST 2006 i686 GNU/Linux
############################

        Ubuntu Breezy

###########################
No mail.
Last login: Sun Nov 19 21:38:10 2006 from p54a4d5c6.dip.t-dialin.net

web1_admin@server1:~$ cd /

^^ why is that possible?! I think it would be better to deny that ?!

web1_admin@server1:/$ ls -lach
total 128K
drwxr-xr-x   21 root root 4.0K Nov 10 16:39 .
drwxr-xr-x   21 root root 4.0K Nov 10 16:39 ..
drwxr-xr-x    3 root root 4.0K Nov 10 16:41 ISPconfig
drwxr-xr-x    2 root root 4.0K Nov 29 22:29 bin
drwxr-xr-x    2 root root 4.0K Jun 20 01:00 boot
drwxr-xr-x   11 root root  12K Nov 30 06:25 dev
drwxr-xr-x   72 root root 4.0K Nov 29 22:29 etc
drwxr-xr-x    5 root root 4.0K Nov 10 16:24 home
drwxr-xr-x    2 root root 4.0K Jun 20 00:57 initrd
drwxr-xr-x   16 root root 8.0K Nov 10 15:39 lib
drwxr-xr-x    2 root root 4.0K Jun 20 00:57 media
drwxr-xr-x    2 root root 4.0K Jun 20 00:57 mnt
drwxr-xr-x    2 root root 4.0K Jun 20 00:57 opt
dr-xr-xr-x  109 root root    0 Nov 23 18:28 proc
-rw-------    1 root root 2.0M Nov 30 15:15 quota.group
-rw-------    1 root root 2.0M Nov 30 15:15 quota.user
drwxr-xr-x    5 root root 4.0K Nov 23 21:40 root
drwxr-xr-x    2 root root 4.0K Nov 10 16:27 sbin
drwxr-xr-x    2 root root 4.0K Jun 20 00:57 srv
drwxr-xr-x   12 root root    0 Nov 23 18:28 sys
drwxrwxrwt    2 root root 4.0K Nov 30 18:01 tmp
drwxr-xr-x   13 root root 4.0K Nov 10 15:20 usr
drwxr-xr-x   14 root root 4.0K Nov 10 15:53 var
web1_admin@server1:/$ mkdir /tmp/blub

^^ ahhm good ... let's create some new webspace for me .... :-)

web1_admin@server1:/$ ls -lach /tmp/
total 16K
drwxrwxrwt   3 root         root         4.0K Nov 30 18:36 .
drwxr-xr-x  21 root         root         4.0K Nov 10 16:39 ..
[...]
drwxr-xr-x   2 web1_admin   web1         4.0K Nov 30 18:36 blub
[...]
web1_admin@server1:/$ ln -s /tmp/blub /ISPconfig/www/web1/web/MoreSpace
I think it's not good to give users read/write access outside their web ... otherwise they could use a little more webspace on the system storage ;-)

And they are also allowed to have a look in the webs of other customers and look at their "secret" folders (.htpasswd) and stuff like that.

I think the best would be to give them a shell without _all_ commands ... only what they need ... like cp, mv, rm and stuff like that ... I like to call that "PissShell" because you cannot do much with it.


Leander

Last edited by LeoLinux; 30th November 2006 at 18:53.
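Post #1 describes the exposure in one sentence: a shell user of one web can `cd /` and browse other customers' webs, including files such as `.htpasswd`. Whether that read succeeds is decided by the file modes, independently of any chroot. The following is an added example, not code from the thread, that reports the customer directories and `.htpasswd` files under a hosting root (for the setup above, `/ISPconfig/www`) whose mode grants read to "others", and then removes those bits. `harden_webs` assumes the web server reaches each web's files as the owner or through the web's group; if a server relies on the "others" bits instead, removing them breaks the site, so run the report first and test on one web.

```shell
#!/bin/sh
# Added example, not code from the thread: report and tighten the "others"
# read bits on customer web directories and .htpasswd files under a hosting root.

# other_readable ROOT: print every directory and every .htpasswd file below ROOT
# whose mode has the o=r bit (octal 004), as paths relative to ROOT, sorted.
# -perm -004 is the POSIX spelling, so this also runs on a minimal (busybox) find.
other_readable() {
    ( cd "$1" && find . \( -type d -o -type f -name .htpasswd \) -perm -004 -print ) \
        | sed 's|^\./||' | grep -v '^\.$' | sort
}

# harden_webs ROOT: remove read/write/execute for "others" from each customer web
# directory directly under ROOT and from every .htpasswd below it.
# Assumes the web server reads the files as the owner or via the web's group;
# if it relies on the "others" bits, this breaks the site, so report first.
harden_webs() {
    for d in "$1"/*/; do
        [ -d "$d" ] || continue
        chmod o-rwx "$d"
        find "$d" -type f -name .htpasswd -exec chmod o-rwx {} +
    done
}

# Usage on a live system:  other_readable /ISPconfig/www ; harden_webs /ISPconfig/www
# Demo on a constructed tree (two webs, one open, one already restricted):
demo_root=$(mktemp -d)
mkdir -p "$demo_root/web1" "$demo_root/web2"
printf 'user:hash\n' > "$demo_root/web1/.htpasswd"
printf 'user:hash\n' > "$demo_root/web2/.htpasswd"
chmod 755 "$demo_root/web1"; chmod 644 "$demo_root/web1/.htpasswd"
chmod 750 "$demo_root/web2"; chmod 640 "$demo_root/web2/.htpasswd"
echo "readable by others before hardening:"
other_readable "$demo_root"
harden_webs "$demo_root"
echo "readable by others after hardening:"
other_readable "$demo_root"
rm -rf "$demo_root"
```

The report checks mode bits, not effective access: a file with mode 644 inside a 750 directory is still listed, because the directory's bits are not inspected for traversal. That is deliberate, since a mis-set parent can be corrected later and the file would then be exposed.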
#2 | edge (Moderator) | 30th November 2006, 19:17

I used this: http://www.howtoforge.com/chrooted_ssh_howto_debian and users are now chrooted on my system..
#3 | LeoLinux (Senior Member) | 30th November 2006, 19:34

Thx - sounds great - but did I understand it correctly that I have to do this manually for _every_ new user that I create in ISPconfig? Or will all users automatically be chrooted in their already existing home directory?!

thx for helping

Leander

;-)
#4 | edge (Moderator) | 30th November 2006, 19:44

They are (on my Debian system) automatically chrooted in their already existing home directory!
#5 | LeoLinux (Senior Member) | 30th November 2006, 23:47

All right - sounds great!

.. :-/ but I tried this howto two times and I'm always failing here:

Code:
root@server1:/home/chroot# APPS="/bin/bash /bin/ls /bin/mkdir /bin/mv /bin/pwd /bin/rm /usr/bin/id /usr/bin/ssh /bin/ping /usr/bin/dircolors"
root@server1:/home/chroot# for prog in $APPS;  do
>         cp $prog ./$prog
>
>         # obtain a list of related libraries
>         ldd $prog > /dev/null
>         if [ "$?" = 0 ] ; then
>                 LIBS=`ldd $prog | awk '{ print $3 }'`
>                 for l in $LIBS; do
>                         mkdir -p ./`dirname $l` > /dev/null 2>&1
>                         cp $l ./$l
>                 done
>         fi
> done
cp: cannot stat `(0xbfffe000)': No such file or directory
cp: cannot stat `(0xbfffe000)': No such file or directory
cp: cannot stat `(0xbfffe000)': No such file or directory
cp: cannot stat `(0xbfffe000)': No such file or directory
cp: cannot stat `(0xbfffe000)': No such file or directory
cp: cannot stat `(0xbfffe000)': No such file or directory
cp: cannot stat `(0xbfffe000)': No such file or directory
cp: cannot stat `(0xbfffe000)': No such file or directory
cp: cannot stat `(0xbfffe000)': No such file or directory
cp: cannot stat `(0xbfffe000)': No such file or directory
root@server1:/home/chroot#

The script doesn't work for me ... and if I go on anyway users will not be chrooted - I already tried ;-(

any idea?

Thx !

Leander


[edit]

P.S.

I want to point out that the OS was a debootstrapped Ubuntu Breezy (before I installed ISPconfig and stuff) where nothing except the essential things was installed ... so could it be that something is missing?

.. I already tried the programs:

Code:
root@server1:/home/chroot# which bash ls mkdir mv pwd rm id ssh ping dircolors
/bin/bash
/bin/ls
/bin/mkdir
/bin/mv
/bin/pwd
/bin/rm
/usr/bin/id
/usr/bin/ssh
/bin/ping
/usr/bin/dircolors
root@server1:/home/chroot#
They're all there and also working - so what's the matter? ;-/

Thx !

Leander

Last edited by LeoLinux; 30th November 2006 at 23:55.
#6 | falko (Super Moderator) | 1st December 2006, 16:27

What's the output of

Code:
APPS="/bin/bash /bin/ls /bin/mkdir /bin/mv /bin/pwd /bin/rm /usr/bin/id /usr/bin/ssh /bin/ping /usr/bin/dircolors"
for prog in $APPS;  do
         ldd $prog > /dev/null
         if [ "$?" = 0 ] ; then
                 LIBS=`ldd $prog | awk '{ print $3 }'`
                 for l in $LIBS; do
                         echo $l
                 done
         fi
 done
?
__________________
Falko
--
Download the ISPConfig 3 Manual! | Check out the ISPConfig 3 Billing Module!

FB: http://www.facebook.com/howtoforge

nginx-Webhosting: Timme Hosting | Follow me on:
#7 | LeoLinux (Senior Member) | 3rd December 2006, 22:42

Thx Falko - the script seems to nearly work now - only some errors:

Code:
root@server1:/home/chroot# APPS="/bin/bash /bin/ls /bin/mkdir /bin/mv /bin/pwd /bin/rm /usr/bin/id /usr/bin/ssh /bin/ping /usr/bin/dircolors"
root@server1:/home/chroot# for prog in $APPS;  do
>          ldd $prog > /dev/null
>          if [ "$?" = 0 ] ; then
>                  LIBS=`ldd $prog | awk '{ print $3 }'`
>                  for l in $LIBS; do
>                          echo $l
>                  done
>          fi
>  done
(0xbfffe000)
/lib/libncurses.so.5
/lib/libdl.so.2
/lib/libc.so.6
(0xbfffe000)
/lib/librt.so.1
/lib/libacl.so.1
/lib/libc.so.6
/lib/libpthread.so.0
/lib/libattr.so.1
(0xbfffe000)
/lib/libc.so.6
(0xbfffe000)
/lib/libacl.so.1
/lib/libc.so.6
/lib/libattr.so.1
(0xbfffe000)
/lib/libc.so.6
(0xbfffe000)
/lib/libc.so.6
(0xbfffe000)
/lib/libc.so.6
(0xbfffe000)
/lib/libresolv.so.2
/usr/lib/i686/cmov/libcrypto.so.0.9.7
/lib/libutil.so.1
/usr/lib/libz.so.1
/lib/libnsl.so.1
/lib/libcrypt.so.1
/lib/libc.so.6
/lib/libdl.so.2
(0xbfffe000)
/lib/libresolv.so.2
/lib/libc.so.6
(0xbfffe000)
/lib/libc.so.6
root@server1:/home/chroot#
But if I go on in your howto and create this testuser, the ssh login with it will fail... or better said - the login is ok, but the shell closes itself after I enter the password for the user and hit enter.
The login only works if I do this in an already opened shell (if I change user from e.g. admin to testuser), but even then the testuser is not chrooted ;-/

The login with the already existing ISPconfig users is still working - but nothing changed .. they can still access the root file tree and make changes in some folders.

here is an output of the /etc/passwd after your how to - I changed nothing by myself:

Code:
testuser:x:10010:100:testuser:/home/chroot/./home/testuser:/bin/bash
web1_blub:x:10011:10001:blub:/ISPconfig/www/web1:/bin/bash
There is no A inside of it - but even if I change it to:

Code:
testuser:x:10010:100:testuser A:/home/chroot/./home/testuser:/bin/bash
web1_blub:x:10011:10001:blub A:/ISPconfig/www/web1:/bin/bash


and:
root@server1:/home/chroot# /etc/init.d/ssh restart
^^ it's still the same ;-/

I'm confused - what's my mistake? I guess it's still because of some errors in the script.

Thx a lot!

Leander

;-)
#8 | falko (Super Moderator) | 4th December 2006, 13:20

What's the output of

Code:
APPS="/bin/bash /bin/ls /bin/mkdir /bin/mv /bin/pwd /bin/rm /usr/bin/id /usr/bin/ssh /bin/ping /usr/bin/dircolors"
for prog in $APPS;  do
         ldd $prog > /dev/null
         if [ "$?" = 0 ] ; then
                 LIBS=`ldd $prog | awk '{ print $3 }' | grep -v "("`
                 for l in $LIBS; do
                         echo $l
                 done
         fi
 done
?

Quote:
There is no A inside of it - but even if I change it to:
Why should there be an A?
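All three loops on this page (the copy loop in post #5 and the two diagnostic loops in posts #6 and #8) take the library path from the third whitespace-separated field of ldd's output. The vdso line `linux-gate.so.1 =>  (0xbfffe000)` has no file behind it, which is the `(0xbfffe000)` the `cp: cannot stat` errors complain about, and the `grep -v "("` in post #8 filters it out. The dynamic loader's line, `/lib/ld-linux.so.2 (0x...)`, has no `=>`, so its path sits in the first field and all three loops skip it; without the loader nothing dynamically linked runs inside the jail. The loops also copy to `./$prog`, relative to whatever directory the shell happens to be in. The following is an added example, not code from the thread or from the chrooted-ssh howto, that selects ldd lines by the shape of the path instead and takes the chroot root as an explicit argument. The sample ldd text is constructed; `populate_chroot` assumes a glibc system whose `ldd` prints the line shapes listed in the comments.

```shell
#!/bin/sh
# Added example, not code from the thread or from the chrooted-ssh howto:
# copy programs plus the shared objects they need into a chroot, selecting
# ldd lines by the shape of the path instead of by a fixed column.

# ldd_paths: read ldd output on stdin, print only absolute paths, one per line.
# Line shapes glibc's ldd prints and how each is handled:
#   "libc.so.6 => /lib/libc.so.6 (0x...)"   path is the field after "=>"
#   "/lib/ld-linux.so.2 (0x...)"            the loader has no "=>", path is field 1
#   "linux-gate.so.1 =>  (0x...)"           vdso, no file on disk: skipped
#   "libfoo.so.1 => not found"              unresolved: skipped, reported on stderr
ldd_paths() {
    awk '
        $2 == "=>" && $3 ~ /^\//  { print $3; next }
        $1 ~ /^\//                { print $1; next }
        $2 == "=>" && $3 == "not" { print "missing dependency: " $1 > "/dev/stderr" }
    '
}

# copy_into_chroot JAIL FILE...: copy each absolute FILE to JAIL/FILE, creating
# parent directories. JAIL is explicit, so the result does not depend on the
# current working directory.
copy_into_chroot() {
    dest=$1
    shift
    for f in "$@"; do
        mkdir -p "$dest$(dirname "$f")"
        cp -p "$f" "$dest$f"
    done
}

# populate_chroot JAIL PROG...: copy each program and everything ldd reports
# for it. Statically linked programs make ldd exit non-zero; they are copied alone.
populate_chroot() {
    jail=$1
    shift
    for prog in "$@"; do
        copy_into_chroot "$jail" "$prog"
        if deps=$(ldd "$prog" 2>/dev/null); then
            copy_into_chroot "$jail" $(printf '%s\n' "$deps" | ldd_paths)
        fi
    done
}

# Constructed sample of ldd output; the (0xbfffe000) line is the one the
# thread's loops tripped over.
SAMPLE_LDD='        linux-gate.so.1 =>  (0xbfffe000)
        libncurses.so.5 => /lib/libncurses.so.5 (0xb7f40000)
        libdl.so.2 => /lib/libdl.so.2 (0xb7f3c000)
        libc.so.6 => /lib/libc.so.6 (0xb7e0d000)
        /lib/ld-linux.so.2 (0xb7f80000)'

# Usage: sh populate_chroot.sh /home/chroot /bin/bash /bin/ls /bin/mkdir ...
# Without arguments, only show what the parser extracts from the sample.
if [ "$#" -ge 2 ]; then
    populate_chroot "$@"
else
    printf '%s\n' "$SAMPLE_LDD" | ldd_paths
fi
```

Run against the sample, `ldd_paths` prints the three libraries and the loader and nothing for the vdso line. A "not found" dependency is reported on stderr rather than silently dropped, since a missing library is exactly the kind of thing that makes the jailed shell exit immediately after login.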
#9 | LeoLinux (Senior Member) | 5th December 2006, 22:18

Hi Falko,

thx - the script is working now!
... but I made a mistake when I executed it the last time ... I did it in the
Code:
root@server1:/#
instead of
Code:
root@server1:/home/chroot#
I hope I didn't destroy anything - if yes, where do I have to delete that copied stuff?


OK, so the script is working now and I went on in your howto ... but it's still not working ... :-/ I forgot something, and because of that I read your howto at least 5 times ;-) and I still didn't work it out ..

Here is the current output of my /etc/passwd; all the web users should be chrooted except the root and admin ones ...

Code:
testuser@server1:/$ cat /etc/passwd
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/bin/sh
bin:x:2:2:bin:/bin:/bin/sh
sys:x:3:3:sys:/dev:/bin/sh
sync:x:4:65534:sync:/bin:/bin/sync
games:x:5:60:games:/usr/games:/bin/sh
man:x:6:12:man:/var/cache/man:/bin/sh
lp:x:7:7:lp:/var/spool/lpd:/bin/sh
mail:x:8:8:mail:/var/mail:/bin/sh
news:x:9:9:news:/var/spool/news:/bin/sh
uucp:x:10:10:uucp:/var/spool/uucp:/bin/sh
proxy:x:13:13:proxy:/bin:/bin/sh
www-data:x:33:33:www-data:/var/www:/bin/sh
backup:x:34:34:backup:/var/backups:/bin/sh
list:x:38:38:Mailing List Manager:/var/list:/bin/sh
irc:x:39:39:ircd:/var/run/ircd:/bin/sh
gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/bin/sh
nobody:x:65534:65534:nobody:/nonexistent:/bin/sh
dhcp:x:101:101::/nonexistent:/bin/false
syslog:x:102:102::/home/syslog:/bin/false
klog:x:103:103::/home/klog:/bin/false
admin:x:1000:1000:Administrator,,,:/home/admin:/bin/bash
sshd:x:100:65534::/var/run/sshd:/bin/false
postfix:x:104:108::/var/spool/postfix:/bin/false
fetchmail:x:105:65534::/var/run/fetchmail:/bin/sh
bind:x:106:110::/var/cache/bind:/bin/false
mysql:x:107:111:MySQL Server,,,:/var/lib/mysql:/bin/false
ftp:x:108:65534::/home/ftp:/bin/false
admispconfig:x:1001:1001:Administrator ISPConfig:/home/admispconfig:/bin/bash
web2_burr_peter:x:10002:10002:Burr_Peter:/ISPconfig/www/web2:/bin/bash
web3_milios_stefan:x:10003:10003:Milios_Stefan:/ISPconfig/www/web3:/bin/bash
web5_koeder_steffen:x:10007:10005:Koeder_Steffen:/ISPconfig/www/web5:/bin/false
web5_anderer:x:10009:10005:anderer:/ISPconfig/www/web5/user/web5_anderer:/bin/false
testuser:x:10010:100:testuser:/home/chroot/./home/testuser:/bin/bash
web1_admin:x:10001:10001:Schaefer_Leander:/ISPconfig/www/web1:/bin/bash
web1_blub:x:10011:10001:blub:/ISPconfig/www/web1/user/web1_blub:/bin/bash
testuser@server1:/$
I'm not sure if the mistake is in there ... but I hope you can give me a clue where to search ;-/

Why should there be an A inside?!

Quote:
4 Create A Chrooted User

Even with the chrooted SSH that we have just installed you can log in without being chrooted (which makes sense if you log in as root, for example). Now, how does the chrooted SSH decide whom to chroot and whom not? That's easy: the chrooted SSH looks up the user who is trying to log in in /etc/passwd. If the user's home directory in /etc/passwd has a . in it, then the user is going to be chrooted.

Example (from /etc/passwd):

user_a:x:2002:100:User A:/home/user_a:/bin/bash

This user will not be chrooted.

user_b:x:2003:100:User B:/home/chroot/./home/user_b:/bin/bash

This user will be chrooted.
^^ I looked up the /etc/passwd and tried to get it like that ... but it didn't work out.

Thx a lot

Leander

Last edited by LeoLinux; 5th December 2006 at 22:23.
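The howto section quoted in post #9 keys the decision on the home-directory field of /etc/passwd: in the quoted example line, the part before `/./` is the jail and the part after it is the home inside the jail. As an added example, not from the thread or the howto, the following reads passwd-format lines and reports which accounts with a login shell carry that marker and where their jail is, so the list can be compared with which web users are supposed to be chrooted. The sample lines are constructed after the /etc/passwd excerpt above; `not_chrooted_web_users` assumes ISPConfig's `web<n>_` naming, which the excerpt shows. It is a static check: it says what the patched sshd would make of each line, not whether a login actually ends up jailed.

```shell
#!/bin/sh
# Added example, not code from the thread or the howto: a static check of which
# /etc/passwd accounts carry the "/./" chroot marker the howto's example uses.

# chroot_report: read passwd-format lines on stdin and print one line per
# account that has a login shell:  "<user> chrooted <jail>"  or  "<user> NOT-chrooted".
# Accounts with /bin/false or nologin as shell cannot log in interactively and
# are skipped, so the report lists only what an ssh login can reach.
chroot_report() {
    awk -F: '
        NF < 7                       { next }   # malformed line
        $7 ~ /\/(false|nologin)$/    { next }   # no interactive login possible
        {
            m = index($6, "/./")
            if (m > 0)
                print $1, "chrooted", substr($6, 1, m - 1)
            else
                print $1, "NOT-chrooted"
        }
    '
}

# not_chrooted_web_users: from the same input, print only ISPConfig web users
# (assumed "web<n>_" naming, as in the excerpt) that would still see the real /.
not_chrooted_web_users() {
    chroot_report | awk '$1 ~ /^web[0-9]+_/ && $2 == "NOT-chrooted" { print $1 }'
}

# Constructed sample lines in the format of the /etc/passwd excerpt above.
SAMPLE_PASSWD='root:x:0:0:root:/root:/bin/bash
admin:x:1000:1000:Administrator,,,:/home/admin:/bin/bash
testuser:x:10010:100:testuser:/home/chroot/./home/testuser:/bin/bash
web1_admin:x:10001:10001:Schaefer_Leander:/ISPconfig/www/web1:/bin/bash
web1_blub:x:10011:10001:blub:/ISPconfig/www/web1/user/web1_blub:/bin/bash
web5_anderer:x:10009:10005:anderer:/ISPconfig/www/web5/user/web5_anderer:/bin/false'

# Usage on a live system:  chroot_report < /etc/passwd
printf '%s\n' "$SAMPLE_PASSWD" | chroot_report
echo "web users not chrooted: $(printf '%s\n' "$SAMPLE_PASSWD" | not_chrooted_web_users | tr '\n' ' ')"
```

On the sample, only `testuser` is reported as chrooted (jail `/home/chroot`); `web1_admin` and `web1_blub` keep plain `/ISPconfig/www/...` homes, which matches what post #7 observes for the existing ISPConfig users. A web user with `/bin/false` is left out of the report because there is no shell to jail.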
#10 | falko (Super Moderator) | 6th December 2006, 18:11

Quote:
testuser:x:10010:100:testuser:/home/chroot/./home/testuser:/bin/bash
That user should work. Did you test it?