This shows you the differences between two versions of the page.
wiki:security:rbash [2014/10/31 20:40] woglinde [Set rbash as default shell] |
wiki:security:rbash [2014/11/01 09:21] woglinde [Fix session clean up] |
||
---|---|---|---|
Line 22: | Line 22: | ||
- | ===== Set the shell with Samba ===== | + | |
- | For samba set the following parameter in the smb.conf: | + | |
- | <note important> | + | |
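Review bot: The removed "Set the shell with Samba" block at old line 22 opened a "note important", and none of the text added in this revision carries a comparable caveat. If that warning still applies to setups where rbash is the default shell, move it into the new "rbash as default shell (optional)" section, which only mentions "/etc/passwd or some other mechanism", instead of dropping it.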
Line 30: | Line 28: | ||
====== secure ssh access ====== | ====== secure ssh access ====== | ||
+ | To make sure the users can only access rbash, setup ssh to use **ForceCommand**, | ||
+ | ssh. | ||
+ | |||
+ | Therefore edit / | ||
+ | <code bash> | ||
+ | Match group rbrowser | ||
+ | ForceCommand sshcommand | ||
+ | </ | ||
+ | ForceCommand only works for a sshd matching section. So you can dedicate the rbash to a certain group. | ||
+ | |||
+ | **sshcommand** is a small shell script to wrap the rbash usage, | ||
+ | |||
+ | <code bash> | ||
+ | #!/bin/sh | ||
+ | PATH=/ | ||
+ | if test -n " | ||
+ | /bin/rbash -c " | ||
+ | else | ||
+ | /bin/rbash | ||
+ | fi | ||
+ | </ | ||
+ | |||
+ | We set the **PATH** to a new directory, so the users can only access the commands from this dir. | ||
+ | |||
+ | ====== Link the needed programs to setup a session ====== | ||
+ | The following programs are needed to link to the new created directory. | ||
+ | |||
+ | <code bash> | ||
+ | / | ||
+ | / | ||
+ | / | ||
+ | / | ||
+ | / | ||
+ | / | ||
+ | / | ||
+ | / | ||
+ | |||
+ | mkdir / | ||
+ | cd / | ||
+ | x2goruncommand, | ||
+ | </ | ||
+ | |||
+ | Because some programs are written in perl and need fragments from the x2go-lib dir and it is searched relative, the lib-directory needs to be linked too. | ||
+ | <code bash> | ||
+ | mkdir / | ||
+ | cd / | ||
+ | </ | ||
+ | |||
+ | ====== Bring the path back to some scripts ====== | ||
+ | Because we set the PATH to / | ||
+ | |||
+ | <code bash> | ||
+ | x2gopath | ||
+ | x2goruncommand | ||
+ | x2gostartagent | ||
+ | x2goterminate-session | ||
+ | </ | ||
+ | |||
+ | After the license header add the following to all files mentioned above | ||
+ | <code bash> | ||
+ | export PATH=/ | ||
+ | </ | ||
+ | |||
+ | ====== rbash as default shell (optional)====== | ||
+ | |||
+ | If rbash is also set as the default shell via /etc/passwd or some other mechanism, the sessioncleanup skripts needs | ||
+ | to be fixed too. | ||
+ | |||
+ |
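Review bot: The "Bring the path back to some scripts" step adds an "export PATH=" line to x2gopath, x2goruncommand, x2gostartagent and x2goterminate-session, which undoes the PATH restriction set in sshcommand for everything those scripts start. x2goruncommand is among the programs linked into the restricted directory, so whatever it launches runs with the restored PATH rather than the restricted one. The text should say that the restriction covers only the rbash started by sshcommand (interactive or via "-c"), and the restored PATH should list only the directories the scripts actually need. Separately, "ForceCommand sshcommand" names the wrapper without a path; sshd runs the forced command through the user's login shell, so giving the wrapper's absolute path would avoid depending on that shell's PATH lookup.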