Sidebar
wiki:security:rbash
This is an old revision of the document!
The way x2go works, allows every user to get a ssh access to the x2go server.
This can be a big problem when, you can not use the broker, to prevent certain actions on the server. The users can browse the x2go-server and have the access to nearly all directiores.
There are serval options to prevent the user doing it. One would be the use of selinux, but it is hard to understand and hard to setup correctly. Another option is the use of rbash, but with the current state of x2go-server there are serval steps so setup it up working correctly.
rbash short feature overview
rbash has some intressting features:
- cd is disabled
- no redirections via > and » are allowed
- no calls of binaries via complete path
- no changes on the PATH variable are allowed
But be aware, if rbash detects that a executebale is a shell-script it will be run with full bash. This means if you are able to access the bash executebale via the PATH-variable (remind full path like /bin/bash are not allowed), you can break out the rbash.
secure ssh access
To make sure the users can only access rbash, setup ssh to use ForceCommand, otherwise the usrs can run any other shell or commands over ssh.
Therefore edit /etc/ssh/sshd_config and put the the following lines at the end.
Match group rbrowser
ForceCommand sshcommand
ForceCommand only works for a sshd matching section. So you can dedicate the rbash to a certain group.
wiki/security/rbash.1414788512.txt.gz · Last modified: 2014/10/31 20:48 by woglinde
Imprint & Legal Disclaimer -
Data Protection & Privacy Statement
Except where otherwise noted, content on this wiki is licensed under the following license: GNU Free Documentation License 1.3