[clue-admin] User setup for "member" accounts

Collins Richey crichey at gmail.com
Tue Dec 28 22:05:13 MST 2004 

On Tue, 28 Dec 2004 21:43:30 -0700, Jeff Cann <j.cann at isuma.org> wrote:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
> 
> On Tuesday 28 December 2004 9:32 pm, Collins Richey wrote:
> >
> > As Jed mentioned, however, this isn't a perfectly secure environment.
> > Users can create scripts that run bash to do things outside their home
> > environment. They can't run ./xxx, but they can run bash xxx to do
> > some unrestricted things, i.e. stuff any normal user could do.
> 
> I'm wondering what other options there are besides restricted shell?
> 
> I asked Lynn about it and he seemed determined to make it work.  In my
> experience with other ISPs, the offered ssh access to what appeared to be a
> 'normal' shell account - ie., I could run stuff, create directories, etc.
> However, due to UNIX permissions, I was unable to leave my directory.
> 
> My point:  was I using a normal bash account or some other type of restricted
> shell.  Perhaps these ISPs figured that I wouldn't abuse the servers (since
> I'm paying for access).

I think you were using a normal shell account. Restricted accounts
can't even issue cd. Obviously, they had other directory level
restrictions and/or they provided a front end for some of the
commands.

> 
> I don't care how you guys decide to set up the member accounts, just curious
> more than anything.
> 

My impression at this point is that the restricted shell setup can
work, but according to the link Jed posted, there are some gotchas. I
would recommend that we think this over a little more carefully, or
the result may not be overly secure. Who in our group is the best
security guru? It would be nice to have a fairly rigid setup in place
before we fire this off to the users. The information from Debian
provides a couple of suggestions for locking things down, but I for
one would like to understand the security implications before
proceeding. One rootkit is enough fun for a while. Perhaps we could
get someone to try to crack the site after we've done the setup for a
handful of users?

-- 
 Collins

More information about the clue-admin mailing list