There are several commands that are invoked within “bash”
such as “cd, ls, kill”. I too was trying to accomplish something
along the lines you are trying to do: have an ssh-only shell where the only
command they can run is ssh. There are a couple of road bumps to doing so. First is the
one you ran into. I tried to resolve this by having “enable -n
kill, enable -n cd” etc. in .bashrc. The second you will notice is
that even if you do that they can still scp their own .bashrc file. To
fix this what I did was to remove “write” access to the home
directory. Then you start to think, well, it would be nice to have some location
for them to actually transfer files to. So what I did was, I created an “upload”
directory. Thus they have write access to scp what they want to that directory.
After doing all that you should get a basic ssh-only shell. The second issue
you will come across is that they should be able to view what is in
their “upload” directory. So you will have to enable “ls”.
By doing so you have now given them access to “ls” anything they want if
they know the path, i.e. “ls /etc”; from there they can still scp
files within “etc”. The third issue is they can still “sftp”
to the system and have full access to roam the jailed environment. This is
where I am at right now. The only solution I can come up with is if they need
to transfer files to/from the box they will need to use an sftp-only account
using the openssh chroot option. Using that they are restricted to their home
directory or whatever directory you set. Somehow allow ssh access but deny sftp
for only specific users.
Not sure if this helped or gave some insights or not. There might
be a better way to do all this and I am open to suggestions.
From: address@hidden [mailto:address@hidden] On Behalf Of Jon Gullidge
Sent: Thursday, November 19, 2009 3:52 AM
To: address@hidden
Subject: RE: [Jailkit-users] Jailkit questions
Hi Anson,
Look inside {jail}/bin, {jail}/usr/bin, in your case I think {jail} is
/home/jail, so:
/home/jail/bin
/home/jail/usr/bin
Remove anything from in there you do not want. This should work fine as the
jail initialises outside of the jail so shouldn't be using any commands from
within the jail :)
HTH
> From: address@hidden
> To: address@hidden
> Date: Thu, 19 Nov 2009 13:16:31 +0800
> Subject: [Jailkit-users] Jailkit questions
>
> Hello Oliver,
>
> A thank you for this great piece of code.
> I do have one question however.
>
> I have set up the jail using the following:
>
> mkdir /home/jail
> chown root:root /home/jail
>
> MODIFIED jk_init.ini like so -
> ---------------------------------------------------------------------------
> [basicshell]
> comment = bash based shell with several basic utilities
> paths = /bin/sh, /bin/bash, /bin/false, /etc/motd, /etc/issue, /etc/bash.bashrc, /etc/bashrc, /etc/profile, /usr/lib/locale/en_US.utf8
> users = root
> groups = root
> includesections = netbasics, uidbasics
>
> ---------------------------------------------------------------------------
>
>
> jk_init -v -j /home/jail basicshell
> jk_jailuser -m -j /home/jail example
>
> /home/jail/etc/passwd looks like this:
> sample:x:1000:1000::/home/sample:/bin/bash
>
> Well it works... mostly!
> Most attempts to do anything end up with a "bad command etc etc..."
>
> However, "cd" "pwd" "kill" etc still work...
> I'm guessing it's because they are tied in to the core bash shell functions
> somehow.
> Is there any way to disable all these and any other "core" functions that
> don't have to exist in /bin/bash?
>
> I'm guessing one way to go around it would be to create a .bashrc that would
> create aliases with the same command names to "divert" the real function?
> Like a "kill" alias that would actually do nothing. Have not tried it yet
> but was hoping for something better from you.
> I'm sure I missed something as I've only been using Linux for about 2 months
> but have set up a VPS for a few friends (who need port forwarding SSH but
> don't need to do anything inside the VPS)
>
> Thanks again for your great code and season's greetings in advance to your
> family!
> Anson
>
>
>
> _______________________________________________
> Jailkit-users mailing list
> address@hidden
> http://lists.nongnu.org/mailman/listinfo/jailkit-users
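An added example, not part of the original thread: a small audit of which bash builtins are still active after an rc file using the `enable -n` approach discussed above has been sourced. The function name `still_enabled` and the sample rc file are constructed for illustration.

```shell
#!/usr/bin/env bash
# Added example: audit which bash builtins survive an rc file that uses
# "enable -n". still_enabled and the sample rc file are constructed here.

# still_enabled RCFILE NAME...
# Prints every NAME that is still an enabled builtin once RCFILE is sourced.
still_enabled() {
    local rc=$1
    shift
    bash --norc --noprofile -c '
        source "$1" || exit 2
        shift
        # "enable -p" prints one "enable NAME" line per enabled builtin.
        active=" $(enable -p | cut -d" " -f2 | tr "\n" " ")"
        for name in "$@"; do
            case "$active" in
                *" $name "*) printf "%s\n" "$name" ;;
            esac
        done
    ' _ "$rc" "$@"
}

# Constructed sample: disables kill and cd, as in the thread, but not pwd.
sample_rc=$(mktemp)
printf 'enable -n kill\nenable -n cd\n' > "$sample_rc"

still_enabled "$sample_rc" kill cd pwd
```

Run it against the jailed user's real .bashrc with the builtin names you care about; an empty result means all of them are disabled as builtins. Binaries of the same name inside the jail's bin directories are a separate check.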