RE: ForceCommand executes shell

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



If you only ever want the user account to perform the one function, override their system shell.

example:
oper:x:519:519::/home/oper:/usr/local/bin/oper-only-ever-gets-to-do-this.sh

Regardless of how the account logs in, telnet, ssh, &c they'll only execute that one thing.



________________________________________
From: listbounce@xxxxxxxxxxxxxxxxx [listbounce@xxxxxxxxxxxxxxxxx] On Behalf Of Walter de Jong [walter@xxxxxxx]
Sent: Tuesday, April 19, 2011 8:23 AM
To: secureshell@xxxxxxxxxxxxxxxxx
Subject: ForceCommand executes shell

Hi,

I have set up a sshd_config that uses an alternate port number and
ForceCommand to force the execution of a home-made service to our users.

ForceCommand executes the command using 'shell' '-c', and as a result
the user's .bashrc, .tcshrc, .whateverrc is being loaded -- which is
something I was trying to prevent, because I'm trying to "force a
command" upon them. In my case loading a .bashrc can be considered as a
security hole.

Is there any way around this? Maybe a different kind of setup would be
better?
I like using ssh for the service because of its excellent authentication
mechanisms.

I even made a patch to sshd session.c (see below) but I'd rather not
have to maintain local mods to the source.


Greets,

     --Walter


void do_child()

/*
    argv[0] = (char *) shell0;
    argv[1] = "-c";
    argv[2] = (char *) command;
    argv[3] = NULL;
*/
    argv[0] = "/bin/bash";
    argv[1] = "--norc";
    argv[2] = "--noprofile";
    argv[3] = "-c";
    argv[4] = (char *)command;
    argv[5] = NULL;

    execve(shell, argv, env);
    perror(shell);
    exit(1);


--
                  *** If you build it, they will come ***

HPC Systems Programmer at SARA Computing and Network Services
People should be able to e-mail me, spambots should not.



[Index of Archives]     [Open SSH Unix Development]     [Fedora Users]     [Fedora Desktop]     [Yosemite Backpacking]     [KDE Users]     [Gnome Users]

  Powered by Linux