[linux] scp
Ing. Jan ONDREJ
ondrejj at upjs.sk
Wed Nov 26 08:32:28 CET 2003
On Wed, Nov 26, 2003 at 08:20:22AM +0100, Martin Vana wrote:
> Hello,
>
> I am trying, so far without success, to find out how to solve the following problem.
> I need to give a client access to a directory over scp, but I don't
> want him to be able to browse the disk freely. So far I have searched
> for a solution in vain ...
The solution is chrooted ssh. :-)
Specifically for Fedora (RedHat) - I'm only writing the file name and what to add there:
/etc/pam.d/sshd
session required pam_chroot.so debug onerr=fail
/etc/security/chroot.conf
^jehologin$ /home/chroots/jehologin
Then create a home for the given user that looks something like this (in /home/chroots/jehologin):
./bin/cat
./bin/cp
./bin/cpio
./bin/dd
./bin/df
./bin/bash
./bin/gzip
./bin/chmod
./bin/ls
./bin/mkdir
./bin/mv
./bin/pwd
./bin/rm
./bin/rmdir
./bin/tar
./bin/compress
./bin/groups
./bin/id
./bin/scp
./bin/true
./lib/ld-2.2.4.so
./lib/libc-2.2.4.so
./lib/libdl-2.2.4.so
./lib/libnsl-2.2.4.so
./lib/libnss_files-2.2.4.so
./lib/libcrypto.so.0.9.6b
./lib/libpam.so.0.75
./lib/libutil-2.2.4.so
./lib/libz.so.1.1.3
./lib/libtermcap.so.2.0.8
./lib/libncurses.so.5.2
./etc/group
./etc/ld.so.cache
./etc/passwd
./etc/pam.d/system-auth
./etc/localtime
Then edit that ./etc/passwd and group so there is nothing unnecessary in them.
It is enough to leave root and the given user.
Also, I think you need to turn off PrivilegeSeparation in sshd, because
it doesn't work with it yet:
/etc/ssh/sshd_config
UsePrivilegeSeparation no
Restart and it should work. :-)
Of course access will only be via WinSCP, and for some gurus also via
ssh. Even if the user gets in there, there is no suid program in there,
so he can only do silly things with his own stuff.
If I forgot something, sorry. :-)
SAL
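The file listing above is tied to one glibc version (ld-2.2.4.so, libc-2.2.4.so and so on), so copying it verbatim on any other machine gives a chroot whose binaries cannot load. The script below is an added example, not code from the post or from Fedora; it populates the chroot tree the way the post describes (binaries under ./bin, libraries under their original paths, ./etc/passwd and ./etc/group trimmed to root plus the chrooted user) but lets ldd resolve the libraries for the binaries actually installed. The function names, the target path /home/chroots/jehologin and the binary list are assumptions for illustration. The pam_chroot.so line, chroot.conf entry and UsePrivilegeSeparation change still have to be made by hand as the post shows. Two caveats: run it as root only on binaries you trust, because ldd runs the dynamic loader over the file it inspects, and keep the tree root-owned and free of setuid files, which is the property the post relies on ("no suid program in there").

```shell
#!/bin/sh
# Added example (not from the original post): build a chroot tree for a
# scp-only user. Assumes GNU or BusyBox coreutils and ldd; all paths and
# the user name "jehologin" are illustrative.

# Copy one binary into $root/bin and every shared object ldd reports for
# it into $root, keeping the host's path layout (/lib, /lib64, /usr/lib).
install_into_chroot() {
    root=$1
    bin=$2
    mkdir -p "$root/bin"
    cp -L "$bin" "$root/bin/$(basename "$bin")"
    # ldd prints lines such as "libc.so.6 => /lib/x86_64-linux-gnu/libc.so.6 (0x...)"
    # and "/lib64/ld-linux-x86-64.so.2 (0x...)"; keep every absolute path.
    # A static binary, or no ldd at all, yields nothing, which is fine.
    ldd "$bin" 2>/dev/null |
        awk '{ for (i = 1; i <= NF; i++) if ($i ~ /^\//) print $i }' |
        while read -r lib; do
            mkdir -p "$root$(dirname "$lib")"
            # -L dereferences the usual libfoo.so.N -> libfoo-x.y.so symlink
            [ -e "$root$lib" ] || cp -L "$lib" "$root$lib"
        done
}

# Write a copy of a passwd- or group-style file ($src) to $dst keeping only
# the root entry and the chrooted user's entry, as the post advises.
trim_account_file() {
    src=$1
    dst=$2
    user=$3
    mkdir -p "$(dirname "$dst")"
    awk -F: -v u="$user" '$1 == "root" || $1 == u' "$src" > "$dst"
}

# Assemble the whole tree: binaries plus libraries, trimmed account files,
# and a final sweep that strips setuid/setgid bits from anything copied in.
build_chroot() {
    root=$1
    user=$2
    shift 2
    for b in "$@"; do
        install_into_chroot "$root" "$b"
    done
    trim_account_file /etc/passwd "$root/etc/passwd" "$user"
    trim_account_file /etc/group  "$root/etc/group"  "$user"
    find "$root" -type f \( -perm -4000 -o -perm -2000 \) -exec chmod ug-s {} +
}

# Usage (as root), mirroring the post's layout; scp may live in /usr/bin
# rather than /bin on the host, hence the full paths:
#   build_chroot /home/chroots/jehologin jehologin \
#       /bin/bash /bin/ls /bin/cat /bin/cp /bin/mv /bin/rm /bin/mkdir \
#       /bin/pwd /bin/tar /bin/gzip /usr/bin/scp /bin/true
```

ld.so.cache, localtime and the pam.d/system-auth file from the post's listing are not produced by this script; copy them from the host afterwards, and re-run the script whenever the host's libc is upgraded, since the copies inside the chroot do not follow package updates.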
More information about the linux mailing list