
List:       busybox
Subject:    Re: Shell restricted access
From:       Michal G <gonda.miso () gmail ! com>
Date:       2016-05-18 8:11:18
Message-ID: CADMiy=J01enOS+M4HgQy0JQrSOoFYP43wKTtrHmgwuwY7+OCZg () mail ! gmail ! com

It was just an example but I got the point. I mainly wanted to restrict
user access to as few commands as possible and "ls / cat" only their home
folder. Those are persons with no Linux experience whatsoever.
But thanks a lot for the help!

On Tue, May 17, 2016 at 5:31 PM, Jackmcbarn <jackmcbarn+bb@gmail.com> wrote:

> Why are you trying to hide the contents of /etc/passwd? It's designed so
> there's no security implications of it being readable by anyone (since
> everything sensitive is in /etc/shadow).
>
> On Tue, May 17, 2016 at 8:00 AM, Michal G <gonda.miso@gmail.com> wrote:
>
>> I will go this way then. But if I am correct I cannot change, for example,
>> read permissions for some files like /etc/passwd etc. to totally isolate
>> users, so there is no way to prevent them from doing "cat /etc/passwd" or
>> similar. Is there any security flaw I should be aware of if I just create
>> those users and keep everything as it is without setting more file
>> permissions on the system? For binaries I will use setuid as you said.
>>
>>
>> On Fri, May 13, 2016 at 7:42 PM, Jackmcbarn <jackmcbarn+bb@gmail.com>
>> wrote:
>>
>>> The best approach here is to use file permissions to prevent them from
>>> accessing files and directories they shouldn't. If there need to be
>>> exceptions for certain programs, implement them as setuid binaries.
>>>
>>> On Wed, May 11, 2016 at 8:17 AM, Michal G <gonda.miso@gmail.com> wrote:
>>>
>>>> Hi,
>>>> I am using Buildroot with Busybox on my system and I would like to
>>>> implement some serious restrictions for the users. I have 3~4 more users
>>>> and each of them should have access only to their own folders and a couple
>>>> of shell scripts. I would use shell scripts to change content of other
>>>> files. Nothing more.
>>>> Is it possible to achieve this in Buildroot ash? Or what would be the
>>>> best approach?
>>>> Thank you very much.
>>>>
>>>> BR
>>>> Michal Gonda
>>>>
>>>> _______________________________________________
>>>> busybox mailing list
>>>> busybox@busybox.net
>>>> http://lists.busybox.net/mailman/listinfo/busybox
>>>>
>
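
A small audit for the permissions-based approach recommended in this thread, as an added example that is not part of the original messages: it reports home directories that group or others can access, tightens one to owner-only, and lists setuid files. The function names and the one-directory-per-user layout under a base such as /home are assumptions.

```shell
#!/bin/sh
# Added example, not code from the thread. Written for a POSIX shell such as
# BusyBox ash. Assumes one directory per user under a base directory.

# Print each directory directly under $1 whose mode grants anything to
# group or others, together with its mode string.
audit_homes() {
    for d in "$1"/*/; do
        [ -d "$d" ] || continue
        d=${d%/}
        mode=$(ls -ld "$d" | cut -c1-10)
        case $mode in
            d???------) ;;              # owner-only: nothing to report
            *) echo "$d $mode" ;;       # group/other bits set, or a symlink
        esac
    done
}

# Restrict one home directory to its owner (the fix for an audit finding).
lock_home() {
    chmod 700 "$1"
}

# List setuid files under $1. Each one is a deliberate exception that runs
# with its owner's privileges, so the list should be short and reviewed.
# Linux ignores the setuid bit on "#!" scripts; only real binaries honour it.
list_setuid() {
    find "$1" -type f -perm -4000
}

# Usage: sh audit.sh /home
if [ "$#" -ge 1 ]; then
    audit_homes "$1"
    list_setuid "$1"
fi
```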
