Creating a Restricted Environment
Created by Pete Nesbitt pete@linux1.ca
October 27, 2003
This document is intended to be a guide for creating a very restricted user account
that can be used for a number of different purposes. Its prime function is to
allow access to a system by an untrusted user who needs to perform a specific,
predefined task.
This is a bit of a hack to say the least and I know there are better ways, such as
rbash, but there is some problem with rbash in Red Hat so I used bash -r, and then
a whole lot of lockdown.
Here is the file overview, with permissions listed afterwards:
The restricted users home contains:
FILE 1: ".bashrc" (note, only one active line)
# .bashrc
# User specific aliases and functions
# Source global definitions
#if [ -f /etc/bashrc ]; then
# . /etc/bashrc
#fi
#Restricted Shell (cannot be turned off again once set)
set -r
FILE 2: ".bash_profile"
# remove global environment
# (note: env - starts a child process with an empty environment and exits;
#  it does not clear the variables this login shell has already inherited)
/usr/bin/env -
# set restricted Path (must happen before .bashrc runs set -r, after which
# PATH can no longer be assigned)
PATH=/home/some_user/bin
# local bashrc sets restricted shell
# Get the aliases and functions
if [ -f ~/.bashrc ]; then
. ~/.bashrc
fi
# User specific environment and startup programs
#PATH=$PATH:$HOME/bin
export PATH
unset USERNAME
FILE 3: ".bash_logout" (just clears screen on exit)
# ~/.bash_logout
clear
Create a /home/some_user/bin dir and add to it:
clear (copy of /usr/bin/clear)
ssh (copy of /usr/bin/ssh)
Create /home/some_user/.ssh and add to it:
known_hosts
-populate this with the host keys for the target system.
There may be some auto-generated files such as .kde or .gnome in the user's home dir;
you can remove them if you like, but they will never be accessed.
FILE OWNERSHIP AND PERMISSIONS:
This is the most important step in creating the restricted environment. Here we
remove the user's chance to add her own binaries or scripts.
All files are to be owned by a different, non-privileged, non login account such as
"nobody". Use "chown -R nobody:nobody /home/some_user" to accomplish this.
Set the following permissions:
/home:
dr-x--x--x 5 nobody nobody 4096 Oct 24 11:38 some_user
/home/some_user:
-rw-r--r-- 1 nobody nobody 24 Oct 27 18:34 .bash_logout
-rw-r--r-- 1 nobody nobody 318 Oct 27 18:33 .bash_profile
-rw-r--r-- 1 nobody nobody 152 Oct 27 18:33 .bashrc
dr-x--x--x 2 nobody nobody 4096 Sep 18 10:52 .ssh
dr-x--x--x 2 nobody nobody 4096 Sep 18 10:17 bin
/home/some_user/.ssh:
-r--r--r-- 1 nobody nobody 230 Sep 18 10:52 known_hosts
/home/some_user/bin:
-r-x--x--x 1 nobody nobody 3348 Sep 18 10:17 clear
-r-x--x--x 1 nobody nobody 219932 Sep 18 10:17 ssh
As you can see, we have created an environment where the restricted user cannot see
what is available, cannot write, overwrite or erase files, nor can they upload
anything. They cannot leave their home directory, not even to look in their bin. They
can simply ssh out (or to localhost) and they can clear the screen (if all their
attempts get too messy looking :)
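The script below is added here as an example and is not part of the original notes. It builds the home directory described above in one pass and then audits the result against the listing: every mode must match exactly, .bashrc must contain "set -r", and, when an owner is given, every path must belong to that account. It assumes Linux with GNU coreutils (stat -c); the chown to "nobody" is only attempted when run as root, so the script can be dry-run as an ordinary user into a scratch directory. It deliberately leaves out the "/usr/bin/env -" line, because env - only starts a child process with an empty environment and does not change the login shell's own variables, and it exports PATH before .bashrc turns on restricted mode, after which PATH can no longer be assigned. The script name restrict.sh and the function names are my own.

```shell
#!/bin/sh
# Added example (not from the original article): build the restricted home
# described in the notes above and audit it against the permission listing.
# Assumptions: Linux with GNU coreutils (stat -c); run as root for the real
# /home/some_user so the chown to "nobody" can be applied, otherwise that step
# is skipped and everything else is done in whatever directory you name.
set -u

# build_restricted_home HOME_DIR OWNER [BINARY...]
# Writes the three dot files, copies each BINARY into bin/ (the article uses
# /usr/bin/clear and /usr/bin/ssh), creates .ssh/known_hosts, then applies the
# modes from the listing.
build_restricted_home() {
    home=$1; owner=$2; shift 2
    mkdir -p "$home/bin" "$home/.ssh"

    cat >"$home/.bashrc" <<'EOF'
# .bashrc
# Restricted shell; cannot be switched off again once set
set -r
EOF

    # unquoted heredoc so $home is expanded into the PATH line
    cat >"$home/.bash_profile" <<EOF
# restricted PATH, set and exported before .bashrc turns on restricted mode
# (after set -r, PATH can no longer be assigned)
PATH=$home/bin
export PATH
if [ -f ~/.bashrc ]; then
    . ~/.bashrc
fi
unset USERNAME
EOF

    printf '# ~/.bash_logout\nclear\n' >"$home/.bash_logout"

    # only the binaries named on the command line end up in bin/
    for src in "$@"; do
        if [ -f "$src" ]; then
            cp "$src" "$home/bin/$(basename "$src")"
        else
            echo "warning: $src not found, not copied" >&2
        fi
    done
    # populate this with the target host's key before handing the account over
    [ -f "$home/.ssh/known_hosts" ] || : >"$home/.ssh/known_hosts"

    chmod 644 "$home/.bashrc" "$home/.bash_profile" "$home/.bash_logout"
    chmod 444 "$home/.ssh/known_hosts"                 # -r--r--r--
    for f in "$home"/bin/*; do
        [ -e "$f" ] && chmod 511 "$f"                  # -r-x--x--x
    done
    chmod 511 "$home" "$home/bin" "$home/.ssh"         # dr-x--x--x
    if [ "$(id -u)" -eq 0 ]; then
        chown -R "$owner:$owner" "$home"
    else
        echo "not root: skipping chown -R $owner:$owner $home" >&2
    fi
}

# audit_restricted_home HOME_DIR [OWNER]
# Returns 0 when every path carries exactly the mode from the listing, .bashrc
# contains set -r and (if OWNER is given) everything is owned by OWNER;
# otherwise prints each mismatch on stderr and returns 1.
audit_restricted_home() {
    home=$1; owner=${2:-}; rc=0
    while read -r want path; do
        got=$(stat -c %a "$path" 2>/dev/null) || { echo "missing: $path" >&2; rc=1; continue; }
        [ "$got" = "$want" ] || { echo "$path has mode $got, want $want" >&2; rc=1; }
        if [ -n "$owner" ] && [ "$(stat -c %U "$path")" != "$owner" ]; then
            echo "$path is not owned by $owner" >&2; rc=1
        fi
    done <<EOF
511 $home
511 $home/bin
511 $home/.ssh
644 $home/.bashrc
644 $home/.bash_profile
644 $home/.bash_logout
444 $home/.ssh/known_hosts
EOF
    for f in "$home"/bin/*; do
        [ -e "$f" ] || continue
        [ "$(stat -c %a "$f")" = 511 ] || { echo "$f has mode $(stat -c %a "$f"), want 511" >&2; rc=1; }
    done
    grep -qx 'set -r' "$home/.bashrc" 2>/dev/null || { echo "$home/.bashrc does not set -r" >&2; rc=1; }
    return $rc
}

# Usage: sh restrict.sh /home/some_user nobody /usr/bin/clear /usr/bin/ssh
if [ $# -ge 2 ]; then
    target=$1; account=$2; shift 2
    build_restricted_home "$target" "$account" "$@"
    if [ "$(id -u)" -eq 0 ]; then
        audit_restricted_home "$target" "$account"
    else
        audit_restricted_home "$target"      # ownership not applied without root
    fi
fi
```

The audit is worth keeping around separately from the build: run it again after any package update or administrator change, since a single directory that regains write or read permission for the user undoes the whole lockdown.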
This account is now a good candidate to use for a single-purpose task, say to ssh to a
more guarded system. You may want to see my notes on restricting inbound SSH access
to a single remote host.