HowTo Disable execution of commands whit ssh and scp/sftp

John Haxby jch at thehaxbys.co.uk
Thu Mar 11 20:54:50 UTC 2004 

Dario Lesca wrote:

>Hi, someone know howto disable the execution of any command via ssh and
>disable the scp/sftp service?
>
>OK; ssh user at host 
>NO: ssh user at host cat /etc/passwd
>NO: scp user at host:/etc/passwd /tmp
>NO: sftp user at host
>  
>
Apart from sftp (which as someone else said), the short answer is "no".

You can't realistically control all the commands like this.   SELinux 
might help, but I'm not sure and it's very hard to restrict a user's 
environment.    Take the password file -- suppose you do prevent a user 
from just looking at it with cat, less, more, vi, view, emacs, xemacs, 
joe, jed, pico, dd, etc etc but still have ls work.   "ls -l /home" will 
give you a fair slice of the password file in a different form.   Type 
"echo ~<tab><tab>" in the shell and you'll also get a list of users.    
You could remove global read access from the password file, but you'll 
be surprised how many things break if you do.   I once had the 
displeasure of maintaining a program that gave specified users access to 
a limited set of commands as root.    It had a list of proscribed 
programs to stop you getting a shell to do what you like unaudited, 
things like sh, csh, ksh, bash, tcsh and so on.   Of course, it didn't 
proscribe less, more, vi, view, emacs, xemacs, xterm, hpterm, dxterm 
etc.   I simply removed the feature in the new version of the program, 
there's not much worse than having supposed security that is so easy to 
get around you'd hardly notice it was there.

However, as someone else suggested.   There is another way.   A chrooted 
environment (like the one used for anonymous ftp) will lock a user into 
a limited environment.    The only files that the user can get at are 
the ones in that chroot'd environment and there's no way to get out, you 
can't "cd .." from /.   There are some really serious downsides to 
this.   It's really quite difficult to set up and I'm not even sure that 
ssh has the right hooks to enforce it ("ssh host ls" runs /bin/ls 
directly, it doesn't go through a chrooting shell entry in /etc/passwd 
an I don't recall anything in the sshd config that forces a chroot.    
You could patch sshd to do it, but it's a measure of the difficulty of 
getting it to work effectively that it hasn't been done.

That was a long no.   Although I don't know much about it, I think 
you're better off looking at SELinux which almost certainly solves the 
security problems that you actually want to solve even if you don't know 
what they are -- yet.

jch

More information about the users mailing list