Darren Moffat: Using Solaris RBAC to only allow scp/sftp

Just posting this here for my own reference:

Darren Moffat: Using Solaris RBAC to only allow scp/sftp:

The RBAC functionality in Solaris is normally used to empower users but it can also be used to restrict what commands they may run.

It is possible to use RBAC to restrict access to the sshd(1m) subsystems. This is normally done to create a user who can use sftp but cannot log in.

Since sshd(1m) starts the subsystems listed in sshd_config(4) using the user’s login shell, it isn’t possible to restrict the user by giving them a bogus shell (e.g. /bin/false). However, if the user is assigned one of the profile shells (pfsh, pfksh, pfcsh) then they can be configured with only the commands necessary for the relevant sshd(1m) subsystems.

Create a new execution profile that contains only the scp and sftp-server commands thus:

$ cat <<_EOM_ >> /etc/security/exec_attr
Restricted Secure Shell:suser:cmd:::/usr/bin/scp:
Restricted Secure Shell:suser:cmd:::/usr/lib/ssh/sftp-server:
_EOM_

$ cat <<_EOM_ >> /etc/security/prof_attr
Restricted Secure Shell:::scp/sftp access only:
_EOM_

Update /etc/security/policy.conf to remove the “Basic Solaris User” profile from the PROFS_GRANTED entry; this ensures that by default users with profile shells cannot run commands except those listed in their profile.

Set the user’s login shell to be one of the profile shells (e.g. /bin/pfsh). Give the user the “Restricted Secure Shell” profile, e.g.

        upload::::profiles=Restricted Secure Shell
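To verify the result of the steps above, here is an added audit script (not part of Darren Moffat’s post) that resolves a user’s profiles= entry in user_attr to the command paths granted in exec_attr, and checks whether policy.conf still grants “Basic Solaris User” by default. The sample files it creates are constructed for the demonstration and the “Other Profile” entry is invented; the field layouts follow user_attr(4), exec_attr(4) and policy.conf(4).

```shell
#!/bin/sh
# Added example (not from Darren Moffat's post): audit an RBAC-restricted
# account by resolving user_attr -> profiles= -> exec_attr command paths,
# and flag a policy.conf that still grants "Basic Solaris User" by default.
# Field layouts follow user_attr(4), exec_attr(4) and policy.conf(4).

# Print the command paths a user is granted via profiles= in user_attr.
# Usage: rbac_user_cmds USER USER_ATTR_FILE EXEC_ATTR_FILE
rbac_user_cmds() {
  user=$1 uattr=$2 eattr=$3
  # user_attr line: user:qualifier:res1:res2:attr  (attr = key=val;key=val)
  profiles=$(awk -F: -v u="$user" '$1 == u {
      n = split($5, kv, ";")
      for (i = 1; i <= n; i++)
        if (sub(/^profiles=/, "", kv[i])) print kv[i]
    }' "$uattr")
  [ -n "$profiles" ] || return 1
  # profiles= is comma-separated; exec_attr line: name:policy:type:res1:res2:id:attr
  printf '%s\n' "$profiles" | tr ',' '\n' | while read -r p; do
    awk -F: -v p="$p" '$1 == p && $3 == "cmd" { print $6 }' "$eattr"
  done
}

# Succeed (exit 0) when policy.conf still hands every user the Basic Solaris
# User profile, i.e. the restriction described above is not in effect.
policy_grants_basic() {
  grep -v '^#' "$1" | grep '^PROFS_GRANTED=' | grep -q 'Basic Solaris User'
}

# Constructed sample files (not a real system) mirroring the post's entries.
rbac_demo_setup() {
  d=$(mktemp -d)
  cat > "$d/exec_attr" <<'EOF'
Restricted Secure Shell:suser:cmd:::/usr/bin/scp:
Restricted Secure Shell:suser:cmd:::/usr/lib/ssh/sftp-server:
Other Profile:suser:cmd:::/usr/bin/ssh:
EOF
  cat > "$d/user_attr" <<'EOF'
upload::::type=normal;profiles=Restricted Secure Shell
EOF
  printf 'PROFS_GRANTED=Basic Solaris User\n' > "$d/policy.conf.before"
  printf '# PROFS_GRANTED=Basic Solaris User\nPROFS_GRANTED=\n' > "$d/policy.conf.after"
  echo "$d"
}

# Usage: d=$(rbac_demo_setup); rbac_user_cmds upload "$d/user_attr" "$d/exec_attr"
```

On a real host point the functions at /etc/user_attr, /etc/security/exec_attr and /etc/security/policy.conf; an empty command list for the upload user, or a policy.conf that still grants the basic profile, means the restriction is not in place.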

Note the user can still log in to the system and move around using cd, but they can only issue the commands in the profile and shell builtins. Since ssh isn’t in the profile they won’t be able to use scp to get out of the machine again (in current Solaris implementations ssh is exec’d by scp to make the connection). The restricted feature of ksh allows stopping this behaviour as well. It is possible to have both a restricted shell and a profile shell out of the same binary. Unfortunately, though, we didn’t ship /bin/rpfksh in Solaris, but it is trivial to implement as a one-line shell script:

#!/bin/ksh
exec /bin/pfksh -r

You can now use /bin/rpfksh as the login shell rather than /bin/pfksh. Note that this will not stop the user from using sftp to browse the filesystem via “cd”; it only restricts a login shell. It is intended to make the login shell rather useless.

If we added a “-c” argument to /bin/pfexec we could achieve an even better result for the login shell, but would still have the issue of sftp-server allowing the user to “wander” around the filesystem. To fix that either sshd or sftp-server would need to chroot the user into their home directory. Neither Solaris nor OpenSolaris supports that today.
