Restricted Shell RBASH for Aspera Enterprise Server, Connect Server or Point to Point

by Michael Wallman

Introduction

RBASH is only part of a security solution. It works by limiting the commands that a user can execute, but it does not change the actual security settings of that account as commands like chroot would do. If a user is able to break out of the RBASH environment by executing an unrestricted shell, they will have regular access to the system.

If the intended subset of commands includes only ascp (Aspera’s transport utility), then Aspera’s aspshell is by far the best choice. See your Enterprise Server/Connect Server/Point to Point documentation for more information on the aspshell.

Environment

This document will outline the setup and configuration of the restricted bash shell. It is based on GNU bash, version 3.2.25, installed on a Red Hat 5.5 server, but similar concepts can be applied to most *NIX systems.

Configuration Steps

One of the fundamental properties of the restricted shell is to not allow a user to change their defined SHELL, PATH, ENV, or BASH_ENV variables. By statically configuring a user's PATH, an Administrator can control which programs a user can execute.

Note: This procedure assumes that all restricted shell users access the same subset of commands, although the same principles can be extended to apply unique configurations on a per-user basis.

1. Determine bash shell location:

# which bash
/bin/bash
# ls -la /bin/bash
-rwxr-xr-x 1 root root 801512 Jan 21 2009 /bin/bash

2. Create symlink rbash, which links to bash:

# ln -s /bin/bash /bin/rbash 
# ls -la /bin/rbash
lrwxrwxrwx 1 root root 9 Feb 10 19:04 /bin/rbash -> /bin/bash

3. If file /etc/shells exists, add rbash to the shells file:

# echo "/bin/rbash" >> /etc/shells

4. Create a directory for the rbash user(s) programs.

# mkdir /usr/rbin

5. Create a standard bash profile file that all users will source on login, located at the following:

  • /etc/rbash_profile

Copy the following into the file. Notice that the PATH includes the Aspera bin directory, and the custom /usr/rbin directory created above:

# Get the aliases and functions 
if [ -f ~/.bashrc ]; then
. ~/.bashrc
fi
# User specific environment and startup programs
PATH=/opt/aspera/bin:/usr/rbin
export PATH
unset USERNAME

6. For each rbash user, one must modify the bash startup files: ~/.bash_profile, ~/.bashrc, and ~/.bash_logout. (See: useradd --skel). This example references user asp1:

# cd /home/asp1 
# rm .bash_profile 
# chown root: .bash_logout .bashrc 
# ln -s /etc/rbash_profile .bash_profile

7. In Red Hat, .bash_logout executes the /usr/bin/clear program. To maintain this behavior, one must call clear without the path, and add clear to the /usr/rbin directory (see step 8).

# ~/.bash_logout
clear

8. Allow access to programs by creating symlinks from within the /usr/rbin directory. This example allows a minimal subset:

# ln -s /usr/bin/clear /usr/rbin/clear 
# ln -s /bin/ls /usr/rbin/ls 
# ln -s /bin/mkdir /usr/rbin/mkdir 
# ln -s /bin/rm /usr/rbin/rm 
# ln -s /bin/cp /usr/rbin/cp 
# ln -s /bin/mv /usr/rbin/mv 
# ln -s /bin/touch /usr/rbin/touch

9. Set the user's shell to rbash. The user's /etc/passwd entry should then show /bin/rbash as the login shell:

# grep "^asp1:" /etc/passwd
asp1:x:502:502::/home/asp1:/bin/rbash

10. To perform a few simple tests, one can use the following commands:

# su - asp1 
$ cd /
-rbash: cd: restricted
$ ssh 192.168.1.1
-rbash: ssh: command not found
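
The configuration built in steps 1 through 9 can also be checked with a small audit function. This is an added example, not part of the original article or of Aspera's tooling; the function name audit_rbash and its optional ROOT prefix argument (which points the checks at a constructed directory tree instead of the live system) are assumptions, and stat -c assumes GNU coreutils.

```shell
#!/bin/bash
# Added example: audit one rbash account against the steps above.
# Usage: audit_rbash asp1          (live system)
#        audit_rbash asp1 /tmp/x   (hypothetical ROOT prefix, for a test tree)
audit_rbash() {
    local user="$1" root="${2:-}" fails=0 entry uid home shell f target
    entry=$(grep "^${user}:" "$root/etc/passwd") || { echo "FAIL no passwd entry"; return 1; }
    uid=$(echo "$entry" | cut -d: -f3)
    home=$(echo "$entry" | cut -d: -f6)
    shell=$(echo "$entry" | cut -d: -f7)

    # Step 9: the login shell must be the restricted shell.
    [ "$shell" = /bin/rbash ] || { echo "FAIL shell=$shell"; fails=$((fails + 1)); }

    # Step 6: .bash_profile must be the shared profile that pins PATH.
    [ "$(readlink "$root$home/.bash_profile")" = /etc/rbash_profile ] ||
        { echo "FAIL .bash_profile is not a link to /etc/rbash_profile"; fails=$((fails + 1)); }

    # Step 6: the other startup files must not belong to the restricted user.
    for f in .bashrc .bash_logout; do
        [ -e "$root$home/$f" ] || continue
        [ "$(stat -c %u "$root$home/$f")" != "$uid" ] ||
            { echo "FAIL $f is owned by $user"; fails=$((fails + 1)); }
    done

    # Step 8: each allowed command is a symlink (absolute target, as created
    # above) and none points at a shell listed in /etc/shells.
    for f in "$root"/usr/rbin/*; do
        [ -e "$f" ] || [ -L "$f" ] || continue
        if [ ! -L "$f" ]; then
            echo "FAIL ${f##*/} is not a symlink"; fails=$((fails + 1)); continue
        fi
        target=$(readlink "$f")
        if grep -qxF -- "$target" "$root/etc/shells" 2>/dev/null; then
            echo "FAIL ${f##*/} -> $target is a login shell"; fails=$((fails + 1))
        fi
    done
    [ "$fails" -eq 0 ] && echo "OK $user"
    return "$fails"
}
```

The function's exit status is the number of findings, so it can be run from cron or a configuration-management check after any change to /usr/rbin.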

User/File Permissions

Along with system security measures, one can add another level of security through Aspera’s transfer control mechanisms. For more information see this article (Managing User and File Permissions for Aspera Enterprise Server and Aspera Point-to-Point).
