User Tools

Site Tools


wiki:security:rbash

The way x2go works, allows every user to get ssh access to the x2go server.

This can be a big problem when, you can not use the broker, to prevent certain actions on the x2go-server.

The users can browse the x2go-server and have the access to nearly all directiores.

There are serval options to prevent the user doing it. One would be the use of selinux, but it is hard to understand and hard to setup correctly. Another option is the use of rbash, but with the current state of x2go-server there are serval steps so setup it up working correctly.

This guide is focused on a single application approach, no audio, remote/mounted dirs and printing are involved.

rbash short feature overview

rbash has some intressting features:

  • cd is disabled
  • no redirections via > and » are allowed
  • no calls of binaries via complete path
  • no changes off the PATH variable are allowed

But be aware, if rbash detects that a executebale is a shell-script it will be run with full bash. This means if you are able to access the bash executebale via the PATH-variable (remind full path like /bin/bash are not allowed), you can break out the rbash.

secure ssh access

To make sure the users can only access rbash, setup ssh to use ForceCommand, otherwise the users can run any other shells or commands over ssh.

Therefore edit /etc/ssh/sshd_config and put the the following lines at the end.

    Match group rbrowser
        ForceCommand sshcommand

ForceCommand only works for a sshd matching section. So you can dedicate the rbash to a certain group.

sshcommand is a small shell script to wrap the rbash usage,

#!/bin/sh
PATH=/opt/rbash/bin
if test -n "$SSH_ORIGINAL_COMMAND"; then
    /bin/rbash -c "$SSH_ORIGINAL_COMMAND"
else
    /bin/rbash
fi

We set the PATH to a new directory, so the users can only access the commands from this dir.

Link the needed programs to setup a session

The following programs are needed to link to the new created directory.

/usr/bin/setsid
/usr/bin/whoami
/usr/bin/x2goagent
/usr/bin/x2golistsessions
/usr/bin/x2gopath
/usr/bin/x2goruncommand
/usr/bin/x2gostartagent
/usr/bin/x2goterminate-session
 
mkdir /opt/rbash/bin
cd /opt/rbash/bin && ln -s /usr/bin/{setsid,whoami,x2goagent,x2golistsessions,x2gopath,\
x2goruncommand,x2gostartagent,x2goterminate-session} .

Because some programs are written in perl and need fragments from the x2go-lib dir and it is searched relative, the lib-directory needs to be linked too.

mkdir /opt/rbash/lib
cd /opt/rbash/lib && ln -s /usr/lib/x2go .

Bring the path back to some scripts

Because we set the PATH to /opt/rbash/bin some scripts needs to set it back to be functional again.

x2gopath
x2goruncommand
x2gostartagent
x2goterminate-session

After the license header add the following to all files mentioned above

export PATH=/bin:/usr/bin:/sbin:/usr/sbin

Security concerns

There could be still problems to brake out of rbash, no one yet made a security audit of the linked x2go scripts, if they allow the execution of a real shell via options.

wiki/security/rbash.txt · Last modified: 2014/11/03 13:07 by woglinde