| delorie.com/archives/browse.cgi | search |
I have been doing some playing with ssh and found a good way to sand box a
user.
History:
Essbase DBA wants terminal services to do their job. Audit standards say
that DBA, Developers, and SAs all have separate jobs and tasks and must be
separted.
Problem:
I can't give the DBA terminal services access to the servers.
Issue:
They cry they pout and get very angry.
Solution:
Sandboxing
----------
1. Create a local user called Essbase.
2. Change the service so that the Essbase user is the SID with starts and
stops the service.
3. Add Essbase user to powerusers group
4. modify passwd file so that the shell points to a script I called bash.sh
5. Write bash.sh script
#! /bin/sh
{other login stuff}
chroot /cygdrive/d/essbase /bin/bash -i
6. copy needed files to new root /bin folder (ie. ls, tail, grep, kill)
7. link /usr folder to new root
8. mkdir /temp in new root
Sandbox is all set.
The user can't get out of the new "/" area and can only run what you allow
them to run, In my case I needed to give them net.exe so they can start
and stop the essbase service. The nice thing is with this setup they can
only start and stop the essbase service and thats it.. they will get
access denied on anything else.
I would realy like to fine tune this process and use it for other things.
If someone see's areas of improvement please feel free to comment or send
me a direct e-mail: Nordlus AT ilive4code DOT net
--
Regards,
Stephen Nordlund, MCP
nordlus AT ilive4code DOT net
Systems Engineer
--
Unsubscribe info: http://cygwin.com/ml/#unsubscribe-simple
Bug reporting: http://cygwin.com/bugs.html
Documentation: http://cygwin.com/docs.html
FAQ: http://cygwin.com/faq/
| webmaster | delorie software privacy |
| Copyright © 2019 by DJ Delorie | Updated Jul 2019 |