Mailing-List: contact cygwin-help AT cygwin DOT com; run by ezmlm
Message-ID: <4306.65.31.30.238.1027697660.squirrel@mail.ilive4code.net>
Date: Fri, 26 Jul 2002 11:34:20 -0400 (EDT)
Subject: ssh - sandboxing
From: "Stephen Nordlund"
References: <20020724163138 DOT F3921 AT cygbert DOT vinschen DOT de> <20020724201757 DOT GC21112 AT redhat DOT com> <00da01c2336a$b940b210$0100a8c0 AT wdg DOT uk DOT ibm DOT com> <20020725112023 DOT B14134 AT cygbert DOT vinschen DOT de>

I have been doing some playing with ssh and found a good way to sandbox a user.

History: Essbase DBA wants terminal services to do their job. Audit standards say that DBAs, developers, and SAs all have separate jobs and tasks and must be separated.

Problem: I can't give the DBA terminal services access to the servers.

Issue: They cry, they pout and get very angry.

Solution: Sandboxing
----------

1. Create a local user called Essbase.
2. Change the service so that the Essbase user is the SID which starts and stops the service.
3. Add the Essbase user to the Power Users group.
4. Modify the passwd file so that the shell points to a script I called bash.sh.
5. Write the bash.sh script:

    #! /bin/sh
    {other login stuff}
    chroot /cygdrive/d/essbase /bin/bash -i

6. Copy needed files to the new root /bin folder (i.e. ls, tail, grep, kill).
7. Link the /usr folder to the new root.
8. mkdir /temp in the new root.

Sandbox is all set. The user can't get out of the new "/" area and can only run what you allow them to run. In my case I needed to give them net.exe so they can start and stop the Essbase service.

The nice thing is with this setup they can only start and stop the Essbase service and that's it; they will get access denied on anything else. I would really like to fine-tune this process and use it for other things. If someone sees areas of improvement please feel free to comment or send me a direct e-mail: Nordlus AT ilive4code DOT net

--
Regards,
Stephen Nordlund, MCP
nordlus AT ilive4code DOT net
Systems Engineer
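Steps 5 to 8 of the post, as an added example that is not Stephen's bash.sh and not part of the original message: a POSIX shell library that builds the chroot tree from an explicit allow-list of commands, verifies that nothing outside that list has crept into the sandbox's /bin before each login, and only then does what bash.sh does. The allow-list contents, the sandbox root path, the source directory and the function names are assumptions; the post only names ls, tail, grep and kill as examples. One caveat for anyone reusing the layout: chroot under Cygwin is emulated inside the Cygwin DLL rather than enforced by Windows, so a native Win32 program started from inside the sandbox (net.exe is one) is not confined by it; the tree limits what a Cygwin shell session can reach, and the Windows account's own rights still decide what the user can do.

```shell
#!/bin/sh
# Added example, not the post's script. Builds and checks a chroot sandbox
# tree, then hands off to the restricted shell the post's bash.sh runs.

# Commands the sandboxed account may run (assumed list, modelled on step 6).
ALLOWED_CMDS="ls tail grep kill"

# build_sandbox ROOT SRC_BIN: create ROOT/bin and ROOT/temp (steps 6 and 8)
# and copy only the allowed commands from SRC_BIN, read/execute only.
build_sandbox() {
    root=$1; src=$2
    mkdir -p "$root/bin" "$root/temp" || return 1
    for c in $ALLOWED_CMDS; do
        cp "$src/$c" "$root/bin/$c" || return 1
        chmod 0555 "$root/bin/$c" || return 1
    done
    return 0
}

# check_sandbox ROOT: succeed only if ROOT/temp exists and ROOT/bin holds
# exactly the allowed commands. Any stray file (a binary someone dropped in
# later, for example) fails the check and is reported on stderr.
check_sandbox() {
    root=$1
    [ -d "$root/temp" ] || { echo "missing $root/temp" >&2; return 1; }
    for f in "$root"/bin/*; do
        name=${f##*/}
        case " $ALLOWED_CMDS " in
            *" $name "*) ;;
            *) echo "unexpected file in sandbox: $f" >&2; return 1 ;;
        esac
    done
    for c in $ALLOWED_CMDS; do
        [ -x "$root/bin/$c" ] || { echo "missing $root/bin/$c" >&2; return 1; }
    done
    return 0
}

# sandbox_shell ROOT: the login-shell step (the post's bash.sh), but it refuses
# to start a session if the tree no longer matches the allow-list.
sandbox_shell() {
    root=$1
    check_sandbox "$root" || { echo "sandbox $root failed check" >&2; exit 1; }
    exec chroot "$root" /bin/bash -i
}

# When run directly with a root path, act as the login shell; when sourced
# (no arguments), just provide the functions above.
[ $# -eq 0 ] || sandbox_shell "$1"
```

Pointing the passwd entry at this file with the sandbox root as its argument gives the same login flow as the post, with the added property that a session is refused rather than started when the tree has drifted from what was approved; `build_sandbox` is meant to be run once by the administrator, from a normal shell, with the real /bin as its second argument.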