X-Spam-Check-By: sourceware.org
Date: Thu, 1 Mar 2007 09:55:07 -0500
From: Christopher Faylor <cgf-use-the-mailinglist-please AT cygwin DOT com>
To: cygwin AT cygwin DOT com
Subject: Re: Remove user access to local drives?
Message-ID: <20070301145507.GA10226@trixie.casa.cgf.cx>
Reply-To: cygwin AT cygwin DOT com
Mail-Followup-To: cygwin AT cygwin DOT com
References: <loom DOT 20070227T203610-344 AT post DOT gmane DOT org> <200703011428 DOT l21ESF4S026963 AT beta DOT mvs DOT co DOT il>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
In-Reply-To: <200703011428.l21ESF4S026963@beta.mvs.co.il>
User-Agent: Mutt/1.5.11
Mailing-List: contact cygwin-help AT cygwin DOT com; run by ezmlm
Precedence: bulk
List-Id: <cygwin.cygwin.com>
List-Unsubscribe: <mailto:cygwin-unsubscribe-archive-cygwin=delorie DOT com AT cygwin DOT com>
List-Subscribe: <mailto:cygwin-subscribe AT cygwin DOT com>
List-Archive: <http://sourceware.org/ml/cygwin/>
List-Post: <mailto:cygwin AT cygwin DOT com>
List-Help: <mailto:cygwin-help AT cygwin DOT com>, <http://sourceware.org/ml/#faqs>
Sender: cygwin-owner AT cygwin DOT com
Mail-Followup-To: cygwin AT cygwin DOT com
Delivered-To: mailing list cygwin AT cygwin DOT com

On Thu, Mar 01, 2007 at 04:28:15PM +0200, Ehud Karni wrote:
>On Tue, 27 Feb 2007 19:37:25, Francis wrote:
>>I am running a OpenSSH server for some friends on my machine, and I was
>>hoping to disable access to /cygdrive (local drives.) Is there a way to
>>prevent them from modifying any files also?  this is intended just as a
>>SSH tunneling method to get us around some Websense.
>
>I have restricted ssh users to a some directory with some commands only
>on GNU/Linux by using `chroot' and restricted shell (bash). This won't
>work on Cygwin, because there is no `chroot' jail (not supported by the
>underlying OS).
>
>You have 2 options:
>1. Use the /etc/passwd to specify your own shell which will check the
>   input and execute only the allowed commands (by being filter to a
>   shell or by calling `system').
>
>2. Use cgf advice and restrict the ssh user to one command only (by the
>   authorized_keys file which will be a filter (same as in 1). This has
>   some drawbacks on Cygwin (unlike UNIX), but for your purpose it is
>   not significant.

Cygwin emulates chroot so, depending on your needs, it may be adequate
although since, as noted, it isn't handled at the OS level, it is not
foolproof.

I still think that the best solution is to only allow tunneling and
disallow other commands.  Looking at the documentation for sshd_config,
another option is to use "ForceCommand" option in sshd_config, possibly
in conjunction with the "Match" keyword.

"man sshd_config" would probably be useful reading.

cgf

--
Unsubscribe info:      http://cygwin.com/ml/#unsubscribe-simple
Problem reports:       http://cygwin.com/problems.html
Documentation:         http://cygwin.com/docs.html
FAQ:                   http://cygwin.com/faq/