Ondrej Valousek | 1 Jun 09:50 2012

ssh & control groups

Hi List,

I am looking for an option for sshd to start user's shell (when logging in interactively to a remote host) in a
control group via cgexec - 
so for example:

/bin/cgexec -g <username> /bin/bash

This would be extremely handy on linux Terminal servers to control users access to the system resources
(protect system from a malicious 
user hogging the machine by running cpu/memory intensive applications).

Is something like that possible to achieve?
Thanks,

Ondrej

The information contained in this e-mail and in any attachments is confidential and is designated solely
for the attention of the intended recipient(s). If you are not an intended recipient, you must not use,
disclose, copy, distribute or retain this e-mail or any part thereof. If you have received this e-mail in
error, please notify the sender by return e-mail and delete all copies of this e-mail from your computer system(s).
Please direct any additional queries to: communications <at> s3group.com.
Thank You.
Silicon and Software Systems Limited. Registered in Ireland no. 378073.
Registered Office: South County Business Park, Leopardstown, Dublin 18
Iain Morgan | 1 Jun 19:02 2012
Picon

Re: ssh & control groups

On Fri, Jun 01, 2012 at 02:50:41 -0500, Ondrej Valousek wrote:
> Hi List,
> 
> I am looking for an option for sshd to start user's shell (when logging in interactively to a remote host) in
a control group via cgexec - 
> so for example:
> 
> /bin/cgexec -g <username> /bin/bash
> 
> This would be extremely handy on linux Terminal servers to control users access to the system resources
(protect system from a malicious 
> user hogging the machine by running cpu/memory intensive applications).
> 
> Is something like that possible to achieve?
> Thanks,
> 
> Ondrej
> 

Hello,

Unfortunately, OpenSSH doesn't support aa option which could handle
this. The closest would be the ForceCommand option, but it does not have
the flexibility you need and the command is invoked with the user's
shell.

Something which I have been contemplating submitting as a feature
enhancement is a ForceShell option. The original motivation was to
provide a means of overriding a user's shell from withing an
sshd_config(5) Match block. This could be used to conditionally force
(Continue reading)

Bert Wesarg | 1 Jun 20:34 2012

Re: ssh & control groups

Hi,

On Fri, Jun 1, 2012 at 9:50 AM, Ondrej Valousek <ondrejv <at> s3group.com> wrote:
> Hi List,
>
> I am looking for an option for sshd to start user's shell (when logging in
> interactively to a remote host) in a control group via cgexec - so for
> example:
>
> /bin/cgexec -g <username> /bin/bash
>
> This would be extremely handy on linux Terminal servers to control users
> access to the system resources (protect system from a malicious user hogging
> the machine by running cpu/memory intensive applications).

Shouldn't this be handles by PAM. A quick search reveals this:

http://fedoraproject.org/wiki/Features/ControlGroups

Bert

>
> Is something like that possible to achieve?
> Thanks,
>
> Ondrej
>
Ondrej Valousek | 4 Jun 11:48 2012

Re: ssh & control groups

On 06/01/2012 08:34 PM, Bert Wesarg wrote:
> Shouldn't this be handles by PAM. A quick search reveals this:
>
> http://fedoraproject.org/wiki/Features/ControlGroups
>
> Bert
Hi,
Thanks for the tip. Installing libcgroup-pam did the job, indeed!
The only remaining thing is the Control group creation upon user login - and that one I can obviously handle
with pam_exec.so

Thanks all,
Ondrej

The information contained in this e-mail and in any attachments is confidential and is designated solely
for the attention of the intended recipient(s). If you are not an intended recipient, you must not use,
disclose, copy, distribute or retain this e-mail or any part thereof. If you have received this e-mail in
error, please notify the sender by return e-mail and delete all copies of this e-mail from your computer system(s).
Please direct any additional queries to: communications <at> s3group.com.
Thank You.
Silicon and Software Systems Limited. Registered in Ireland no. 378073.
Registered Office: South County Business Park, Leopardstown, Dublin 18
Corinna Vinschen | 5 Jun 14:04 2012
Picon

[patch/cygwin]: Explicitely add user right to start service

Hi,

could somebody with checkin rights please apply the below patch to the
Cygwin service creator script?  It patches a problem when using an
existing account to start the sshd service.  In that case the script
so far doesn't make sure that the user has th right to logon as a 
service.

Index: contrib/cygwin/ssh-host-config
===================================================================
RCS file: /cvs/openssh/contrib/cygwin/ssh-host-config,v
retrieving revision 1.31
diff -u -p -r1.31 ssh-host-config
--- contrib/cygwin/ssh-host-config	21 Feb 2011 10:41:32 -0000	1.31
+++ contrib/cygwin/ssh-host-config	5 Jun 2012 12:04:22 -0000
 <at>  <at>  -493,6 +493,7  <at>  <at>  install_service() {
 			      -a "-D" -y tcpip "${cygwin_env[ <at> ]}" \
 			      -u "${run_service_as}" -w "${password}"
 	then
+	  /usr/bin/editrights -u "${run_service_as}" -a SeServiceLogonRight
 	  echo
 	  csih_inform "The sshd service has been installed under the '${run_service_as}'"
 	  csih_inform "account.  To start the service now, call \`net start sshd' or"

Thanks,
Corinna

--

-- 
Corinna Vinschen
Cygwin Project Co-Leader
(Continue reading)

Raghu Udupa | 7 Jun 18:40 2012

While using internal sftp server, need to access files outside chroot

Hi,

I need to make a custom code change in sftp-server module to copy the received file outside the
chroot-setup.  I am trying to chroot repeatedly to get physical root directory and the copy received file
to a directory outside chrooted directory.

The children processes are owned by the sftp-user and so, sftp child process does not have permission to
escape out of chroot.

Is there a simple way where I can spawn child processes for sftp so that these processes are owned by root.

I tried to change user to root, but user root is not defined in chroot environment and so, setting setuid and
becoming root to chroot is not an option.

Thanks,
Raghu
Ángel González | 7 Jun 18:58 2012
Picon

Re: While using internal sftp server, need to access files outside chroot

On 07/06/12 18:40, Raghu Udupa wrote:
> Hi,
>
> I need to make a custom code change in sftp-server module to copy the received file outside the
chroot-setup.  I am trying to chroot repeatedly to get physical root directory and the copy received file
to a directory outside chrooted directory.
>
> The children processes are owned by the sftp-user and so, sftp child process does not have permission to
escape out of chroot.
Heh, that's precisely the point of placing it in a chroot.

> Is there a simple way where I can spawn child processes for sftp so that these processes are owned by root.
>
> I tried to change user to root, but user root is not defined in chroot environment and so, setting setuid and
becoming root to chroot is not an option.
>
> Thanks,
> Raghu
It doesn't matter. You can make a binary setuid from outside the chroot.
When you run it from the inside, it will become root, even if there's no
"user named root" inside. You can then use the classical technique to
exit a chroot(), and copy the file you wanted, *being very careful*, as
that script will be a weak point in your security (you don't want to
allow it to copy files anywhere, or to overwrite configuration files,
for instance).

Some reasons this might not work include that the mount doesn't allow
setuid, and that your kernel is security-enhanced to avoid chroot-escaping.
Raghu Udupa | 7 Jun 22:47 2012

RE: While using internal sftp server, need to access files outside chroot

Angel,

When you say "You can make a binary setuid from outside the chroot" do you mean making my custom sshd (with
patches required for sftp) to have setuid flag set?

If I turn on setuid bit, sshd does not run properly.
Could you give me some more detail regarding providing access out of chroot in ssh-sftp (internal sftp) environment?

Thanks,
Raghu

-----Original Message-----
From: Ángel González [mailto:keisial <at> gmail.com] 
Sent: Thursday, June 07, 2012 12:58 PM
To: Raghu Udupa
Cc: 'openssh-unix-dev <at> mindrot.org'
Subject: Re: While using internal sftp server, need to access files outside chroot

On 07/06/12 18:40, Raghu Udupa wrote:
> Hi,
>
> I need to make a custom code change in sftp-server module to copy the received file outside the
chroot-setup.  I am trying to chroot repeatedly to get physical root directory and the copy received file
to a directory outside chrooted directory.
>
> The children processes are owned by the sftp-user and so, sftp child process does not have permission to
escape out of chroot.
Heh, that's precisely the point of placing it in a chroot.

> Is there a simple way where I can spawn child processes for sftp so that these processes are owned by root.
(Continue reading)

Raghu Udupa | 7 Jun 23:14 2012

RE: While using internal sftp server, need to access files outside chroot

Angel,

I need to provide a set of users only SFTP access. But files these users put need to be copied to a generic queue directory.

Your first solution of having a custom script to copy the file to generic queue dir would work. 

Can you think of a better way to move files given my requirements?

Thanks,
Raghu

-----Original Message-----
From: Ángel González [mailto:keisial <at> gmail.com] 
Sent: Thursday, June 07, 2012 5:03 PM
To: Raghu Udupa
Cc: 'openssh-unix-dev <at> mindrot.org'
Subject: Re: While using internal sftp server, need to access files outside chroot

On 07/06/12 22:47, Raghu Udupa wrote:
> Angel,
>
> When you say "You can make a binary setuid from outside the chroot" do you mean making my custom sshd (with
patches required for sftp) to have setuid flag set?
>
> If I turn on setuid bit, sshd does not run properly.
> Could you give me some more detail regarding providing access out of chroot in ssh-sftp (internal sftp) environment?
>
> Thanks,
> Raghu
No. I was thinking on another program which lived inside the chroot and
(Continue reading)

Ángel González | 7 Jun 23:02 2012
Picon

Re: While using internal sftp server, need to access files outside chroot

On 07/06/12 22:47, Raghu Udupa wrote:
> Angel,
>
> When you say "You can make a binary setuid from outside the chroot" do you mean making my custom sshd (with
patches required for sftp) to have setuid flag set?
>
> If I turn on setuid bit, sshd does not run properly.
> Could you give me some more detail regarding providing access out of chroot in ssh-sftp (internal sftp) environment?
>
> Thanks,
> Raghu
No. I was thinking on another program which lived inside the chroot and
was called to copy files outside.

I begin to wonder why you need to do so, though. Why do you chroot to a
folder if you then need to move the files anywhere else? What's your use
case?
If it's a simple drop box, you could use a unchrooted process watching
the folder and moving out new files.

Gmane