
Jailing a user

kUdtiHaEX

Only one user can log in via SSH, and (for now) he authenticates with a username and password. Now, I want to kill off every command that exists for him except su, which, when invoked, would have the system ask him for the root password, and if he gets it right, he becomes root.

What is the easiest way to do this?
 
Since OpenSSH version 4.9p1 (backported to RHEL/CentOS 5.4), it has been possible to chroot users who log in over ssh.

Here is what the man page says:

ChrootDirectory
Specifies a path to chroot(2) to after authentication. This path, and all its components, must be root-owned directories that
are not writable by any other user or group.

The path may contain the following tokens that are expanded at runtime once the connecting user has been authenticated: %% is
replaced by a literal ’%’, %h is replaced by the home directory of the user being authenticated, and %u is replaced by the
username of that user.

The ChrootDirectory must contain the necessary files and directories to support the users’ session. For an interactive session
this requires at least a shell, typically sh(1), and basic /dev nodes such as null(4), zero(4), stdin(4), stdout(4), stderr(4),
arandom(4) and tty(4) devices. For file transfer sessions using “sftp”, no additional configuration of the environment is
necessary if the in-process sftp server is used (see Subsystem for details).

The default is not to chroot(2).
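
The ownership rule in the ChrootDirectory excerpt above ("this path, and all its components, must be root-owned directories that are not writable by any other user or group") can be checked before sshd is pointed at a directory. The script below is an added example, not part of either post or of OpenSSH; the function names check_component and check_chroot_path are hypothetical, and it treats a symlinked component as not a directory.

```sh
#!/bin/sh
# Usage after sourcing: check_chroot_path /var/jail   (constructed example path)

# check_component DIR: succeed only if DIR is a directory owned by uid 0
# and not writable by group or other. Prints the reason on failure.
check_component() {
    info=$(ls -ldn "$1" 2>/dev/null) || { echo "missing: $1" >&2; return 1; }
    # ls -ldn prints: mode, link count, numeric uid, numeric gid, ...
    read -r perms _links uid _rest <<EOF
$info
EOF
    case $perms in
        d*) ;;
        *) echo "not a directory: $1" >&2; return 1 ;;
    esac
    [ "$uid" = 0 ] || { echo "owner uid $uid, not root: $1" >&2; return 1; }
    # Mode string positions: d rwx rwx rwx; reject a 'w' in group or other.
    case $perms in
        d????w*|d???????w*)
            echo "group/other-writable ($perms): $1" >&2; return 1 ;;
    esac
    return 0
}

# check_chroot_path PATH: PATH and every parent directory up to / must pass.
# Returns 0 if usable, 1 if a component fails, 2 if PATH is not absolute.
check_chroot_path() {
    case $1 in
        /*) cur=$1 ;;
        *) echo "not an absolute path: $1" >&2; return 2 ;;
    esac
    while :; do
        check_component "$cur" || return 1
        [ "$cur" = / ] && return 0
        cur=$(dirname "$cur")
    done
}
```

A user's own home directory normally fails this check because the user owns it, so a jail built with %h needs the home directory itself to be owned by root.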
 