Comments on: Shared SSH Sessions, Update for Jaunty (Ubuntu 9.04) http://blog.bodhizazen.net/linux/shared-ssh-sessions-update-for-jaunty-ubuntu-904/ A LAMP in the Samsara Tue, 07 Sep 2010 07:48:01 +0000 http://wordpress.org/?v=2.9.2 hourly 1 By: Controlling Shells http://blog.bodhizazen.net/linux/shared-ssh-sessions-update-for-jaunty-ubuntu-904/comment-page-1/#comment-1680 Controlling Shells Tue, 20 Apr 2010 22:23:33 +0000 http://blog.bodhizazen.net/?p=148#comment-1680 [...] management (and defeated by updates). As chroot and rbash are mentioned maybe see rbash+apparmor (http://blog.bodhizazen.net/linux/sha...ty-ubuntu-904/, https://apparmor.wiki.kernel.org/ind...am_apparmor.so, [...] [...] management (and defeated by updates). As chroot and rbash are mentioned maybe see rbash+apparmor (http://blog.bodhizazen.net/linux/sha…ty-ubuntu-904/, https://apparmor.wiki.kernel.org/ind…am_apparmor.so, [...]

]]> By: bodhi.zazen http://blog.bodhizazen.net/linux/shared-ssh-sessions-update-for-jaunty-ubuntu-904/comment-page-1/#comment-656 bodhi.zazen Thu, 30 Apr 2009 18:40:05 +0000 http://blog.bodhizazen.net/?p=148#comment-656 Mike: I am not seeing this when I look at my setup. Screen is launched from jailbash. In terms of your comment re: "AppArmor here is silly" I guess that is a matter op opinion and how you feel about security. I use this shared session to demo apparmor. In terms of a "terrible flaw in this procedure", I wonder if you are not understanding how apparmor works. Small snippets of code, all run as root, in the screen session: <code> root@ufbt:~#echo $SHELL /bin/bash root@ufbt:~#id uid=0(root) gid=0(root) groups=0(root) root@ufbt:~#cp ~guru/.bashrc ~.gugu.bashrc.bak root@ufbt:~#rm ~guru/.bashrc.bak rm: cannot remove `/home/guru/.bashrc.bak': No such file or directory root@ufbt:~#rm -rf ~guru/.bashrc rm: cannot remove `/home/guru/.bashrc': Permission denied root@ufbt:~#echo "test" >> ~guru/.bashrc -bash: /home/guru/.bashrc: Permission denied</code> As you can see, apparmor is working perfectly and as expected, in screen, even when switching to root and starting a new bash shell. I use this as I allow members of the Ubuntu Forums Beginners Team to use the screen session for teaching. guest access is available to anyone and everyone. Your choices may vary, and that is fine, but I hope this little demo has alleviated your concerns. If you would like to try to crack the system you are free to try it out. Mike: I am not seeing this when I look at my setup.

Screen is launched from jailbash.

In terms of your comment re: “AppArmor here is silly” I guess that is a matter op opinion and how you feel about security. I use this shared session to demo apparmor.

In terms of a “terrible flaw in this procedure”, I wonder if you are not understanding how apparmor works.

Small snippets of code, all run as root, in the screen session:


root@ufbt:~#echo $SHELL
/bin/bash
root@ufbt:~#id
uid=0(root) gid=0(root) groups=0(root)
root@ufbt:~#cp ~guru/.bashrc ~.gugu.bashrc.bak
root@ufbt:~#rm ~guru/.bashrc.bak
rm: cannot remove `/home/guru/.bashrc.bak': No such file or directory
root@ufbt:~#rm -rf ~guru/.bashrc
rm: cannot remove `/home/guru/.bashrc': Permission denied
root@ufbt:~#echo "test" >> ~guru/.bashrc
-bash: /home/guru/.bashrc: Permission denied

As you can see, apparmor is working perfectly and as expected, in screen, even when switching to root and starting a new bash shell.

I use this as I allow members of the Ubuntu Forums Beginners Team to use the screen session for teaching. guest access is available to anyone and everyone.

Your choices may vary, and that is fine, but I hope this little demo has alleviated your concerns.

If you would like to try to crack the system you are free to try it out.

]]> By: Mike http://blog.bodhizazen.net/linux/shared-ssh-sessions-update-for-jaunty-ubuntu-904/comment-page-1/#comment-654 Mike Thu, 30 Apr 2009 16:57:54 +0000 http://blog.bodhizazen.net/?p=148#comment-654 There is terrible flaw in this procedure, at least for Ubuntu 9.04. Let me explain. When a client logins via ssh the execution sequence is as follows: 1. sshd invokes shell with arguments "sh -c /usr/local/bin/jailbash" 2. sh now reads users configuration files (flaw is here) 3. jailbash should be run - this is after the config files are fully executed Now, just take a look what we did in step 2 - invoke screen - this stops our sequence, so number 3 is not executed in proper place. Conclusion - screen is not run from jailbash but from usuall shell. This can be seen on server with 'ps A f' - parent of screen is sh not jailbash. This could be overcome with SHLEVEL but I don't like that idea. Either way, using AppArmor here is silly, since the sh shell has to be executed I propose to invoke a script which in turn uses 'exec' command with screen so there is no shell to return to. Salut my linux friends! There is terrible flaw in this procedure, at least for Ubuntu 9.04. Let me explain.

When a client logins via ssh the execution sequence is as follows:
1. sshd invokes shell with arguments “sh -c /usr/local/bin/jailbash”
2. sh now reads users configuration files (flaw is here)
3. jailbash should be run – this is after the config files are fully executed

Now, just take a look what we did in step 2 – invoke screen – this stops our sequence, so number 3 is not executed in proper place. Conclusion – screen is not run from jailbash but from usuall shell. This can be seen on server with ‘ps A f’ – parent of screen is sh not jailbash. This could be overcome with SHLEVEL but I don’t like that idea.

Either way, using AppArmor here is silly, since the sh shell has to be executed I propose to invoke a script which in turn uses ‘exec’ command with screen so there is no shell to return to.

Salut my linux friends!

]]> By: acilmkab http://blog.bodhizazen.net/linux/shared-ssh-sessions-update-for-jaunty-ubuntu-904/comment-page-1/#comment-582 acilmkab Fri, 10 Apr 2009 20:02:52 +0000 http://blog.bodhizazen.net/?p=148#comment-582 formidable site this blog.bodhizazen.net formidable to see you have what I am actually looking for here and this this post is exactly what I am interested in. I shall be pleased to become a regular visitor :) formidable site this blog.bodhizazen.net formidable to see you have what I am actually looking for here and this this post is exactly what I am interested in. I shall be pleased to become a regular visitor :)

]]> By: Fewamidwaydek http://blog.bodhizazen.net/linux/shared-ssh-sessions-update-for-jaunty-ubuntu-904/comment-page-1/#comment-543 Fewamidwaydek Sat, 04 Apr 2009 02:57:14 +0000 http://blog.bodhizazen.net/?p=148#comment-543 Great site this blog.bodhizazen.net and I am really pleased to see you have what I am actually looking for here and this this post is exactly what I am interested in. I shall be pleased to become a regular visitor :) Great site this blog.bodhizazen.net and I am really pleased to see you have what I am actually looking for here and this this post is exactly what I am interested in. I shall be pleased to become a regular visitor :)

]]> By: Shadows of epiphany » Blog Archive » Shared Terminal Sessions over SSH http://blog.bodhizazen.net/linux/shared-ssh-sessions-update-for-jaunty-ubuntu-904/comment-page-1/#comment-513 Shadows of epiphany » Blog Archive » Shared Terminal Sessions over SSH Sat, 28 Mar 2009 06:26:31 +0000 http://blog.bodhizazen.net/?p=148#comment-513 [...] Note: Due to changes in screen, this tutorial is outdated for Ubuntu 9.04 , Jaunty. I posted an updated tutorial here. [...] [...] Note: Due to changes in screen, this tutorial is outdated for Ubuntu 9.04 , Jaunty. I posted an updated tutorial here. [...]

]]>