Solved: Permissions-related question

Hi everyone,

I was wondering, how do I restrict a user (who is currently in the wheel group) to only one command (in this case 'su')? I have a 'log in account' for my server, but I don't know how/where to limit this user account. I know in Linux I can do this in the sudoers file, but where do I do this in FreeBSD?

Thanks and kind regards,
 
Let me reiterate what I want...

The account I log in with, I would like to limit to one command (namely su), as I would like to change user to root and that is it. I don't want this account to be able to do anything else other than su.

I know what su does, and I know what sudo does. I do not want to use sudo, as that is granting admin/root privileges to the user (and I would like to possibly remove the user from the wheel group, but if I cannot, because of su, then I would like to limit it), and I have to add a lot of commands to deny just in order to use one (editing the sudoers file and adding the commands, or adding the bin and sbin dirs and only allowing su). There is a reason for this, as I have a script to temporarily lock the account if it tries to log into root (3 attempts for 30 min).

Does that make more sense?

Or is this impossible on freebsd?
 
The account I log in with, I would like to limit to one command (namely su), as I would like to change user to root and that is it. I don't want this account to be able to do anything else other than su.
You're trying to "over-engineer" things. Once the user has done a su(1) it can do everything anyway with a lot more power. So why limit the user?
 
You're trying to "over-engineer" things. Once the user has done a su(1) it can do everything anyway with a lot more power. So why limit the user?

Nope. To you it might be "over-engineering", but to me it is BAU. And by limit the user, I mean unauthorized people logging into my server. I don't want them to try privilege escalations of any sort. Only if there is a way of doing that with just su. Then I will look into other methods. If I keep it simple, instead of "over-engineered", then it makes it easier for script kiddies with powerful rigs to log in to my server. Where currently, I want to SSH (with a key, no password, this is already set up) -> login account -> su root (long password) -> "do whatever I need to do". That is my model. If someone manages to log in, then they have to guess my password; they have 3 attempts, and after the 3rd attempt it logs the user out and locks the account for 30 minutes. I have console access to the server, in case something like this happens, to manually intervene or make an emergency change.

The only thing I want to do is limit this one user account from doing anything else (like copying/moving files, trying to access DBs, editing config files, etc). Its sole purpose is a login account. I am the only one logging in. It is an extra layer of security for me. *Edit to add: Even the username is something very few people would be able to guess.

Thanks Juha, if I can use su as a login shell, that would be great. It limits the account from doing anything else. Can you tell me how to do that exactly? That is something I haven't done before... unless I got your point all mixed up :) PM me if you'd like :)
 
The only thing I want to do is limit this one user account from doing anything else (like copying/moving files, trying to access DBs, editing config files, etc).
A regular user account already can't do any of this unless that account is the owner or has specific write access to it.
 
A regular user account already can't do any of this unless that account is the owner or has specific write access to it.

Can a user navigate directories and cat files? Can it touch files? Can it scp files to my server with that user account? Can it execute the file it scp'd, if it has the right permissions?
 
Thanks Juha, if I can use su as a login shell, that would be great. It limits the account from doing anything else.
Nope. Since the user can log in over SSH they can already run arbitrary commands. Changing the login shell won't prevent that. SSH normally runs the login shell, but it doesn't have to (see third paragraph in ssh(8)). EDIT: I am wrong, the ssh command is passed to the login shell. So if su is the login shell it is still always executed, just maybe not with the arguments you'd expect.

You can lock down your login user's ~/.ssh/authorized_keys to only allow running of a specific command per key. See section AUTHORIZED_KEYS FILE FORMAT in sshd(8).
 
Thank you tobik and Juha. That helped a lot. This is exactly what I was looking for. You 2 were the most helpful and understanding :)
 
That's actually nice if it works like that. You can set the "shell" to be a small script, which can raise the LAAARM if unexpected arguments were passed. And it can test that stdin is a pty too. And all those other things only a true pervert can want to test ;) and if all is good, exec su at the end.

Juha
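As an added example (not code posted by tobik, Juha or the original poster), here is a wrapper of the kind Juha describes above: a small script that refuses anything other than an interactive login, logs the refusal, and otherwise exec's su. It covers both ways tobik's authorized_keys suggestion and the "su as login shell" idea can be wired up: as the forced command of the key (sshd then runs it through the account's login shell as `-c /usr/local/bin/su-only-shell`, and any command the client asked for lands in SSH_ORIGINAL_COMMAND), or as the login shell itself (sshd then runs it with no arguments, or with `-c <command>` when the client supplied one). The install path /usr/local/bin/su-only-shell is an assumption; adjust it to wherever you put the script.

```shell
#!/bin/sh
# su-only-shell: added example for this thread, not code from any of the posters.
# Assumed (hypothetical) install path: /usr/local/bin/su-only-shell
#
# Two ways to deploy, both handled below:
#   1. In ~/.ssh/authorized_keys of the jump account:
#        restrict,pty,command="/usr/local/bin/su-only-shell" ssh-ed25519 AAAA... comment
#      sshd then runs  $SHELL -c /usr/local/bin/su-only-shell  and exports any
#      client-requested command as SSH_ORIGINAL_COMMAND.
#   2. As the login shell of the jump account:
#      sshd runs it with no arguments for an interactive login, or with
#      "-c <command>" when the client supplied a command.

SELF=/usr/local/bin/su-only-shell   # hypothetical path; must match where this file is installed
SU=/usr/bin/su                      # FreeBSD base su(1)

# check_invocation ARGS...
# Returns 0 only for the two shapes a plain interactive login produces:
#   - no arguments (we are the login shell), or
#   - exactly "-c $SELF" (the login shell re-invoking us because of command= in authorized_keys).
# Anything else, and any client-supplied command recorded by sshd, is refused.
check_invocation() {
    if [ -n "${SSH_ORIGINAL_COMMAND:-}" ]; then
        return 1
    fi
    if [ "$#" -eq 0 ]; then
        return 0
    elif [ "$#" -eq 2 ] && [ "$1" = "-c" ] && [ "$2" = "$SELF" ]; then
        return 0
    fi
    return 1
}

# su(1) has to prompt for the root password on a terminal. ssh -T, scp and sftp
# (and a key with "restrict" but without "pty") arrive without one.
have_tty() {
    [ -t 0 ] && [ -t 1 ]
}

# Log the refusal to syslog's auth facility so a lockout script can act on it.
raise_alarm() {
    logger -p auth.warning -t su-only-shell \
        "refused: user=$(id -un) args=[$*] orig_cmd=[${SSH_ORIGINAL_COMMAND:-}] conn=[${SSH_CONNECTION:-}]"
}

main() {
    if ! check_invocation "$@"; then
        raise_alarm "$@"
        exit 1
    fi
    if ! have_tty; then
        raise_alarm "$@"
        exit 1
    fi
    logger -p auth.info -t su-only-shell \
        "interactive login by $(id -un) from ${SSH_CONNECTION:-console}; exec su"
    # "-" gives root a clean login environment instead of inheriting ours.
    exec "$SU" -
    exit 1
}

# Only act when installed under the expected name (sshd invokes a login shell
# as "-su-only-shell"); sourcing this file elsewhere just defines the functions.
case "${0##*/}" in
    su-only-shell|-su-only-shell) main "$@" ;;
esac
```

One caveat when copying the authorized_keys line: `restrict` switches off pty allocation along with forwarding, so `restrict,command="..."` alone makes su unable to prompt and every login gets refused by have_tty; `restrict,pty,command="..."` re-enables just the terminal. The wrapper also only runs after key authentication has already succeeded, so it is the second layer behind the key, not a replacement for it.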
 
So far so good. I will do some more testing/hacking to see if I can find any more holes. So far, ssh -N user@hostname just hangs halfway through the ssh negotiation, which is good (removing -N takes you straight to changing to root and asks for a password as intended). I will add some "restrict,command" commands to add an extra layer.

Any other suggestions to try and bypass ForceCommand (before adding the restrict,command into the authorized_keys file)?
 