File | Date | Author | Commit |
---|---|---|---|
.hgignore | 2024-06-14 | | [8363bc] Initial load - working in CLI args mode. |
.hgtags | 2024-10-03 | | [82863b] Added tag V0-15 for changeset b22afb06fff9 |
README.md | 2024-08-30 | | [6d9c5c] Created ruser-add |
ruser-add.pl | 2024-08-30 | | [d7cd74] Some bug fixes (wrong command was executed). |
ruser-startup.allow | 2024-06-16 | | [0fed1e] Add README file |
ruser-startup.pl | 2024-10-03 | | [b22afb] Increased range of allowable characters to allo... |

This is a PERL script that should be run when starting a restricted user. It is intended to run commands from incoming ssh connections.
There are two key files that control the access to applications for the restricted user. They are the:

- PERL script itself (`ruser-startup.pl`).
- control file (`ruser-startup.allow`).

`ruser-startup.pl` PERL script

The `ruser-startup.pl` script may not live in any directory that is owned or writable by the restricted user.
This file should not be owned by the restricted user, and should be readable and executable by the user but not writable by the restricted user.
The `/etc/passwd` file should be edited so that the line pertaining to the restricted user has the 7th field (which specifies the login shell) set to point to this PERL script.

`ruser-startup.allow` control file

The `ruser-startup.allow` file should live in the user's home directory.
This file should be owned by the same owner as the `ruser-startup.pl` PERL script, and should be readable by the user but not writable by the user.
An example of what this file might look like is included in this repository.

When running the script, logging messages will be sent to the `syslog` file, as well as being written to the `ruser-startup.log` file in the home directory of the user.
If any command that is executed writes to `stderr` then these messages will be written to `ruser-startup.msg` in the user's home directory.

`/etc/passwd`

Assuming the restricted user is `ruser` (with numeric user and group ids of `1004`) and the user set up to manage the restricted users is 'controluser' (with numeric user and group ids of `1003`), then the lines in the `/etc/passwd` file should look something like:

controluser:x:1003:1003:User that controls rusers:/home/controluser:/bin/bash
ruser:x:1004:1004:Restricted user:/home/ruser:/home/controluser/ruser-startup.pl

The exact details will depend on circumstances; the above is merely a generic example.
In the above example, both the `ruser-startup.pl` and `ruser-startup.allow` files should be owned by user `controluser`, and neither file should be writable by user `ruser`.
If you wish to further increase security you might mark both files as immutable by using the commands:

sudo chattr +i /home/controluser/ruser-startup.pl
sudo chattr +i /home/ruser/ruser-startup.allow
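
An audit of the ownership and permission rules above, as an added example that is not part of this repository: the function names, finding strings and the temp-dir demo layout are assumptions, and the check reads mode bits only (no ACLs or supplementary groups). It also reports when the allow file's directory can be modified by the restricted user, because write access to a directory allows renaming or deleting files in it regardless of their own mode, which is what the immutable flag prevents.

```python
import os
import tempfile

def can(st, uid, gid, bit):
    """Mode-bit check (4=read, 2=write, 1=execute); ignores ACLs and supplementary groups."""
    shift = 6 if st.st_uid == uid else 3 if st.st_gid == gid else 0
    return bool(st.st_mode & (bit << shift))

def dirs_above(path):
    """Every directory from / down to the one holding path (POSIX paths)."""
    parts = os.path.realpath(path).split(os.sep)[1:-1]
    return [os.sep + os.sep.join(parts[:i]) for i in range(len(parts) + 1)]

def audit(script, allow, uid, gid):
    """Return the README rules broken for the restricted user (uid, gid)."""
    s, a = os.stat(script), os.stat(allow)
    out = []
    if s.st_uid == uid:
        out.append("script: owned by restricted user")
    if can(s, uid, gid, 2):
        out.append("script: writable by restricted user")
    if not (can(s, uid, gid, 4) and can(s, uid, gid, 1)):
        out.append("script: not readable and executable by restricted user")
    for d in dirs_above(script):  # no directory above the script may be theirs
        ds = os.stat(d)
        if ds.st_uid == uid or can(ds, uid, gid, 2):
            out.append(f"script dir {d}: owned or writable by restricted user")
    if a.st_uid != s.st_uid:
        out.append("allow: owner differs from script owner")
    if can(a, uid, gid, 2):
        out.append("allow: writable by restricted user")
    if not can(a, uid, gid, 4):
        out.append("allow: not readable by restricted user")
    ad = os.stat(dirs_above(allow)[-1])
    if ad.st_uid == uid or can(ad, uid, gid, 2):
        out.append("allow: directory is modifiable by restricted user; "
                   "only the immutable flag keeps the file from being replaced")
    return out

def demo():
    """Constructed layout in a temp dir; the ids are stand-ins, not real accounts."""
    root = tempfile.mkdtemp()
    script = os.path.join(root, "ruser-startup.pl")
    allow = os.path.join(root, "ruser-startup.allow")
    for path, mode in ((script, 0o755), (allow, 0o646)):  # 0o646: world-writable on purpose
        open(path, "w").close()
        os.chmod(path, mode)
    st = os.stat(script)
    return audit(script, allow, st.st_uid + 1, st.st_gid + 1)

if __name__ == "__main__":
    print("\n".join(demo()))
```

On a real host, call `audit()` with the two file paths and the restricted user's numeric ids (1004 in the example above).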

ssh

Firstly, it is strongly advised that you configure ssh to work without passwords (by including the client's public key in the `ruser` list of authorised keys).
Then set up the `ruser` account, listing the applications you wish the client to be allowed to use in the `ruser` allow control file.
For instance, if you want to allow the client to use the `whoami` command then you can include in the `/home/ruser/ruser-startup.allow` file the following line:

whoami:/usr/bin/whoami

Then on the client machine you can issue the command:

ssh ruser@server.local whoami

and receive the response:

ruser

This is a PERL script that can be run to undertake much of the work in creating a new user that can be used by `ruser-startup.pl`.
You can run `ruser-add.pl --help` to display the command line options for this script.
When run:

- A new user is created that is controlled by `ruser-startup.pl`.
- An empty `ruser-startup.allow` file is created for the user. You will have to manually edit this file to specify the commands allowed for the new user.
- Public and private ssh keys are created for the user. You will have to copy the public keys to the client user accounts which are expected to connect to this user.