From: Vahis on
Before attempting this I'd like to ask if anyone already knows:

Can an rbash restricted user mount using sshfs?

I know rbash allows scp sftp and rsync, but what about sshfs?

Vahis
--
"Sunrise 9:28am (EET), sunset 3:17pm (EET) at Espoo, FI (5:49 hours daylight)"
http://waxborg.servepics.com
Linux 2.6.25.20-0.5-default #1 SMP 2009-08-14 01:48:11 +0200 x86_64
9:01am up 60 days 14:02, 10 users, load average: 1.28, 0.81, 0.54
From: Vahis on
On 2009-12-30, Vahis <waxborg(a)gmail.com.invalid> wrote:
> Before attempting this I'd like to ask if anyone already knows:
>
> Can an rbash restricted user mount using sshfs?
>
> I know rbash allows scp sftp and rsync, but what about sshfs?
>

I just couldn't wait :)

I installed rssh and tried it.
When attempting normal ssh I get this (as expected):
----------------
This account is restricted by rssh.
Allowed commands: scp sftp cvs rdist rsync
If you believe this is in error, please contact your system
administrator.

Connection to waxborg.servepics.com closed.
----------------

Those services above I had enabled in /etc/rssh.conf

Now mounting sshfs worked fine :)
So with this I'm getting where I'm aiming: a restricted, secure directory
share :)

It's sftp that needs to be allowed, nothing else is needed for it to work.

Vahis
From: Vahis on
On 2009-12-30, houghi <houghi(a)houghi.org.invalid> wrote:
> Vahis wrote:
>> Before attempting this I'd like to ask if anyone already knows:
>>
>> Can an rbash restricted user mount using sshfs?
>>
>> I know rbash allows scp sftp and rsync, but what about sshfs?
>
> You must not be awake, otherwise you would have just tried it.

I wasn't, but then I was. Then I tried.

> I did and
> did not even know of the existence of rbash. Also be aware that many
> scripts might not work or need to be rewritten
>
> houghi(a)penne : rbash
> [~]
> houghi(a)penne : sshfs houghi(a)pizza:/home/houghi /home/houghi/pizza
> [~]
> houghi(a)penne : l pizza/
> total 192
> drwxr-xr-x 1 houghi users 4096 2009-12-30 01:46 ./
> drwxr-xr-x 69 houghi users 4096 2009-12-30 09:04 ../
> -rw------- 1 houghi users 2475 2009-12-30 01:44 .bash_history
>
> Remember that you can't do a cd to the directory, so first check if all
> the rest works.

I installed rssh.

The user can now mount the directory via sshfs (which uses sftp) when sftp
is allowed in /etc/rssh.conf.

I also allow rsync and scp for now.
I may forbid them later though :)

But the user can not ssh to the machine.
Just what I wanted. Just read the files, no shell.

I also created a group for these users which I may or may not need in
the future :)

Now all I need to do is test the connection/disconnection/reconnection
and see what issues there will be.

I want the user to have a clickety button like "Music on"

The whole thing needs to be behind that button.

BTW did you know they're going to drop XMMS?
It's a pity but they say it's badly or not maintained upstream.

Audacious is a candidate to replace.
That one seems to run nicely, so no real biggie...

Vahis
From: Vahis on
On 2009-12-30, houghi <houghi(a)houghi.org.invalid> wrote:
> Vahis wrote:
>> I installed rssh.
>>
>> The user can now mount the directory via sshfs (which uses sftp) when sftp
>> is allowed in /etc/rssh.conf.
<snip>

That can also be done without password with the aid of keys.

>> Now all I need to do is test the connection/disconnection/reconnection
>> and see what issues there will be.

I'm working on testing these situations.

It seems that I'll need to 'umount -l' this directory in the beginning
of the script in case it's been mounted and the connection has dropped.

If the directory is mounted and the connection drops it will never come
back without forced umount first.

So I'll let the user do mount and umount without password on her own
machine. I should think there's no problem with that.

>>
>> I want the user to have a clickety button like "Music on"
>
> I understand that, but remember that the user can not do a `cd` with
> rbash. This means that you can mount /home/user/music, but you can not
> cd after that to /home/user/music

Once the user has mounted my music directory to hers she can open any
directories there to her player (audacious)
After all, it's a remote directory mounted locally, so it works like a
local one.
I have tested that and everything works perfectly.

It's the aim that the user can't do anything else than add files and
directories in the player's playlists and just play them.

That's the whole idea. I particularly want the user not to go outside
/music. I'm sure you guess why.
(Hint: She has a pair of big ones herself, she won't need to see my
collection)

She could, of course, mount any other directory, but then she would have
to know the path/to/that/special/directory and mount it directly.

She has limited privileges only on my server, she's a full user
on her own machine (and I'm god there, too :))

The risk is, of course, that she would pick a geek and let him play
with the machine. It wouldn't be such a hard job to mount some other
directories, guessing paths is not _that_ hard.

That I'm considering at the moment as a severe risk.
I need to think of that before setting up this for real.
Maybe a jail or something.

>> The whole thing needs to be behind that button.

This is why I don't think the user herself is a risk for me.
>>
>> BTW did you know they're going to drop XMMS?
>> It's a pity but they say it's badly or not maintained upstream.
>
> I have not used it in at least 2 years.

It's great in this case. Like also Audacious seems to be.
Both are lightweight, and adding files and directories to playlists
by browsing them works nicely, pretty quickly.
>
>> Audacious is a candidate to replace.
>> That one seems to run nicely, so no real biggie...
>
> Using Amarok, which does things nicely. It even shows what music is
> playing now in my sig. (For those who speak Dutch: sorry.)

In this case Amarok is no good. Of course I tried it, that's what I've
been using for years :)

The client machine is low spec and the connection is 3G.

Ever tried to scan the music collection of nearly 100 GB and 15.000
files in 1.500 subdirectories over 3G?

It takes ages over LAN, even locally if the machine is not a
supercomputer. And scanning the directories and running the database is a
must in Amarok.

Vahis
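Added example, not code from the thread: a POSIX sh version of the "Music on" script described above, doing the lazy `umount -l` before remounting a dropped sshfs mount. The remote (`musiclover@server.example:/music`), the mountpoint and the function names are placeholders.

```shell
#!/bin/sh
# Added example (not from the thread): wrapper that checks the sshfs mount,
# lazily unmounts it when the connection has dropped, then remounts.
# REMOTE and MOUNTPOINT are assumed placeholders.
REMOTE="${REMOTE:-musiclover@server.example:/music}"
MOUNTPOINT="${MOUNTPOINT:-$HOME/music}"

# is_sshfs_mounted MOUNTPOINT TABLE: exit 0 if TABLE (text in /proc/mounts
# format) lists MOUNTPOINT with filesystem type fuse.sshfs.
is_sshfs_mounted() {
    printf '%s\n' "$2" | awk -v mp="$1" \
        '$2 == mp && $3 == "fuse.sshfs" { found = 1 } END { exit !found }'
}

# probe_mount MOUNTPOINT: "alive" if the mount still answers, "stale" if not.
# After a dropped connection the entry stays in /proc/mounts but stat fails
# with "Transport endpoint is not connected".
probe_mount() {
    if stat "$1" >/dev/null 2>&1; then echo alive; else echo stale; fi
}

# decide_action MOUNTPOINT TABLE PROBE: prints ok, remount or mount.
decide_action() {
    if is_sshfs_mounted "$1" "$2"; then
        [ "$3" = stale ] && echo remount || echo ok
    else
        echo mount
    fi
}

# music_on: the action behind the button. Lazy unmount first when stale
# (fusermount -u -z is the unprivileged equivalent of umount -l for FUSE),
# then mount with options that let sshfs ride out short 3G dropouts.
music_on() {
    table=$(cat /proc/mounts 2>/dev/null)
    case $(decide_action "$MOUNTPOINT" "$table" "$(probe_mount "$MOUNTPOINT")") in
        ok)      return 0 ;;
        remount) umount -l "$MOUNTPOINT" 2>/dev/null || fusermount -u -z "$MOUNTPOINT" ;;
    esac
    mkdir -p "$MOUNTPOINT"
    sshfs "$REMOTE" "$MOUNTPOINT" \
        -o reconnect,ServerAliveInterval=15,ServerAliveCountMax=3
}
```

Bind `music_on` to the desktop button; the `decide_action` logic is separated out so the mount-state handling can be tested against a constructed mount table without a live server.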
From: Vahis on
On 2009-12-30, houghi <houghi(a)houghi.org.invalid> wrote:
> Vahis wrote:

>> That I'm considering at the moment as a severe risk.
>> I need to think of that before setting up this for real.
>> Maybe a jail or something.
>
> Jail would be the way to go. The ONLY way to go if you want limitations.
> What you can do is look how the person logs in. If it is ssh then jail
> and if local, then the 'normal' way to log in.
> But that is probably not needed.

I also thought about setting up a dedicated vm for this.
There could be only one restricted user, musiclover.
The simplest fileserver.
Some port for ssh redirected there.
>
> I have zero experience with jailed users.

Me neither, maybe here's a chance to get some knowledge.

But as a matter of fact letting my in-law play my music just became
a side path in my original issue, my own access from the road.

I guess this project has given me all I was missing from that and your
following suggestion would be good for the sister-in-law in question.

> I think that perhaps we go at it from the wrong angle. Take a few steps
> back. What you want is not so much to automate sshfs, what you want is
> to share music. So what you need is not so much sshfs, but a way to
> share the love, uh, music.

It's really music this time. It's the sister-in-law.
But it's also more, she's a guinea pig here.

I carry a tiny PC with me a lot, behind 3G or sometimes even just GPRS.
And I want full access to my "big machine" at any given time.

I have basically everything, cli and NX (for killing puppies).
But I need a decent network filesystem, too.

My experience is that sshfs is the way to go, I've tried everything.
Anything else requires more setting up on the server side.

I've experienced many inconveniences with basic cli, while en route the
connection drops often. So I need as much automagic as possible for
resuming.

I have an audio cable going from it to my car radio AUX, so basically I
have all my music with me at all times. But I don't like cli while
driving :)

I also sometimes make road versions of movies with handbrake.
That is with lower bit rate.

I guess I've now got all that is needed for my own purposes.
>
> So I did a little search and one I saw was: http://sockso.pu-gh.com/
> Or amache. There will be other streamers. If music is all you want to
> stream, my best guess is that such a thing is much easier to use. Also
> because those are accessible via a browser and are login and password
> safe, so no others will be able to steal your music.
>
That looks like something for her, I'll test, thanks.

Vahis