Bugzilla – Attachment 733 Details for Bug 5141: recommending thinlinc-login for preventing shell access is confusing
[patch]
Combined patch of this work
5141.patch (text/plain), 6.32 KB, created by Peter Åstrand on 2016-08-24 17:03:07 CEST
>--- doc/external/auth.xml (revision 31551) >+++ doc/external/auth.xml (revision 31558) >@@ -81,14 +81,6 @@ > against Windows domains and LDAP databases. > </para> > >- <para> >- An user connecting to ThinLinc needs executable access to the ThinLinc >- login shell <emphasis>thinlinc-login</emphasis> and if you don't have >- any intentions to allow a regular shell access to the server you should >- set default login shell for the users to >- <filename>/usr/bin/thinlinc-login</filename>. >- </para> >- > <sect2 id="authentication_pam-files"> > > <title> >--- doc/external/configuration.xml (revision 31551) >+++ doc/external/configuration.xml (revision 31558) >@@ -2539,6 +2539,37 @@ > > </sect1> > >+ <sect1 id="configuration_noshell"> >+ >+ <title> >+ Restricting Shell Access >+ </title> >+ >+ <para> >+ Like other login methods, ThinLinc requires a functional shell for the >+ user trying to log in. Setting a non-functional shell such as >+ <command>/bin/false</command> will prevent ThinLinc from >+ working.However, ThinLinc also includes a special shell that still >+ allows users to log in using ThinLinc, but prevents all other shell >+ access. User's that should be restricted should be configured to have >+ <command>/opt/thinlinc/bin/noshell</command> as their shell. See the >+ documentation for your user database for information on how to >+ configure a user's shell. >+ </para> >+ >+ <para> >+ It is also possible to restrict the shell when accessed via SSH, but >+ still permit shell usage locally or inside ThinLinc sessions. Configure >+ <filename>/etc/ssh/sshd_config</filename> with the following for the >+ users that should be restricted: >+ </para> >+ >+<screen> >+ForceCommand /opt/thinlinc/bin/noshell >+</screen> >+ >+ </sect1> >+ > </chapter> > > <!-- Tail start --> >--- vsm/noshell (revision 0) >+++ vsm/noshell (revision 31558) 
>@@ -0,0 +1,47 @@ >+#!/bin/bash >+# -*- mode: shell-script; coding: utf-8 -*- >+# >+# Copyright 2016 Cendio AB. >+# For more information, see http://www.cendio.com >+ >+# >+# Dummy shell that prevents login to anything but ThinLinc >+# >+ >+end() >+{ >+ echo "Shell access has been prohibited" >&2 >+ exit 1 >+} >+ >+# Invoked via ForceCommand >+if [ $# -eq 0 -a -n "$SSH_ORIGINAL_COMMAND" ]; then >+ set -- -c "$SSH_ORIGINAL_COMMAND" >+ unset SSH_ORIGINAL_COMMAND >+fi >+ >+# FIXME: Check that we are a login shell. >+# argv[0] is not preserved with shebang. >+# May have to rewrite in C. >+ >+# There must be a command, and no voodoo >+[ $# -eq 2 ] || end >+[ "$1" == "-c" ] || end >+ >+# If we are both the user's shell, and ForceCommand, then we >+# will get a request to execute ourselves >+# ($0 cannot be used since we are a login shell) >+if [ "$2" == "${BASH_SOURCE[0]}" ]; then >+ exec "${BASH_SOURCE[0]}" >+fi >+ >+# thinlinc-login is invoked from sshd, and may have arguments >+case "$2" in >+ thinlinc-login|thinlinc-login\ *) >+ set -- $2 >+ shift >+ exec thinlinc-login "$@" >+ ;; >+esac >+ >+end >--- vsm/thinlinc-vsm.spec.in (revision 31551) >+++ vsm/thinlinc-vsm.spec.in (revision 31558) >@@ -81,6 +81,7 @@ > %dir /opt/thinlinc/etc/conf.d > %dir /opt/thinlinc/etc/sessionstartup.d > %dir /opt/thinlinc/etc/sessionreconnect.d >+/opt/thinlinc/bin/noshell > /opt/thinlinc/bin/tl-config > /etc/profile.d/thinlinc.sh > /etc/profile.d/thinlinc.csh >--- vsm/Makefile (revision 31551) >+++ vsm/Makefile (revision 31558) 
>@@ -140,10 +140,12 @@ > echo "ThinLinc $(VERSION)" > $(PREFIX)/etc/thinlinc-release > $(INSTALL) -m 644 thinlinc.hconf $(PREFIX)/etc/ > $(INSTALL) -m 644 vsm.hconf $(PREFIX)/etc/conf.d/ >+ $(INSTALL) noshell $(PREFIX)/bin/ > $(INSTALL) tl-config $(PREFIX)/bin/ > $(INSTALL) install_service $(PREFIX)/libexec/ > $(INSTALL) remove_service $(PREFIX)/libexec/ > $(INSTALL) service $(PREFIX)/libexec/ >+ $(OINSTALL) thinlinc-login $(PREFIX)/libexec/ > $(OINSTALL) -m 644 modules/thinlinc/vsm/__init__.py $(PREFIX)/modules/thinlinc/vsm/ > $(OINSTALL) -m 644 modules/thinlinc/crypt.py $(PREFIX)/modules/thinlinc/ > $(OINSTALL) -m 644 modules/thinlinc/crypto.py $(PREFIX)/modules/thinlinc/ >@@ -183,7 +185,6 @@ > $(INSTALL) -s lsh-pam-checkpw $(PREFIX)/sbin/ > mkdir -p $(PREFIX)/libexec > $(INSTALL) -s xprop/xprop $(PREFIX)/libexec/ >- $(OINSTALL) thinlinc-login $(PREFIX)/libexec/ > mkdir -p $(ROOTDIR)/etc/pam.d/ > $(INSTALL) -d $(ROOTDIR)/var/lib/vsm > $(OINSTALL) -m 644 modules/thinlinc/vsm/vsmxmlrpccall.py $(VSMMOD)/ >@@ -283,6 +284,7 @@ > encrypt-vnc-pw.c\ > Makefile\ > Makefile.defines\ >+ noshell\ > thinlinc.hconf\ > vsm.hconf\ > vsmagent.hconf\ >--- vsm/thinlinc-login (revision 31551) >+++ vsm/thinlinc-login (revision 31558) >@@ -1,7 +1,7 @@ > #!/usr/bin/env python-thinlinc > # -*-mode: python; coding: utf-8 -*- > # >-# Copyright 2002-2014 Cendio AB. >+# Copyright 2002-2016 Cendio AB. > # For more information, see http://www.cendio.com > > import sys >@@ -13,6 +13,7 @@ > import hiveconf > import xmlrpclib > from thinlinc import ctccommon >+from thinlinc import prefix > > # > # Various notes: 
>@@ -110,31 +111,17 @@ > if len(sys.argv) == 2: > return sys.argv[1] > >- # The following cases are with thinlinc-login as the shell >- if len(sys.argv) == 3: >- if sys.argv[1] != '-c': >- print >>sys.stderr, PROG + ": ERROR: Invalid syntax" >- sys.exit(1) >- >- # FIXME: Support full shell syntax? >- command = sys.argv[2].split() >- >- if (len(command) < 1) or not command[0].endswith("thinlinc-login"): >- print >>sys.stderr, PROG + ": ERROR: Invalid syntax" >- sys.exit(1) >- >- # Case 3: Old client with thinlinc-login as the shell >- if len(command) == 1: >- return "master" >- >- # Case 4: New client with thinlinc-login as the shell >- if len(command) == 2: >- return command[1] >- > print >>sys.stderr, PROG + ": ERROR: Invalid syntax" > sys.exit(1) > > def main(): >+ # Backwards compatibility for when we recommended people to use >+ # thinlinc-login as a locked down shell >+ if len(sys.argv) == 3 and sys.argv[1] == '-c': >+ # Redirect to noshell >+ noshell = os.path.join(prefix.get_tl_prefix(), "bin", "noshell") >+ os.execv(noshell, sys.argv) >+ > # Read configuration. FIXME: Use relative paths. > hive = hiveconf.open_hive("/opt/thinlinc/etc/thinlinc.hconf") >
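Review bot: the paragraph removed from doc/external/auth.xml leaves the authentication chapter with no pointer to the replacement, so a reader who previously learned about restricting shells there will not find the new `configuration_noshell` section. Suggest keeping a one-sentence cross-reference in its place, e.g. `<para>To allow ThinLinc logins while denying other shell access, see <xref linkend="configuration_noshell"/>.</para>`.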
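Review bot: the sshd_config example in the new `configuration_noshell` section of doc/external/configuration.xml applies to every user as written, although the sentence above it says it is "for the users that should be restricted"; a top-level `ForceCommand` is global. Suggest showing it inside a Match block, e.g. `Match Group thinlinc-only` followed by `    ForceCommand /opt/thinlinc/bin/noshell`, and noting that Match blocks must come after the global settings in the file. Two wording fixes in the first paragraph: "working.However" is missing a space, and "User's that should be restricted" should read "Users that should be restricted"; the shell path is also marked up as `<command>` here while the chapter uses `<filename>` for paths.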
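Review bot: the `case "$2"` in vsm/noshell only matches the bare word `thinlinc-login` (`thinlinc-login|thinlinc-login\ *`), whereas the code removed from vsm/thinlinc-login accepted any command whose first word `endswith("thinlinc-login")`, i.e. a full path as well; a client that sends the path will now be rejected with "Shell access has been prohibited". Suggest either matching `*/thinlinc-login` forms too or stating in the bug that only the bare name is supported. Two further points in the same hunk: `set -- $2` performs pathname expansion as well as word splitting, so a `*` or `?` in the argument list is rewritten against the current directory before reaching thinlinc-login, and a `set -f` before that line (or `read -ra`) avoids it; and `exec thinlinc-login "$@"` resolves through PATH while the Makefile installs thinlinc-login into `$(PREFIX)/libexec/`, so the redirect depends on PATH being correct in a non-interactive `-c` invocation, where an absolute path built from the install prefix (as the thinlinc-login hunk does with `prefix.get_tl_prefix()`) would be deterministic.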
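Review bot: vsm/thinlinc-vsm.spec.in adds `/opt/thinlinc/bin/noshell` to the file list, but nothing registers it in /etc/shells; since the new documentation tells administrators to set it as the user's login shell, and `chsh` for non-root users (and other tools that consult `getusershell()`) reject shells not listed there, consider adding it in `%post` and removing it in `%postun`, or at least document the requirement in the `configuration_noshell` section.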
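Review bot: the new compatibility branch in `main()` of vsm/thinlinc-login calls `os.path.join` and `os.execv`, but the visible import block (`import sys` plus the hunk adding `from thinlinc import prefix`) does not show `import os`; verify it is imported elsewhere in the file or add it in the same hunk. Also, `os.execv` raises `OSError` when `<prefix>/bin/noshell` is missing or not executable, which would surface as a Python traceback to a user whose shell is still thinlinc-login; catching it and printing a `PROG + ": ERROR: ..."` message before `sys.exit(1)` keeps the failure mode consistent with the surrounding argument handling.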