Re: Monitoring users cd'ing out of their ~



On Tue, 13 Mar 2007, Tarkin wrote:

On Mar 7, 5:43 pm, Sir Jackery <roeh...@xxxxxxxxxxxxxx> wrote:
On Wed, 7 Mar 2007, Unruh wrote:
Sir Jackery <roeh...@xxxxxxxxxxxxxx> writes:

On Wed, 7 Mar 2007, Unruh wrote:

robert <slackwarerob...@xxxxxxxxxxxx> writes:

But if you chroot the logins you will never
get to suitably punnish the offender.

How about rewriting the 'cd' command
to check the home path against going outside, and log it.
Then you get to punnish people now and then,

cd is a builtin in most shells. You would have to rewrite the shells.

Thank god for open source!

But of course that would not be enough since the user can just do
/usr/bin/wgatever
to run wgatever without using cd at all. Ie, cd would only be the first of
your worries.

You eitehr need to set up a chroot jail ( in which case you have to make
sure that ALL opf the libraries, /etc filed, programs, etc are in that
jail) or trust your users.

Right, but the OP only wants to know when a user uses the command cd.
Besides, it's a trap! The user doesn't know not to use cd, and when he
does, POW, he is criticized by a script (-:. Obviously a hole covered
with leaves in the wilderness doesn't work if you walk around it, but if
you don't know it's there then you'll end up as one of Stewie's lost
children.



Of course with the new virtual hardware cpu's, which home directory
on which virtual machine are you checking?
Robert

On Tue, 06 Mar 2007 11:46:36 -0800, Sir Jackery wrote:

On Mon, 5 Mar 2007, Colin McKinnon wrote:

Adam wrote:

I'm running a fairly strict hosting server

(not yet you're not)

and I'd like to be able to
monitor when users cd out of their home dir and then write a perl
daemon to automatically do something suitably punishing.

Sounds a lot like hard work. Why not just give them chroot logins?

C.

That's what I would do. A chroot jail is the textbook way to allow others
command line access securely.

--Sir Jackery

Here's a dumb idea to be picked apart:
in ~/.bashrc :
##somewhere near the end....
alias cd='/path/to/my/replacement/cd'

the aliased 'cd' could be a binary or script,
which does the 'punishing'.

Sounds like a good idea to me.


Seems like like it would just be easier to
use the chroot suggestins, though.

Not as secure though. The user could easily change it. But would they know or think to do so? Probably not. If I were a malicious person, I wouldn't routinely check aliases before doing something malicious.

--Sir Jackery
.



Relevant Pages

  • Re: Monitoring users cding out of their ~
    ... get to suitably punnish the offender. ... to check the home path against going outside, ... does, POW, he is criticized by a script (-:. ... cd' to execute, and once it has executed, no matter what it did, the ...
    (comp.os.linux.security)
  • Re: Monitoring users cding out of their ~
    ... get to suitably punnish the offender. ... to check the home path against going outside, ... but the OP only wants to know when a user uses the command cd. ... does, POW, he is criticized by a script (-:. ...
    (comp.os.linux.security)
  • Re: Monitoring users cding out of their ~
    ... get to suitably punnish the offender. ... to check the home path against going outside, ... You eitehr need to set up a chroot jail (in which case you have to make ... but the OP only wants to know when a user uses the command cd. ...
    (comp.os.linux.security)
  • Re: Monitoring users cding out of their ~
    ... get to suitably punnish the offender. ... to check the home path against going outside, ... You would have to rewrite the shells. ... You eitehr need to set up a chroot jail (in which case you have to make ...
    (comp.os.linux.security)