
rksh - restricted shell

What is it?

Instead of giving the user everything and taking away a few commands, this is the opposite: give them nothing and add a few selected commands.

It is a variant of the ksh shell in OpenBSD. A shell is "restricted" if the '-r' option is used; if the basename the shell was invoked with was 'rksh'; or if the SHELL parameter is set to 'rksh'. The following restrictions come into effect after the shell processes any profile and ENV files:

  • The cd command is disabled.
  • The SHELL, ENV, and PATH parameters cannot be changed.
  • Command names can't be specified with absolute or relative paths.
  • The -p option of the built-in command command can't be used.
  • Redirections that create files can't be used.

Plainly, this keeps the user to a very limited list of commands: only the ones granted by the superuser. In fact, without a PATH, they could do absolutely nothing except log in. This is not a normal login environment and is usually set up for specific cases.

How it fits our needs

We needed console access in a shared cabinet in a datacenter.

To paraphrase wikipedia: Most commonly, a console server provides a number of serial ports, which are then connected to the serial ports of other equipment, such as servers, routers, or switches. The consoles of the connected devices can then be accessed by connecting to the console server over a serial link, maintaining survivable connectivity that allows remote users to log in to the various consoles without being physically nearby.

More specific to this case: We wanted to be able to get to a box that may not be accessible by ssh; for whatever reason. It is also particularly useful to get to things that are only available to the console, like.. bios, boot messages, error messages, etc.

Dedicated console server appliances are available from a number of manufacturers, like..
Avocent (including Cyclades), Cisco, Digi International, Lantronix, Opengear, Perle, Raritan, Tibbo, Uplogix

But these are way too expensive for our needs. So, we set up a home grown console server in the datacenter. Our console server is a tiny box (Soekris 4801) with the sole purpose of listening for SSH connections from the internet and allowing serial access to attached boxen. Ideally, it would be hooked to a modem to be completely out-of-band. But hooking it to the switch with an external IP works fine for our needs. All told, it is an inexpensive solution. The price of the Soekris and a serial octopus hardly compares to the price of a dedicated appliance. [*]

           +---------+
           |         |----> serial to Tom's box
internet-->| soekris |----> serial to Dick's box
           |         |----> serial to Harry's box
           +---------+

It was decided that when a user logged on to the soekris, they would only be able to connect to their box via serial (using cu [1]) - and nothing else.

This is where rksh makes that easy.

Setting it up

  1. do a normal install of OpenBSD, only 'base' is needed

  2. add '/bin/rksh' to /etc/shells

  3. create users and make rksh the default shell

  4. create a directory to hold links to specific commands (something like: /var/rsh/)

  5. add links to above directory

    ln -sf /usr/bin/cu /var/rsh/cu

    ln -sf /usr/bin/passwd /var/rsh/passwd

    (the passwd link only if you allow password logons)

  6. change PATH in each user's .profile to:

    PATH=/var/rsh:/var/spool/lock

    export PATH HOME TERM

  7. change group ownership on /dev/cuaUn to the specific user

  8. change permissions on /var/spool/lock and /var/log/aculog

  9. add external IP, set up packet filter to your needs, etc, etc

  10. remind users to logout of the remote machine before disconnecting their cu session

Step 6 is specific to our setup. The serial devices were recognized as cuaU[0-7].
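An audit script for the layout the steps above produce, added here as an example and not part of the original article. It checks that rksh is a permitted login shell, that the link directory holds only the commands the superuser granted, that .profile sets and exports the PATH, and, because rksh applies its restrictions only after .profile has been read, that the user cannot write to that file. The ROOT argument is an assumption of this script: it prefixes every path so the checks can run against a copied tree or a test fixture; pass "" on the console server itself.

```shell
#!/bin/sh
# Usage: check_rksh_setup ROOT HOME_DIR LINK_DIR "cu passwd"
# Returns 0 when every check passes, 1 otherwise; each failure is printed.
check_rksh_setup() {
    root=$1 home=$2 linkdir=$3 allowed=$4 rc=0

    # Step 2: /bin/rksh must be an accepted login shell.
    grep -qx '/bin/rksh' "$root/etc/shells" \
        || { echo "FAIL: /bin/rksh not listed in /etc/shells"; rc=1; }

    # Steps 4 and 5: the link directory may contain only symlinks to
    # the granted commands; anything else widens what the user can run.
    for entry in "$root$linkdir"/*; do
        [ -e "$entry" ] || [ -L "$entry" ] || continue
        name=${entry##*/}
        case " $allowed " in
            *" $name "*)
                [ -L "$entry" ] || { echo "FAIL: $name is not a symlink"; rc=1; } ;;
            *)
                echo "FAIL: unexpected command $name in $linkdir"; rc=1 ;;
        esac
    done

    # Step 6: PATH must start with the link directory and be exported.
    profile="$root$home/.profile"
    grep -q "^PATH=$linkdir" "$profile" \
        || { echo "FAIL: PATH in .profile does not start with $linkdir"; rc=1; }
    grep -q '^export .*PATH' "$profile" \
        || { echo "FAIL: PATH is not exported in .profile"; rc=1; }

    # The restrictions take effect after .profile is processed, so the
    # file must not be writable by group or other (and, on the live
    # system, must be owned by root rather than by the user).
    if [ -n "$(find "$profile" \( -perm -0020 -o -perm -0002 \) 2>/dev/null)" ]; then
        echo "FAIL: $profile is group- or world-writable"; rc=1
    fi
    if [ -z "$root" ] && [ -n "$(find "$profile" ! -user root 2>/dev/null)" ]; then
        echo "FAIL: $profile is not owned by root"; rc=1
    fi
    return $rc
}
```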

What does the user see?

 (from remote box)

$ ssh user@soekris
 user@soekris's password:
 Last login: Sat Nov  3 19:26:01 2007 from pc.domain.tld
 OpenBSD 4.2-current (GENERIC) #475: Thu Nov  1 18:32:48 MDT 2007

 Welcome to OpenBSD: The proactively secure Unix-like operating system.

 Please use the sendbug(1) utility to report bugs in the system.
 Before reporting a bug, please try to reproduce it with the latest
 version of the code.  With bug reports, please try to ensure that
 enough information to reproduce the problem is enclosed, and if a
 known fix for it exists, include that as well.

$ .

 (That is the stock MOTD.. so far, completely normal)

$ cd ../
rksh: cd: restricted shell - can't cd

$ /usr/bin/sudo cd ../
rksh: /usr/bin/sudo: restricted

$ ls ./
rksh: ls: not found

$ cat .profile
rksh: cat: not found

$ ssh user@somebox
rksh: ssh: not found

$ /usr/bin/cu -l cuaU5 -s 19200
rksh: /usr/bin/cu: restricted

..and finally, a successful command

$ cu -l cuaU5 -s 19200
 Connected

Wrap up

A user can ssh to the soekris. When they log in, they can only do one thing; connect to their private box via serial.


[1] cu, "call UNIX", establishes a full-duplex connection to another machine, giving the appearance of being logged in directly on the remote CPU. It goes without saying that you must have a login on the machine (or equivalent) to which you wish to connect. It comes standard in OpenBSD.
[*] We received an anonymous email taking exception to the above paragraphs. First of all, we were thrilled that anyone actually reads these articles! And then to find that this one would elicit enough emotion to warrant such a long (albeit misguided) response; we were overjoyed.

We began reading the response with excitement. But we were quickly disappointed to find that it was just an advertisement. Furthermore, we discovered we were being scolded and told what we 'should do'. What a let-down - we actually, and seriously, considered their products several years ago when this was originally written. Oh well..

On careful review, we still stand by the words written. The solution fit our needs, full stop. As a bonus, we could load the OS of our choice on the console server.. and use rksh.. without which, there would be no article!



Copyright © 20071103 genoverly
(db datestamp: 20100711)

Copyright © 2003-2015 genoverly