[Systrace] Basic usage of systrace

[Kevin]

On Mon, 31 Jan 2005 17:15:47 +0200, Kim Onnel <karim.adel at gmail.com> wrote:
> i intend to restrict users to only be able to telnet (it would be
> great if i can restrict them to my network subnet range as well)

You'll want to look at Jose Nazario's stsh (systrace shell).

If you really want to get fancy, you could limit what the user can do
on the network via a complex 'pf' policy limiting outbound
connections based on the UID opening the socket.

As to generating systrace policy, the easy way is to use systrace 
with '-A', and just run all of the commands and connections you
want to permit, then go back over the generated policy and find places
where it makes sense to replace 'eq' lines with 'match' lines.  
Lather, rinse, repeat.


> no need for anything else, ls or basic bash commands,

Have you thought about setting as the user's shell a program
(compiled or perl or tcl or your favorite scripting language) which
takes user input, validates it, then if it matches an allowed action,
exec() telnet or ssh or hangman or the like?

You'd still want to wrap this in systrace...


Kevin Kadow


(P.S. You'll probably want to let your users ssh to hosts on your
network, telnet, even on a private network, is deprecated. )

(P.P.S Many months ago I found (and then lost again)
an article on how to use a bastion host to enable ssh to internal 
destinations without requiring the user to type the login password
of the final destination such that it could be intercepted at the
bastion host...)