I have a user that has a rbash as default shell (in order to limit his privileges). I also changed his default bin directory to cut-off most binaries from his PATH. User should time to time change his password. So which binaries should be reachable to give him the possibility to change password via ssh. I created a symbolic link to passwd in his bin directory but he still can't change password using ssh.
Asked
Active
Viewed 161 times
1
Piotr Zych
- 111
1 Answers
1
A user in a restricted bash shell should be able to successfully run the passwd command as long as they have the location(full path of containing directory) of a working passwd binary in their search path.
That is the usual with rbash as the restrictions by default apply only to:
• changing directories with cd
• setting or unsetting the values of SHELL, PATH, ENV, or BASH_ENV
• specifying command names containing /
• specifying a filename containing a / as an argument to the . builtin command
• specifying a filename containing a slash as an argument to the -p option to the hash builtin command
• importing function definitions from the shell environment at startup
• parsing the value of SHELLOPTS from the shell environment at startup
• redirecting output using the >, >|, <>, >&, &>, and >> redirection operators
• using the exec builtin command to replace the shell with another command
• adding or deleting builtin commands with the -f and -d options to the enable builtin command
• using the enable builtin command to enable disabled shell builtins
• specifying the -p option to the command builtin command
• turning off restricted mode with set +r or set +o restricted.
If,however, you are adding some extra strict measures other than using rbash as the user's shell, you might want to look at what passwd actually needs to access, open, or write to with strace like so:
strace -e open,openat,write,access passwd
Raffa
- 34,963