From: Ralf Jung Date: Sun, 1 Jun 2014 16:52:15 +0000 (+0200) Subject: Change README to reStructuredText format X-Git-Url: https://git.ralfj.de/schsh.git/commitdiff_plain/99d40029c416c5f3a677961e148fa371103413fe?ds=sidebyside;hp=ee2713792d210cf285ca0e82fb1a00ab3e5da213 Change README to reStructuredText format --- diff --git a/README b/README deleted file mode 100644 index 66fa61d..0000000 --- a/README +++ /dev/null @@ -1,98 +0,0 @@ -Introduction ------------- - -Welcome to [schsh][SCHSH], a schroot-based shell. - -Its purpose is simple: I want to provide users with scp, sftp and rsync access -to my server, such that they can only operate in a certain subdirectory. -There are plenty of solutions for this problem out there, and all have one -drawback in common: -You need to manually set up a bunch of chroots, and copy the files needed for -scp, sftp and rsync into them. - -I didn't like that, so here is my alternative solution: Use schroot for the -chroots. This gets OpenSSH out of the loop when it comes to chroots, instead -the relevant users get a special shell (schsh, the schroot shell). That shell -essentially calls schroot and runs the desired command inside the chroot. It -also provides some very basic command restriction (so that you can allow scp, -sftp and rsync and nothing else). - -Unfortunately, this still needs a (s)chroot to be set up for each user, but at -least no files have to be copied: Instead, schroot is configured to bind-mount -the relevant system folders into the user-chroot. Hence no files are -duplicated, and system updates to the relevant tools are applied inside the -chroots automatically. For additional hardening, these bind-mounts are -configured to be read-only and no-setuid, while the only user-writeable folder -is no-exec. - -[SCHSH]: http://www.ralfj.de/projects/schsh/ - -Setup ------ - -Before you start, make sure you have the dependencies installed: -schsh needs [Python 3][PYTHON] (I tested it with version 3.2) and -[schroot][SCHROOT] (version 1.6 or newer). - -Installation is simple: Just run ```make install```. That will copy some files -to ```/usr/local/bin```, and some configuration to ```/etc/schroot/```. -Before you create any users, make sure the directory ```/var/lib/schsh``` and a -group called ```schsh``` exist. - -You should also set up SSH to disallow port forwarding for users controlled by -schsh. See ```sshd_config``` in the source folder for an appropriate snippet -of OpenSSH configuration. - -Before you can set up schsh for a user, you need to create it first: - - adduser sandboxed --disabled-password - -Any existing user can be "sandboxed" by running - - makeschsh sandboxed - -This does the following: - -* Change the user's shell to ```/usr/local/bin/schsh``` -* Create a chroot base in ```/var/lib/schsh/sandboxed``` with some empty - subfolders as well as ```/etc/passwd``` and ```/etc/group``` containing - only root, this user and the ```schsh``` group -* Add the user to the ```schsh``` group -* Set up a schroot called ```schsh-sandboxed``` for the given folder, and an - fstab file in ```/etc/schroot/schsh``` used by this schroot - -Now if the user logs in via SSH, ```/usr/local/bin/schsh``` will be executed, -and it will lock the user into the schroot ```schsh-sandboxed```. It will -only see some system folders and a folder called ```/data``` mapped to -```/home/sandboxed/data```. If you want to give the user access to more -folders, or another folder, simply edit ```/etc/schroot/schsh/sandboxed.fstab```. -The only part of schsh writing any files is ```makeschsh```, so you can change -the users' schroot configurations at your will. - -[PYTHON]: http://www.python.org -[SCHROOT]: https://wiki.debian.org/Schroot - -Configuration -------------- - -There is not much to configure at the moment. However, there are some -global variables at the top of both ```schsh``` and ```makeschsh``` to -change the base paths, and to tell which commands are allowed. - -Source, License ---------------- - -You can find the sources in the [git repository][GIT]. They are provided under -the [GPLv3][GPL3]. In addition, all files except for ```schsh-rrsync``` are -provided under the [GPLv2][GPL2] or (at your option) any later version of the -GPL. - -[GIT]: http://www.ralfj.de/git/schsh.git -[GPL3]: https://www.gnu.org/licenses/gpl.html -[GPL2]: https://www.gnu.org/licenses/old-licenses/gpl-2.0.html - -Contact -------- - -If you found a bug, or want to leave a comment, please send me a mail: -```post AT ralfj DOT de```. diff --git a/README.rst b/README.rst new file mode 100644 index 0000000..991ed6a --- /dev/null +++ b/README.rst @@ -0,0 +1,102 @@ +schsh: Restricted file access via SSH +===================================== + +Introduction +------------ + +Welcome to schsh_, a schroot-based shell. + +Its purpose is simple: I want to provide users with scp, sftp and rsync access +to my server, such that they can only operate in a certain subdirectory. +There are plenty of solutions for this problem out there, and all have one +drawback in common: +You need to manually set up a bunch of chroots, and copy the files needed for +scp, sftp and rsync into them. + +I didn't like that, so here is my alternative solution: Use schroot for the +chroots. This gets OpenSSH out of the loop when it comes to chroots, instead +the relevant users get a special shell (schsh, the schroot shell). That shell +essentially calls schroot and runs the desired command inside the chroot. It +also provides some very basic command restriction (so that you can allow scp, +sftp and rsync and nothing else). + +Unfortunately, this still needs a (s)chroot to be set up for each user, but at +least no files have to be copied: Instead, schroot is configured to bind-mount +the relevant system folders into the user-chroot. Hence no files are +duplicated, and system updates to the relevant tools are applied inside the +chroots automatically. For additional hardening, these bind-mounts are +configured to be read-only and no-setuid, while the only user-writeable folder +is no-exec. + +.. _schsh: http://www.ralfj.de/projects/schsh/ + +Setup +----- + +Before you start, make sure you have the dependencies installed: +schsh needs `Python 3`_ (I tested it with version 3.2) and +schroot_ (version 1.6 or newer). + +Installation is simple: Just run ``make install``. That will copy some files +to ``/usr/local/bin``, and some configuration to ``/etc/schroot/``. +Before you create any users, make sure the directory ``/var/lib/schsh`` and a +group called ``schsh`` exist. + +You should also set up SSH to disallow port forwarding for users controlled by +schsh. See ``sshd_config`` in the source folder for an appropriate snippet +of OpenSSH configuration. + +Before you can set up schsh for a user, you need to create it first:: + + adduser sandboxed --disabled-password + +Any existing user can be "sandboxed" by running:: + + makeschsh sandboxed + +This does the following: + +* Change the user's shell to ``/usr/local/bin/schsh`` +* Create a chroot base in ``/var/lib/schsh/sandboxed`` with some empty + subfolders as well as ``/etc/passwd`` and ``/etc/group`` containing + only root, this user and the ``schsh`` group +* Add the user to the ``schsh`` group +* Set up a schroot called ``schsh-sandboxed`` for the given folder, and an + fstab file in ``/etc/schroot/schsh`` used by this schroot + +Now if the user logs in via SSH, ``/usr/local/bin/schsh`` will be executed, +and it will lock the user into the schroot ``schsh-sandboxed``. It will +only see some system folders and a folder called ``/data`` mapped to +``/home/sandboxed/data``. If you want to give the user access to more +folders, or another folder, simply edit ``/etc/schroot/schsh/sandboxed.fstab``. +The only part of schsh writing any files is ``makeschsh``, so you can change +the users' schroot configurations at your will. + +.. _Python 3: http://www.python.org +.. _schroot: https://wiki.debian.org/Schroot + +Configuration +------------- + +There is not much to configure at the moment. However, there are some +global variables at the top of both ``schsh`` and ``makeschsh`` to +change the base paths, and to tell which commands are allowed. + +Source, License +--------------- + +You can find the sources in the `git repository`_. They are provided under +the GPLv3_. In addition, all files except for ``schsh-rrsync`` are +provided under the GPLv2_ or (at your option) any later version of the +GPL. + +.. _git repository: http://www.ralfj.de/git/schsh.git +.. _GPLv2: https://www.gnu.org/licenses/old-licenses/gpl-2.0.html +.. _GPLv3: https://www.gnu.org/licenses/gpl.html + +Contact +------- + +If you found a bug, or want to leave a comment, please +`send me a mail `_. +