News, tips, partners, and perspectives for the Oracle Solaris operating system

Using Solaris RBAC to only allow scp/sftp

Darren Moffat
Senior Software Architect

The RBAC functionality in Solaris is normally used to empower users
but it can also be used to restrict what commands they may run.

It is possible to use RBAC to restrict access to the sshd(1m) subsystems.
This is normally done to create a user who can use sftp but can not login.

Since sshd(1m) starts the subsystems listed in sshd_config(4) using the
users login shell it isn't possible to restrict the user by giving them
a bogus shell (eg /bin/false). However if the user is assigned one of the
profile shells (pfsh,pfksh,pfcsh) then they can be configured with
only the commands necessary for the relvant sshd(1m) subsystems.

Create a new execution profile that contains only the scp and sftp-server
commands thus:

$ cat <<_EOM_ >> /etc/security/exec_attr
Restricted Secure Shell:suser:cmd:::/usr/bin/scp:
Restricted Secure Shell:suser:cmd:::/usr/lib/ssh/sftp-server:
$ cat <<_EOM_ >> /etc/security/prof_attr
Restricted Secure Shell:::scp/sftp access only:

Update /etc/security/policy.conf to remove the "Basic Solaris User" profile from the PROFS_GRANTED entry, this ensures that by default users with profile shells can not run commands except those listed in their profile.

Set the users login shell to be one of the profile shells (eg /bin/pfsh).
Give the user the "Restricted Secure Shell" profile eg.

upload::::profiles=Restricted Secure Shell

Note the user can still login to the system and move around using
cd but they can only issue the commands in the profile and shell
builtins. Since ssh isn't in the profile they won't be able to use
scp to get out of the machine again (In current Solaris implementations
ssh is exec'd by scp to make the connection). The restricted feature
of ksh allows stopping this behaviour as well. It is possible to
have both a restricted shell and a profile shell out of the same binary.
Unfortunately though we didn't ship /bin/rpfksh in Solaris but it
is trivial to implement as a one line shell script:

exec /bin/pfksh -r

You can now use /bin/rpfksh as the login shell rather than /bin/pfksh.
Note that this will not stop the user using sftp to browse the filesystem
via "cd" only a login shell. It is intended to make the login shell
rather useless.

If we added a "-c" argument to /bin/pfexec we could achive an even
better result for the login shell but would still have the issue of
sftp-server allowing the user to "wander" around the filesystem. To
fix that either sshd or sftp-server would need to chroot the user into
their home directory. Neither Solaris or OpenSolaris supports that today.

Be the first to comment

Comments ( 0 )
Please enter your name.Please provide a valid email address.Please enter a comment.CAPTCHA challenge response provided was incorrect. Please try again.