Securing the restricted shell environment

There are many ways sophisticated users can get around limitations placed on a restricted shell environment. For example, most text editors, such as vi and emacs, allow shell escapes. Giving users permission to run programs that allow shell escapes in a restricted shell enables them to open a new unrestricted shell environment with none of the restrictions placed on them in their defined environment. Similarly, giving users access to commands that set or modify local time and date settings might allow users to avoid time constraints for running commands or the expiration date and time for specific role assignments.

In some cases, even individual command line options might provide users with the means to run commands not defined in their restricted shell environment. For example, defining a command right that allows users to run the tar command with the --use-compress-program program_name option allows the user to run the specified program_name even though program_name is not an allowed command in their restricted shell environment.

In choosing the commands to allow in a restricted shell, therefore, you should carefully consider ways to plug potential security holes the commands might introduce or whether there are alternative commands that provide the same functionality more securely. For example, if you need to give a user access to an editor, such as vi or vim, you could restrict the ability to execute nested commands to prevent users from opening a new shell from within the editor. Alternatively, you could add the rvi command to the restricted environment instead of vi or vim because rvi doesn’t allow the user to open a new shell.

For more information about setting attributes that control command executions, see Customizing command execution attributes.
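The following script is an added illustration, not part of this guide or of Centrify's own tooling: it audits a constructed list of command rights for the three escape paths described above (editors with shell escapes, commands that alter the clock, and options that run a second program) and suggests the rvi substitution. The command names and the sample rights are constructed for the example; a bare "*" argument is read as "any arguments", which is what glob matching on the Command field would admit.

```python
import os
import shlex

# Editors with a shell escape, mapped to the safer replacement the text
# names (rvi) or None where it names no alternative.
EDITORS_WITH_SHELL_ESCAPE = {"vi": "rvi", "vim": "rvi", "emacs": None}
# Commands that can set the system time or date (constructed example set).
CLOCK_COMMANDS = {"date"}
# Options that make an otherwise harmless command run a second program.
PROGRAM_RUNNING_OPTIONS = {"tar": {"--use-compress-program"}}


def audit_command_right(name, command):
    """Return (name, kind, message) findings for one command right, where
    `command` is the right's Command field, e.g. "/bin/tar *"."""
    findings = []
    argv = shlex.split(command)
    if not argv:
        return findings
    prog, args = os.path.basename(argv[0]), argv[1:]
    if prog in EDITORS_WITH_SHELL_ESCAPE:
        alt = EDITORS_WITH_SHELL_ESCAPE[prog]
        advice = f"use {alt} instead" if alt else "restrict nested commands"
        findings.append((name, "shell-escape", f"{prog} allows a shell escape; {advice}"))
    if prog in CLOCK_COMMANDS:
        findings.append((name, "clock", f"{prog} can alter the clock that enforces "
                         "time constraints and role expiry"))
    for opt in PROGRAM_RUNNING_OPTIONS.get(prog, ()):
        wildcard = "*" in args                       # pattern admits every option
        explicit = any(a == opt or a.startswith(opt + "=") for a in args)
        if wildcard or explicit:
            findings.append((name, "program-option",
                             f"{prog} {opt} runs an arbitrary program; exclude it"))
    return findings


def audit_allow_list(rights):
    """Audit every (name, command) pair and return all findings."""
    return [f for name, cmd in rights for f in audit_command_right(name, cmd)]


# Constructed sample allow-list in the shape of Access Manager command rights.
SAMPLE_RIGHTS = [
    ("edit-config", "/usr/bin/vi /etc/app/*.conf"),
    ("archive-logs", "/bin/tar *"),
    ("archive-safe", "/bin/tar -czf /var/backup/app.tgz /var/log/app"),
    ("set-time", "/bin/date"),
    ("edit-safe", "/usr/bin/rvi /etc/app/*.conf"),
]
```

Calling audit_allow_list(SAMPLE_RIGHTS) reports three findings (the vi right, the unrestricted tar right and the date right) and accepts the rvi right and the tar right whose arguments are fixed.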

Steps for completing this task

The following instructions illustrate how to define a command right for use in a restricted shell using Access Manager. For more information about any step, see Defining rights to run privileged commands. Examples of scripts that use the Access Module for Windows PowerShell, ADEdit, or the Centrify Windows API are available in other guides, the Centrify Software Developer’s Kit, or in community forums on the Centrify website.

To define a command right for restricted shell access

  1. Open Access Manager.
  2. Expand Zones and the individual parent or child zones required to select the zone name where you want to define a command right.
  3. Expand Authorization and UNIX Right Definitions, then select Commands.
  4. Right-click, then click New Command.
  5. Type a short descriptive name for the command right, and optionally, a more detailed description for the command right.
  6. Type the command you want to add.
  7. Select the type of pattern matching to use for the “Command” and “Specific path” fields.
  8. Select an appropriate path for matching the command on the different operating environments you support.
  9. Specify an integer that determines the priority of the command—the lower the number, the higher the priority.
  10. Click the Restricted Shell tab, then select Can be used in a restricted role to allow the command to be added to a role that runs in a restricted shell environment.
  11. Select whether commands are executed using the user’s logon account or using a specific user name or UID.

    If you want to configure commands to be executed using dzdo in a restricted shell environment, you can click the Run As tab to specify a user or group for command execution.

  12. Click OK to save the new command right.

    In most cases, you can use the default settings for environment variables and execution attributes.