  1. #1
    Join Date
    Oct 2005
    Location
    Surrey BC
    Posts
    1,319

    Restricting shell commands

    I'm trying to figure out how I could go about letting users have SSH access to run TMUX and only allow them to run a few commands like starting the game server.

    These are bare bones servers running Ubuntu server 12.04 with Lighttpd for map hosting for custom maps download for the client. There's no ftp (users will use sftp/scp) or any scripting languages.

    I can probably do the initial install of the game server software using git but I guess the user should be able to do updates.

    The normal commands for starting the server are

    ./all run dedicated

    To update the git you have to use ./all update and then ./all compile dedicated.

    I'd also need them to be able to start tmux and start the server in tmux and then execute some of the game server commands in the server console when it's running.

    Can this be done with RSSH?


    + NOW WE'RE MAKING RECORDS, NOW WE'RE MAKING TAPES

  2. #2
    There are three things that need to be in place to fully do what you're asking for:

    1. A custom shell that lacks the commands you're interested in. This is a hard thing to get, but if you really truly don't want users to have access to some shell primitives, this is the only way to remove them.
    2. Correctly set file permissions. Don't want users to damage the system? Set the permissions so they can't damage the system even if they have the right tools. Of these three steps, this is the easiest step.
    3. Use a mandatory access control technology like AppArmor. MACs like AppArmor and SELinux embed permissions in the kernel. These prevent users from running the right tools even if they find them somewhere (and like file permissions, prevent them from using them outside of the restricted box).

  3. #3
    Join Date
    Jun 2002
    Posts
    1,166
    You can use Webmin/Usermin to allow your users to execute only the custom commands that you define. They can execute the commands with a click of a button while you maintain the security you wish.

  4. #4
    Quote Originally Posted by Xenos View Post
    You can use Webmin/Usermin to allow your users to execute only the custom commands that you define. They can execute the commands with a click of a button while you maintain the security you wish.

    Hmm that looks interesting and might do the trick for now. http://www.boxcontrol.net/using-cust...in-webmin.html



  5. #5
    Join Date
    Jun 2013
    Posts
    430
    Quote Originally Posted by Xenos View Post
    You can use Webmin/Usermin to allow your users to execute only the custom commands that you define. They can execute the commands with a click of a button while you maintain the security you wish.
    I have used this feature and it works. I think a dedicated control panel would be better but hey you can't beat free right?

    I have a lot of experience with cloudmin/virtualmin and they work great. They have their flaws but free is free.

  6. #6
    Quote Originally Posted by saschoen View Post
    I have used this feature and it works. I think a dedicated control panel would be better but hey you can't beat free right?

    I have a lot of experience with cloudmin/virtualmin and they work great. They have their flaws but free is free.
    Well I looked at some of the game panels and since this is a free/super cheap service I don't want to spend extra on top of the servers, for the cost of the game panel license I could get a MUCH better cpu and host even more people.

    I still might have to go with a restricted shell as it would be nice to have access to the game console through tmux to control the server. The user can use the game's console and log into the server using that but I think it's a bit more difficult and awkward.



  7. #7
    Quote Originally Posted by Evolver View Post
    Hmm that looks interesting and might do the trick for now.
    I use this for game servers, and actually I wrote that tutorial

    You can add a command to edit server.cfg and a file manager for users to upload new maps, so they won't need ssh access to the server, and this way it's more secure for you.
    Last edited by 5n1p; 10-02-2013 at 06:11 AM.

  8. #8
    Quote Originally Posted by 5n1p View Post
    I use this for game servers, and actually I wrote that tutorial

    You can add a command to edit server.cfg and a file manager for users to upload new maps, so they won't need ssh access to the server, and this way it's more secure for you.
    Hmm sounds interesting do you have any other write ups? What I like about Webmin vs the other game panels is I don't need php or mysql so it keeps the package requirements down.

    The game I'm running is Xonotic. Normally to run it you need to use Tmux or Screen and type in either ./all run dedicated for the GIT versions and ./server_linux.sh for the DL Compiled version.

    There are commands you can run in the server console to control the server settings/cfg file as well as using rcon through the game console once you are authenticated (Although I've never tried controlling it through the game console)

    The main thing I need is to not have to give SSH/shell access to the user and allow them to start and stop the server (which won't be required too much) and be able to upload maps and edit the cfg files through Webmin. With that they can then control the server through the game console although it does require they have the game open and this is where SSH comes in handy, I can see what's going on with the server from anywhere I have access but don't need to dl the game itself.



  9. #9
    Well you can use that tutorial for start and restart server, if I understand correctly you start the server with:

    ./server_linux.sh start

    and restart

    ./server_linux.sh restart

    just use that tutorial and replace ./ts3server_startscript.sh with ./server_linux.sh . For server.cfg then use the button "Create new file editor." in Webmin, put a description (I would use "Edit server.cfg") and type the path to the file:

    /home/game_server/path/to/file/server.cfg or something like that, leave everything else default and click "Create".

    For file upload you go to "Webmin" > "Webmin Users" > "your_user" > "Available Webmin modules" and find "File manager", it's in the "Others" category, find "Only allow access to directories" and type the path for your maps directory, that should be it. Make sure you read all settings about file permissions and check what you want.

    If this seems hard to follow you can PM me and I could find 5 minutes these days to do this for you over Team Viewer, maybe it would be easiest.

  10. #10
    Quote Originally Posted by 5n1p View Post
    Well you can use that tutorial for start and restart server, if I understand correctly you start the server with:

    ./server_linux.sh start

    and restart

    ./server_linux.sh restart

    just use that tutorial and replace ./ts3server_startscript.sh with ./server_linux.sh . For server.cfg then use the button "Create new file editor." in Webmin, put a description (I would use "Edit server.cfg") and type the path to the file:

    /home/game_server/path/to/file/server.cfg or something like that, leave everything else default and click "Create".

    For file upload you go to "Webmin" > "Webmin Users" > "your_user" > "Available Webmin modules" and find "File manager", it's in the "Others" category, find "Only allow access to directories" and type the path for your maps directory, that should be it. Make sure you read all settings about file permissions and check what you want.

    If this seems hard to follow you can PM me and I could find 5 minutes these days to do this for you over Team Viewer, maybe it would be easiest.
    That seems pretty simple although I've run into another dilemma, how do I lock down the port that the server is on as this can be changed through the cfg file and even if I did restrict write to the cfg Xonotic allows executing of custom cfg files along with the normal server.cfg. Changing it won't affect other servers but I don't need the users messing around with it just in case.

    I think I can get around the git versions needing to be started with ./all run dedicated by using a shell script to start tmux and then use it to kill the tmux session.



  11. #11
    Why don't you put the stuff you want your members to edit in one cfg, let's say public.cfg, and only let them edit that file?

    Then you could call this cfg from server.cfg which they can't touch or change, and in server.cfg you leave the port.

  12. #12
    Quote Originally Posted by 5n1p View Post
    Why don't you put the stuff you want your members to edit in one cfg, let's say public.cfg, and only let them edit that file?

    Then you could call this cfg from server.cfg which they can't touch or change, and in server.cfg you leave the port.
    I'll have to test it out but I think they can still change it by executing a different cfg. Hmm will try it now and see what happens.



  13. #13
    Quote Originally Posted by 5n1p View Post
    Why don't you put the stuff you want your members to edit in one cfg, let's say public.cfg, and only let them edit that file?

    Then you could call this cfg from server.cfg which they can't touch or change, and in server.cfg you leave the port.

    K tested it out and the user can still change the port by executing a custom.cfg file in server console and then forcing a map change. I'll have to see what the Xon devs have to say about it.



  14. #14
    Join Date
    Mar 2005
    Location
    Ten1/0/2
    Posts
    2,509
    set up a chroot jail with just the required commands within the jail, and also use the rssh shell for the scp/sftp access.

    Probably not a bad idea to put the game within its own chroot jail anyway.
    CPanel Shared and Reseller Hosting, OpenVZ VPS Hosting. West Coast (LA) Servers and Nodes
    Running Linux since 1.0.8 Kernel!
    Providing Internet Services since 1995 and Hosting Since 2004

  15. #15
    Quote Originally Posted by Evolver View Post
    K tested it out and the user can still change the port by executing a custom.cfg file in server console and then forcing a map change. I'll have to see what the Xon devs have to say about it.
    I'm not sure how your start script works, but do believe that you could set most important things in script like slots per instance, that way your ./server_linux.sh would override server.cfg.

  16. #16
    Quote Originally Posted by 5n1p View Post
    I'm not sure how your start script works, but do believe that you could set most important things in script like slots per instance, that way your ./server_linux.sh would override server.cfg.
    The issue is an alternate server.cfg file can be loaded within the game's console which would override the server.cfg file the start script uses. The only way I see to prevent that is to block the user from uploading to the directory where the cfg files are located.

  17. #17
    Quote Originally Posted by Xenos View Post
    The issue is an alternate server.cfg file can be loaded within the game's console which would override the server.cfg file the start script uses. The only way I see to prevent that is to block the user from uploading to the directory where the cfg files are located.

    Actually I don't think any lockdown is possible with Xonotic atm unless you fully pre configure the server for the user. If rcon is set up they can still change any server settings without having to modify the cfg files. Plus no one will be happy with having restrictions on modifying the game settings.

    If the rcon password is not set up they can still do some changes through in game voting but that's basic stuff and anything that involves changing of physics/weapons/gametypes would still have to be first specified in the game cfg files and then can be made votable by the player in game.

    One of the devs said currently it's not possible. Hopefully in the future they'll make some settings that can be locked down.

    Actually there is a restricted rcon account you can set up and restrict commands so maybe that might work, otherwise the only way I can see is if the text editor in Webmin would look for certain lines like port, //rcon_password "", net_address and etc.. and disallow the file to be changed if those are present.
    Last edited by Evolver; 10-03-2013 at 12:17 PM.


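The check sketched in the post above, written out as an added example for this thread rather than anything shipped by Xonotic or Webmin: a small sh wrapper that scans a cfg the user has edited through Webmin for reserved cvars before it is copied into the live data directory. The script name `cfgcheck`, the reserved list (port, net_address, rcon_password, sv_public) and the staging-path arrangement are assumptions; the cfg syntax it understands (`//` comments, `;`-separated statements, `set`/`seta` prefixes, `exec`, `alias`) is the usual Quake-style console syntax.

```shell
#!/bin/sh
# cfgcheck: refuse a server cfg that touches settings the host reserves.
# Example written for this thread, not Xonotic's or Webmin's code. Meant to
# sit between the Webmin editor/upload step and the live data directory: the
# user's file lands in a staging path, this script checks it, and only a
# clean file is copied into place. Assumed reserved cvars: port, net_address,
# rcon_password, sv_public. "exec" and "alias" are refused as well, because
# a cfg that execs another file (or hides the setting behind an alias)
# sidesteps the check entirely.
set -u

RESERVED='port net_address rcon_password sv_public'   # assumed host-only cvars

# Print "<line>: <statement>" for every offending statement in $1 and return
# 1 if any was found, 0 if the file is clean.
cfg_violations() {
    awk -v reserved="$RESERVED" '
    BEGIN { n = split(reserved, r, " "); for (i = 1; i <= n; i++) bad[r[i]] = 1 }
    {
        line = $0
        sub(/\/\/.*$/, "", line)                      # strip // comments
        m = split(line, stmts, ";")                   # "a; b" is two statements
        for (i = 1; i <= m; i++) {
            k = split(stmts[i], w)                    # default FS trims blanks
            if (k == 0) continue
            name = w[1]
            if ((name == "set" || name == "seta") && k > 1) name = w[2]
            if (name == "exec" || name == "alias" || (name in bad)) {
                print NR ": " stmts[i]
                found = 1
            }
        }
    }
    END { exit found ? 1 : 0 }' "$1"
}

# Copy $1 to $2 only when it passes; otherwise report and leave $2 untouched.
install_cfg() {
    if v=$(cfg_violations "$1"); then
        cp -- "$1" "$2"
    else
        printf 'refusing %s, reserved settings found:\n%s\n' "$1" "$v" >&2
        return 1
    fi
}

# Only act when run under the intended name; sourcing the file does nothing.
if [ "$(basename -- "$0")" = "cfgcheck" ]; then
    [ $# -eq 2 ] || { echo "usage: cfgcheck <staged.cfg> <live.cfg>" >&2; exit 2; }
    install_cfg "$1" "$2"
fi
```

Webmin's file editor writes straight to the path you give it, so to use this the editor would point at a staging copy and a custom command button would run `cfgcheck staged.cfg ~/.xonotic/data/public.cfg` as the user. As the thread already notes, this only covers files that pass through Webmin: anything the user can type through rcon, or an `exec` of a file that arrived some other way, is out of reach of the check, which is why `exec` and `alias` lines are refused too.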

  18. #18
    K so figured out I can give users access to run the git version on Xonotic if they want and to start and stop the server I can use a shell script to start and stop tmux.

    So to start a git version of xonotic you have to type in the following. I then would use custom commands to create the buttons.

    ./all run dedicated or ./all run dedicated -sessionid user1


    so to start and stop the git version in tmux I need to create two shell scripts with the following

    start.sh

    Code:
    #!/bin/sh
    # Start the git build in a detached tmux session named after the user.
    # Must be run from the xonotic checkout (Webmin "Run in directory").
    tmux new-session -d -s "$USER" "./all run dedicated -sessionid $USER"

    stop.sh

    Code:
    #!/bin/sh
    # Kill the user's tmux session, which takes the server down with it.
    tmux kill-session -t "$USER"

    I guess I can do the same but no need for tmux for updating and compiling git.

    updategit.sh

    Code:
    #!/bin/sh
    # Pull the latest Xonotic sources (run from the checkout).
    ./all update

    compilegit.sh

    Code:
    #!/bin/sh
    # Build the dedicated server after an update (run from the checkout).
    ./all compile dedicated
    Last edited by Evolver; 10-03-2013 at 09:07 PM.



  19. #19
    Ok I managed to get the custom commands buttons working to start and stop the git server.

    Now haven't been able to find the info but is there a wild card for the Run in directory and Run as user?



  20. #20
    When you click "Create new custom command" in webmin, new window will open where you setup your command, you have there "Run in directory" and "Run as user", or is this what you wanted too?

  21. #21
    Quote Originally Posted by 5n1p View Post
    When you click "Create new custom command" in webmin, new window will open where you setup your command, you have there "Run in directory" and "Run as user", or is this what you wanted too?
    Yah I have those but is there a wild card I can use for the dir and user so that when a user in Usermin clicks the button it runs as them and in the proper directory which would be /home/example_user/xonotic

    There also seems to be Custom Commands in usermin settings https://ip:10000/usermin/ but if I clone one of those I can't see it anywhere in the menus.



  22. #22
    Quote Originally Posted by Evolver View Post
    Yah I have those but is there a wild card I can use for the dir and user so that when a user in Usermin clicks the button it runs as them and in the proper directory which would be /home/example_user/xonotic

    There also seems to be Custom Commands in usermin settings https://ip:10000/usermin/ but if I clone one of those I can't see it anywhere in the menus.
    Ok so maybe I'm not looking for a user wildcard because of the quote below but a directory wildcard since Xonotic has to be started from /home/user/xonotic

    In the Run as user field, enter the name of the Unix user that the command should run as. You can select Webmin user instead, which will cause it to run as the Unix user with the same name as the Webmin user who runs it. When the command is executed, it will not normally have access to the same environment variables that the Unix user would have if he logged in via telnet or SSH. However, if you check the Use user's environment option then all variables set in the user's .profile, .cshrc and other login files will be available. Webmin runs the command with su, which switches to the user, executes his shell and then executes the command.



  23. #23
    Ok so I think I got it. Forget about usermin and users have to be Webmin users. ATM seems that I need to clone the module for each user and give them access to it and restrict the right for editing the actions. Seems kinda redundant unless there's still a wild card for the Run in directory option.



  24. #24
    I think I got it lol

    In the cloned custom commands module I have the following

    Run in directory: /home
    I put the start.sh script into /home. But I guess as long as the script is executable by everyone I can leave that as default.

    Run as user: Webmin user

    Use user's environment?: checked

    Now I modified the start script to be

    Code:
    #!/bin/sh
    # cd into the user's own checkout inside the session, so one copy of the
    # script in /home can start the right server for whichever user runs it.
    tmux new-session -d -s "$USER" "cd /home/$USER/xonotic && ./all run dedicated -sessionid $USER"
    This should allow me to only have one copy of the custom commands module and set it to any user or user group without having to clone it for every user.


    Also I think I can pass commands into the existing tmux session so I could create buttons for rescanning the file system when new maps are added, execing new cfg files and other things.



  25. #25
    Have you tried it or this is just idea?

  26. #26
    Quote Originally Posted by 5n1p View Post
    Have you tried it or this is just idea?
    Yeah tested it this morning and it's working but I might have to switch to Screen from Tmux as apparently you can't send commands to an already running Tmux session but there is a way with Screen.

    Only drawback of using Tmux/Screen is you can't see the output in Webmin so have to figure out how to stop/restart/send commands to a running git server without using screen/tmux
    Last edited by Evolver; 10-04-2013 at 04:12 PM.



  27. #27
    Some more progress. I installed the game into /opt so now when a user runs the game, the game creates a .xonotic/data directory in their home directory, this is where the server.cfg files go and where the maps go, also the user can adjust the map settings by modifying the map_name.mapinfo file.

    This saves tons of work as I only need one install of the game system wide. Also now I don't have to give the user web server access for map upload as I can go and collect maps for the game, place them on the webserver and all the user has to do is use Webmin to import the file into their .xonotic/data folder, run the fs_rescan command through rcon or a custom command button to make the maps available. Saves me from having to give users web space.



  28. #28
    Ok couple more ideas.

    Allow ssh connections but set their shell to screen/tmux. The login script would have to detect if a screen/tmux session is running and attach the session, if not show a message saying Please start the server from your Webmin account, or restrict their shell commands to only allow starting a script in screen/tmux that starts the server. Also in Webmin the custom command would have to detect an already running tmux session and quit so they either have to start from Webmin or SSH.

    This still gives the user access to the running game server console without having to use rcon from the game console and then restricts them to having to use Webmin to upload/modify their cfg files.

    Forcing them into a screen/tmux session with a predefined session name seems easy but I don't know much about bash to be able to restrict all commands but allow the execution of one script.



  29. #29
    Ok getting along some more. I tried using screen but was getting some weird things with it so gave up. I managed to send commands from Webmin to a tmux session.

    I can use Webmin custom commands to send something like this to an existing Tmux session.

    Code:
    # 'xonotic' is the tmux session name and :0 its first window;
    # the keystrokes land in the server console running there
    tmux send-keys -t xonotic:0 'restart' ENTER
    This caused the server to accept the restart command in the server console which is running in Tmux. I can do the same for any other command.

    Now is this useful, hmm not sure but it allows me to give people access to run a server and use rcon with the game console for basic commands and the Webmin custom actions for commands not available with rcon. Also keeps me from having to give people shell access on the server.


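The pieces from posts #18, #24, #28 and #29 (start/stop scripts, the shared-script start with a cd inside the session, a login shell that only attaches to tmux, and send-keys into the running console), plus the "custom shell that lacks the commands" point from post #2, combined into one script. This is an added example for this thread, not Xonotic's or Webmin's own tooling. Assumptions: it is installed as /usr/local/bin/xonctl, the checkout is /home/$USER/xonotic, the tmux session is named after the login user, and the console commands a button may inject are limited to restart, status and fs_rescan.

```shell
#!/bin/sh
# xonctl: one entry point for a game-server user, written as an example for
# this thread (not Xonotic's or Webmin's own tooling). Install it as
# /usr/local/bin/xonctl (assumed path) and use it two ways:
#   1. as the user's login shell, so an SSH login only attaches to the
#      running tmux console (or tells the user to start it from Webmin), and
#   2. as the program behind each Webmin custom command button, run as the
#      Webmin user: "xonctl start", "xonctl stop", "xonctl send fs_rescan".
# Assumed layout, following the posts above: checkout in /home/$USER/xonotic,
# tmux session named after the login user.
set -u

USER_NAME="${USER:-$(id -un)}"
XONOTIC_DIR="/home/$USER_NAME/xonotic"   # assumed install location
SESSION="$USER_NAME"                     # one tmux session per user

# Plain login-style names only: no blanks, slashes or shell metacharacters,
# so the session name can never smuggle extra words into a tmux command.
valid_name() {
    case "$1" in
        ''|*[!A-Za-z0-9_-]*) return 1 ;;
        *) return 0 ;;
    esac
}

# Console commands a user may inject with "xonctl send <cmd>". Anything else
# is refused, so a button cannot be bent into "exec evil.cfg" or "port 1234".
allowed_console_cmd() {
    case "$1" in
        restart|status|fs_rescan) return 0 ;;
        *) return 1 ;;
    esac
}

# Sub-commands exposed to the user. Everything runs as the calling user; the
# file permissions on the home and cfg directories still do the real work.
dispatch() {
    sub="${1:-attach}"
    [ $# -gt 0 ] && shift
    case "$sub" in
        start)
            if tmux has-session -t "$SESSION" 2>/dev/null; then
                echo "server already running" >&2; return 1
            fi
            # same shape as start.sh above; the cd happens inside the session's
            # command string, which also works on the tmux 1.6 that 12.04 ships
            tmux new-session -d -s "$SESSION" \
                "cd '$XONOTIC_DIR' && ./all run dedicated -sessionid '$SESSION'" ;;
        stop)    tmux kill-session -t "$SESSION" ;;
        update)  (cd "$XONOTIC_DIR" && ./all update) ;;
        compile) (cd "$XONOTIC_DIR" && ./all compile dedicated) ;;
        send)
            cmd="${1:-}"
            allowed_console_cmd "$cmd" || { echo "refused console command: $cmd" >&2; return 1; }
            tmux send-keys -t "$SESSION:0" "$cmd" Enter ;;
        attach)
            if tmux has-session -t "$SESSION" 2>/dev/null; then
                exec tmux attach-session -t "$SESSION"
            fi
            echo "No server running. Please start it from your Webmin account." >&2
            return 1 ;;
        *)  echo "refused: $sub" >&2; return 1 ;;
    esac
}

main() {
    valid_name "$SESSION" || { echo "unsafe user name: $SESSION" >&2; exit 1; }
    # sshd starts a login shell as "shell -c '<command>'" for "ssh host cmd";
    # take the words of that string as the sub-command, never hand it to eval.
    if [ "${1:-}" = "-c" ]; then
        set -f; set -- ${2:-}; set +f
    fi
    dispatch "$@"
}

# Only dispatch when installed under the intended name; sourcing the file
# (e.g. to test the helpers) does nothing.
if [ "$(basename -- "$0")" = "xonctl" ]; then
    main "$@"
fi
```

To use it as the login shell, add /usr/local/bin/xonctl to /etc/shells and set it with chsh; in Webmin the buttons become "xonctl start", "xonctl stop", "xonctl send fs_rescan" with "Run as user: Webmin user" and "Use user's environment" checked so $USER is set. Two caveats a practitioner would want: scp arrives at a login shell as `-c "scp -t ..."` and is refused, so file transfer has to go through Webmin or through `Subsystem sftp internal-sftp` in sshd_config, which sshd runs without invoking the user's shell; and a whitelisting login shell is not a sandbox, it only narrows what a login can type, so the permissions and MAC points from post #2 still apply to what the user's own processes may touch.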

