Thread: Restricting shell commands
-
09-30-2013, 03:30 AM #1Web Hosting Master
- Join Date
- Oct 2005
- Location
- Surrey BC
- Posts
- 1,343
Restricting shell commands
I'm trying to figure out how I could go about letting users have SSH access to run TMUX and only allow them to run a few commands like starting the game server.
These are bare bones servers running Ubuntu server 12.04 with Lighttpd for map hosting, for custom map downloads for the client. There's no ftp (users will use sftp/scp) or any scripting languages.
I can probably do the initial install of the game server software using git but I guess the user should be able to do updates.
The normal commands for starting the server are
./all run dedicated
To update the git you have to use ./all update and then ./all compile dedicated.
I'd also need them to be able to start Tmux, start the server in tmux and then execute some of the game server commands in the server console when it's running.
Can this be done with RSSH?
+ NOW WE'RE MAKING RECORDS, NOW WE'RE MAKING TAPES
-
09-30-2013, 09:32 AM #2Disabled
- Join Date
- Jun 2013
- Posts
- 246
There are three things that need to be in place to fully do what you're asking for:
1. A custom shell that lacks the commands you're interested in. This is a hard thing to get, but if you really truly don't want users to have access to some shell primitives, this is the only way to remove them.
2. Correctly set file permissions. Don't want users to damage the system? Set the permissions so they can't damage the system even if they have the right tools. Of these three steps, this is the easiest step.
3. Use a mandatory access control technology like AppArmor. MACs like AppArmor and SELinux embed permissions in the kernel. These prevent users from running the right tools even if they find them somewhere (and like file permissions, prevent them from using them outside of the restricted box).
-
10-01-2013, 09:51 AM #3/home/xenos
- Join Date
- Jun 2002
- Posts
- 1,172
You can use Webmin/Usermin to allow your users to execute only the custom commands that you define. They can execute the commands with a click of a button while you maintain the security you wish.
-
10-01-2013, 10:34 AM #4Web Hosting Master
- Join Date
- Oct 2005
- Location
- Surrey BC
- Posts
- 1,343
Hmm that looks interesting and might do the trick for now. http://www.boxcontrol.net/using-cust...in-webmin.html
-
10-01-2013, 01:00 PM #5Aspiring Evangelist
- Join Date
- Jun 2013
- Posts
- 430
-
10-01-2013, 01:18 PM #6Web Hosting Master
- Join Date
- Oct 2005
- Location
- Surrey BC
- Posts
- 1,343
Well I looked at some of the game panels and since this is a free/super cheap service I don't want to spend extra on top of the servers; for the cost of the game panel license I could get a MUCH better cpu and host even more people.
I still might have to go with a restricted shell as it would be nice to have access to the game console through tmux to control the server. The user can use the game's console and log into the server using that but I think it's a bit more difficult and awkward.
-
10-02-2013, 06:02 AM #7Newbie
- Join Date
- Sep 2013
- Posts
- 22
Last edited by 5n1p; 10-02-2013 at 06:11 AM.
-
10-02-2013, 03:36 PM #8Web Hosting Master
- Join Date
- Oct 2005
- Location
- Surrey BC
- Posts
- 1,343
Hmm sounds interesting, do you have any other write-ups? What I like about Webmin vs the other game panels is I don't need php or mysql, so it keeps the package requirements down.
The game I'm running is Xonotic. Normally to run it you need to use Tmux or Screen and type in either ./all run dedicated for the GIT versions or ./server_linux.sh for the DL compiled version.
There are commands you can run in the server console to control the server settings/cfg file, as well as using rcon through the game console once you are authenticated (although I've never tried controlling it through the game console).
The main thing I need is to not have to give SSH/shell access to the user and allow them to start and stop the server (which won't be required too much) and be able to upload maps and edit the cfg files through webmin. With that they can then control the server through the game console, although it does require they have the game open, and this is where SSH comes in handy: I can see what's going on with the server from anywhere I have access but don't need to dl the game itself.
-
10-02-2013, 04:47 PM #9Newbie
- Join Date
- Sep 2013
- Posts
- 22
Well you can use that tutorial for start and restart server, if I understand correctly you start the server with:
./server_linux.sh start
and restart
./server_linux.sh restart
just use that tutorial and replace ./ts3server_startscript.sh with ./server_linux.sh. For server.cfg, use the button "Create new file editor" in webmin, put in a description (I would use "Edit server.cfg") and type the path to the file:
/home/game_server/path/to/file/server.cfg or something like that, leave everything else default and click "Create".
For file upload, go to "Webmin" > "Webmin Users" > "your_user" > "Available Webmin modules" and find "File manager" (it's in the "Others" category), find "Only allow access to directories" and type the path to your maps directory; that should be it. Make sure you read all the settings about file permissions and check what you want.
If this seems hard to follow you can PM me and I could find 5 minutes these days to do this for you over Team Viewer, maybe it would be easiest.
-
10-02-2013, 07:08 PM #10Web Hosting Master
- Join Date
- Oct 2005
- Location
- Surrey BC
- Posts
- 1,343
That seems pretty simple although I've run into another dilemma: how do I lock down the port that the server is on, as this can be changed through the cfg file, and even if I did restrict writes to the cfg, Xonotic allows executing custom cfg files along with the normal server.cfg. Changing it won't affect other servers but I don't need the users messing around with it just in case.
I think I can get around the git versions needing to be started with ./all run dedicated by using a shell script to start tmux and then use it to kill the tmux session.
-
10-02-2013, 07:24 PM #11Newbie
- Join Date
- Sep 2013
- Posts
- 22
Why don't you put the stuff you want your members to edit in one cfg, let's say public.cfg, and only let them edit that file?
Then you could call this cfg from server.cfg, which they can't touch or change, and in server.cfg you leave the port.
-
10-02-2013, 09:20 PM #12Web Hosting Master
- Join Date
- Oct 2005
- Location
- Surrey BC
- Posts
- 1,343
-
10-02-2013, 09:36 PM #13Web Hosting Master
- Join Date
- Oct 2005
- Location
- Surrey BC
- Posts
- 1,343
-
10-03-2013, 01:07 AM #14Web Hosting Master
- Join Date
- Mar 2005
- Location
- Ten1/0/2
- Posts
- 2,529
set up a chroot jail with just the required commands within the jail, and also use the rssh shell for the scp/sftp access.
Probably not a bad idea to put the game within its own chroot jail anyway.
CPanel Shared and Reseller Hosting, OpenVZ VPS Hosting. West Coast (LA) Servers and Nodes
Running Linux since 1.0.8 Kernel!
Providing Internet Services since 1995 and Hosting Since 2004
-
10-03-2013, 10:06 AM #15Newbie
- Join Date
- Sep 2013
- Posts
- 22
-
10-03-2013, 11:02 AM #16/home/xenos
- Join Date
- Jun 2002
- Posts
- 1,172
-
10-03-2013, 12:07 PM #17Web Hosting Master
- Join Date
- Oct 2005
- Location
- Surrey BC
- Posts
- 1,343
Actually I don't think any lockdown is possible with Xonotic atm unless you fully pre-configure the server for the user. If rcon is set up they can still change any server settings without having to modify the cfg files. Plus no one will be happy with having restrictions on modifying the game settings.
If the rcon password is not set up they can still do some changes through in-game voting, but that's basic stuff, and anything that involves changing physics/weapons/gametypes would still have to be first specified in the game cfg files and can then be made votable by the player in game.
One of the devs said currently it's not possible. Hopefully in the future they'll make some settings that can be locked down.
Actually there is a restricted rcon account you can set up and restrict commands, so maybe that might work; otherwise the only way I can see is if the text editor in Webmin would look for certain lines like port, //rcon_password "", net_addess and etc. and disallow the file to be changed if those are present.
Last edited by Evolver; 10-03-2013 at 12:17 PM.
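One way to do what that last idea describes, as an added example that is not code from the thread: a small sh/awk checker that refuses a user-editable cfg if it sets a locked cvar, so a Webmin file editor or upload hook can run it before accepting the file. The locked names (port, rcon_password, net_address) are the ones the post mentions; the cfg syntax it assumes (Quake-style set/seta, // comments, ; separators, exec, alias, quoted tokens) is an assumption to verify against your Xonotic build.

```shell
#!/bin/sh
# Added example, not from the thread: refuse a user-editable Xonotic cfg that
# sets a cvar the host wants locked. Locked names come from the post above;
# the cfg syntax handled here (set/seta, // comments, ; separators, exec,
# alias, quoted tokens) is assumed Quake-style and should be verified.

LOCKED_CVARS="port rcon_password net_address"

# check_cfg FILE: prints each rejected command; exit 0 if clean, 1 if not.
# Deliberately strict: a locked name anywhere outside a comment is enough,
# so 'alias p "port 26001"' and 'set "Port" 26001' are caught as well.
check_cfg() {
    awk -v locked="$LOCKED_CVARS" '
    BEGIN { bad = 0; n = split(locked, a, " "); for (i = 1; i <= n; i++) lock[a[i]] = 1 }
    {
        sub(/\/\/.*/, "")                      # strip // comments
        ncmd = split($0, cmd, ";")             # one line may hold several commands
        for (c = 1; c <= ncmd; c++) {
            gsub(/^[ \t]+|[ \t]+$/, "", cmd[c])
            if (cmd[c] == "") continue
            nt = split(cmd[c], tok, /[ \t]+/)
            for (t = 1; t <= nt; t++) {
                w = tolower(tok[t]); gsub(/^"|"$/, "", w)   # "port" is still port
                # exec/alias as the command could pull locked settings in from elsewhere
                if ((w in lock) || (t == 1 && (w == "exec" || w == "alias"))) {
                    printf "%s:%d: rejected: %s\n", FILENAME, NR, cmd[c]; bad = 1; break
                }
            }
        }
    }
    END { exit bad }' "$1"
}

# Constructed demo input (not a real server cfg): one clean file, one tampered.
demo() {
    f=$(mktemp)
    printf 'hostname "Demo"\n// port 26000 (commented out, so ignored)\nsv_maxplayers 16\n' > "$f"
    check_cfg "$f" && echo "clean cfg accepted"
    printf 'sv_maxplayers 8; set "Port" 26001\nalias p "rcon_password secret"\n' > "$f"
    check_cfg "$f" || echo "tampered cfg rejected"
    rm -f "$f"
}
```

Run demo to see both outcomes; wire check_cfg into whatever saves the user's public.cfg and keep the locked cvars in a server.cfg the user cannot write.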
-
10-03-2013, 08:52 PM #18Web Hosting Master
- Join Date
- Oct 2005
- Location
- Surrey BC
- Posts
- 1,343
K so figured out I can give users access to run the git version of Xonotic if they want, and to start and stop the server I can use a shell script to start and stop tmux.
So to start a git version of xonotic you have to type in the following. I then would use custom commands to create the buttons.
./all run dedicated or ./all run dedicated -sessionid user1
so to start and stop the git version in tmux I need to create two shell scripts with the following
start.sh
Code:
#!/bin/sh
# detached tmux session named after the user; $USER expands in the shell tmux starts
tmux new-session -d -s "$USER" './all run dedicated -sessionid $USER'
stop.sh
Code:
#!/bin/sh
tmux kill-session -t "$USER"
I guess I can do the same but no need for tmux for updating and compiling git.
updategit.sh
Code:
#!/bin/sh
./all update
Code:
#!/bin/sh
./all compile dedicated
Last edited by Evolver; 10-03-2013 at 09:07 PM.
-
10-03-2013, 10:57 PM #19Web Hosting Master
- Join Date
- Oct 2005
- Location
- Surrey BC
- Posts
- 1,343
Ok I managed to get the custom command buttons working to start and stop the git server.
Now I haven't been able to find the info, but is there a wildcard for the Run in directory and Run as user?
-
10-04-2013, 04:37 AM #20Newbie
- Join Date
- Sep 2013
- Posts
- 22
When you click "Create new custom command" in webmin, a new window will open where you set up your command; you have "Run in directory" and "Run as user" there, or is this what you wanted too?
-
10-04-2013, 04:46 AM #21Web Hosting Master
- Join Date
- Oct 2005
- Location
- Surrey BC
- Posts
- 1,343
Yah I have those but is there a wildcard I can use for the dir and user so that when a user in Usermin clicks the button it runs as them and in the proper directory, which would be /home/example_user/xonotic
There also seem to be Custom Commands in the usermin settings https://ip:10000/usermin/ but if I clone one of those I can't see it anywhere in the menus.
-
10-04-2013, 05:12 AM #22Web Hosting Master
- Join Date
- Oct 2005
- Location
- Surrey BC
- Posts
- 1,343
Ok so maybe I'm not looking for a user wildcard because of the quote below, but a directory wildcard, since Xonotic has to be started from /home/user/xonotic
In the Run as user field, enter the name of the Unix user that the command should run as. You can select Webmin user instead, which will cause it to run as the Unix user with the same name as the Webmin user who runs it. When the command is executed, it will not normally have access to the same environment variables that the Unix user would have if he logged in via telnet or SSH. However, if you check the Use user's environment option then all variables set in the user's .profile, .cshrc and other login files will be available. Webmin runs the command with su, which switches to the user, executes his shell and then executes the command.
-
10-04-2013, 05:34 AM #23Web Hosting Master
- Join Date
- Oct 2005
- Location
- Surrey BC
- Posts
- 1,343
Ok so I think I got it. Forget about usermin and users have to be Webmin users. ATM seems that I need to clone the module for each user and give them access to it and restrict the right for editing the actions. Seems kinda redundant unless there's still a wild card for the Run in directory option.
-
10-04-2013, 11:30 AM #24Web Hosting Master
- Join Date
- Oct 2005
- Location
- Surrey BC
- Posts
- 1,343
I think I got it lol
In the cloned custom commands module I have the following
Run in directory: /home
Run as user: Webmin user
Use user's environment?
Now I modified the start script to be
Code:
#!/bin/sh
# cd into the user's own checkout first, since the module's Run in directory is /home
tmux new-session -d -s "$USER" 'cd /home/$USER/xonotic && ./all run dedicated -sessionid $USER'
Also I think I can pass commands into the existing tmux session so I could create buttons for rescanning the file system when new maps are added, execing new cfg files and other things.
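As an added example (not the thread's own scripts), the start/stop scripts and the "pass commands into the existing tmux session" idea folded into one wrapper that the Webmin buttons can call with an argument. It assumes the checkout lives in /home/<user>/xonotic and that the tmux session is named after the user, as in the posts above; the console command names on its allowlist (fs_rescan, status, exec public.cfg) are assumptions to check against your server.

```shell
#!/bin/sh
# Added example, not the thread's own scripts: start.sh, stop.sh and
# "send a command into the running tmux session" as one wrapper, so each
# Webmin button runs "xonotic-ctl.sh start|stop|send <command>".
# Assumes the Git checkout in /home/<user>/xonotic and a tmux session named
# after the user, as in the thread. Console command names are assumptions.

ME="${USER:-$(id -un)}"            # su normally sets USER; fall back to id
GAMEDIR="/home/$ME/xonotic"
SESSION="$ME"

# The only console lines a button may push into the live server. Everything
# else (rcon_password, port, net_address, exec of other files) is refused,
# so the buttons cannot undo what the locked server.cfg sets.
allowed_console_cmd() {
    case "$1" in
        fs_rescan|status|"exec public.cfg") return 0 ;;
        *) return 1 ;;
    esac
}

start_server() {
    if tmux has-session -t "$SESSION" 2>/dev/null; then
        echo "server already running for $ME"; return 1
    fi
    cd "$GAMEDIR" || { echo "no checkout at $GAMEDIR"; return 1; }
    tmux new-session -d -s "$SESSION" "./all run dedicated -sessionid $SESSION"
}

stop_server() {
    tmux kill-session -t "$SESSION"
}

send_console() {
    if ! allowed_console_cmd "$1"; then
        echo "refused console command: $1"; return 1
    fi
    tmux send-keys -t "$SESSION" "$1" Enter
}

case "${1:-}" in
    start) start_server ;;
    stop)  stop_server ;;
    send)  send_console "${2:-}" ;;
    "")    ;;   # no argument: only define the functions
    *)     echo "usage: $0 start|stop|send <console command>"; exit 2 ;;
esac
```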
-
10-04-2013, 02:20 PM #25Newbie
- Join Date
- Sep 2013
- Posts
- 22
Have you tried it or this is just idea?