scriptreplay_ng
Make the patch obsolete
Replace the util-linux patch by something which utilizes AppArmor to restrict access.
Quick and dirty hack (needs additional work):
$ set -x; cat /etc/apparmor.d/restricted-shell ; cat /usr/local/bin/restricted-shell ; sudo aa-enforce /usr/local/bin/restricted-shell ; restricted-shell ; set +x
+ cat /etc/apparmor.d/restricted-shell
#include <tunables/global>
# aa-enforce /usr/local/bin/restricted-shell
/usr/local/bin/restricted-shell {
  #include <abstractions/base>
  network inet tcp,
  /** lrwix,
  /bin/bash cx,
  profile /bin/bash {
    #include <abstractions/base>
    #include <abstractions/bash>
    network inet tcp,
    /** lrwix,
    # TCP/UDP network access
    network inet stream,
    network inet6 stream,
    network inet dgram,
    network inet6 dgram,
    network netlink raw,
    deny /tmp/log/ lrwx,
    #include <abstractions/dbus-strict>
    dbus send
         bus=system
         path="/org/freedesktop/resolve1"
         interface="org.freedesktop.resolve1.Manager"
         member="Resolve{Address,Hostname,Record,Service}"
         peer=(name="org.freedesktop.resolve1"),
  }
}
+ cat /usr/local/bin/restricted-shell
#!/bin/bash
cd /tmp
cat <<EOF
****************************************************
*** RESTRICTED SHELL START
****************************************************
EOF
script --timing=/tmp/log/timing /tmp/log/typescript -c "/bin/bash"
#/bin/bash
cat <<EOF
****************************************************
*** RESTRICTED SHELL END
****************************************************
EOF
+ sudo aa-enforce /usr/local/bin/restricted-shell
/usr/local/bin/restricted-shell wird in den Erzwingen-Modus versetzt.
+ restricted-shell
****************************************************
*** RESTRICTED SHELL START
****************************************************
Skript gestartet, die Datei ist /tmp/log/typescript
xset: unable to open display ":0"
marc@nb18(2017-10-20 22:22:58) /tmp
$ ls
+~JF2596995564123793764.tmp ssh-AhWjvIlYKNMZ warnings-plugin
marc@nb18(2017-10-20 22:23:00) /tmp
$ ssh 256bit.org
Welcome to Ubuntu 16.04.3 LTS (GNU/Linux 4.4.0-93-generic x86_64)
* Documentation: https://help.ubuntu.com
* Management: https://landscape.canonical.com
* Support: https://ubuntu.com/advantage
____ ____ __ ____ ___ _____ ___ ____ ____
|___ \| ___| / /_ | __ )_ _|_ _/ _ \| _ \ / ___|
__) |___ \| '_ \| _ \| | | || | | | |_) | | _
/ __/ ___) | (_) | |_) | | | || |_| | _ <| |_| |
|_____|____/ \___/|____/___| |_(_)___/|_| \_\\____|
Last login: Fri Oct 20 22:21:30 2017 from 78.42.71.84
ERR 1 : [email protected](2017-10-20 22:23:12) ~
$ logout
Connection to 256bit.org closed.
ERR 1 : marc@nb18(2017-10-20 22:23:07) /tmp
$ exit
Skript wurde beendet, die Datei ist /tmp/log/typescript
****************************************************
*** RESTRICTED SHELL END
****************************************************
+ set +x
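As an added example, not code from the issue or from scriptreplay_ng: a POSIX shell check that the timing file written by the `script --timing=... -c "/bin/bash"` call in restricted-shell accounts for every byte of the typescript, so that a truncated or partially overwritten recording is noticed before it is replayed. It assumes util-linux's classic `<delay> <bytes>` timing format and its "Script started" / "Script done" header and footer lines; the sample recording is constructed, not captured from the session above.

```shell
# Added example, not part of the issue or of scriptreplay_ng.
# Checks that a recording written by `script --timing=<timing> <typescript>`
# is internally consistent: the byte counts in the timing file must add up
# to the typescript payload (everything between util-linux's "Script started"
# header line and its "\nScript done ..." footer). A recording that was
# truncated or partially overwritten fails the check instead of being replayed.
# Assumes the classic two-column "<delay> <bytes>" timing format.

# Writes a constructed sample recording into $1 (not captured from a real session).
make_sample() {
  dir=$1
  mkdir -p "$dir"
  {
    printf 'Script started on 2017-10-20 22:22:58\n'   # header, not in timing
    printf '$ ls\r\n'                                   # 6 bytes
    printf 'ssh-AhWjvIlYKNMZ\r\n'                       # 18 bytes
    printf '$ exit\r\n'                                 # 8 bytes
    printf '\nScript done on 2017-10-20 22:23:15\n'     # footer, not in timing
  } > "$dir/typescript"
  printf '0.000000 6\n1.512345 18\n2.031337 8\n' > "$dir/timing"
}

# check_recording TYPESCRIPT TIMING
# Returns 0 if the timing byte counts equal the typescript payload length,
# 1 on a mismatch, 2 if either file is unreadable.
check_recording() {
  ts=$1; tm=$2
  [ -r "$ts" ] && [ -r "$tm" ] || return 2
  expected=$(awk '{ s += $2 } END { print s + 0 }' "$tm")
  total=$(wc -c < "$ts" | tr -d ' ')
  header=$(head -n 1 "$ts" | wc -c | tr -d ' ')
  footer=$(tail -n 1 "$ts" | wc -c | tr -d ' ')
  # the footer line is preceded by one newline that script(1) writes itself
  payload=$((total - header - footer - 1))
  [ "$payload" -eq "$expected" ]
}
```

Run it against /tmp/log/typescript and /tmp/log/timing after a session ends; a non-zero exit means the pair should not be trusted as a complete recording.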
Review: https://github.com/scoopex/puppet-bastion_host
This is implemented by a shell script in combination with AppArmor rules....