Defining a Restricted Shell Command Right
You can also use command rights to strictly control which commands certain users can execute. In a restricted shell environment, users can only execute the specific commands and command-line options that are explicitly allowed. For example, you might want to grant some users permission to run a specific Delinea command-line program, such as adinfo, without allowing them to run any other command-line programs on some computers.
Users who are assigned to a role with the restricted shell environment are not able to run any other commands, including informational commands such as ls, ps, and whoami, unless you explicitly include them in the command right. You are not required to explicitly add basic navigational commands, such as cd and pwd, to the command right.
What the restricted shell provides
For Linux and UNIX computers, Delinea provides a customized Bourne shell, dzsh, to serve as the restricted shell environment. The dzsh restricted shell supports environment variables, job control, command history, and the specific command rights you define. For example, you can use the up-arrow key in the dzsh shell to recall previously-entered commands. You can also set a limit to the command history available by adding HISTSIZE=n to the $HOME/.dzshrc file.
For most operations, working in the dzsh shell is similar to working in an unrestricted shell except that the command set available is limited to the command rights you add to the environment.
Limitations of the restricted shell
The restricted shell environment does not enforce rights for commands that run outside of the shell. For example, if users run a graphical desktop manager, they can run commands and applications that are launched from menu selections in the graphical user interface.
In addition, the command rights defined for the dzsh shell do not prevent users from running built-in shell commands, accessing the file system, or seeing process or system information. For example, even in a restricted shell environment with no rights to run any commands, users in a dzsh shell could get a process listing using the following script:
# Walk the numeric entries under /proc and print each process's command line.
for i in /proc/[0-9]*; do
    read PROC < "$i/cmdline"
    echo "$PROC"
done
Because the shell scripting environment allows the operations, users can effectively access information that the commands defined for the restricted shell environment do not allow.
Securing the restricted shell environment
There are many ways sophisticated users can get around limitations placed on a restricted shell environment. For example, most text editors, such as vi and emacs, allow shell escapes. Giving users permission to run programs that allow shell escapes in a restricted shell enables them to open a new unrestricted shell environment with none of the restrictions placed on them in their defined environment. Similarly, giving users access to commands that set or modify local time and date settings might allow users to avoid time constraints for running commands or the expiration date and time for specific role assignments.
In some cases, even individual command-line options might provide users with the means to run commands not defined in their restricted shell environment. For example, defining a command right that allows users to run the tar command with the --use-compress-program program_name option allows users to run the specified program_name even though program_name is not an allowed command in their restricted shell environment.
In choosing the commands to allow in a restricted shell, therefore, you should carefully consider ways to plug potential security holes the commands might introduce or whether there are alternative commands that provide the same functionality more securely. For example, if you need to give a user access to an editor, such as vi or vim, you could restrict the ability to execute nested commands to prevent users from opening a new shell from within the editor. Alternatively, you could add the rvi command to the restricted environment instead of vi or vim because rvi doesn’t allow the user to open a new shell.
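The review described above can be done before a command right is assigned. The following script is an added example, not Delinea code: it lints a constructed list of proposed command rights for the patterns this page names (editors with shell escapes, tar with --use-compress-program, commands that set the clock) and suggests the safer alternative where the page gives one. The function names and the sample rights are assumptions for this example.

```sh
#!/bin/sh
# Added example (not Delinea code): lint proposed restricted-shell command
# rights for the escape patterns described above. Each input line is one
# command right in "command [option pattern]" form.

# Prints a reason and returns 0 when the right needs review; returns 1 when clean.
check_command_right() {
    right=$1
    cmd=${right%% *}        # first word is the program, the rest is its option pattern
    cmd=${cmd##*/}          # drop any path prefix such as /usr/bin/
    case "$cmd" in
        vi|vim|emacs)
            echo "editor allows shell escapes; use rvi or restrict nested commands"
            return 0 ;;
        date|hwclock)
            echo "sets system time; may defeat time constraints or role expiry"
            return 0 ;;
        tar)
            case "$right" in
                *--use-compress-program*)
                    echo "--use-compress-program runs a program not in the command right"
                    return 0 ;;
            esac ;;
    esac
    return 1
}

# Reads rights from stdin, one per line, and prints a verdict for each.
lint_rights() {
    while IFS= read -r right; do
        case "$right" in "") continue ;; esac
        if reason=$(check_command_right "$right"); then
            printf 'REVIEW  %s  (%s)\n' "$right" "$reason"
        else
            printf 'ok      %s\n' "$right"
        fi
    done
    return 0
}

# Constructed sample rights, as they might be typed into the Command field.
SAMPLE_RIGHTS='/usr/bin/adinfo *
/usr/bin/vi *
/usr/bin/rvi *
/bin/tar --use-compress-program *
/bin/tar -czf *
/bin/date'

printf '%s\n' "$SAMPLE_RIGHTS" | lint_rights
```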
For more information about setting attributes that control command executions, see Customizing command execution attributes.
Steps for completing this task
The following instructions illustrate how to define a command right for use in a restricted shell using Access Manager. For more information about any step, see Defining rights to run privileged commands. Examples of scripts that use the Access Module for Windows PowerShell, ADEdit, or the Delinea Windows API are available in other guides, the Delinea Software Developer’s Kit, or in community forums on the Delinea website.
To define a command right for restricted shell access
- Open Access Manager.
- Expand Zones and the individual parent or child zones required to select the zone name where you want to define a command right.
- Expand Authorization and UNIX Right Definitions, then select Commands.
- Right-click, then click New Command.
- Type a short descriptive name for the command right, and optionally, a more detailed description for the command right.
- Type the command you want to add.
- Select the type of pattern matching to use for the “Command” and “Specific path” fields.
- Select an appropriate path for matching the command on the different operating environments you support.
- Specify an integer that determines the priority of the command; the lower the number, the higher the priority.
- Click the Restricted Shell tab, then select Can be used in a restricted role to allow the command to be added to a role that runs in a restricted shell environment.
- Select whether commands are executed using the user’s logon account or using a specific user name or UID.
  If you want to configure commands to be executed using dzdo in a restricted shell environment, you can click the Run As tab to specify a user or group for command execution.
- Click OK to save the new command right.
In most cases, you can use the default settings for environment variables and execution attributes.
- If you want to keep, remove, or add environment variables for command execution, see Customizing environment variables for command execution.
- If you want to customize any of the execution attributes, see Customizing command execution attributes.
Creating a role to run commands in a restricted shell
For Linux and UNIX computers, Delinea provides a customized Bourne shell, dzsh, to serve as a restricted shell environment. The dzsh restricted shell supports environment variables, job control, command history, and the command access rights you define.
To create a role that runs a restricted shell, do the following:
- Create command rights for the restricted shell commands users are allowed to run.
- Create a new role definition and set the System Rights for the role to allow password login, nonpassword login, or both, and verify that the Login with Non-Restricted Shell option is not selected, then click OK to save the role definition.
- Right-click the role, select Add Right, then select login-all or a specific PAM access right and the restricted shell command rights users are allowed to run, then click OK to save the changes to the role definition.
For more information about creating, assigning, and testing custom role definitions, see Customizing command execution attributes.