HowTo: Create a read-only user (Solaris 10)
by Ross Moffatt, May 2010
Contents
Compatibility
Overview
readonlyshell c source and compiling
Directory setup and "/" mounting
User setup
Testing
Conclusion
About The Author
Compatibility
I have tried this on Solaris 10, both SPARC and x86. I expect this would work on other versions of Solaris.
Overview
So, not sure how secure your system is, have "write other" permissions all over the place, or would just like to give a user read-only access and know they can't accidentally fill up a file system? This article may be for you. There is one small compiled C program, readonlyshell, involved; you can easily compile it yourself if you have cc or gcc installed, or email me for a copy.
Note: As the filesystem is read-only, some commands won't work, such as vi, which requires write access to /var/tmp to create a temporary file.
To set up read-only access I create a "new root" directory such as /var/readonly. Under this directory I mount "/" read-only. That sounds confusing, so here is a diagram of the directory structure.
/
|-- var
|   `-- readonly
|       `-- /   (Note: this is a read-only mount of /)
|           |-- var
|           |   `-- readonly   (Note: no, it doesn't get cyclic at this point)
|           |-- usr
|           `-- adm
|-- usr
`-- adm
So when a user logs in, instead of running a shell such as /sbin/sh, the compiled C program readonlyshell is run, which is installed setuid root. It changes the user's root directory to /var/readonly, sets a couple of shell variables and changes directory to "/", which is now /var/readonly. Lastly it runs a bash shell.
The upshot of all this is a user logs in, they see the root directory and all below as a read-only filesystem.
Note: You may put a "root equivalent" user (UID 0) into this read-only filesystem, but it is very easy for a root user to break out.
readonlyshell c source and compiling
Check if you have cc or gcc installed to compile this C program. I'm not going to cover how to do this here.
Don't worry, you need no compiling experience to make this one work.
Note: There are no checks compiled into this program, so you need to ensure the directory permissions, user IDs, etc. are as per this article.
To create the source file, just use your favorite editor to create a text file called readonlyshell.c:
// readonlyshell
// By Ross Moffatt 05/2010

// Libraries
#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>
#include <pwd.h>

// It all starts here
int main(int argc, char *argv[])
{
    // Declare some variables
    struct passwd *pd;
    char *lgn;

    // Get the passwd details for the logged in user
    if ((lgn = getlogin()) == NULL || (pd = getpwnam(lgn)) == NULL) {
        exit(1);
    }

    // Change directory to the "home directory"
    // defined in the passwd file for this user
    if (chdir(pd->pw_dir) != 0) {
        perror("chdir");
        exit(1);
    }

    // Change what this user now sees as their root directory to
    // the "home directory" defined in the passwd file for this user
    if (chroot(pd->pw_dir) != 0) {
        perror("chroot");
        exit(1);
    }

    // Set the GID and then the UID for the user, ensure root permissions are gone
    // (group first: setgid() could fail once the process is no longer root)
    if (setgid(pd->pw_gid) != 0 || setuid(pd->pw_uid) != 0) {
        perror("setgid/setuid");
        exit(1);
    }

    // Change some environment variables to suit the new root directory
    setenv("HOME", "/", 1);
    setenv("SHELL", "/usr/bin/bash", 1);
    unsetenv("MAIL");

    // print out a message
    printf("\nreadonlyshell by Ross 5/2010.\n\n");

    // run a shell (replace this process with bash rather than spawning it via system())
    execl("/usr/bin/bash", "bash", (char *)NULL);
    perror("execl");
    return 1;
}
To compile using gcc:
/usr/sfw/bin/gcc -s -o readonlyshell readonlyshell.c
Copy the compiled program into place, set ownership to root:root and set the permissions to setuid, read and execute for all (mode 4555).
cp readonlyshell /sbin/readonlyshell
chown root:root /sbin/readonlyshell
chmod 4555 /sbin/readonlyshell
So now to check, ls -l /sbin/readonlyshell returns:
-r-sr-xr-x 1 root root 6312 Apr 1 07:16 /sbin/readonlyshell
Directory setup and "/" mounting
Create the read-only directory, e.g. /var/readonly:
mkdir /var/readonly
chown root:root /var/readonly
chmod 755 /var/readonly
Mount "/" read-only onto the read-only directory, e.g. /var/readonly:
/sbin/mount -F lofs -o ro / /var/readonly
Edit /etc/vfstab, and add the mount command if you want this filesystem to mount after a reboot of the system.
e.g. add the following line:
/ - /var/readonly lofs - yes ro
Now a df -k will show the newly mounted filesystem.
/ 15062276 4204136 10858140 28% /var/readonly
User setup
Here I am only going to show how to set this up using local files.
I'm sure NIS etc. could be set up as well, as the only difference is that my special shell, readonlyshell, is run.
Add the user to /etc/passwd, choosing a large UID and GID so that the account is an unprivileged user.
Remember to use the special readonlyshell in the "shell" field.
ross:x:10000:10000:Read only user:/var/readonly:/sbin/readonlyshell
Add the user to /etc/shadow.
ross:x:14705::::::
Add the user group.
readonly::10000:
Add a password for the user.
passwd ross
New Password:
Testing
Not much to do here: either it will work and you can log in as the newly created user and look, but not write, or the login will fail.
You can of course change the shell to, say, /bin/sh to check that the login credentials etc. are correct.
Conclusion
In this article I have created a read-only user. I did this by mounting the "/" directory read-only onto a mount point lower in the filesystem, then created and compiled a C program that changes the root directory to this mount point and runs a shell. Finally I detailed the user setup needed to run this C program so that the user lands in the read-only filesystem.
About the Author
Ross Moffatt has been a UNIX system administrator for 10+ years and can be contacted at ross.stuff@telstra.com.
SOURCE:
HowTo Create a read-only user (Solaris 10) - BigAdmin - wikis.sun.com