1

I have a user that has a rbash as default shell (in order to limit his privileges). I also changed his default bin directory to cut-off most binaries from his PATH. User should time to time change his password. So which binaries should be reachable to give him the possibility to change password via ssh. I created a symbolic link to passwd in his bin directory but he still can't change password using ssh.

Piotr Zych
  • 111
  • passwd is at /usr/bin/passwd. He should have access to that file (and the subdirectories up to that file). A symbolic link alone won't help if he doesn't have access to the file that the symbolic link points to. i.e., A symbolic link doesn't bypass the permissions on the file. – Ray Jan 19 '23 at 13:10
  • @Ray He has access to all sub-directories. Unfortunately it didn't help. I'm still investigating problem. – Piotr Zych Jan 19 '23 at 13:48
  • Is it needed to do that? passwd has an option --expire and that would force inserting a new passwrd – Rinzwind Jan 19 '23 at 13:50
  • What is the actual error behavior you are observing? I just tried it in a WSL instance and it seemed to work – steeldriver Jan 19 '23 at 13:56
  • 1
    I suppose you can try running passwd through strace (i.e., strace passwd) and see if it's trying to load other files. I only have a rudimentary knowledge of strace, so you'll have to read up on it; passwd could be loading shared libraries which you have taken away his access to. – Ray Jan 19 '23 at 14:08

1 Answers1

1

A user in a restricted bash shell should be able to successfully run the passwd command as long as they have the location(full path of containing directory) of a working passwd binary in their search path.

That is the usual with rbash as the restrictions by default apply only to:

• changing directories with cd

• setting or unsetting the values of SHELL, PATH, ENV, or BASH_ENV

• specifying command names containing /

• specifying a filename containing a / as an argument to the . builtin command

• specifying a filename containing a slash as an argument to the -p option to the hash builtin command

• importing function definitions from the shell environment at startup

• parsing the value of SHELLOPTS from the shell environment at startup

• redirecting output using the >, >|, <>, >&, &>, and >> redirection operators

• using the exec builtin command to replace the shell with another command

• adding or deleting builtin commands with the -f and -d options to the enable builtin command

• using the enable builtin command to enable disabled shell builtins

• specifying the -p option to the command builtin command

• turning off restricted mode with set +r or set +o restricted.

If,however, you are adding some extra strict measures other than using rbash as the user's shell, you might want to look at what passwd actually needs to access, open, or write to with strace like so:

strace -e open,openat,write,access passwd
Raffa
  • 35,113