Skip to content

scponly: init at 4.8 #109452

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
merged 1 commit into from
Jan 17, 2021
Merged

scponly: init at 4.8 #109452

merged 1 commit into from
Jan 17, 2021
+62 −0

Conversation

wmertens
Copy link
Contributor

Motivation for this change

This allows setting the shell of a user to `${pkgs.scponly}/bin/scponly", after which they can only use scp and sftp.

Things done
  • Tested using sandboxing (nix.useSandbox on NixOS, or option sandbox in nix.conf on non-NixOS linux)
  • Built on platform(s)
    • NixOS
    • macOS
    • other Linux distributions
  • Tested via one or more NixOS test(s) if existing and applicable for the change (look inside nixos/tests)
  • Tested execution of all binary files (usually in ./result/bin/)
  • Determined the impact on package closure size (by running nix path-info -S before and after)
  • Ensured that relevant documentation is up to date
  • Fits CONTRIBUTING.md.

@SuperSandro2000
Copy link
Member

Please change the titles to scponly: init at 4.8

SuperSandro2000
SuperSandro2000 requested changes Jan 15, 2021
View reviewed changes
@ofborg ofborg bot added 8.has: package (new) This PR adds a new package 11.by: package-maintainer This PR was created by the maintainer of the package it changes 10.rebuild-darwin: 0 This PR does not cause any packages to rebuild on Darwin 10.rebuild-linux: 1-10 10.rebuild-linux: 1 labels Jan 15, 2021
@wmertens wmertens changed the title scponly shell: add 4.8 scponly: init at 4.8 Jan 15, 2021
@wmertens
Copy link
Contributor Author

@SuperSandro2000 done, thanks!

@SuperSandro2000
Copy link
Member

This is a semi-automatic executed nixpkgs-review which does not build all packages (e.g. lumo, tensorflow or pytorch)
If you find some bugs or got suggestions for further things to search or run please reach out to SuperSandro2000 on IRC.

Result of nixpkgs-review pr 109452 run on x86_64-linux 1

1 package built:
  • scponly

@aanderse
Copy link
Member

@wmertens aren't you supposed to add shellPath to passthru?

Also, this is pretty old software now... is it secure?

@wmertens
Copy link
Contributor Author

Ah, I didn't know about shellPath, I just used the direct path to the shell. Indeed, added now.

As for security - I could only find CVEs for previous versions and it's still used in Ubuntu, so I reasoned that it is more secure than not having anything. At worst you get shell access, which is only marginally more than just having scp access.

@wmertens @SuperSandro2000
scponly: init at 4.8
cd0fa5a 
Co-authored-by: Sandro <sandro.jaeckel@gmail.com>
@aanderse
Copy link
Member

@wmertens awesome! I would love to use this then. What problems did you have with chroot, because that would be great to have working.

@wmertens
Copy link
Contributor Author

@aanderse I tried the following steps:

  • enabling it with the --enable-chrooted-binary config flag
  • adding a suid wrapper
  • using the suid wrapper as the shell

It didn't seem to make a difference, I was still able to see outside the home directory. Perhaps I was missing a step. I was also wondering if perhaps systemd could provide some sort of user jail but I couldn't find anything.

@aanderse
Copy link
Member

@wmertens that is too bad. Sounds like it would require some debugging to figure that out. Oh well 🤷‍♂️

Thanks!

@SuperSandro2000
Copy link
Member

Can this be merged? I can't really tell if the discussions are a merge blocker.

@SuperSandro2000
Copy link
Member

This is a semi-automatic executed nixpkgs-review which does not build all packages (e.g. lumo, tensorflow or pytorch)
If you find some bugs or got suggestions for further things to search or run please reach out to SuperSandro2000 on IRC.

Result of nixpkgs-review pr 109452 run on x86_64-linux 1

1 package built:
  • scponly

@aanderse
Copy link
Member

No problems here. Anything I'm talking about could be implemented in a future PR, if ever.

@wmertens wmertens merged commit 57c1982 into NixOS:master Jan 17, 2021
@wmertens wmertens deleted the scponly branch January 17, 2021 14:15
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@SuperSandro2000 SuperSandro2000

Assignees
No one assigned
Labels
8.has: package (new) This PR adds a new package 10.rebuild-darwin: 0 This PR does not cause any packages to rebuild on Darwin 10.rebuild-linux: 1-10 10.rebuild-linux: 1 11.by: package-maintainer This PR was created by the maintainer of the package it changes
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

None yet
3 participants
@wmertens @SuperSandro2000 @aanderse