Man Page for commsh.conf

Name

commsh.conf - Community Shell configration file

Description

commsh.conf contains a list of directives that determine the behavior of commsh, the Community Shell.

A directive is of the form:

DirectiveName [Value [Value ...]]

Each Value can be either a boolean keyword (true, on, yes versus false, off, no), an integer (octal and hexadecimal forms are allowed, e.g. 0777 or 0x4A), or a string. Multi-word strings must be enclosed in quotation marks (e.g "one two three"), and both quotation marks and newlines can be escaped using \ (backslash).

If a directive is given without any values, a true boolean value is assumed.

Blank lines and lines starting with a # (comments) are ignored.

Directives

General

ReadConfig FILE

Read the configuration file found at FILE as if it were appended to the end of the main configuration file. Note that tildes (~) in FILE are expanded.

ReadUserConfig UID/USERNAME FILE

Behaves as ReadConfig if UID/USERNAME matches the current user.

AllowUser UID/USERNAME

Allows the given user to run commsh. By default, nobody is allowed access. The special value of * may be provided to allow any user that has not been explicitly denied (see DenyUser below).

DenyUser UID/USERNAME

Explicitly deny the given user from running commsh. This option has no effect unless "AllowUser *" has been specified.

CheckUser UID/USERNAME

Specify that commands from the given user should be checked when commsh --check-user is invoked. By default, commands are not checked for any users. The special value of * may be provided to specify that commands from all users should be checked. This access list is independent from the AllowUser / DenyUser access list.

CheckVerbose True/False

If set, commsh --checkuser will display verbose output in addition to its return value.

AssignUID UID

Specify a static UID to be assigned. (By default, the UID of the user is preserved.) This option is ignored if dynamic account generation is enabled (see below).

Change Root

ChrootPath [PATH/BOOL]

If BOOL is true or a PATH is provided, chroot functionality is enabled. The default path is the user's home directory, and tilde expansions in a provided path are performed. Before chroot is called, the path will be checked for security risks (see CheckChroot below).

CheckChroot [CHECK [CHECK ...]]

Before chrooting to a jailed environment, perform the specified checks. Possible checks include:

suidroot

Check for files setuid root

suid

Check for files with the setuid bit set

sgid

Check for files with the setgid bit set

block

Check for block devices

char

Check for character devices

socket

Check for UNIX sockets

fifo

Check for FIFO pipes

mount

Check for mount points.

all

Perform all checks (default)

CheckAllowDevice DEVICE

Allow the given DEVICE to exist within the jail. DEVICE should refer to a file in the real filesystem (not the jailed environment). The actual path to this file is not relevant, as the only checked characteristics are the file's mode, rdev, uid and gid. This only matters for block and character devices, sockets, and FIFO pipes (the latter two don't have an rdev to check), and then only if the corresponding CheckChroot parameter has been set.

Access Methods

LaunchShell True/False

If true, exec the user's shell after authentication, passing to it any command parameters. If false, commands will be executed directly as long as they match a DirectAccess style directive (see below).

DirectAccess COMMAND-SPECIFICATION

DirectAccessExact COMMAND-SPECIFICATION

DirectAccessSuDo COMMAND-SPECIFICATION

DirectAccessRE COMMAND-SPECIFICATION

Allow direct access to a given command. This has no effect if LaunchShell is enabled. The format and behavior of each of the above is described in Command Parameters below. When a command is launched directly, commsh actually performs an execve, so the shell process can be monitored directly to monitor the executed job.

Command Parameters

The command parameters used by the DirectAccess-style directives conform to one of four specifications:

The default style uses the POSIX fnmatch function to perform wildcard matching. The matching is done on a parameter-by-parameter basis, so a wildcard in a given parameter slot can't match the space between parameters. Furthermore, wildcards in the first (program name) slot can't match slashes. If fnmatch is not available, this will default to an Exact style directive.

The Exact style requires an exact match without any wildcard matching. This style is always available.

The SuDo style behaves exactly like an entry in the sudoers file. If fnmatch is not available, this directive will be ignored.

The RE style behaves as a regular expression. A caret '^' (start-of-line) character is automatically prepended to the string provided. (This is because not beginning the pattern with a start-of-line character is a security risk in all cases.) If the regexec suite of functions is not available, this directive will be ignored.

Examples

DirectAccessExact /bin/rbash

Allow the user to launch a restricted bash environment without parameters

DirectAccess /usr/bin/* **

Allow the user to execute any utility in /usr/bin with any list of parameters.

DirectAccessSUDO /bin/cat *

Allow the user to execute cat on any list of files.

DirectAccessRE /usr/bin/jobmanager/.* < infile[0-9]* > outfile[0-9]*$

Allow the user to execute any command in /usr/bin/jobmanager (or a subdirectiry) with redirection parameters restricted to certain input and output files.

See Also

commsh (1)