NCSA CyberSecurity


Man Page for commsh

Name

commsh - Community Shell application for restricting user access in a community environment

Synopsis

commsh [--check [path [checks]] | --check-user command | --version | --help]

Description

commsh is a shell wrapper application for managing restricted multi-user accounts using chroot jail environments, dynamic account generation, and other access restriction methods.

commsh can currently perform the following functions:

  1. Perform a security check on a chroot jail environment
  2. chroot to a properly secured environment
  3. Switch to a new user within the secured environment
  4. Launch a shell as the new user

commsh reads a configuration file (defined at compile time, often /etc/commsh.conf) before acting on any option.

commsh should be setuid root in order to function correctly. The setuid root privileges will be dropped before commsh terminates or passes control to another application.
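The sequence listed above (check the jail, chroot, switch user, launch a shell) written out in C as an added example; it is not commsh source code. The checks performed and the names open_checked_jail and enter_jail are assumptions, since this page does not say which checks commsh runs.

```c
#ifndef _GNU_SOURCE
#define _GNU_SOURCE   /* exposes chroot(), setgroups(), O_NOFOLLOW */
#endif
#include <fcntl.h>
#include <grp.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <unistd.h>

/* Assumed checks, run on the opened descriptor so the directory that was
 * checked is the one entered: not a symlink, a directory, owned by `owner`
 * (root in production), not writable by group or others. Returns fd or -1. */
int open_checked_jail(const char *path, uid_t owner)
{
    struct stat st;
    int fd = open(path, O_RDONLY | O_DIRECTORY | O_NOFOLLOW | O_CLOEXEC);
    if (fd < 0) return -1;
    if (fstat(fd, &st) != 0 || st.st_uid != owner ||
        (st.st_mode & (S_IWGRP | S_IWOTH))) {
        close(fd);
        return -1;
    }
    return fd;
}

/* Check, chroot, then drop to uid/gid irreversibly. Returns 0 on success. */
int enter_jail(const char *path, uid_t owner, uid_t uid, gid_t gid)
{
    int fd;
    if (uid == 0 || (fd = open_checked_jail(path, owner)) < 0) return -1;
    if (fchdir(fd) != 0 || chroot(".") != 0) { close(fd); return -1; }
    close(fd);
    /* Order matters: groups and gid can only be changed while still root. */
    if (setgroups(0, NULL) != 0 || setgid(gid) != 0 || setuid(uid) != 0) return -1;
    /* Confirm root cannot be regained before anything else runs. */
    if (setuid(0) == 0 || getuid() != uid || geteuid() != uid) return -1;
    return 0;
}

int main(int argc, char **argv)
{
    /* Constructed usage: jail uid gid. The jail must be root-owned. */
    if (argc != 4 || enter_jail(argv[1], 0, atoi(argv[2]), atoi(argv[3])) != 0)
        return 1;
    execl("/bin/sh", "sh", (char *)NULL);   /* resolved inside the jail */
    perror("execl");
    return 1;
}
```

Only the jail directory itself is checked here; a production check would also cover its parent directories and its contents.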

Options

--check [path [checks]]

Perform jail checks and output results before terminating. If path or checks is omitted, the values from the configuration file will be used. The setuid root privileges will be dropped before checks are performed.

--check-user command

If the user is listed as requiring command checking by a CheckUser directive, check the command against the DirectAccess directives. Return '0' if the command is allowed, and '-1' if it is not. If the CheckVerbose directive is true, 'ALLOW' or 'DENY' will be displayed as appropriate.

--version

Display version information and exit.

--help

Display help information and exit.

Files

/etc/commsh.conf - the commsh configuration file

Bugs

None known.

See Also

commsh.conf (5)