fush 0.6.1
Cory Marsh

FU shell

SYNTAX

    fush
    fush [-c string]
    fuadmin [-c]

DESCRIPTION

fush is a Unix shell replacement. It provides improved logging support for the shell to keep an eye on users. It also provides extra security features. With fush you can restrict and log everything. You can restrict shell operators ( > < ; | & ) and/or log their usage. Fush also has the ability to limit which commands can be executed from the command line. A list of MD5 sums is kept on all system binaries. When a user tries to exec a command, an MD5 hash is generated, which is compared against the user's ACL. If the MD5 sum and full path match an approved command in the ACL, the command is executed.

Fush is not intended to be a full featured shell, or even a shell for normal system use and administration. Fush is used to restrict what commands a user can exec from the shell and to log all executed commands.

fush supports:

* pipes
* input redirection
* output redirection
* background commands
* multiple commands on the command line
* setting and unsetting environment variables
* logging
* restricting commands a user can execute
* readline(3) command entry

fush does not support:

* IEEE Std 1003.2 ("POSIX.2") specification for the shell
* fush makes an effort to emulate sh(1)

Fush has many configuration options. Fush stores its config files in /usr/local/etc/fush (this is currently hard coded, and will be changed to a compile time option within a week). Configuration files consist of /usr/local/etc/fush/fush.db, which is the MD5 database of user commands. /usr/local/etc/fush/fush.security is a generic configuration file generated by fuadmin. It is a list of basic commands that can be executed, excluding a list of commands that fuadmin determined will break the security of fush (see SECURITY in this document). The /usr/local/etc/fush/username.security file configures security options for the user, username. The username.security file should be owned by root and the user's group with 0640 permissions.
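The approval check described above, modelled as an added example (not fush's own code): a command is approved only when its full path is in the user's ACL and the MD5 sum of the file on disk still equals the recorded one. The dict standing in for fush.db, the function names and the sample files are assumptions; this page does not document the real format of fush.db.

```python
import hashlib
import os
import tempfile


def md5_of(path):
    """Hex MD5 sum of a file's contents."""
    with open(path, "rb") as fh:
        return hashlib.md5(fh.read()).hexdigest()


def may_exec(path, db, acl):
    """Approve only a full path that is in the ACL and whose current MD5
    sum equals the one recorded in db (a dict standing in for fush.db)."""
    if not os.path.isabs(path):
        return False, "not a full path"
    if path not in acl:
        return False, "path not in ACL"
    if path not in db:
        return False, "no recorded MD5 sum"
    try:
        current = md5_of(path)
    except OSError:
        return False, "cannot read file"
    if current != db[path]:
        return False, "MD5 mismatch"
    return True, "approved"


def demo():
    """Constructed sample: small files standing in for system binaries."""
    d = tempfile.mkdtemp()
    ls, cp, copy = (os.path.join(d, n) for n in ("ls", "cp", "ls-copy"))
    for p, body in ((ls, b"ls v1"), (cp, b"cp v1"), (copy, b"ls v1")):
        with open(p, "wb") as fh:
            fh.write(body)
    acl = {ls, cp}
    db = {p: md5_of(p) for p in acl}    # what fuadmin -c would record
    with open(cp, "wb") as fh:          # file replaced after db was built
        fh.write(b"cp modified")
    return {name: may_exec(p, db, acl)[1]
            for name, p in (("ls", ls), ("cp", cp), ("ls-copy", copy))}


if __name__ == "__main__":
    print(demo())
```

The copy with identical contents is refused because its path is not in the ACL, which is why the check pairs the sum with the full path. In this model the check and the later exec are separate steps, so it says nothing about a file replaced between them.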

SECURITY CONFIGURATION

Fush has an administration program, fuadmin(1), to help administrators set up the access controls that fush provides. The program currently supports only one option, -c. fuadmin will create a database of MD5 hashes in /usr/local/etc/fush/fush.db. This database will be read when the shell loads. Along with this configuration file, a file named /usr/local/etc/fush/username.security will be loaded. The .security file contains the configuration for the currently logged on user.

The username.security file supports the following case insensitive configuration options:

    can_redirect_out = YES | NO
        (prevents output redirection via >)

    can_redirect_in = YES | NO
        (prevents input redirection via <)

    can_redirect_pipe = YES | NO
        (prevents redirecting output from one command to another)

    can_multicommand = YES | NO
        (prevents execution of multiple commands on one command line
        entry via ;)

    limit_exec = EXCLUDE | INCLUDE
        (instructs fush to include or exclude the commands listed in the
        configuration file. If INCLUDE is set, the ACL allows only the
        listed commands. If EXCLUDE is set, the ACL does not allow the
        listed commands)

    restrict_vi = YES | NO
        (If set to YES, then fush will redirect all requests for vi to
        rvim. NOTE: currently not fully un-bypass-able. Will be fixed in
        the 0.7.0 release)

    max_background = 0 - 65435
        (the maximum number of background commands)

    max_arguments = 0 - 4096
        (the maximum number of arguments on the command line)

    /full/path/to/command
        (add this command to the Access Control List of commands. If
        limit_exec is set to INCLUDE, then these commands will be allowed
        to be executed (the preferred setup). If limit_exec is set to
        EXCLUDE, then these commands will not be allowed to execute)

USER CONFIGURATION

NOTE: NOT CURRENTLY SUPPORTED

Startup and shutdown

A login shell begins by reading the security configuration files (see SECURITY CONFIGURATION). After parsing these files, fush reads commands from the system file /usr/local/etc/fush/fushrc. It then executes commands from files in the user's home directory: ~/.fushrc. Non-login shells read the security configuration and startup scripts, execute commands, then exit.

In the normal case, the shell begins reading commands from the terminal, prompting with `hostname> '. (Processing of arguments and the use of the shell to process files containing command scripts are described later.) The shell repeatedly reads a line of command input, breaks it into words, places it on the command history list, parses it and executes each command in the line.

END NOTE

prompt:

Fush supports csh style prompts. Fush will prompt the user with the environment variable 'prompt'. The prompt environment variable supports some special characters that are interpreted by the shell and expanded to the given information:

    %/    The current working directory.
    %M    The full hostname.
    %m    The hostname up to the first `.'.
    %n    The name of the currently logged in user.
    %%    A '%' sign.
    %#    A > for normal users, a # for root.
    %?    The return code for the last executed command.
    %L    A newline character.
    %s    Seconds.
    %i    Minutes.
    %h    Hour (24 hour format).
    %w    Day of month.
    %D    The day of the week.
    %Y    The current year.

LOGGING

Fush logs to syslog. This allows the application to write to the log file, but not read it or alter it. By default, fush logs to local0. This is currently hard coded, but fush will support multiple facilities and levels in a soon to be released version 0.7.1 (or thereabouts). To enable logging in Fush, you need to edit your syslog.conf file and add the following line:

    local0.* /var/log/fush.log

Then restart your syslog daemon.
This will log all commands entered by fush users to /var/log/fush.log. Fush prepends each log entry with the username, so tracking users is simple. Version 0.7 or 0.8 will have a much improved logging interface with support for multiple facilities and logging levels.

COMMAND-LINE EDITOR

See readline(3).

SECURITY

Basic fush security requires that any command that the user executes not allow the user to transfer control to another system command. This usually includes installed shells (/bin/sh, /bin/csh, etc). To make the most of the access controls provided with fush, you should create a shell group and set the group owner for each shell on your system to this group. Then change the permissions on these shells to 0755. fush users should not be included in this group. This way, if a user can execute an external command from one of the approved commands, he/she will not be able to execute another shell.

For additional security, users should always be restricted to a set of approved commands. This prevents users from downloading commands from external systems and executing them. You can enable this type of restriction by setting the user configuration value:

    limit_exec = INCLUDE

Commands that can exec other commands, such as those listed here, should never be included in a list of approved commands:

* vi
* emacs
* find
* xargs
* tclsh
* expect
* awk
* perl
* python
* php ?
* others

FILES

    /usr/local/bin/fush
    /var/log/fush.log
    /usr/local/etc/fush/fush.db
    /usr/local/etc/fush/username.security

AUTHORS

Cory Marsh

SEE ALSO

fuadmin(1) sh(1) csh(1) osh(1) readline(3)
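A review aid for username.security files, given here as an added example (not part of fush or fuadmin): it validates the options listed under SECURITY CONFIGURATION and applies the SECURITY advice by flagging a limit_exec that is not INCLUDE and approved commands that can exec other commands. The one-entry-per-line syntax, the skipping of blank lines, the function name and the sample file are assumptions.

```python
import os

YES_NO = {"can_redirect_out", "can_redirect_in", "can_redirect_pipe",
          "can_multicommand", "restrict_vi"}
RANGES = {"max_background": (0, 65435), "max_arguments": (0, 4096)}
# Commands the SECURITY section says can exec other commands, plus shells.
CAN_EXEC = {"vi", "emacs", "find", "xargs", "tclsh", "expect", "awk",
            "perl", "python", "php", "sh", "csh"}


def audit(text):
    """Return a list of findings for the text of a username.security file."""
    findings, options, acl = [], {}, []
    for n, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line:
            continue
        if line.startswith("/"):
            acl.append(line)
        elif "=" in line:
            key, value = (part.strip() for part in line.split("=", 1))
            options[key.lower()] = (n, value.upper())  # case insensitive
        else:
            findings.append(f"line {n}: unrecognized entry")
    for key, (n, value) in options.items():
        if key in YES_NO:
            if value not in ("YES", "NO"):
                findings.append(f"line {n}: {key} must be YES or NO")
        elif key in RANGES:
            low, high = RANGES[key]
            if not (value.isdecimal() and low <= int(value) <= high):
                findings.append(f"line {n}: {key} outside {low}-{high}")
        elif key != "limit_exec":
            findings.append(f"line {n}: unknown option {key}")
    mode = options.get("limit_exec", (0, None))[1]
    if mode != "INCLUDE":
        findings.append("limit_exec is not INCLUDE: no approved-command list")
    else:
        for path in acl:
            if os.path.basename(path) in CAN_EXEC:
                findings.append(f"{path}: approved command can exec others")
    return findings


# Constructed sample file, not taken from a real system.
SAMPLE = ("can_redirect_out = no\nCan_Multicommand = maybe\n"
          "limit_exec = include\nmax_arguments = 5000\n"
          "/bin/ls\n/usr/bin/find\n")
```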