Score:1

Which binaries should be available for the user to change password via ssh

ng flag

I have a user that has rbash as his default shell (in order to limit his privileges). I also changed his default bin directory to cut off most binaries from his PATH. The user should change his password from time to time. So which binaries should be reachable to give him the possibility to change his password via ssh? I created a symbolic link to passwd in his bin directory, but he still can't change his password using ssh.

cn flag
Ray
`passwd` is at `/usr/bin/passwd`. He should have access to that file (and the directories leading up to that file). A symbolic link alone won't help if he doesn't have access to the file that the symbolic link points to, i.e., a symbolic link doesn't bypass the permissions on the file.
ng flag
@Ray He has access to all sub-directories. Unfortunately it didn't help. I'm still investigating problem.
cn flag
Is it needed to do that? `passwd` has an option `--expire`, and that would force entering a new password.
hr flag
What is the actual error behavior you are observing? I just tried it in a WSL instance and it seemed to work.
cn flag
Ray
I suppose you can try running `passwd` through `strace` (i.e., `strace passwd`) and see if it's trying to load other files. I only have a rudimentary knowledge of `strace`, so you'll have to read up on it; `passwd` could be loading shared libraries which you have taken away his access to.
Score:1
jp flag

A user in a restricted bash shell should be able to run the passwd command successfully as long as they have the location (the full path of the containing directory) of a working passwd binary in their search path.

That is the usual case with rbash, as the restrictions by default apply only to:

• changing directories with cd

• setting or unsetting the values of SHELL, PATH, ENV, or BASH_ENV

• specifying command names containing /

• specifying a filename containing a / as an argument to the . builtin command

• specifying a filename containing a slash as an argument to the -p option to the hash builtin command

• importing function definitions from the shell environment at startup

• parsing the value of SHELLOPTS from the shell environment at startup

• redirecting output using the >, >|, <>, >&, &>, and >> redirection operators

• using the exec builtin command to replace the shell with another command

• adding or deleting builtin commands with the -f and -d options to the enable builtin command

• using the enable builtin command to enable disabled shell builtins

• specifying the -p option to the command builtin command

• turning off restricted mode with set +r or set +o restricted.

If, however, you are adding some extra strict measures beyond using rbash as the user's shell, you might want to look at what passwd actually needs to access, open, or write to with strace, like so:

strace -e open,openat,write,access passwd
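A worked example, added here and not part of the answer above or of the comment thread: a small POSIX shell harness that exercises the rbash rules that matter for this question (a bare name found through PATH is allowed; a command name containing "/" and an assignment to PATH are refused) and then filters an strace listing of the kind the answer suggests down to the files passwd could not open. It assumes bash is installed (rbash is bash started with -r), uses a throw-away script as a stand-in for /usr/bin/passwd so it runs unprivileged and never prompts, and the strace excerpt it parses is constructed, not captured from a real system.

```shell
#!/bin/sh
# Added example, not code from the original answer: reproduces the rbash
# command-lookup rules that decide whether a restricted user can run passwd,
# then triages strace output of the kind the answer suggests.
# Assumptions: bash is installed (rbash is just "bash -r"); a throw-away
# script stands in for /usr/bin/passwd so this runs unprivileged and never
# prompts. The lookup rules are identical for the real passwd binary.

BASH_BIN=$(command -v bash)   # absolute path, so exec needs no PATH lookup

# Build a scratch tree: $root/target/passwd is the stand-in binary (outside
# PATH, like /usr/bin/passwd for the asker's user) and $root/bin/passwd is
# the symlink the asker placed in the restricted user's bin directory.
setup_restricted_bin() {
    root=$(mktemp -d)
    mkdir "$root/bin" "$root/target"
    printf '#!/bin/sh\nexit 0\n' > "$root/target/passwd"
    chmod 755 "$root/target/passwd"
    ln -s "$root/target/passwd" "$root/bin/passwd"
    printf '%s\n' "$root"
}

# Run one command line in a restricted shell whose PATH is $1; the exit
# status is rbash's own, so callers can test it.
run_restricted() {
    PATH="$1" "$BASH_BIN" -r -c "$2"
}

# The three situations a restricted user actually runs into.
passwd_via_path() {        # bare name resolved through PATH: allowed
    run_restricted "$1/bin" 'passwd' >/dev/null 2>&1
}
passwd_via_full_path() {   # "/" in the command name: refused by rbash
    run_restricted "$1/bin" "$1/target/passwd" >/dev/null 2>&1
}
passwd_after_path_edit() { # PATH is read-only in rbash: assignment fails
    run_restricted "$1/bin" 'PATH=/usr/bin:$PATH && passwd' >/dev/null 2>&1
}

# If the name resolves but passwd still fails, the problem is past the
# shell. Given strace output on stdin, print "ERRNO path" for every
# open/openat/access call that failed: those are the files the user cannot
# reach (shared libraries, PAM configuration, and so on).
failed_file_access() {
    sed -nE 's/^(open|openat|access)\(.*"([^"]*)".*= -1 ([A-Z]+).*/\3 \2/p'
}

# Constructed strace excerpt (not captured from a real system), in the
# format produced by: strace -e open,openat,access passwd
STRACE_SAMPLE='openat(AT_FDCWD, "/etc/ld.so.cache", O_RDONLY|O_CLOEXEC) = 3
openat(AT_FDCWD, "/lib/libexample.so.1", O_RDONLY|O_CLOEXEC) = -1 EACCES (Permission denied)
access("/etc/pam.d/passwd", R_OK) = -1 ENOENT (No such file or directory)'

demo() {
    root=$(setup_restricted_bin)
    for check in passwd_via_path passwd_via_full_path passwd_after_path_edit; do
        if "$check" "$root"; then echo "$check: allowed"; else echo "$check: refused"; fi
    done
    echo "files passwd could not open (constructed sample):"
    printf '%s\n' "$STRACE_SAMPLE" | failed_file_access | sed 's/^/  /'
    rm -rf "$root"
}
demo
```

Run it as an ordinary user. When the first check reports "allowed" for the real user's bin directory but the login still cannot change the password, the shell is not the problem; trace the real binary with the answer's strace line and pipe the output through failed_file_access. One caveat when doing that: passwd is setuid, and tracing it as an unprivileged user makes the kernel drop the setuid bit, so run strace as root with `-u username` to see what the restricted user's process actually fails to open.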