Securely allowing just one application via telnet

Andreas Davour ante at Update.UU.SE
Tue Apr 5 04:38:38 PDT 2005


On Tue, 5 Apr 2005, Anthony Atkielski wrote:

> If I want to allow external users to log on under only one permissible
> username, which immediately and unconditionally executes only one
> program (no shell access), via telnet, what is the most secure way to
> set this up?  I've always understood telnet to be somewhat of a
> Pandora's box for security, but I don't know if that applies to the
> protocol itself, or to telnetd, or if it just refers to the many dangers
> of shell access, or what.  If there is a way to secure this type of
> access, I'd like to try it on my test server (I won't risk the
> production server, of course), as an exercise in setting up custom
> environments.
>
> Any suggestions on how best to do this securely?
>
> If a specific user is restricted to a specific program at login (via
> /etc/passwd), is there _any_ way he can sneak out to a shell, assuming
> that the program he is forced to run does _not_ provide shellout access?

Sure there is, if there is any possibility of a buffer overflow error in 
that one program you let your users run, or in "login" for that matter.

But, running the program as a login shell could at least minimize the 
possibilities I guess. Not that I've tried it myself. Go read about 
chroot and jail in the manpages and you'll think of something.

/andreas

-- 
A: Because it fouls the order in which people normally read text.
Q: Why is top-posting such a bad thing?
A: Top-posting.
Q: What is the most annoying thing on usenet and in e-mail?
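An added example, not code from the original thread or from FreeBSD, of the "run the program as the login shell" idea from the reply above, with the jail step it points at. The wrapper discards every argument login(1) or the telnet client may hand it (a real shell would honour "-c command") and drops the inherited environment (telnetd forwards client-chosen variables) before exec'ing the one program, so no shell process stays behind the application. The account name, the wrapper path, the jail root and address, and the stub program are all assumptions chosen for illustration; the privileged install function is shown but not run.

```shell
#!/bin/sh
# Added example (not from the thread): a single-program telnet account.
# All paths and names below are assumptions, not FreeBSD defaults.

# make_login_wrapper WRAPPER PROG
# Writes WRAPPER, the script to list as the account's shell in
# /etc/passwd.  It ignores its arguments, wipes the environment and
# exec's PROG, so nothing of the wrapper survives once PROG starts.
make_login_wrapper() {
    wrapper="$1"
    prog="$2"
    cat > "$wrapper" <<EOF
#!/bin/sh
# "\$@" is deliberately never used: arguments arrive from login(1)
# and the telnet client, not from anyone we trust.
# env -i drops every inherited variable; only a sane PATH, a harmless
# HOME and the terminal type reach the program.
exec /usr/bin/env -i PATH=/bin:/usr/bin HOME=/ TERM="\${TERM:-dumb}" "$prog"
EOF
    chmod 0755 "$wrapper"
}

# make_stub_program PROG
# A constructed stand-in for the real application: it reports how many
# arguments it received and whether a planted variable survived, so the
# wrapper can be checked without the real program.
make_stub_program() {
    cat > "$1" <<'EOF'
#!/bin/sh
printf 'onlyapp argc=%s injected=%s\n' "$#" "${INJECTED:-no}"
EOF
    chmod 0755 "$1"
}

# probe_wrapper WRAPPER
# Runs WRAPPER the way a user would try to abuse a real login shell:
# a "-c" escape and a planted environment variable.
probe_wrapper() {
    INJECTED=yes "$1" -c 'echo ESCAPED'
}

# demo_wrapper
# Builds stub and wrapper in a scratch directory; returns 0 when the
# program saw no arguments and no injected variable.
demo_wrapper() {
    d=$(mktemp -d) || return 1
    make_stub_program "$d/onlyapp"
    make_login_wrapper "$d/restricted-sh" "$d/onlyapp"
    out=$(probe_wrapper "$d/restricted-sh")
    rm -rf "$d"
    [ "$out" = "onlyapp argc=0 injected=no" ]
}

# install_account
# The privileged part (root only; not executed here).  Assumed layout:
# jail root /var/jail/app holding the program, the wrapper at
# /usr/local/sbin/restricted-sh inside it, and the jail's inetd.conf
# with the telnet line enabled.  pw's -V points it at the jail's
# password files; jail(8) here uses the FreeBSD 5-era positional form.
install_account() {
    pw -V /var/jail/app/etc useradd appuser -d /nonexistent \
        -s /usr/local/sbin/restricted-sh \
        -c 'single-application telnet account'
    jail /var/jail/app app.example.net 192.0.2.10 /usr/sbin/inetd
}
```

Running `demo_wrapper` (exit status 0 means the wrapper held) shows the two things the wrapper is for: the "-c" never reaches a shell, and the planted variable is gone. What it does not address is the program itself, which is the point of the reply: a memory-safety bug in the application or in login is still a way out, which is why the whole thing is meant to sit inside the jail, and telnet still carries the password in clear.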

