Bug 904939
| Summary: | [RFE] An argument for ovirt-shell which would disable text processing via pipe, scripting, file redirections, etc. via shell | ||
|---|---|---|---|
| Product: | [Retired] oVirt | Reporter: | Jiri Belka <jbelka> |
| Component: | ovirt-engine-cli | Assignee: | Michael Pasternak <mpastern> |
| Status: | CLOSED WONTFIX | QA Contact: | |
| Severity: | unspecified | Docs Contact: | |
| Priority: | unspecified | ||
| Version: | unspecified | CC: | acathrow, bazulay, iheim, jkt |
| Target Milestone: | --- | Keywords: | FutureFeature |
| Target Release: | --- | ||
| Hardware: | Unspecified | ||
| OS: | Unspecified | ||
| Whiteboard: | infra | ||
| Fixed In Version: | Doc Type: | Enhancement | |
| Doc Text: | Story Points: | --- | |
| Clone Of: | Environment: | ||
| Last Closed: | 2013-12-01 10:58:07 UTC | Type: | Bug |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | Category: | --- | |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | |||
The ssh config, I think, is out of scope for ovirt-shell, and the user can do it. Having a config or a flag for ovirt-shell to not allow escaping to the shell, to support this mode, could make sense.

Closing old bugs. If this issue is still relevant/important in current version, please re-open the bug.
I would like to achieve a setup where I define 'ovirt-shell' as ForceCommand for users logging in via ssh. In this way, a logged-in user won't get the usual login shell but would be placed directly in an ovirt-shell session. But I don't want him to be able to do any "escapes" via '!' inside ovirt-shell, as this would in fact give him access to the shell. So an argument to start ovirt-shell with a "disabled" proxy to the Linux shell via the '!' or 'shell' commands would be implemented.

Actual results: A user who has ovirt-shell assigned instead of a normal login shell could do "escapes" via the '!'/'shell' commands and processing via pipe, scripting, file redirections, etc.

Expected results: A "limited" ovirt-shell which would forbid any "escapes" via the '!'/'shell' commands and processing via pipe, scripting, file redirections, etc.

Additional info: About ForceCommand from sshd_config(5):

ForceCommand: Forces the execution of the command specified by ForceCommand, ignoring any command supplied by the client and ~/.ssh/rc if present. The command is invoked by using the user's login shell with the -c option. This applies to shell, command, or subsystem execution. It is most useful inside a Match block. The command originally supplied by the client is available in the SSH_ORIGINAL_COMMAND environment variable. Specifying a command of “internal-sftp” will force the use of an in-process sftp server that requires no support files when used with ChrootDirectory.

So I want to give sysadmins a CLI accessed via ssh to manage the oVirt environment, but to restrict them from having any direct access to the filesystem/OS.

Original discussion on the list: http://permalink.gmane.org/gmane.comp.emulators.ovirt.user/5378
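The sshd side of the setup described in this report, as an added example that is not part of the original bug or of ovirt-engine-cli. The group name `ovirt-operators` and the path `/usr/bin/ovirt-shell` are assumptions; the directives are standard sshd_config(5) keywords.

```sshd_config
# /etc/ssh/sshd_config (fragment, constructed for illustration)

# Bare form: the forced command replaces the login session, but the
# connection can still carry port forwards, agent forwarding, X11 and
# tunnels, none of which pass through ovirt-shell.
#
#   Match Group ovirt-operators
#       ForceCommand /usr/bin/ovirt-shell

# Tightened form: same forced command, with the other channel types
# switched off for the matched accounts.
Match Group ovirt-operators
    # Assumed install path of ovirt-shell; adjust to the local system.
    ForceCommand /usr/bin/ovirt-shell
    # The interactive CLI needs a terminal.
    PermitTTY yes
    # No TCP, agent, X11 or tun forwarding for these accounts.
    AllowTcpForwarding no
    AllowAgentForwarding no
    X11Forwarding no
    PermitTunnel no

# Notes:
# - ForceCommand is run through the account's login shell with -c, so the
#   account still needs a working login shell on the host.
# - This fragment does not close the '!' / 'shell' escape described in
#   this report. That happens inside ovirt-shell, after sshd has already
#   started the forced command, so the account keeps OS access until
#   ovirt-shell itself can run with the escape disabled.
```

Validate the file with `sshd -t` before reloading the daemon.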