VanDyke Software

VShell® Server

I need to have my users log on and only run our business application; no shell, no SFTP access whatsoever.

The following options should get you close to what you need.

If you want certain users (called the BusApp group for this example) to only have access to your business application and not have SFTP or port forwarding, you can use a combination of two different VShell® configuration options (AccessControl and ChrootUsers or ChrootGroups) combined with a controlled setup on the UNIX box.

Using the AccessControl configuration option, you can configure VShell so that the group of users that you want to have access to your business application does not have access to SFTP or port forwarding. Then, using ChrootGroups (or ChrootUsers), you can set it up so that the members of the BusApp group are "jail shelled" to their home folder (which you can set to a directory that only contains your business application).

Note: All shared libraries must also be moved to the user's home directory when using ChrootUsers or ChrootGroups.

Example of the vshelld_config file:

    ...
    AccessControl {
        Login {
            AllowGroups { BusApp, users } #Allow members of users and BusApp login access
        }
        Shell {
            AllowUsers { bob } #Allow Bob the IT manager shell access
            AllowGroups { BusApp } #Allow the group BusApp shell access (they are jailed)
        }
        SFTP {
            AllowUsers { bob } #Allow Bob the IT manager SFTP access
        }
        RemoteExecution {
            AllowUsers { bob } #Allow Bob remote execution access
            DenyGroups { BusApp } #Deny the group BusApp remote execution access
        }
        PortForwarding { } #No one can port forward
        RemotePortForwarding { } #No one can remote port forward
    }

    ChrootGroups { BusApp }
    ...

Then, in your /etc/passwd file for your BusApp members, define their shells and home folders as follows (assuming that you create a directory called /jail/bin and it has your BusApp in it):

/etc/passwd:

    ...
    Alice:x:512:530:Jailed User Alice:/jail:/bin/BusApp
    Ted:x:513:530:Jailed User Ted:/jail:/bin/BusApp
    ...

In /etc/group:

    ...
    BusApp:x:530:
    ...

This way, when your BusApp users connect to VShell, they will automatically be placed in the jail folder (which will look like their root, /), and bin/BusApp will be executed as their shell.
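
The note above requires the application's shared libraries to be present inside the jail. The following is an added example, not VanDyke's own code, of one way to find and copy them with `ldd`; the function names are hypothetical, and it assumes the /jail layout used on this page and a system that provides `ldd`.

```shell
#!/bin/sh
# Added example (not VanDyke code): copy the shared libraries a jailed
# program needs into the chroot, at the same paths they have outside it.
# Assumes the page's layout (/jail, /jail/bin/BusApp) and a system with ldd.

# Constructed sample of `ldd` output, used to show what the parser handles.
SAMPLE_LDD='	linux-vdso.so.1 (0x00007ffc1a5f2000)
	libc.so.6 => /lib/x86_64-linux-gnu/libc.so.6 (0x00007f2b3c000000)
	libmissing.so.1 => not found
	/lib64/ld-linux-x86-64.so.2 (0x00007f2b3c400000)'

# Read ldd output on stdin; print each on-disk library path once.
# The vdso line has no file behind it and is skipped.
ldd_paths() {
    awk '$2 == "=>" && $3 ~ /^\// { print $3; next }
         $1 ~ /^\//               { print $1 }' | LC_ALL=C sort -u
}

# Read ldd output on stdin; print libraries the loader could not resolve.
ldd_missing() {
    awk '$2 == "=>" && $3 == "not" { print $1 }'
}

# Copy one file into the jail under its original absolute path.
# cp without -R follows symlinks, so the jail gets the real library file.
copy_into_jail() {
    jail=$1; src=$2
    mkdir -p "$jail$(dirname "$src")" && cp -p "$src" "$jail$src"
}

# Copy every library that $2 depends on into jail $1.
# Fails early if ldd fails or any dependency is unresolved, since the jailed
# program would not start. Library paths with whitespace are not supported.
populate_jail_libs() {
    jail=$1; bin=$2
    deps=$(ldd "$bin") || return 1
    missing=$(printf '%s\n' "$deps" | ldd_missing)
    [ -z "$missing" ] || { echo "unresolved: $missing" >&2; return 1; }
    for lib in $(printf '%s\n' "$deps" | ldd_paths); do
        copy_into_jail "$jail" "$lib" || return 1
    done
}

# Usage on the server, as root:  populate_jail_libs /jail /jail/bin/BusApp
```

Run `ldd` only against binaries you trust, such as your own business application, and re-run the copy after the application or the system libraries are updated.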

