I need to create a safe environment for a foreign SSH user that has to have very restricted access to our server. That is:
- can only execute commands that are allowed
- can only use specific software that is allowed
- must not be allowed to see/modify/remove folders and files outside of his/her root filesystem under any circumstances
I have tried using a chroot jail before, with the jailkit tool, for a smaller project that did not need as much customization, and it worked fine, but this project is much bigger and requires a lot more customization in terms of allowed software and commands.
The requirements for the safe environment are:
- the ability to use basic commands such as ls, cd, grep etc.
- the ability to run dotnet scripts
- the ability to use a running RabbitMQ broker (the broker is running OUTSIDE of the environment)
- the ability to use a running PostgreSQL database (the database is running OUTSIDE of the environment)
I have heard about multistrap or debootstrap but I am not sure whether these are adequate tools for solving my problem.
The servers are running Debian 9 and 10. All the required software is installed in the root filesystem and is running fine. All I need is for the restricted user to be able to use it without being able to damage/corrupt the root filesystem.
My questions are:
- Are there any other useful (better) tools that I have not mentioned that could solve my problem?
- Are there any useful guides for the software I have mentioned that could solve my problem?
In case somebody is facing the same problem: I solved it using a Docker container with a separate SSH server and all the required software installed in it.
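As an added example (not the poster's own setup, and not part of the original answer), here is one way to lay out such a container with the hardening a practitioner would want: key-only login for a single named user, no forwarding, a read-only root filesystem, and a minimal capability set for sshd. Everything named here is an assumption: the user `guest`, the image tag `restricted-ssh`, the SSH port 2222, the public key file `./guest.pub`, the `/home/guest` volume, and the `broker`/`db` host aliases that point at the Docker host where RabbitMQ and PostgreSQL are running. The dotnet SDK and the PostgreSQL/RabbitMQ client tools would be installed in the Dockerfile at the marked line; they are left out to keep the example small.

```bash
#!/usr/bin/env bash
# Added example: sshd in a hardened Docker container for a restricted user.
# Assumptions (not from the original post): user "guest", image "restricted-ssh",
# port 2222, the guest's public key in ./guest.pub, and RabbitMQ/PostgreSQL
# listening on the Docker host (reachable from the bridge network).
set -eu

# Write the build context (Dockerfile + sshd_config) into directory $1.
write_build_context() {
  dir="$1"
  mkdir -p "$dir"
  cat > "$dir/Dockerfile" <<'EOF'
FROM debian:10-slim
RUN apt-get update \
    && apt-get install -y --no-install-recommends openssh-server \
    && rm -rf /var/lib/apt/lists/* \
    && mkdir -p /etc/ssh/authorized_keys \
    && useradd --create-home --shell /bin/bash guest
# Install the allowed software here (dotnet SDK, postgresql-client, etc.).
# The broker and the database themselves stay outside the container.
COPY sshd_config /etc/ssh/sshd_config
# Keys live under /etc/ssh (root-owned), not in the user's writable home.
COPY guest.pub /etc/ssh/authorized_keys/guest
RUN chown root:root /etc/ssh/authorized_keys/guest \
    && chmod 644 /etc/ssh/authorized_keys/guest
EXPOSE 2222
# /run is a tmpfs at runtime (see run_container), so create the
# privilege-separation directory at start rather than at build time.
CMD ["sh", "-c", "mkdir -p /run/sshd && exec /usr/sbin/sshd -D -e"]
EOF
  cat > "$dir/sshd_config" <<'EOF'
Port 2222
PermitRootLogin no
PasswordAuthentication no
ChallengeResponseAuthentication no
UsePAM no
PubkeyAuthentication yes
AuthorizedKeysFile /etc/ssh/authorized_keys/%u
AllowUsers guest
AllowTcpForwarding no
AllowAgentForwarding no
X11Forwarding no
PermitTunnel no
PermitUserEnvironment no
EOF
}

# Build the image from a fresh context; $1 is the path to the guest's public key.
build_image() {
  ctx="$(mktemp -d)"
  write_build_context "$ctx"
  cp "$1" "$ctx/guest.pub"
  docker build -t restricted-ssh "$ctx"
}

# Run with a read-only root filesystem, no new privileges, and only the
# capabilities assumed necessary for sshd to set up sessions and ptys.
# If sshd fails to start, read its stderr (docker logs) before adding any back.
# "host-gateway" needs Docker 20.10+; on older Docker use the bridge IP instead.
run_container() {
  docker run -d --name restricted-ssh \
    --read-only \
    --tmpfs /run:rw,nosuid,noexec,size=16m \
    --tmpfs /tmp:rw,nosuid,noexec,size=64m \
    -v restricted-ssh-home:/home/guest \
    --cap-drop=ALL \
    --cap-add=SETUID --cap-add=SETGID --cap-add=CHOWN \
    --cap-add=SYS_CHROOT --cap-add=KILL \
    --security-opt=no-new-privileges \
    --pids-limit 256 --memory 512m \
    --add-host broker:host-gateway \
    --add-host db:host-gateway \
    -p 2222:2222 \
    restricted-ssh
}

# Only deploy when explicitly asked, so the file can also be sourced/tested.
if [ "${1:-}" = "deploy" ]; then
  build_image ./guest.pub
  run_container
fi
```

Inside the container the guest connects to `broker:5672` and `db:5432`, so RabbitMQ and PostgreSQL on the host must listen on the Docker bridge interface (not only on 127.0.0.1) and their own authentication still applies. The named volume gives the user a writable home while the rest of the image stays read-only, and `no-new-privileges` means setuid binaries such as `su` or `sudo` cannot escalate even if they are present in the image.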