I have no immediate security concerns or anything, I'm just curious and thinking out loud. One of the services I host on my personal/home server is a Minecraft Java Edition server. I have it publicly available because a handful of friends also play on it. I created a separate user account specifically for holding the Minecraft related files, and wrote my own systemd service file to enable starting and stopping the process. One other thing I did is I set the default user shell as rBash for the Minecraft user, with only certain commands (including java) inside their new $PATH folder. What I'm wondering about is, since I'm spawning the Minecraft service with a systemd service file, would Minecraft still be restricted by rBash, or since it's not an interactive shell, would the java (Minecraft) process be exempt from those restrictions?
I suspect the latter because I experimented by deleting the symlink to /bin/java that I placed in the user's new $PATH, and the systemd service file was still able to start the service as the user "minecraft".
I understand that rBash isn't a proper "jail" like a chroot jail, I'm just experimenting with reasonable ways to lock down publicly accessible services on my personal server so that if some exploit is found in Java or the game, they can't go wandering around or messing with other areas of the filesystem that don't concern them. I guess one method would be to just create a chroot jail for the minecraft user, then just symlink in all the normal binary directories like /bin and such, but exclude sensitive areas like mounted storage drives and such.
Statistics: Posted by Gerowen — 2024-01-28 05:10 — Replies 0 — Views 24
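The observation in the post is expected behaviour: systemd executes the `ExecStart=` command directly (an execve of the named binary), without ever invoking the account's login shell, so the shell set in /etc/passwd and the `$PATH` that rbash would enforce play no part in how the service starts. The practical way to confine a service started this way is to put the restrictions in the unit itself. Below is an added example of a sandboxed unit; it is not the poster's own service file. It assumes the server lives in /srv/minecraft with a server.jar, that java is at /usr/bin/java, and that the account is named minecraft; adjust those to match the host.

```ini
# /etc/systemd/system/minecraft.service  (added example, not the original poster's unit)
[Unit]
Description=Minecraft Java Edition server (sandboxed)
After=network-online.target
Wants=network-online.target

[Service]
Type=simple
User=minecraft
Group=minecraft
# Assumed layout: everything the server needs to write lives under /srv/minecraft.
WorkingDirectory=/srv/minecraft
# Absolute path: systemd does not consult the user's login shell or $PATH.
ExecStart=/usr/bin/java -Xms1G -Xmx2G -jar /srv/minecraft/server.jar nogui
Restart=on-failure

# Filesystem view: whole tree read-only, except the paths listed below.
ProtectSystem=strict
ReadWritePaths=/srv/minecraft
# Hides /home, /root and /run/user. Do not enable this if the files live in /home/minecraft.
ProtectHome=true
PrivateTmp=true
PrivateDevices=true
ProtectKernelTunables=true
ProtectKernelModules=true
ProtectControlGroups=true
ProtectClock=true
ProtectHostname=true
ProtectProc=invisible
ProcSubset=pid

# Privilege and capability limits.
NoNewPrivileges=true
CapabilityBoundingSet=
RestrictSUIDSGID=true
RestrictRealtime=true
RestrictNamespaces=true
LockPersonality=true
UMask=0077

# Network: only IPv4/IPv6 sockets (the game listens on TCP 25565 by default).
RestrictAddressFamilies=AF_INET AF_INET6

# Syscall filtering: start with the broad service profile and watch the
# journal for seccomp kills before tightening further.
SystemCallArchitectures=native
SystemCallFilter=@system-service

# Deliberately NOT set: MemoryDenyWriteExecute=true breaks the JVM's JIT,
# which needs pages that are both writable and executable.

[Install]
WantedBy=multi-user.target
```

After `systemctl daemon-reload`, `systemd-analyze security minecraft.service` prints a per-directive exposure score, which is a quick way to see what the unit still leaves open. If the chroot approach from the post is still wanted, systemd offers it in the same place: `RootDirectory=` confines the process to a directory tree, and `BindReadOnlyPaths=` maps the needed system directories into it read-only, which avoids symlinking /bin and friends by hand.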