Editing the Commands Available in Check Point's Restricted Shell, cpshell

Today we look at how to add and remove commands from Check Point's Restricted shell: cpshell.

As many of you know, when you log on to any Check Point host that runs SecurePlatform you'll be presented with a restricted shell that limits the commands you can run. This is a good thing, because it keeps the junior admins away from the root prompt and all the fun you can have with the rm command! (All the magic happens in the /etc/cpshell directory. If you're smart, you'll run cat /etc/cpshell/*cfg, take one look at the output, and understand. If you want a bit more of a walkthrough, keep reading!)

Well, it's possible to remove commands from the restricted shell. For example, maybe you don't want your junior admin to run the 'router' command and screw up your OSPF configuration like he did last week. And the week before. Simple!

vi /etc/cpshell/gated.cfg and comment out the line that starts with 'router'.

It's also possible to add commands to the restricted shell. For example, maybe you're fed up with the junior admin asking you to run the 'df' command for him. No problem.

vi the .cfg file of your choice and add the df command to it. I chose to edit gated.cfg as this was where I was anyway.

As you can see in the graphic, the restricted shell can no longer run 'router' and now has a new command: diskspace! Hurrah!


A few points however:

 - I am not 100% sure (yet!) of the meaning of the numbers in the .cfg files.

 - IMPORTANT: Ensure that the permissions on the file are as they should be after you have done your editing.

 - You don't seem to be able to use parameters. For example, I could not insert 'df -h'. To remedy this, create a script containing your command and reference that script in the cpshell .cfg file (in fact you can see how Check Point have done this already for most commands).

 - Be aware that you might put your command into a .cfg file that cpshell doesn't even load. For example, cpshell won't load pv1.cfg unless Provider-1 is installed. I'd recommend creating your own .cfg file.

 - I'd also recommend creating another user, other than 'admin', on your splat box with a bash shell, so if you well and truly 'hose' your cpshell, you can still log in and fix it.
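The steps above, put together as an added shell example that is not from the original post and not Check Point's own code: it comments out a command in a .cfg file without disturbing the file's mode and owner (the permissions point), and builds a wrapper script so a command that needs arguments, such as 'df -h', can be listed (the parameters point). The sample .cfg contents, the file names and the CPSHELL_DIR variable are constructed for the demo; the real cpshell line format, numbers included, is not shown in the post, so the only rule relied on is that each entry's line starts with the command name.

```shell
#!/bin/sh
# Added example, not code from the original post or from Check Point.
# CPSHELL_DIR defaults to a scratch directory so this runs safely anywhere;
# on a real SecurePlatform box it would be /etc/cpshell (assumption: you have
# a non-cpshell user to run this as, per the post's last recommendation).
CPSHELL_DIR="${CPSHELL_DIR:-$(mktemp -d)}"

# disable_cmd <cfg-file> <command-name>
# Prefix every line that starts with <command-name> with '#'. The edit goes
# through a temp file and is then copied back into the ORIGINAL inode, so
# the .cfg keeps its mode and owner (sed -i would write a new file owned by
# whoever ran it). A .bak copy with the same attributes is kept via cp -p.
disable_cmd() {
    cfg="$1"; name="$2"
    cp -p "$cfg" "$cfg.bak"
    tmp="$cfg.tmp.$$"
    sed -e "s/^${name}[[:space:]]/#&/" -e "s/^${name}\$/#&/" "$cfg" > "$tmp" \
        && cat "$tmp" > "$cfg"
    rm -f "$tmp"
}

# make_wrapper <script-path> <command> [args...]
# The post found that arguments cannot be given in a .cfg entry, so wrap the
# full command line in a small script and list the script instead.
make_wrapper() {
    script="$1"; shift
    printf '#!/bin/sh\nexec %s "$@"\n' "$*" > "$script"
    chmod 755 "$script"
}

# perms_match <cfg-file>
# Return 0 if the edited file still has the same mode and owner as its .bak
# copy: the post's "check the permissions after editing" step, made testable.
perms_match() {
    a=$(ls -ld "$1"     | awk '{print substr($1,1,10), $3, $4}')
    b=$(ls -ld "$1.bak" | awk '{print substr($1,1,10), $3, $4}')
    [ "$a" = "$b" ]
}

# is_disabled <cfg-file> <command-name>
# Return 0 if no active line for <command-name> remains and a commented one does.
is_disabled() {
    ! grep -Eq "^$2([[:space:]]|\$)" "$1" && grep -q "^#$2" "$1"
}

# Demo with a CONSTRUCTED .cfg (placeholder text, not the real cpshell format).
demo() {
    cfg="$CPSHELL_DIR/custom.cfg"
    printf 'router run the router configuration tool\nifconfig show interfaces\n' > "$cfg"
    chmod 644 "$cfg"
    disable_cmd "$cfg" router
    make_wrapper "$CPSHELL_DIR/diskspace" df -h
    echo "diskspace show free disk space" >> "$cfg"   # append to the same inode
    perms_match "$cfg" && echo "permissions preserved"
    cat "$cfg"
}
demo
```

Running it prints the edited sample .cfg with the router line commented out and a new diskspace entry; the diskspace wrapper under CPSHELL_DIR simply execs 'df -h'. The point of copying back into the original inode rather than renaming a new file over it is that ownership and mode never change, which is exactly the post's IMPORTANT item; if the .cfg had been edited with a tool that recreates the file, perms_match would report the difference.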


Warning: Security Implication

Carefully consider the security implications of the changes you are making as you are exposing privileged commands to a less privileged user.


Warning: Technical Support Implication

It is not confirmed whether or not Check Point would support these modifications.


Please feel welcome to leave comments