Dell EMC Unity - Shell Lockdown (Rbash) On Unity OE 4.5 and Above (User Correctable) - Dell US

Article Number: 000057822

Dell EMC Unity: Shell lockdown (rbash) on Unity OE 4.5 and above (User Correctable)
Audience Level: Internal

Article Content

Symptoms

rbash is enabled by default on Unity OE 4.5 and higher.

This changes the shell behavior by disabling some actions/features, including:

Changing directories with the cd builtin.
Setting or unsetting the values of the SHELL, PATH, ENV, or BASH_ENV variables.
Specifying command names containing slashes.
Specifying a filename containing a slash as an argument to the . builtin command.
Specifying a filename containing a slash as an argument to the -p option to the hash builtin command.
Importing function definitions from the shell environment at startup.
Parsing the value of SHELLOPTS from the shell environment at startup.
Redirecting output using the >, >|, <>, >&, &>, and >> redirection operators.
Using the exec builtin to replace the shell with another command.
Adding or deleting builtin commands with the -f and -d options to the enable builtin.
Using the enable builtin command to enable disabled shell builtins.
Specifying the -p option to the command builtin.
Turning off restricted mode with set +r or set +o restricted.

See here for more details: https://www.gnu.org/software/bash/manual/html_node/The-Restricted-Shell.html

For a full list of whitelisted commands, see KB 000528422.

To mitigate the possible negative impact of Meltdown/Spectre, a decision was made to lock down the Unity shell by enabling rbash (restricted bash shell) starting in Unity OE 4.5.
Another change is the default home directory for the "service" user, which moved from "/home/service" to "/home/service/user".

As a result of these changes, differences will be noticed in the way one interacts with the Unity.

Possible errors:
rbash: cd: restricted (when trying to navigate through the directories)
rbash: xxxx: restricted: cannot redirect output (when trying to redirect output to a file with ">")
rbash: xxxx: command not found (when trying to run commands not in the approved whitelist)
rbash: ./example_script: restricted: cannot specify `/' in command names (when trying to run scripts)
Cannot initialize SFTP protocol. Is the host running an SFTP server? (when trying to set up file transfer tools like WinSCP)
Command 'cd "xxxx"' failed with return code 1 and error message. -rbash: line 47: cd: restricted (when trying to change directories with WinSCP)

Cause

Meltdown/Spectre mitigation. For more information, refer to KB 000516117.

Resolution
File Transfers
Use SCP instead of SFTP/FTP when setting up tools like WinSCP.
Remember: users will not be able to navigate to different directories even with applications such as WinSCP (cd is not allowed), so everything to be downloaded from the SP has to be copied first to "/cores/service/user" (or "/home/service/user", which is the same location).

If you want to download files directly from the directory they are in, you can use other tools such as pscp from the Windows command prompt (CMD):

Usage: pscp [options] [user@]host:source target
       pscp [options] source [source...] [user@]host:target

Download example (copying a data collect, the .tar file, and saving it to the local computer under C:\Users\testuser\Downloads):
C:\> pscp -scp [email protected]:/EMC/backend/service/data_collection/Unity_300_service_data_CKM00xxxx_2018-12-27_13_01_18.tar C:\Users\testuser\Downloads
Using keyboard-interactive authentication.
Password:
Unity_300_service_data_CK | 720570 kB | 42386.5 kB/s | ETA: 00:00:00 | 100%

Upload example:
C:\> pscp -scp C:\Users\testuser\Downloads\test.txt [email protected]:/cores/service/user
Using keyboard-interactive authentication.
Password:
test.txt | 0 kB | 0.0 kB/s | ETA: 00:00:00 | 100%

Navigation
The following links were created to allow users to navigate through directories without "cd".
The numbers prepended to the link names let users complete a path quickly by typing the two digits followed by Tab:
service@unity spb:~/user# pwd
/home/service/user <<<< new default home directory

service@unity spb:~/user# ll
lrwxrwxrwx 1 service service 24 Nov 3 11:50 00_emc_backend_log_shared -> /EMC/backend/log_shared/
lrwxrwxrwx 1 service service 13 Nov 3 11:50 01_emc_cem_log -> /EMC/CEM/log/
lrwxrwxrwx 1 service service 16 Nov 3 11:50 02_emc_c4core_log -> /EMC/C4Core/log/
lrwxrwxrwx 1 service service 9 Nov 3 11:50 03_var_log -> /var/log/
lrwxrwxrwx 1 service service 9 Nov 3 11:50 04_var_tmp -> /var/tmp/
lrwxrwxrwx 1 service service 21 Nov 3 11:50 05_emc_backend_service -> /EMC/backend/service/
lrwxrwxrwx 1 service service 23 Nov 3 11:50 06_usr_apache-tomcat_logs -> /usr/apache-tomcat/logs
lrwxrwxrwx 1 service service 14 Nov 3 11:50 07_nas_http_logs -> /nas/http/logs
lrwxrwxrwx 1 service service 15 Nov 3 11:50 08_emc_mnsvc_log -> /EMC/MNSVC/log/
lrwxrwxrwx 1 service service 17 Nov 3 11:50 09_emc_backend_cem -> /EMC/backend/CEM/
lrwxrwxrwx 1 service service 26 Nov 3 11:50 10_emc_backend_metricsluna1 -> /EMC/backend/metricsluna1/
lrwxrwxrwx 1 service service 24 Nov 3 11:50 11_emc_backend_perf_stats -> /EMC/backend/perf_stats/
Example (grep):
service@unity spb:~/user# grep ERROR 00_emc_backend_log_shared/EMCSystemLogFile.log
"2018-11-20T15:42:33.399Z" "..." "ERROR" "13:104f0002" :: "WARNING: Kerberos authentication failed due to clock skew error. Server='xxxxx'. Last Event Time: GMT: Tue Nov 20 15:30:31 2018."
"2018-11-20T15:44:33.726Z" "..." "ERROR" "13:104f0002" :: "WARNING: Kerberos authentication failed due to clock skew error. Server='xxxxx'. Last Event Time: GMT: Tue Nov 20 15:34:32 2018."
"2018-11-20T15:50:34.597Z" "..." "ERROR" "13:104f0002" :: "WARNING: Kerberos authentication failed due to clock skew error. Server='xxxxx'. Last Event Time: GMT: Tue Nov 20 15:40:33 2018."
"2018-11-20T15:52:34.904Z" "..." "ERROR" "13:104f0002" :: "WARNING: Kerberos authentication failed due to clock skew error. Server='xxxxx'. Last Event Time: GMT: Tue Nov 20 15:42:33 2018."
"2018-11-20T15:54:35.203Z" "..." "ERROR" "13:104f0002" :: "WARNING: Kerberos authentication failed due to clock skew error. Server='xxxxx'. Last Event Time: GMT: Tue Nov 20 15:44:33 2018."

Example (ls or ll - listing files):

service@unity spb:~/user> ll 05_emc_backend_service/data_collection/
-rw-r--r-- 1 root root 692459520 Nov 11 09:21 Unity_300_service_data_CKM0018xxxxxxx_2018-11-11_09_07_14.tar
-rw-r--r-- 2 root root 683325440 Nov 12 16:06 Unity_300_service_data_CKM0018xxxxxxx_2018-11-12_15_54_11.tar
-rw-r--r-- 1 root root 697292800 Nov 14 09:12 Unity_300_service_data_CKM0018xxxxxxx_2018-11-14_08_58_19.tar
drwxr-xr-x 4 root root 4096 Nov 8 12:05 cores
-rw-r--r-- 1 root root 207872000 Sep 26 10:06 daily_Unity_300F_service_data_CKM0018xxxxxxx_2018-09-26_09_57_43.tar

The same principle applies to everything else.
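The restriction list under Symptoms and the symlink workaround under Navigation can be reproduced locally. The following is an added example, not part of the Dell article: it starts a restricted bash (bash -r, the same mode rbash runs in), checks that the operations the article says are refused really fail, and shows that a numbered symlink in the home directory still lets a whitelisted command such as grep read a log without cd. The scratch directory, the 03_var_log link target and the log contents are constructed for the demo.

```shell
#!/usr/bin/env bash
# Added example, not from the Dell KB: probe a restricted bash (bash -r, the
# same mode as rbash) to show which operations from the article's list are
# refused, and that a numbered symlink in the home directory still lets a
# whitelisted command read logs without cd.

# Run one command string in a restricted bash and echo its exit status.
# Output is silenced; the caller only looks at the status.
rbash_probe() {
    status=0
    bash -r -c "$1" >/dev/null 2>&1 || status=$?
    echo "$status"
}

# Constructed stand-in for /home/service/user holding one numbered symlink,
# modelled on the article's 03_var_log -> /var/log link (hypothetical paths).
make_fake_home() {
    dir=$(mktemp -d)
    mkdir "$dir/target_logs"
    printf 'ERROR sample failure\nINFO all good\n' > "$dir/target_logs/app.log"
    ln -s "$dir/target_logs" "$dir/03_var_log"
    echo "$dir"
}

# Each of these is refused by the restricted shell (non-zero status):
probe_cd()        { rbash_probe 'cd /tmp'; }                 # rbash: cd: restricted
probe_redirect()  { rbash_probe 'echo x > /tmp/probe.txt'; } # cannot redirect output
probe_slash_cmd() { rbash_probe '/bin/ls /'; }               # cannot specify `/' in command names
probe_set_path()  { rbash_probe 'PATH=/tmp'; }               # PATH is read-only

# Permitted: only command names may not contain "/"; arguments may, so a
# relative path through the symlink works for grep exactly as in the article.
probe_symlink_grep() {
    home=$(make_fake_home)
    ( cd "$home" && rbash_probe 'grep -q ERROR 03_var_log/app.log' )
    rm -rf "$home"
}

# Stand-alone run: print each probe's exit status for the reader.
for p in probe_cd probe_redirect probe_slash_cmd probe_set_path probe_symlink_grep; do
    printf '%-20s exit=%s\n' "$p" "$("$p")"
done
```

Each refused operation reports a non-zero status and the matching rbash message on stderr; the grep through the symlink returns 0, which is why the article's numbered links make the locked-down shell usable.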

Additional Information

This secure shell can be disabled with UEMCLI:

uemcli -no -u admin -p <password> /sys/security set -restrictedShellEnabled no

Conditions:
The user needs to log out and log in again for the change to take effect.
The secure shell will be enabled again after an SP reboot/failover or after 24 hours.
Disabling rbash is only allowed when the system is fully functional.
Disabling rbash should be done only with the Unity administrator's consent.

To check status:
uemcli -no -u admin -p <password> /sys/security show

1:    FIPS 140 mode         = disabled
      TLS 1.0 mode          = enabled
      Restricted shell mode = enabled
Internal Notes

Notes:
Disabling the secure shell without customer approval should NOT be done.
Using root (svc_service_shell) just to bypass this restriction should NOT be done.

Article Properties

Affected Product
Dell EMC Unity Family

Product
Dell EMC Unity 300, Dell EMC Unity 300F, Dell EMC Unity 350F, Dell EMC Unity XT 380, Dell EMC Unity XT 380F, Dell EMC Unity 400, Dell EMC Unity 400F, Dell EMC Unity 450F, Dell EMC Unity XT 480, Dell EMC Unity XT 480F, Dell EMC Unity 500, Dell EMC Unity 500F, Dell EMC Unity 550F, Dell EMC Unity 600, Dell EMC Unity 600F, Dell EMC Unity 650F, Dell EMC Unity XT 680, Dell EMC Unity XT 680F, Dell EMC Unity XT 880, Dell EMC Unity XT 880F, Dell EMC Unity Family, Dell EMC Unity All Flash, Dell EMC Unity Hybrid, UnityVSA, Dell EMC UnityVSA (Virtual Storage Appliance), Dell EMC UnityVSA Professional Edition/Unity Cloud Edition

Last Published Date

23 Nov 2020

Version
2

Article Type
Solution
