Re: restricted bash (rbash)

To: debian-security@lists.debian.org
Subject: Re: restricted bash (rbash)
From: Colin Phipps <cph@netcraft.com>
Date: Tue, 14 Nov 2000 15:50:05 +0000
Message-id: <[🔎] 20001114155005.A4643@ns0.netcraft.com>
Mail-followup-to: debian-security@lists.debian.org
In-reply-to: <20001114163433.C16710@Death.TGR.yi.org>; from debian@TGR.yi.org on Tue, Nov 14, 2000 at 04:34:33PM +0100
References: <[🔎] 20001114133056.B3339@mantis.autsens.localnet> <20001114163433.C16710@Death.TGR.yi.org>

On Tue, Nov 14, 2000 at 04:34:33PM +0100, Jan Martin Mathiassen wrote:
> On Tue, Nov 14, 2000 at 01:30:57PM -0200, Pedro Zorzenon Neto wrote:
> >   I put /bin/rbash as the default shell (in /etc/passwd) for some users that
> > I just want them to use a restricted login.
> > 
> >   When the user logs in, rbash is being executed and the restricted login is
> > working well. But, if the user executes 'bash', everything becames unrestricted.

[goes away and plays with rbash for a bit]

> >   How can I deny the execution of shells inside rbash?
> My first thought would be to remove the executable flag for other users,
> make a special group for bash, and add anyone that should have access to
> bash in that group.

No; restricting just shells is useless if you leave other commands open. 

>From my very brief look, it appears that rbash essentially prevents you 
running commands outside of your PATH. Clearly it has NO security value 
unless you set their PATH to a directory with only the few commands you 
want them to be allowed to run.

-- 
Colin Phipps <cph@netcraft.com>                http://www.netcraft.com/

Reply to:

Follow-Ups:
- Re: restricted bash (rbash)
  - From: Tomasz Kuźniar <mezon@profnet.pl>

References:
- restricted bash (rbash)
  - From: Pedro Zorzenon Neto <pzn@terra.com.br>

Prev by Date: restricted bash (rbash)
Next by Date: Re: restricted bash (rbash)
Previous by thread: restricted bash (rbash)
Next by thread: Re: restricted bash (rbash)
Index(es):
- Date
- Thread