[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Re: restricted bash (rbash)

On Wed, Nov 15, 2000 at 12:08:30AM -0800, Alexander Hvostov wrote:
> Jochen,
> mkdir /usr/local/bin/restricted;ln -s <command>
> /usr/local/bin/restricted/<command>;...
> export PATH=/usr/local/bin/restricted;exec rbash
> ...boom. Now only the commands you want the user to be able to run will be
> available. Shell scripts, however, continue to work fine, since their
> `hash bang' doesn't pay attention to the PATH anyway (which I think is
> more than slightly objectionable, but that's beyond the scope of this
> email).
  As long as they can't write to a directory that they can execute files
from (i.e. in PATH, with rbash), they can't take advantage of it.

I think rsh (restricted, not remote) was designed a long time ago, back when
casual security was all that was needed.  If you trust your users not to
be malicious, and just want to protect them from themselves, more or less,
restricted shell is the way to go.

#define X(x,y) x##y
Peter Cordes ;  e-mail: X(peter@llama.nslug. , ns.ca)

"The gods confound the man who first found out how to distinguish the hours!
 Confound him, too, who in this place set up a sundial, to cut and hack
 my day so wretchedly into small pieces!" -- Plautus, 200 BCE

Reply to: