
Re: restricted bash (rbash)


In article <3A11F5B3.1925874B@m2tech.co.nz>, Nick Clifford
<nickc@m2tech.co.nz> wrote:

>Personally, a chroot jail is the only thing I trust when I need to set up
>an isolated or restricted environment. It's difficult to break out of a
>chroot jail even when you are root, but it can be done. So ensure they
>can't get root. :)

If you install capsel
(ftp://ftp.linuxnews.pl/Linux/kernel/patches/capsel/), you can restrict
chroot even for root - it will only succeed once; every subsequent call to
chroot will fail, so root can't break out either.

On a side note: I hacked up osh to gain a kind of "restricted" shell 
(very restricted in comparison with rbash). It's debianized at 
http://www.gws-online.de/download/, package name is nosh. It uses the 
same configuration style of osh to restrict users to special commands
and directories, so they can't access stuff I don't want them to access, 
and I don't have to set up a chroot jail (as that is sometimes a real 
PITA for some programs). We use it as a user's shell on westfalen.de so
people can be allowed to change passwords or execute weblint or other
command line tools without being given a full shell. It doesn't do shell
scripts in the expected way, though - only very limited shell 

Combined with capsel (where you can restrict executables to users, too), 
you can set up quite a restricted environment without need for chroot 
(or with chroot only for programs where it is needed).

bye, Georg

