Hi, On 15 Nov 2000, Peter Cordes <peter@llama.nslug.ns.ca> wrote: > > > Jochen, > > > > mkdir /usr/local/bin/restricted;ln -s <command> > > /usr/local/bin/restricted/<command>;... > > > > export PATH=/usr/local/bin/restricted;exec rbash > > > > ...boom. Now only the commands you want the user to be able to run will be > > available. OK. So far it's clear I think. > > Shell scripts, however, continue to work fine, since their > > `hash bang' doesn't pay attention to the PATH anyway (which I think is > > more than slightly objectionable, but that's beyond the scope of this > > email). Umm... OK, so you have a restricted shell where /bin/bash is not executed any more. But if your script begins #!/bin/bash (or e.g. #!/usr/bin/perl) does rbash really still execute it?? Would be an easy way to work around all those restrictions, right? Or did I just get you wrong? Otherwise many users' scripts would simply be dead suddenly... > As long as they can't write to a directory that they can execute files > from (i.e. in PATH, with rbash), they can't take advantage of it. > (Probably...) ^^^^^^^^ ;-) > I think rsh (restricted, not remote) was designed a long time ago, back when > casual security was all that was needed. If you trust your users not to > be malicious, and just want to protect them from themselves, more or less, > restricted shell is the way to go. OK, I think I can live with that :-). Restricted != secure ... Greetings, Jochen. -- FAQ zur Newsgroup at.linux: <http://alfie.ist.org/LinuxFAQ/>
Attachment:
pgp9I6dK64_Ig.pgp
Description: PGP signature