Re: restricted bash (rbash)
Hi!
In article <[🔎] 3A11F5B3.1925874B@m2tech.co.nz>, Nick Clifford
<nickc@m2tech.co.nz> wrote:
>Personally, a chroot jail is the only thing I trust when I need to setup
>an isolated or restricted environment. Its difficult to break out of a
>chroot jail even when you are root, but it can be done. So ensure they
>can't get root. :)
If you install capsel
(ftp://ftp.linuxnews.pl/Linux/kernel/patches/capsel/), you can restrict
chroot even for root - it will only succeed once, every next call to
chroot will fail, so root can't break out, too.
On a side note: I hacked up osh to gain a kind of "restricted" shell
(very restricted in comparison with rbash). It's debianized at
http://www.gws-online.de/download/, package name is nosh. It uses the
same configuration stile of osh to restrict users to special commands
and directories, so they can't access stuff I don't want them to access,
and I don't have to set up a chroot jail (as that is sometimes a real
PITA for some programs). We use it as a users shell on westfalen.de so
people can be allowed to change passwords or execute weblint or other
command line tools without being given a full shell. It doens't do shell
scripts in the expected way, though - only very limited shell
capabilities.
Combined with capsel (where you can restrict executables to users, too),
you can set up quite a restricted environment without need for chroot
(or with chroot only for programs where it is needed).
bye, Georg
--
http://www.westfalen.de/hugo/
Reply to: