On Sun, Aug 20, 2000 at 01:34:04AM -0800, Ethan Benson wrote:
> On Sun, Aug 20, 2000 at 02:11:00AM -0700, kmself@ix.netcom.com wrote:
> >
> > As suggested, the restricted shell. Invoked with rbash or bash -r.
> >
> > This doesn't allow changes to $PATH, users can't cd, and a number of
> > other restrictions exist. You *have* to either point users to a system
> > directory with commands they can use, or create a commands directory for
>
> but you can't really include /bin or /usr/bin without allowing the
> user to trivially break out of the restricted shell:
>
> if /bin is in the $PATH then they need to only run `exec bash' to get
> a real shell without restrictions. if /usr/bin is in the path they
> can run chsh -s /bin/bash and logout and relogin to get a real shell
> (or passwd -s /bin/bash)
>
> really you have to only have ~/bin in their PATH and create
> appropriate symlinks or shell wrappers to the real binaries.

If it wasn't apparent, this was the sort of configuration I was
advocating.

An alternative would be to have some sort of an "rbash/bin" directory
someplace which all restricted users could be pointed at. You'd want to
avoid including, for obvious reasons, /bin, /usr/bin, or administrative
commands.

--
Karsten M. Self <kmself@ix.netcom.com>
http://www.netcom.com/~kmself
Evangelist, Opensales, Inc.
http://www.opensales.org
What part of "Gestalt" don't you understand?
Debian GNU/Linux rocks!
http://gestalt-system.sourceforge.net/
K5: http://www.kuro5hin.org
GPG fingerprint: F932 8B25 5FDD 2528 D595 DC61 3847 889F 55F2 B9B0
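The configuration discussed in this thread, as an added example that is not part of the original messages: one function fills a commands directory with symlinks to an allowlist, and another audits a restricted PATH for system directories and for the commands the thread names, including a shell linked under a different name. The function names and the inclusion of `sh` and the `sbin` directories are assumptions made for this example.

```shell
#!/bin/sh
# Added example, not from the thread. Function names are hypothetical.
# bash, chsh and passwd are the commands named in the thread; sh and the
# two sbin directories are assumptions added here.
DENY_NAMES="bash sh chsh passwd"
DENY_DIRS="/bin /usr/bin /sbin /usr/sbin"

# build_restricted_bin DIR CMD...: symlink each allowlisted command into DIR.
build_restricted_bin() (
    dir=$1; shift
    mkdir -p "$dir"
    for cmd in "$@"; do
        target=$(command -v "$cmd") || { echo "skip $cmd: not found" >&2; continue; }
        case $target in
            /*) ln -sf "$target" "$dir/$cmd" ;;
            *)  echo "skip $cmd: shell builtin, no binary to link" >&2 ;;
        esac
    done
)

# audit_restricted_path PATHSTRING: print findings; return 1 if any.
audit_restricted_path() (
    bad=0
    IFS=:
    for d in $1; do
        IFS=' '
        [ -n "$d" ] || { echo "FAIL empty PATH element (current directory)"; bad=1; continue; }
        real_d=$(readlink -f "$d" 2>/dev/null || echo "$d")
        sysdir=0
        for sys in $DENY_DIRS; do
            if [ "$d" = "$sys" ] || [ "$real_d" = "$sys" ]; then sysdir=1; fi
        done
        if [ "$sysdir" -eq 1 ]; then
            echo "FAIL $d: system directory in restricted PATH"; bad=1; continue
        fi
        for f in "$d"/*; do
            [ -x "$f" ] && [ ! -d "$f" ] || continue
            # Compare the link name and its resolved target, so a shell
            # linked under another name is still reported.
            real_f=$(readlink -f "$f" 2>/dev/null || echo "$f")
            for n in $DENY_NAMES; do
                if [ "${f##*/}" = "$n" ] || [ "${real_f##*/}" = "$n" ]; then
                    echo "FAIL $f -> $real_f: unrestricted shell reachable"; bad=1
                fi
            done
        done
    done
    [ "$bad" -eq 0 ]
)
```

Run the audit against the exact PATH string set for the restricted account, and again after any change to the commands directory.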