Date: Tue, 3 Sep 2002 17:34:15 -0500
From: Dan Nelson
To: Giorgos Keramidas
Cc: Radko Keves, questions@FreeBSD.ORG
Subject: Re: restricted shell
Message-ID: <20020903223415.GB5980@dan.emsphone.com>

In the last episode (Sep 04), Giorgos Keramidas said:
> On 2002-09-03 20:44, Radko Keves wrote:
> > ;), Tue, Sep 03, 2002 at 09:04:51PM +0300, Giorgos Keramidas said that
> > > On 2002-09-03 17:50 +0000, Radko Keves wrote:
> > > > hi all i have question about restricted shell (for example rbash)
> > > > SHELL environment is read only, but user can run another shell if is
> > > > in PATH, [...]
> > that's fine but please supply next environments for my eyes:
> > PATH
> > SHELL
>
> Pardon me, I was invoking bash the wrong way.
> I stand corrected:
>
> charon@hades[00:42]/home/charon$ env PATH='/bin:/sbin:/usr/bin:.' /usr/local/bin/bash --restricted --norc

That PATH is more than enough to break out of the shell.  You can use
more, less, find, xargs, and probably 20 other commands in /usr/bin to
launch an unrestricted shell.  You should set PATH to a single
directory, and only put in it the programs that the user must run.

-- 
	Dan Nelson
	dnelson@allantgroup.com
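
One way to apply the advice in the reply above, as an added example that is not part of the original message: build a single directory of allowed programs and audit a PATH value before handing it to a restricted shell. The function names, the finding labels and the RISKY list (the commands named in the reply plus common shells) are assumptions made for illustration.

```sh
#!/bin/sh
# Added example, not from the thread. Function names and the RISKY list
# are assumptions; RISKY holds the commands the reply names plus shells.
RISKY="more less find xargs sh bash csh tcsh ksh zsh"

# build_rbin DIR PROG...  Create DIR holding only symlinks to the listed programs.
build_rbin() {
    rbin=$1; shift
    mkdir -p "$rbin" || return 1
    for prog in "$@"; do
        target=$(command -v "$prog") || { echo "missing: $prog" >&2; return 1; }
        case $target in
            /*) ln -sf "$target" "$rbin/$prog" ;;
            *)  echo "not an external program: $prog" >&2; return 1 ;;
        esac
    done
}

# audit_rpath PATH_VALUE ALLOWED...  Print findings; return 0 only if none.
audit_rpath() {
    path=$1; shift
    allowed=" $* "
    findings=0
    case $path in
        *:*) echo "multiple-dirs: $path"; findings=1 ;;
    esac
    case ":$path:" in
        *:.:*|*::*) echo "cwd-in-path: $path"; findings=1 ;;
    esac
    old_ifs=$IFS; IFS=:
    for dir in $path; do
        IFS=$old_ifs
        case $dir in /*) ;; *) continue ;; esac   # only absolute directories are scanned
        for f in "$dir"/*; do
            [ -f "$f" ] && [ -x "$f" ] || continue
            name=${f##*/}
            case " $RISKY " in
                *" $name "*) echo "shell-capable: $f"; findings=1; continue ;;
            esac
            case $allowed in
                *" $name "*) ;;
                *) echo "not-allowed: $f"; findings=1 ;;
            esac
        done
    done
    IFS=$old_ifs
    return "$findings"
}
```

For example, `build_rbin /usr/local/rbin ls cat` followed by `audit_rpath /usr/local/rbin ls cat` (a hypothetical directory and allow-list) prints nothing and returns 0, while the PATH quoted in the thread is reported for having several directories and for including the current directory.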