Date: Wed, 4 Sep 2002 01:43:59 +0300
From: Giorgos Keramidas
To: Dan Nelson
Cc: Radko Keves, questions@FreeBSD.ORG
Subject: Re: restricted shell

On 2002-09-03 17:34 +0000, Dan Nelson wrote:
> In the last episode (Sep 04), Giorgos Keramidas said:
> > Pardon me, I was invoking bash the wrong way.
> > I stand corrected:
> >
> > charon@hades[00:42]/home/charon$ env PATH='/bin:/sbin:/usr/bin:.' \
> >     /usr/local/bin/bash --restricted --norc
>
> That PATH is more than enough to break out of the shell. You can use
> more, less, find, xargs, and probably 20 other commands in /usr/bin to
> launch an unrestricted shell. You should set PATH to a single
> directory, and only put in it the programs that the user must run.

Yes. I believe that's also the answer to the original question.

Create a directory like /usr/restricted and place several binaries
there, preferably statically linked to avoid having to mess with
LD_LIBRARY_PATH and other nice things. Then, spawn a shell like shown
above with only /usr/restricted in the PATH:

    % env PATH='/usr/restricted' /usr/local/bin/bash \
          --restricted --norc

That should be easy to do :-)

-- 
FreeBSD: The Power to Serve -- http://www.FreeBSD.org
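The rule the thread arrives at (a single directory in PATH, holding only the programs the user must run) can be checked before the restricted shell is handed out. The sh functions below are an added example, not part of the original messages; the names audit_rpath and in_list and the caller-supplied allow-list are assumptions made for illustration.

```shell
#!/bin/sh
# Added example, not from the thread. NAMED holds only the four commands
# Dan Nelson lists; since he expects "probably 20 other commands" to work
# too, the allow-list passed by the caller is the real control.
NAMED="more less find xargs"

in_list() {            # in_list WORD "space separated list"
    for w in $2; do [ "$w" = "$1" ] && return 0; done
    return 1
}

# audit_rpath PATH_VALUE "ALLOWED NAMES"
# Prints one finding per line; returns 0 when clean, 1 otherwise.
audit_rpath() {
    path_value=$1 allowed=$2 bad=0
    case $path_value in
        *:*) echo "multiple PATH entries: $path_value"; bad=1 ;;
    esac
    # Split PATH_VALUE on ':' without glob expansion.
    old_ifs=$IFS; IFS=:
    set -f; set -- $path_value; set +f
    IFS=$old_ifs
    [ $# -eq 0 ] && set -- ""
    for dir in "$@"; do
        case $dir in
            /*) ;;
            *) echo "relative or empty PATH entry: '$dir'"; bad=1; continue ;;
        esac
        for f in "$dir"/*; do
            [ -f "$f" ] && [ -x "$f" ] || continue
            name=${f##*/}
            if in_list "$name" "$NAMED"; then
                echo "$name: named in the thread as a way to start a shell"; bad=1
            elif ! in_list "$name" "$allowed"; then
                echo "$name: not on the allow-list"; bad=1
            fi
        done
    done
    return $bad
}
# Usage (hypothetical allow-list): audit_rpath /usr/restricted "ls cat mail"
```

The check covers only the PATH contents; it does not inspect dotfiles in the directory or verify that the binaries are statically linked.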