Date: Tue, 5 Apr 2005 13:38:28 +0200 (CEST)
From: Andreas Davour <ante@Update.UU.SE>
To: freebsd-questions@freebsd.org
Subject: Re: Securely allowing just one application via telnet
Message-ID: <Pine.LNX.4.62.0504051335381.23065@Psilocybe.Update.UU.SE>
In-Reply-To: <1183736361.20050405031743@wanadoo.fr>
References: <1183736361.20050405031743@wanadoo.fr>
On Tue, 5 Apr 2005, Anthony Atkielski wrote:

> If I want to allow external users to log on under only one permissible
> username, which immediately and unconditionally executes only one
> program (no shell access), via telnet, what is the most secure way to
> set this up? I've always understood telnet to be somewhat of a
> Pandora's box for security, but I don't know if that applies to the
> protocol itself, or to telnetd, or if it just refers to the many dangers
> of shell access, or what. If there is a way to secure this type of
> access, I'd like to try it on my test server (I won't risk the
> production server, of course), as an exercise in setting up custom
> environments.
>
> Any suggestions on how best to do this securely?
>
> If a specific user is restricted to a specific program at login (via
> /etc/passwd), is there _any_ way he can sneak out to a shell, assuming
> that the program he is forced to run does _not_ provide shellout access?

Sure there is. If there is any possibility of a buffer overflow error in
that one program you let your users run, or "login" for that matter.

But, running the program as a login shell could at least minimize the
possibilities I guess. Not that I've tried it myself.

Go read about chroot and jail in the manpages and you'll think of
something.

/andreas

--
A: Because it fouls the order in which people normally read text.
Q: Why is top-posting such a bad thing?
A: Top-posting.
Q: What is the most annoying thing on usenet and in e-mail?
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?Pine.LNX.4.62.0504051335381.23065>
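The reply above suggests making the one permitted program the user's login shell. What that actually requires in practice is a small wrapper that login(1) execs, which then discards everything a telnet client could have smuggled in (command-line arguments, environment variables such as PATH, ENV or LD_PRELOAD, an odd TERM) before exec'ing the real program. The script below is an added example written for this thread; it is not code from either poster, and the program path /usr/local/bin/theapp, the user name appuser and the wrapper name oneapp-shell are assumed placeholders.

```sh
#!/bin/sh
# oneapp-shell: restricted login shell that runs exactly one program.
# Added example for the thread above, not the posters' own code.
# Assumed (hypothetical) names: the one program is /usr/local/bin/theapp,
# the restricted account is "appuser", this file is installed as
# /usr/local/bin/oneapp-shell and listed in /etc/shells, e.g.
#   echo /usr/local/bin/oneapp-shell >> /etc/shells
#   pw useradd appuser -d /var/empty -s /usr/local/bin/oneapp-shell

APP=${ONEAPP_PROGRAM:-/usr/local/bin/theapp}   # assumed path of the one program
APP_HOME=/var/empty                             # nothing writable lives here

# login(1) starts a login shell with argv[0] = "-<name>" and no further
# arguments.  Anything else ("-c id" from a caller that treats this
# file as a real shell) must be refused, or the wrapper becomes a shell.
# Returns 0 for a plain login, 1 otherwise.
oneapp_args_ok() {
    [ "$#" -eq 0 ]
}

# TERM is the only inherited value worth keeping, and only if it is a
# plain token (no shell metacharacters, no path components that could
# redirect terminfo lookups).  Prints the value to use, "dumb" if unsafe.
oneapp_safe_term() {
    case "$1" in
        ''|*[!A-Za-z0-9_.+-]*) echo dumb ;;
        *)                     echo "$1" ;;
    esac
}

# Replace this process with the program under a minimal, fixed
# environment.  env -i drops everything telnetd/login passed down
# (PATH, ENV, LD_*, etc.) so the program cannot be steered by the client.
oneapp_run() {
    if ! oneapp_args_ok "$@"; then
        echo "oneapp-shell: unexpected arguments, refusing" >&2
        exit 1
    fi
    umask 077
    cd "$APP_HOME" || exit 1
    exec /usr/bin/env -i \
        PATH=/usr/bin:/bin \
        HOME="$APP_HOME" \
        SHELL=/usr/sbin/nologin \
        TERM="$(oneapp_safe_term "${TERM:-}")" \
        "$APP"
    echo "oneapp-shell: exec of $APP failed" >&2   # only reached if exec failed
    exit 1
}

# Only act when invoked as the login shell (argv[0] is "-oneapp-shell"
# or "oneapp-shell"); under any other name the file just defines the
# functions above, which keeps it inspectable and testable.
case "${0##*/}" in
    oneapp-shell|-oneapp-shell) oneapp_run "$@" ;;
esac
```

Two caveats, both in line with the reply: the wrapper only closes the argument and environment routes out to a shell; a memory-corruption bug in the program itself still yields code execution as appuser, so the account should also live inside a chroot or jail with no setuid binaries and no writable directories beyond what the program needs. And confirm how the program behaves when it exits or receives SIGINT/SIGTSTP from the terminal: with the wrapper exec'ed in place there is no parent shell to fall back to, which is exactly the point, but the program must not itself offer a way to spawn a shell.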