From owner-freebsd-security Wed May 17 12:49:20 1995
Return-Path: security-owner
Received: (from majordom@localhost) by freefall.cdrom.com (8.6.10/8.6.6) id MAA12385 for security-outgoing; Wed, 17 May 1995 12:49:20 -0700
Received: from mars.csg.peachnet.edu ([168.26.193.19]) by freefall.cdrom.com (8.6.10/8.6.6) with ESMTP id MAA12378 for ; Wed, 17 May 1995 12:49:19 -0700
Received: from mercury.csg.peachnet.edu (mercury.CSG.PeachNet.EDU [168.26.193.32]) by mars.csg.peachnet.edu (8.6.9/8.6.9) with ESMTP id PAA03321 for ; Wed, 17 May 1995 15:45:54 -0400
Received: from CCMAIN/SpoolDir by mercury.csg.peachnet.edu (Mercury 1.21); 17 May 95 15:53:35 EST
Received: from SpoolDir by CCMAIN (Mercury 1.21); 17 May 95 15:53:15 EST
From: "Christian"
Organization: Columbus College, Columbus, GA
To: security@FreeBSD.org
Date: Wed, 17 May 1995 15:53:11 EST
MIME-Version: 1.0
Content-type: text/plain; charset=US-ASCII
Content-transfer-encoding: 7BIT
Subject: Disabling subshell spawn in Telnet & Ftp clients
Priority: normal
X-mailer: Pegasus Mail v3.22
Message-ID: <5364FB10FE9@mercury.csg.peachnet.edu>
Sender: security-owner@FreeBSD.org
Precedence: bulk

I am in the process of setting up a FreeBSD box for student use at my school. I am restricting what a user can do through a menu system that they cannot break out of....there is only one problem...two of the menu choices are FTP and Telnet. Both of these clients have a command that will allow the user to get a subshell...I want to be able to disable this option. I know that some freenets that allow telnet & ftp have done this so I know it can be done. I am no C guru so please take this into consideration when you reply. Thanks in advance.

Christian Plazas

From owner-freebsd-security Fri May 19 06:47:30 1995
Return-Path: security-owner
Received: (from majordom@localhost) by freefall.cdrom.com (8.6.10/8.6.6) id GAA22878 for security-outgoing; Fri, 19 May 1995 06:47:30 -0700
Received: from vhf.dataradio.com (vhf.dataradio.com [198.168.41.55]) by freefall.cdrom.com (8.6.10/8.6.6) with ESMTP id GAA22872 for ; Fri, 19 May 1995 06:47:26 -0700
Received: (from root@localhost) by vhf.dataradio.com (8.6.9/8.6.9) id JAA03349; Fri, 19 May 1995 09:47:18 -0400
Date: Fri, 19 May 1995 09:47:17 -0400 (EDT)
From: Dataradio sysadmin
To: Christian
cc: security@FreeBSD.org
Subject: Re: Disabling subshell spawn in Telnet & Ftp clients
In-Reply-To: <5364FB10FE9@mercury.csg.peachnet.edu>
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: security-owner@FreeBSD.org
Precedence: bulk

On Wed, 17 May 1995, Christian wrote:

> I am in the process of setting up a FreeBSD box for student use
> at my school. I am restricting what a user can do through a menu
> system that they cannot break out of....there is only one
> problem...two of the menu choices are FTP and Telnet. Both of these
> clients have a command that will allow the user to get a subshell...I
> want to be able to disable this option. I know that some freenets
> that allow telnet & ftp have done this so I know it can be done. I
> am no C guru so please take this into consideration when you reply.
> Thanks in advance.
>

I think what you will find useful is setting the user's default shell in the password file to point to your menu system. That way, when the user spawns a subshell, it will simply re-invoke the menu system. With a simple semaphore file, you could easily detect that the menu system is already in use, and take the necessary actions.

Good luck!

-----
Andrew Webster     DATARADIO, Inc.
Network Manager    http://www.dataradio.com
Special Projects   awebster@dataradio.com
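
The approach suggested in the reply above, sketched as an added example that is not part of the original thread: a menu script installed as the login shell, with a per-user semaphore so that a nested start from a client's subshell escape is detected and refused. It assumes the clients start the subshell from the user's login shell, as the reply describes; `LOCK_BASE`, the function names and the `studentmenu` script name are hypothetical.

```shell
#!/bin/sh
# Added example: a menu installed as the login shell, with a semaphore so that a
# nested start (ftp/telnet "!" re-invoking the login shell) is detected.
# LOCK_BASE, the function names and the "studentmenu" name are hypothetical.
LOCK_BASE=/var/run/studentmenu    # assumed to exist and be writable by menu users

lock_path() { printf '%s/%s.lock' "$LOCK_BASE" "$(id -un)"; }

# Take the per-user semaphore. Returns 0 on success, 1 if a live menu holds it.
menu_acquire() {
    lock=$(lock_path)
    if mkdir "$lock" 2>/dev/null; then      # mkdir is atomic: only one caller wins
        echo "$$" > "$lock/pid"
        return 0
    fi
    holder=$(cat "$lock/pid" 2>/dev/null)
    # Stale semaphore left by a dead session: the recorded process is gone.
    if [ -n "$holder" ] && ! kill -0 "$holder" 2>/dev/null; then
        echo "$$" > "$lock/pid"
        return 0
    fi
    return 1
}

# Drop the semaphore, but only if this process owns it.
menu_release() {
    lock=$(lock_path)
    if [ "$(cat "$lock/pid" 2>/dev/null)" = "$$" ]; then rm -rf "$lock"; fi
}

menu_main() {
    # A client escape with a command may start the shell as "shell -c cmd":
    # the menu takes no arguments, so anything passed in is refused.
    [ $# -eq 0 ] || { echo "Commands are not available here."; return 1; }
    menu_acquire || { echo "Menu already running; returning to the client."; return 1; }
    trap menu_release EXIT
    trap '' INT QUIT TSTP               # no signalling out of the menu
    while printf '1) ftp  2) telnet  3) logout\n> ' && read -r choice; do
        case "$choice" in
            1) ftp ;;
            2) telnet ;;
            3) break ;;
        esac
    done
}

# Run only when installed under its real name (hypothetical: .../studentmenu).
case "$0" in *studentmenu) menu_main "$@" ;; esac
```

The password-file shell field would point at the installed script; the lock directory has to be created by the administrator beforehand.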