Date:      Wed, 4 Sep 2002 01:43:59 +0300
From:      Giorgos Keramidas <keramida@ceid.upatras.gr>
To:        Dan Nelson <dnelson@allantgroup.com>
Cc:        Radko Keves <rado@studnet.sk>, questions@FreeBSD.ORG
Subject:   Re: restricted shell
Message-ID:  <20020903224359.GA38353@hades.hell.gr>
In-Reply-To: <20020903223415.GB5980@dan.emsphone.com>
References:  <20020903184443.GA99379@studnet.sk> <20020904004159.H37427-100000@hades> <20020903223415.GB5980@dan.emsphone.com>

On 2002-09-03 17:34 +0000, Dan Nelson wrote:
> In the last episode (Sep 04), Giorgos Keramidas said:
> > Pardon me, I was invoking bash the wrong way.
> > I stand corrected:
> > 
> > charon@hades[00:42]/home/charon$ env PATH='/bin:/sbin:/usr/bin:.' \
> > 	/usr/local/bin/bash --restricted --norc
> 
> That PATH is more than enough to break out of the shell.  You can use
> more, less, find, xargs, and probably 20 other commands in /usr/bin to
> launch an unrestricted shell.  You should set PATH to a single
> directory, and only put in it the programs that the user must run.

Yes.  I believe that's also the answer to the original question.
Create a directory like /usr/restricted and place several binaries
there, preferably statically linked to avoid having to mess with
LD_LIBRARY_PATH and other nice things.  Then, spawn a shell like shown
above with only /usr/restricted in the PATH:

	% env PATH='/usr/restricted' /usr/local/bin/bash \
	  --restricted --norc

That should be easy to do :-)

-- 
FreeBSD: The Power to Serve -- http://www.FreeBSD.org
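
Added example, not part of the original message: a POSIX sh check for the advice in this thread that a restricted shell's PATH should be one directory holding only the programs the user must run. The function name `audit_restricted_path` and the `RISKY` list (limited to the four commands named in the quoted reply) are assumptions made here.

```shell
#!/bin/sh
# Added example: audit a PATH value meant for a restricted shell.
# RISKY lists only the commands named in the thread; it is not exhaustive.
RISKY="more less find xargs"

# Prints one finding per line; returns 0 when PATH_VALUE is clean, 1 otherwise.
audit_restricted_path() {
    path_value=$1
    findings=0
    report() { echo "$1"; findings=$((findings + 1)); }

    case $path_value in
        *:*) report "multiple-dirs: PATH should name a single directory" ;;
    esac

    while IFS= read -r dir; do
        case $dir in
            /*) ;;
            *)  report "relative-entry: '$dir' resolves against the current directory"
                continue ;;
        esac
        if [ ! -d "$dir" ]; then
            report "missing-dir: $dir"
            continue
        fi
        # A directory others can write to lets them add their own programs.
        if [ -n "$(find "$dir" -prune \( -perm -0020 -o -perm -0002 \))" ]; then
            report "writable-dir: $dir is group- or world-writable"
        fi
        for name in $RISKY; do
            if [ -e "$dir/$name" ]; then
                report "risky-binary: $dir/$name can launch other programs"
            fi
        done
    done <<EOF
$(printf '%s\n' "$path_value" | tr ':' '\n')
EOF
    [ "$findings" -eq 0 ]
}

# When run as a script with an argument, audit that PATH value.
if [ "$#" -gt 0 ]; then
    audit_restricted_path "$1"
fi
```

Run it against the value you intend to pass to `env PATH=...` before handing out the restricted account; a clean result only means none of the listed checks fired.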
