Date: Mon, 10 Jan 2000 01:19:25 -0500 From: Jim Conner <jconner@enterit.com> To: Mojahedul Hoque Abul Hasanat <mojahed@citechco.net>, FreeBSD-Questions@FreeBSD.ORG Subject: Re: Question about restricted shell account. Message-ID: <4.2.0.58.20000110011322.00b318d0@mail.enterit.com> In-Reply-To: <20000111113354.B313@mars.cosmos.net> References: <Pine.BSF.4.10.10001101502570.75543-100000@iteso.mx> <20000110181654.1149.qmail@nwcst289.netaddress.usa.net> <Pine.BSF.4.10.10001101502570.75543-100000@iteso.mx>
next in thread | previous in thread | raw e-mail | index | archive | help
At 11:33 11-01-00 +0600, Mojahedul Hoque Abul Hasanat wrote:
>On Mon, Jan 10, 2000 at 03:04:51PM -0600, De la Cruz Lugo Eric
>wrote:
> >
> > Some out there knows about a restricted shell that runs on
> > FreeBSD in order to denny users to cd up their home dir. ?,
> > thanks in advance.
>
>A restricted shell will not prevent them from running another
>shell (bash, tcsh, ...) or program like emacs and changing the
>directory.
From what I understand about rksh and some others this is not entirely
accurate. rksh will only run whats in the PATH provided for it. Hence, if
you PATH /usr/bin or /usr/local/bin then yes, the restricted user will be
able to run another shell. However, if you do what is suggested in the man
page and create a local bin directory (or directory of your choice) and
place only the binaries you allow for that user to execute then you should
be safe.
man (1) ksh
...
-r restricted mode -- see below
...
A shell is interactive if the -i option is used or if both
standard input and standard error are attached to a tty.
An interactive shell has job control enabled (if avail-
able), ignores the INT, QUIT and TERM signals, and prints
prompts before reading input (see PS1 and PS2 parameters).
For non-interactive shells, the trackall option is on by
default (see set command below).
A shell is restricted if the -r option is used or if
either the basename of the name the shell is invoked with
or the SHELL parameter match the pattern *r*sh (e.g., rsh,
rksh, rpdksh, etc.). The following restrictions come into
effect after the shell processes any profile and $ENV
files:
o the cd command is disabled
o the SHELL, ENV and PATH parameters can't be changed
o command names can't be specified with absolute or
relative paths
o the -p option of the command built-in can't be used
o redirections that create files can't be used (i.e.,
>, >|, >>, <>)
Essentially, this restricted shell is chroot'ed (as far as I understand a
chroot to be) plus more restricted since the user can't cd.
Jim
>What you want is chroot. You may want to make a script/program
>that first chroots to the desired directory and then execs a
>shell (restricted perhaps).
>
>
>--
>Mojahed
>
>
>To Unsubscribe: send mail to majordomo@FreeBSD.org
>with "unsubscribe freebsd-questions" in the body of the message
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Today's errors, in contrast:
Windows - "Invalid page fault in module kernel32.dll at 0032:A16F2935"
UNIX - "segmentation fault - core dumped"
Humanous Beingsus - "OOPS, I've fallen and I can't get up"
-------------------------------
Jim Conner
NOTJames
jconner@enterit.com
To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-questions" in the body of the message
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?4.2.0.58.20000110011322.00b318d0>