When specifying somebody's shell as "rbash" to invoke the restricted
behaviour, bash does do a decent job in most respects of disallowing
users to run arbitrary commands, by virtue of not allowing changes to
$PATH, cd'ing to directories, or running commands with a slash in the
pathname. However, that didn't stop one user, who simply did:

  user~$ hash -p /bin/bash bash
  user~$ bash

And away (s)he went with a fully unrestricted shell. :-/

(An account whose password was compromised via a rewt-kit sniffer
could not have the password changed or account disabled because there
is a daemon that telnets to it with a hard-wired username/password
combo. So I figured a restricted shell with all the commands the
daemon needs (in ~/bin, with PATH set to /homedir/bin) would do the
trick. But the original rewt-kit culprit merely logged in and got
around the restriction.)

OK, shoot me, now I know that I can `enable -n xyzzy`. But it sure
would have been nice had the defaults for restricted shell been such
that all potentially dangerous built-ins be disabled by default.
--
Kristofer Karas * k...@ktk.bidmc.harvard.edu
AMA/CCS DoD RF900RR NT650++ !car * Senior systems engineer/SysAdmin
"Build a system that even a fool can use, * BI Deaconess Medical Center, Boston
and only a fool will want to use it." * Will design LISP machines for food

Whoops. Overlooked that one. It will be fixed in the next version.
--
``The lyf so short, the craft so long to lerne.'' - Chaucer
( ``Discere est Dolere'' -- chet)
Chet Ramey, Case Western Reserve University Internet: ch...@po.CWRU.Edu
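
An added example, not part of either post above: a self-check an administrator can run to see whether a given bash refuses the "hash -p" escape in restricted mode, and whether the "enable -n" workaround from the first post holds. The function names, the BASH_BIN variable and the /nonexistent PATH value are assumptions made for this sketch.

```shell
#!/bin/sh
# Added example (not from the thread): audit a bash binary for the
# restricted-shell escape described above. Nothing is modified on disk.

# Assumption: the bash to audit is reachable as "bash"; override BASH_BIN.
BASH_BIN=${BASH_BIN:-bash}

# Run a command in a fresh bash with no startup files; output is
# discarded and only the exit status is returned.
probe() {
    "$BASH_BIN" --norc --noprofile "$@" >/dev/null 2>&1
}

# Succeeds when a restricted shell refuses to bind a name to an arbitrary
# path with "hash -p" (the fix the reply promises for the next version).
rejects_hash_p() {
    if probe -r -c 'hash -p /bin/sh sh'; then
        return 1    # hash -p was accepted: the escape from the post works
    fi
    return 0
}

# Succeeds when the "enable -n" workaround holds: hash is disabled before
# restrictions are switched on, PATH points at an empty location
# (constructed value), and the restricted shell can neither use the
# builtin nor switch it back on.
workaround_holds() {
    setup='enable -n hash; PATH=/nonexistent; set -r'
    if probe -c "$setup; hash -p /bin/sh sh"; then
        return 1
    fi
    if probe -c "$setup; enable hash"; then
        return 1
    fi
    return 0
}

# Print a short report; returns non-zero if either check fails.
audit_rbash() {
    status=0
    if rejects_hash_p; then echo "ok:   restricted shell rejects hash -p"
    else echo "FAIL: hash -p accepted in restricted shell"; status=1; fi
    if workaround_holds; then echo "ok:   enable -n hash cannot be undone"
    else echo "FAIL: enable -n hash workaround can be bypassed"; status=1; fi
    return $status
}
```

Source the file and call audit_rbash; set BASH_BIN to the path of the shell actually assigned to the restricted account.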