Re: Restricted Shells or Menu Based Shells
From: Steffen Dettmer (steffen@dett.de) Date: 02/28/02
- Previous message: Derek D. Martin: "Re: Restricted Shells or Menu Based Shells"
- Maybe in reply to: Derek D. Martin: "Re: Restricted Shells or Menu Based Shells"
- Next in thread: Sumit Dhar: "Re: Restricted Shells or Menu Based Shells"
- Next in thread: Christophe Zwecker: "Re: Restricted Shells or Menu Based Shells"
- Reply: Sumit Dhar: "Re: Restricted Shells or Menu Based Shells"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Date: Thu, 28 Feb 2002 09:06:48 +0100 From: Steffen Dettmer <steffen@dett.de> To: focus-linux@securityfocus.com
* Sumit Dhar wrote on Sun, Feb 24, 2002 at 15:17 -0500:
> On Sun, 24 Feb 2002, Victor Usjanov wrote:
> > Seen your advice and decided to try on my server. I am running RH7.2.
> > When i tried to change /bin/bash to /bin/bash2 -r for a test user in
> > /etc/passwd file, and log on that user, the only thing i got was
> > "cannot run /bin/bash2 -r: No such file or directory"
You cannot specify parameters in passwd. To achieve restricted
mode, cp / ln bash (or bash2) to "rbash". Bash goes into restricted
mode if argv[0] equals rbash.
man bash /RESTRICTED
> 3. Once you have done all that, add a user whose shell is /bin/bash2 -r
> to your password file.
I don't think that this will work on most linux systems.
It is really important to make your own "bin" style directory for
rbash users. I have such a setup, and copied a few (!) allowed
binaries to there. If you have vim, cp it into that dir as rvim,
since vim is able to execute shell processes! That applies for
really a lot of tools. Don't cp standard ftp, since it's able to
drop a non-restricted /bin/bash. Ohh, and don't set up paths and
such in .profile - users may overwrite it! Make sure you make
other variables readonly. Set the PATH to the new "bin" style
tree only! Setting up a rbash environment isn't easy and takes
time. Check out all manpages of all tools you cp and make
available, since they may be able to drop a shell! Maybe you need a
readonly, empty LD_PRELOAD and such things.
This list is not complete at all.
Keep in mind that chances are high that users still can break out
of it if they're smart. It's a really complex thing, such a u*nx...
oki,
Steffen
-- This message was generated by machine and therefore bears neither signature nor seal.