Re: Restricted Shells or Menu Based Shells

From: Steffen Dettmer (steffen@dett.de)
Date: 03/04/02


Date: Mon, 4 Mar 2002 09:04:25 +0100
From: Steffen Dettmer <steffen@dett.de>
To: focus-linux@securityfocus.com


* Sumit Dhar wrote on Sat, Mar 02, 2002 at 04:07 -0500:
> On Thu, 28 Feb 2002, Steffen Dettmer wrote:
> > really a lot of tools. Don't cp standard ftp, since it's able to
> > drop a non-restricted /bin/bash. Ohh, and don't set up paths and
>
> Hmm, always interested in knowing something new. I kind of knew that a
> ftp could drop you into a shell. But have never been able to do that.
> How could one go about doing it?? Any pointers?

The standard Linux ftp client drops a shell if you say
!/bin/bash
IIRC. You can type any command after "!".

> > such in .profile - users may overwrite it! Make sure you make
> > other variables readonly. Set the PATH to the new "bin" style
> > tree only!
>
> How would one go about doing this. What I did was slightly kludgy, so
> would really appreciate comments.. Usually how do you go about doing
> this part. Cos I feel this is the trickiest and the most important
> part...

Well, you must make sure that the users are not allowed to write
to any path of PATH of course. If possible, make ~ not writable
too (it is not sufficient to make ~/.*, such as .profile, not
writable, since the users could delete and re-create those
files). You have to set up the variables in /etc/profile,
system-wide. You have to determine if the starting user is
restricted or not by some condition, and if it's true, set up
needed read-only variables, such as PATH and such. I copied some tools
to /home/bin, i.e. /home/bin/rbash, .../rvim and so on. If there
is no /home/bin, the users cannot log in at all, since I used
/home/bin/rbash as the login shell. The restricted users cannot
change read-only variables nor execute programs from paths other
than /home/bin. Well, but they would find a way to break out, keep
it in mind...

oki,

Steffen

-- 
This letter was generated by machine,
and therefore bears neither signature nor seal.
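
The conditions described in the message above (no write access to any PATH directory or to the home directory, and no tool with a shell escape such as ftp in the restricted bin tree) can be checked with a small audit script. This is an added example, not part of the original post; the function names, the finding tags and the `ESCAPE_TOOLS` list are assumptions made for it.

```shell
#!/bin/sh
# Added example, not from the original mail. Assumed names: ESCAPE_TOOLS,
# user_can_modify, audit_restricted and the finding tags they print.

# Tools offering a shell escape; the thread names only the standard ftp client.
ESCAPE_TOOLS="ftp"

# True if USER ($1) could alter DIR ($2): USER owns it (an owner can always
# chmod it back) or it is group- or world-writable (group is treated
# conservatively). Mode bits are read instead of using [ -w ], so the result
# is the same when the audit itself runs as root.
user_can_modify() {
    [ -n "$(find -H "$2" -prune \( -user "$1" -o -perm -0020 -o -perm -0002 \) 2>/dev/null)" ]
}

# audit_restricted USER HOME PATH_VALUE
# Prints one finding per line; exit status is 0 only when nothing was found.
# The body is a subshell, so IFS and positional parameters do not leak out.
audit_restricted() (
    user=$1 home=$2 findings=0
    path_value="$3:"    # the added ":" makes a trailing empty entry visible
    report() { echo "$1 $2"; findings=$((findings + 1)); }

    if user_can_modify "$user" "$home"; then report HOME_WRITABLE "$home"; fi

    IFS=:; set -f; set -- $path_value; unset IFS; set +f
    for dir in "$@"; do
        case $dir in
            /*) ;;
            *)  report PATH_RELATIVE "'$dir'"; continue ;;  # "" and "." mean cwd
        esac
        [ -d "$dir" ] || continue
        if user_can_modify "$user" "$dir"; then report PATH_WRITABLE "$dir"; fi
        for tool in $ESCAPE_TOOLS; do
            if [ -e "$dir/$tool" ]; then report SHELL_ESCAPE "$dir/$tool"; fi
        done
    done
    [ "$findings" -eq 0 ]
)
```

Call it as `audit_restricted USER HOME "$PATH_VALUE"` with the PATH value that /etc/profile assigns to restricted users; USER may be a login name or a numeric uid.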
