Re: Restricted Shells or Menu Based Shells
From: Seth Arnold (sarnold@wirex.com)Date: 03/08/02
- Previous message: Bennett Todd: "Re: SecurID and FreeS/WAN GW"
- In reply to: Brian Clifton: "Re: Restricted Shells or Menu Based Shells"
- Next in thread: Steffen Dettmer: "Re: Restricted Shells or Menu Based Shells"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Date: Fri, 8 Mar 2002 10:06:40 -0800 From: Seth Arnold <sarnold@wirex.com> To: focus-linux@securityfocus.com
On Thu, Mar 07, 2002 at 10:31:37AM -0000, Brian Clifton wrote:
> Even if a user could do this, wouldn't disabling anonymous FTP be a
> simple answer or am I missing something?
The problem isn't accepting ftp connections -- it is allowing users to
use the ftp client on the machine with the 'restricted shell' -- because
the ftp client allows users to execute programs locally pretty easy. Of
course, you have the source to your ftp clients, so feel free to modify
your client of choice to prevent that. :)
Of course, many unix programs have this ability, because it is useful.
Practically every editor, every MUA, every terminal-based web browser,
and other useful programs, all have easy access to the shell. Many
programs have 'restricted' modes that are supposed to prevent access to
the shell, but mistakes happen.
Ever wonder what happens if a user sets EDITOR=/bin/sh before editing
outgoing email? I never thought about it until today. I wonder what
happens. And perhaps someone trying to create a restricted shell
probably ought to wonder about it too. :)
-- UniNet InfoSec Conference April 15-19 http://infosec.uninet.edu
- application/pgp-signature attachment: stored
- Previous message: Bennett Todd: "Re: SecurID and FreeS/WAN GW"
- In reply to: Brian Clifton: "Re: Restricted Shells or Menu Based Shells"
- Next in thread: Steffen Dettmer: "Re: Restricted Shells or Menu Based Shells"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Relevant Pages
|
|
