Date: Thu, 6 Jan 2000 10:56:03 -0500
From: Mark Conway Wirt <mark@intrepid.net>
To: Jim Sander <jim@federation.addy.com>
Cc: freebsd-isp@FreeBSD.ORG
Subject: Re: MUA as shell for mail-only accounts?
Message-ID: <20000106105603.D18458@intrepid.net>
In-Reply-To: <Pine.BSF.4.10.10001011231520.28717-100000@federation.addy.com>; from jim@federation.addy.com on Sat, Jan 01, 2000 at 12:54:18PM -0500
References: <XFMail.991230072810.andrews@TECHNOLOGIST.COM> <Pine.BSF.4.10.10001011231520.28717-100000@federation.addy.com>

On Sat, Jan 01, 2000 at 12:54:18PM -0500, Jim Sander wrote:
> We have several hundred "email-only" accounts with pine as their login
> shell. The problem is that pine is a really powerful mail tool that
> allows all sorts of "dangerous" things. I set up pine.conf.fixed (in
> /usr/local/etc if you install from the port) to disallow certain things,
> and hard-coded other options...
>
> No suspend, no custom print, no pipe, alternate speller locked to
> /usr/local/bin/ispell, alternate editor locked to vi- with the option to
> disallow subshells. I also set "user home dir" to marginally protect
> non-user files from them. There are probably a few other things too-
> basically I went through the list of tricks I've used or seen used to get
> "real" shells on systems with non-standard ones (freenets do this a lot)
> and either fixed or disabled the option.
>

All very important, but there are other pitfalls as well. If you allow
ssh for "normal users," wasn't there a thread here a while ago that
ssh could be used to change the login shell? Forgive me if I'm
remembering it incorrectly...

--Mark

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-isp" in the body of the message