From owner-freebsd-newbies  Sun Jun 25  2:59:19 2000
Delivered-To: freebsd-newbies@freebsd.org
Received: from draenor.org (draenor.org [196.36.119.129])
	by hub.freebsd.org (Postfix) with ESMTP
	id 56D9437B933; Sun, 25 Jun 2000 02:59:07 -0700 (PDT)
	(envelope-from marcs@draenor.org)
Received: from marcs by draenor.org with local (Exim 3.14 #1)
	id 1369Bh-000FkY-00; Sun, 25 Jun 2000 11:58:49 +0200
Date: Sun, 25 Jun 2000 11:58:49 +0200
From: Marc Silver <marcs@draenor.org>
To: phrack_ p h r a c k <phrack_@hotmail.com>
Cc: freebsd-newbies@FreeBSD.ORG, freebsd-questions@FreeBSD.ORG
Subject: Re: BitchX Dangerous?
Message-ID: <20000625115849.L53435@draenor.org>
References: <20000625043023.1354.qmail@hotmail.com>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
Content-Transfer-Encoding: quoted-printable
User-Agent: Mutt/1.2i
In-Reply-To: <20000625043023.1354.qmail@hotmail.com>; from phrack_@hotmail.com on Sun, Jun 25, 2000 at 04:30:23AM +0000
X-Operating-System: FreeBSD 4.0-STABLE
Sender: owner-freebsd-newbies@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

It's quite simple to be able to break out a program like BitchX.  I'm
guessing, but a simple =1A should get the user out of it....  :)  Then of
course, they could always /exec which means they could execute something
outside of BX.  :)

There are ways to limit this, but they all require quite a bit of work.
Basically though... I don't think bitchx was designed to keep people out
of shells...  :)  Perhaps look at chrooting the user and the process.
:)

Cheers,
Marc

On Sun, Jun 25, 2000 at 04:30:23AM +0000, phrack_ p h r a c k wrote:
> I was recently informed that there was a way for a user to type a
> command(s) in BitchX and get a command line, i have a user acct on my box=
=20
> that
> defaults to BitchX when this user ssh's in, if i only want that user to u=
se=20
> bitchX
> but am afraid that user knows far more than i and dont want to take the
> chance of something like that happening does anyone know where i could re=
ad
> up more on this and how to prevent it
>=20
>=20
> ________________________________________________________________________
> Get Your Private, Free E-mail from MSN Hotmail at http://www.hotmail.com


To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-newbies" in the body of the message