From owner-freebsd-questions@FreeBSD.ORG Sat Mar 12 03:44:44 2005
Date: Sat, 12 Mar 2005 05:44:22 +0200
From: Giorgos Keramidas <keramida@ceid.upatras.gr>
To: doug@safeport.com
cc: freebsd-questions@freebsd.org
Subject: Re: bash restricted shell
Message-ID: <20050312034422.GB48885@gothmog.gr>
In-Reply-To: <20050311191532.X8887@pemaquid.safeport.com>

On 2005-03-11 19:53, doug@safeport.com wrote:
> On a standard 4.11 install /usr/local/bin/bash = v2.04. rbash does not
> exist. So I added it as an sh script. This works okay in that normal
> things I tried do not break out. This is probably good enough for the
> users I would give this shell to. My question is basically: what is
> the "right" way to do this?
Create a /usr/local/bin/rbash script containing the following lines:

    #!/usr/local/bin/bash
    exec /usr/local/bin/bash --login --restricted "$@"

The initial #! line is necessary, in my opinion, because having it there
means you don't need to depend on the fact that shell scripts do accept
options on the #! line.

Set the permissions and owner of the new script and add it to /etc/shells:

    % chmod 0555 /usr/local/bin/rbash
    % chown root:wheel /usr/local/bin/rbash
    % echo '/usr/local/bin/rbash' >> /etc/shells

Then you should be able to use '/usr/local/bin/rbash' as the login shell
of a user and have the user restricted in the HOME directory.
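Added example, not part of the mail above or of the bash project: a POSIX sh script that writes the same two-line wrapper into a scratch directory (instead of /usr/local/bin), registers it in a constructed shells file (instead of /etc/shells), and then checks that the wrapper really runs bash in restricted mode by confirming that cd, PATH assignment, output redirection and slash-qualified command names are refused while a plain builtin still works. It assumes bash is somewhere on PATH; the directory, the shells file and the test commands are constructed for the demo.

```shell
#!/bin/sh
# Added example, not from the original mail: build the rbash wrapper the
# reply describes in a scratch directory and verify that bash's restricted
# mode refuses what a restricted login shell is supposed to block.
# Assumes bash is on PATH; all paths below are constructed for the demo.

BASH_BIN=$(command -v bash)          # stands in for /usr/local/bin/bash
WORK=$(mktemp -d)                    # constructed scratch directory
SHELLS_FILE="$WORK/shells"           # constructed stand-in for /etc/shells

# Write the two-line wrapper from the mail into $1/rbash and print its path.
make_rbash_wrapper() {
    wrapper="$1/rbash"
    rm -f "$wrapper"
    printf '#!%s\nexec %s --login --restricted "$@"\n' "$BASH_BIN" "$BASH_BIN" > "$wrapper"
    chmod 0555 "$wrapper"
    printf '%s\n' "$wrapper"
}

# Mirror "echo /usr/local/bin/rbash >> /etc/shells" against the constructed file.
register_shell() {
    printf '%s\n' "$2" >> "$1"
}

# True when the shell path appears as a whole line in the shells file.
shell_registered() {
    grep -qxF -- "$2" "$1"
}

# True when running command string $2 under shell $1 fails (non-zero exit).
refused() {
    if "$1" -c "$2" >/dev/null 2>&1; then
        return 1
    fi
    return 0
}

# True when the wrapper enforces the restrictions that matter for a
# restricted login shell (no cd, no PATH changes, no output redirection,
# no commands named by path) while an ordinary builtin still runs.
verify_restricted() {
    w="$1"
    refused "$w" 'cd /' &&
    refused "$w" 'PATH=/tmp' &&
    refused "$w" "echo x > $WORK/escape.txt" &&
    refused "$w" '/bin/echo x' &&
    ! refused "$w" 'echo ok'
}

WRAPPER=$(make_rbash_wrapper "$WORK")
register_shell "$SHELLS_FILE" "$WRAPPER"
if verify_restricted "$WRAPPER" && shell_registered "$SHELLS_FILE" "$WRAPPER"; then
    echo "OK: $WRAPPER enforces restricted mode and is listed in $SHELLS_FILE"
else
    echo "FAIL: $WRAPPER does not behave as a restricted login shell" >&2
fi
```

The same checks can be pointed at the real /usr/local/bin/rbash and /etc/shells after installation; the only reason the demo uses a scratch directory is so it runs without root and leaves the system untouched.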