From owner-freebsd-hackers Sun May 25 22:07:37 1997 Return-Path: Received: (from root@localhost) by hub.freebsd.org (8.8.5/8.8.5) id WAA28777 for hackers-outgoing; Sun, 25 May 1997 22:07:37 -0700 (PDT) Received: from ingenieria ([168.176.15.11]) by hub.freebsd.org (8.8.5/8.8.5) with SMTP id WAA28770 for ; Sun, 25 May 1997 22:07:31 -0700 (PDT) Received: from unalmodem.usc.unal.edu.co by ingenieria (SMI-8.6/SMI-SVR4) id AAA27924; Mon, 26 May 1997 00:53:51 -0400 Message-ID: <338935E0.224E@fps.biblos.unal.edu.co> Date: Mon, 26 May 1997 00:04:00 -0700 From: "Pedro F. Giffuni" Organization: Universidad Nacional de Colombia X-Mailer: Mozilla 3.0 (Win16; I) MIME-Version: 1.0 To: Jaye Mathisen CC: hackers@FreeBSD.ORG Subject: Re: Correct way to chroot for shell account users? References: Content-Type: text/plain; charset=us-ascii Content-Transfer-Encoding: 7bit Sender: owner-hackers@FreeBSD.ORG X-Loop: FreeBSD.org Precedence: bulk Jaye Mathisen wrote: > > Anybody got any tips on how to write a secure shell to exec on login to > set a users environment to the "right thing". > I had to open some public accounts some time ago. While on SCO and AIX I had the restricted shell (Rsh), but it wasn't very useful: I used it for a suspected cracker and he also broke it :-). My answer to the problem is to define an innocent program in /etc/shells and use it instead of the shell. You can build a custom lynx (with lot's of restrictions) or use gopher as a shell. Code for a restricted shell, and some "secure" utilities used to be in the gopher and W3C distribution sites, JIC someone was brave enough to use them > > Any code appreciated as well. Thanks.