From owner-freebsd-questions Sun Jun 25 5: 4: 2 2000
Delivered-To: freebsd-questions@freebsd.org
Received: from mail.hellasnet.gr (mail.hellasnet.gr [212.54.192.3])
    by hub.freebsd.org (Postfix) with ESMTP id CFA9337B6C2
    for ; Sun, 25 Jun 2000 05:03:56 -0700 (PDT)
    (envelope-from keramida@ceid.upatras.gr)
Received: from hades.hell.gr (ppp2.patr.hellasnet.gr [212.54.197.17])
    by mail.hellasnet.gr (8.9.1/8.9.1) with ESMTP id OAA21591;
    Sun, 25 Jun 2000 14:02:55 +0200 (GMT)
Received: (from charon@localhost)
    by hades.hell.gr (8.10.2/8.10.2) id e5PBgWG04088;
    Sun, 25 Jun 2000 14:42:32 +0300 (EEST)
Date: Sun, 25 Jun 2000 14:42:32 +0300
From: Giorgos Keramidas
To: phrack_ p h r a c k
Cc: freebsd-questions@FreeBSD.ORG
Subject: Re: BitchX Dangerous?
Message-ID: <20000625144232.A3337@hades.hell.gr>
References: <20000625043023.1354.qmail@hotmail.com>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
X-Mailer: Mutt 1.0i
In-Reply-To: <20000625043023.1354.qmail@hotmail.com>; from phrack_@hotmail.com on Sun, Jun 25, 2000 at 04:30:23AM +0000
X-PGP-Fingerprint: 3A 75 52 EB F1 58 56 0D - C5 B8 21 B6 1B 5E 4A C2
Sender: owner-freebsd-questions@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.ORG

[ freebsd-newbies removed from recipients, cross posting is not good :) ]

On Sun, Jun 25, 2000 at 04:30:23AM +0000, phrack_ p h r a c k wrote:
> I was recently informed that there was a way for a user to type a
> command(s) in BitchX and get a command line,

I do not know about a command line, but most IRC clients that I know
of (epic, BitchX, etc) have the /exec command, which can be used to
execute arbitrary commands on the host that the client is running.
I customarily use this command in aliases such as:

    /alias dns exec /usr/bin/host $0-

But I am not sure if this can be used to gain access to a shell prompt.

> I have a user acct on my box that defaults to BitchX when this user
> ssh's in, if I only want that user to use bitchX but am afraid that
> user knows far more than I and don't want to take the chance of
> something like that happening does anyone know where I could read up
> more on this and how to prevent it

Having bitchx as their login shell does not prevent users from
executing commands on your machine. Apart from having them run in a
chrooted environment, which is probably too much trouble and does not
solve the problem, I can't think of anything else except for:

a) Making the machine fairly secure with its user limits and quotas
   enabled.

b) Giving anyone you wish a normal shell, without any special
   privileges.

-- 
Giorgos Keramidas, < keramida @ ceid . upatras . gr >
For my public key: finger keramida@ceid.upatras.gr

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-questions" in the body of the message
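
Added example, not part of the original message: a small audit that lists accounts in a passwd(5)-format file whose login shell is an IRC client, since the reply explains that such a shell does not confine the user. The client list (taken from the clients named in the message), the function names and the sample accounts are assumptions constructed for illustration.

```shell
#!/bin/sh
# Clients named in the message as having /exec; extend for your site.
# Assumption: the installed binary name starts with one of these words.
IRC_CLIENTS="bitchx epic"

# audit_shells FILE: print "user:shell" for each passwd(5)-format entry
# whose login shell basename (case-insensitive) starts with a listed client.
audit_shells() {
    awk -F: -v clients="$IRC_CLIENTS" '
        BEGIN { n = split(clients, c, " ") }
        /^#/ || NF < 7 { next }          # skip comments and short lines
        {
            shell = $7
            base = shell
            sub(/.*\//, "", base)        # strip the directory part
            base = tolower(base)
            for (i = 1; i <= n; i++)
                # prefix match covers "BitchX", "bitchx-1.0", "epic4"
                if (index(base, c[i]) == 1) { print $1 ":" shell; break }
        }' "$1"
}

# Constructed sample in passwd(5) format (not real accounts).
sample_passwd() {
    cat <<'EOF'
# constructed sample
root:*:0:0:Charlie &:/root:/bin/csh
ircguest:*:1001:1001:IRC only:/home/ircguest:/usr/local/bin/BitchX
alice:*:1002:1002:Alice:/home/alice:/bin/sh
chat:*:1003:1003:Chat:/home/chat:/usr/local/bin/epic4
EOF
}

# Run the audit over the constructed sample.
run_demo() {
    tmp=$(mktemp) || return 1
    sample_passwd > "$tmp"
    audit_shells "$tmp"
    rm -f "$tmp"
}

run_demo
```

On a live system, call `audit_shells /etc/passwd`; each account it prints should be treated as having ordinary shell access when setting limits and quotas.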