Delivered-To: freebsd-security@freebsd.org
From: "Justin King"
Subject: Re: Accounts with Restricted privileges
Date: Wed, 8 May 2002 12:31:24 -0400

man bash

RESTRICTED SHELL
       If bash is started with the name rbash, or the -r option is
       supplied at invocation, the shell becomes restricted. A
       restricted shell is used to set up an environment more
       controlled than the standard shell. It behaves identically
       to bash with the exception that the following are disallowed
       or not performed:

       o      changing directories with cd

       o      setting or unsetting the values of SHELL, PATH, ENV,
              or BASH_ENV

       o      specifying command names containing /

       o      specifying a file name containing a / as an argument
              to the . builtin command

       o      Specifying a filename containing a slash as an
              argument to the -p option to the hash builtin command

       o      importing function definitions from the shell
              environment at startup

       o      parsing the value of SHELLOPTS from the shell
              environment at startup

       o      redirecting output using the >, >|, <>, >&, &>, and >>
              redirection operators

       o      using the exec builtin command to replace the shell
              with another command

       o      adding or deleting builtin commands with the -f and -d
              options to the enable builtin command

       o      specifying the -p option to the command builtin
              command

       o      turning off restricted mode with set +r or set +o
              restricted.

----- Original Message -----
From: "Martin McCormick"
Sent: Wednesday, May 08, 2002 12:23 PM
Subject: Accounts with Restricted privileges

> Is it possible to create an account with a restricted
> shell?
>
> The documentation for bash shows that it can be invoked
> with the --restricted flag. A check of the handbook shows
> nothing more about this topic. Neither did a look at the man
> pages for login.
>
> Thank you.
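
Added example, not part of the original messages: a POSIX sh script that runs one probe per restriction from the man page list above under "bash -r" and reports any operation that still goes through. The function names shell_allows and audit_restricted and the probe commands are this example's own; it assumes bash (built with restricted-shell support) and mktemp are on PATH.

```sh
#!/bin/sh
# Added example: probe which operations a restricted bash refuses.
# Assumes bash (built with restricted-shell support) and mktemp are on PATH.

# shell_allows FLAG PROBE
# Runs PROBE with `bash FLAG -c` inside a scratch directory. Every probe
# prints ALLOWED only if its operation went through.
# Returns 0 if the operation was allowed, 1 if the shell refused it.
shell_allows() (
    scratch=$(mktemp -d) || exit 2
    cd "$scratch" || exit 2
    # $1 is left unquoted on purpose so an empty FLAG disappears.
    out=$(bash $1 -c "$2" </dev/null 2>/dev/null) || true
    cd / && rm -rf "$scratch"
    case $out in *ALLOWED*) exit 0 ;; *) exit 1 ;; esac
)

# audit_restricted
# Runs each "label|probe" line below under `bash -r`, prints one result
# line per probe, and returns the number of operations NOT blocked.
audit_restricted() {
    leaks=0
    while IFS='|' read -r label probe; do
        if shell_allows -r "$probe"; then
            echo "NOT BLOCKED  $label"
            leaks=$((leaks + 1))
        else
            echo "blocked      $label"
        fi
    done <<'EOF'
cd|cd / && echo ALLOWED
set PATH|PATH=/bin && echo ALLOWED
slash in command name|/bin/sh -c 'echo ALLOWED'
slash in argument to .|. /dev/null && echo ALLOWED
hash -p with slash|hash -p /bin/sh sh && echo ALLOWED
output redirection|echo x > out.txt && echo ALLOWED
exec|exec echo ALLOWED
command -p|command -p echo ALLOWED
set +r|set +r && echo ALLOWED
EOF
    return "$leaks"
}

audit_restricted || echo "some restrictions were not enforced" >&2
```

Passing an empty FLAG, as in shell_allows "" 'cd / && echo ALLOWED', runs the same probe in an unrestricted bash as a control.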