Date: Wed, 8 May 2002 14:43:51 -0600 From: "Dalin S. Owen" <dowen@pstis.com> To: security@freebsd.org Subject: Re: Accounts with Restricted privileges Message-ID: <200205081443.51457.dowen@pstis.com>
next in thread | raw e-mail | index | archive | help
On May 8, 2002 10:31 am, Justin King wrote:
Actually.. I am looking for the almost same answer... what about a chroot-ed
shell? ie. they can "cd" forwards but not back beyond my designated "/"...
and I quote (from bash's manpage):
"When a command that is found to be a shell script is exe-
cuted (see COMMAND EXECUTION above), rbash turns off any
restrictions in the shell spawned to execute the script."
I don't want that. I want all other processes to be chrooted too. By now
some of you are thinking "jail"... A jail won't cut it, because you can't use
quotas in a jail.
Does anyone know to do this with bash, or any other shell? I recall someone
talking about a shell that could do all of the above.
Thanks! :)
FreeBSD Rox, BTW!
> man bash
>
> RESTRICTED SHELL
> If bash is started with the name rbash, or the -r option
> is supplied at invocation, the shell becomes restricted.
> A restricted shell is used to set up an environment more
> controlled than the standard shell. It behaves identi-
> cally to bash with the exception that the following are
> disallowed or not performed:
>
> o changing directories with cd
>
> o setting or unsetting the values of SHELL, PATH,
> ENV, or BASH_ENV
>
> o specifying command names containing /
>
> o specifying a file name containing a / as an argu-
> ment to the . builtin command
>
> o Specifying a filename containing a slash as an
> argument to the -p option to the hash builtin com-
> mand
>
> o importing function definitions from the shell envi-
> ronment at startup
>
> o parsing the value of SHELLOPTS from the shell envi-
> ronment at startup
>
> o redirecting output using the >, >|, <>, >&, &>, and
>
> >> redirection operators
>
> o using the exec builtin command to replace the shell
> with another command
>
> o adding or deleting builtin commands with the -f and
> -d options to the enable builtin command
>
> o specifying the -p option to the command builtin
> command
>
> o turning off restricted mode with set +r or set +o
> restricted.
>
>
>
> ----- Original Message -----
> From: "Martin McCormick" <martin@dc.cis.okstate.edu>
> To: <freebsd-security@FreeBSD.ORG>
> Sent: Wednesday, May 08, 2002 12:23 PM
> Subject: Accounts with Restricted privileges
>
> > Is it possible to create an account with a restricted
> > shell?
> >
> > The documentation for bash shows that it can be invoked
> > with the --restricted flag. A check of the handbook shows
> > nothing more about this topic. Neither did a look at the man
> > pages for login.
> >
> > Thank you.
>
> To Unsubscribe: send mail to majordomo@FreeBSD.org
> with "unsubscribe freebsd-security" in the body of the message
To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?200205081443.51457.dowen>