From: "Dalin S. Owen"
Reply-To: dowen@pstis.com
Organization: Nexus XI Corp.
To: security@freebsd.org
Subject: Re: Accounts with Restricted privileges
Date: Wed, 8 May 2002 14:43:51 -0600
Message-Id: <200205081443.51457.dowen@pstis.com>

On May 8, 2002 10:31 am, Justin King wrote:

Actually.. I am looking for almost the same answer... what about a chroot-ed
shell? ie. they can "cd" forwards but not back beyond my designated "/"...
and I quote (from bash's manpage):

"When a command that is found to be a shell script is executed
(see COMMAND EXECUTION above), rbash turns off any restrictions in
the shell spawned to execute the script."

I don't want that. I want all other processes to be chrooted too. By now
some of you are thinking "jail"... A jail won't cut it, because you can't use
quotas in a jail.

Does anyone know how to do this with bash, or any other shell? I recall someone
talking about a shell that could do all of the above.

Thanks! :)

FreeBSD Rox, BTW!

> man bash
>
> RESTRICTED SHELL
>     If bash is started with the name rbash, or the -r option
>     is supplied at invocation, the shell becomes restricted.
>     A restricted shell is used to set up an environment more
>     controlled than the standard shell. It behaves identically
>     to bash with the exception that the following are
>     disallowed or not performed:
>
>     o changing directories with cd
>
>     o setting or unsetting the values of SHELL, PATH,
>       ENV, or BASH_ENV
>
>     o specifying command names containing /
>
>     o specifying a file name containing a / as an argument
>       to the . builtin command
>
>     o Specifying a filename containing a slash as an
>       argument to the -p option to the hash builtin command
>
>     o importing function definitions from the shell
>       environment at startup
>
>     o parsing the value of SHELLOPTS from the shell
>       environment at startup
>
>     o redirecting output using the >, >|, <>, >&, &>, and
>       >> redirection operators
>
>     o using the exec builtin command to replace the shell
>       with another command
>
>     o adding or deleting builtin commands with the -f and
>       -d options to the enable builtin command
>
>     o specifying the -p option to the command builtin
>       command
>
>     o turning off restricted mode with set +r or set +o
>       restricted.
>
> ----- Original Message -----
> From: "Martin McCormick"
> To:
> Sent: Wednesday, May 08, 2002 12:23 PM
> Subject: Accounts with Restricted privileges
>
> > Is it possible to create an account with a restricted
> > shell?
> >
> > The documentation for bash shows that it can be invoked
> > with the --restricted flag. A check of the handbook shows
> > nothing more about this topic. Neither did a look at the man
> > pages for login.
> >
> > Thank you.
>
> To Unsubscribe: send mail to majordomo@FreeBSD.org
> with "unsubscribe freebsd-security" in the body of the message
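
Added example, not part of the thread or of any poster's setup: a shell check that a restricted bash with an allow-list PATH enforces the restrictions listed in the quoted man page excerpt, plus an audit for scripts in that directory, which matter because of the script exception quoted at the top of the message. The function names and the temporary allow-list directory are assumptions, and this does not provide the chroot the message asks about.

```shell
#!/bin/sh
# Added example: function names and the temporary directory are hypothetical.
BASH_BIN=$(command -v bash)   # assumption: bash is installed

# Create an allow-list directory holding links to the named commands only.
make_allowlist() {
    dir=$(mktemp -d) || return 1
    for name in "$@"; do
        ln -s "$(command -v "$name")" "$dir/$name" || return 1
    done
    echo "$dir"
}

# Run one command line in a restricted bash whose PATH is only the allow-list
# directory; returns that shell's exit status and discards its output.
run_restricted() {
    env -i PATH="$1" HOME="$1" "$BASH_BIN" --noprofile --norc -r -c "$2" \
        >/dev/null 2>&1
}

# Return 0 only if cd, a command name containing "/", output redirection and
# a PATH assignment are all refused; print each one that is not refused.
check_restrictions() {
    failed=0
    for cmd in 'cd /' '/bin/sh -c true' "echo x > $1/out" 'PATH=/bin:/usr/bin'; do
        if run_restricted "$1" "$cmd"; then
            echo "NOT BLOCKED: $cmd"
            failed=1
        fi
    done
    return "$failed"
}

# Print allow-listed entries that start with "#!". The man page text quoted in
# the message says restrictions are turned off in the shell spawned to run a
# script, so every name printed here needs review before the account is used.
audit_scripts() {
    for f in "$1"/*; do
        [ -f "$f" ] || continue
        if [ "$(head -c 2 "$f" 2>/dev/null)" = "#!" ]; then basename "$f"; fi
    done
}

# Usage: d=$(make_allowlist date uname); check_restrictions "$d"; audit_scripts "$d"
```
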