From owner-freebsd-security  Wed May  8 14:15:55 2002
Delivered-To: freebsd-security@freebsd.org
Received: from slc.edu (weir-01c.slc.edu [207.106.89.46])
	by hub.freebsd.org (Postfix) with ESMTP id 8DAB337B41B
	for <security@FreeBSD.ORG>; Wed,  8 May 2002 14:15:11 -0700 (PDT)
Received: (from anthony@localhost)
	by slc.edu (8.11.6/8.11.6) id g48LHHH37683;
	Wed, 8 May 2002 17:17:17 -0400 (EDT)
	(envelope-from anthony)
Date: Wed, 8 May 2002 17:17:17 -0400
From: Anthony Schneider <aschneid@mail.slc.edu>
To: "Dalin S. Owen" <dowen@pstis.com>
Cc: security@FreeBSD.ORG
Subject: Re: Accounts with Restricted privileges
Message-ID: <20020508171717.A37592@mail.slc.edu>
References: <200205081443.51457.dowen@pstis.com>
Mime-Version: 1.0
Content-Type: multipart/signed; micalg=pgp-md5;
	protocol="application/pgp-signature"; boundary="IS0zKkzwUGydFO0o"
Content-Disposition: inline
User-Agent: Mutt/1.2.5.1i
In-Reply-To: <200205081443.51457.dowen@pstis.com>; from dowen@pstis.com on Wed, May 08, 2002 at 02:43:51PM -0600
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
List-ID: <freebsd-security.FreeBSD.ORG>
List-Archive: <http://docs.freebsd.org/mail/> (Web Archive)
List-Help: <mailto:majordomo@FreeBSD.ORG?subject=help> (List Instructions)
List-Subscribe: <mailto:majordomo@FreeBSD.ORG?subject=subscribe%20freebsd-security>
List-Unsubscribe: <mailto:majordomo@FreeBSD.ORG?subject=unsubscribe%20freebsd-security>
X-Loop: FreeBSD.org


--IS0zKkzwUGydFO0o
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
Content-Transfer-Encoding: quoted-printable

if you don't have any luck finding a shell with chrootability, you could
easily write a simple setuid wrapper to chroot() and then execute rbash,
where rbash is located within the chrooted file hierarchy.
-Anthony.

On Wed, May 08, 2002 at 02:43:51PM -0600, Dalin S. Owen wrote:
> On May 8, 2002 10:31 am, Justin King wrote:
>=20
> Actually.. I am looking for the almost same answer... what about a chroot=
-ed=20
> shell?  ie. they can "cd" forwards but not back beyond my designated "/".=
..=20
> and I quote (from bash's manpage):
>=20
>        "When  a command that is found to be a shell script is exe-
>        cuted (see COMMAND EXECUTION above), rbash turns  off  any
>        restrictions in the shell spawned to execute the script."
>=20
> I don't want that.  I want all other processes to be chrooted too.  By no=
w=20
> some of you are thinking "jail"... A jail won't cut it, because you can't=
 use=20
> quotas in a jail.
>=20
> Does anyone know to do this with bash, or any other shell?  I recall some=
one=20
> talking about a shell that could do all of the above.
>=20
> Thanks!:)
>=20
> FreeBSD Rox, BTW!
>=20
> > man bash
> >
> > RESTRICTED SHELL
> >        If bash is started with the name rbash, or the  -r  option
> >        is  supplied  at invocation, the shell becomes restricted.
> >        A restricted shell is used to set up an  environment  more
> >        controlled  than  the  standard shell.  It behaves identi-
> >        cally to bash with the exception that  the  following  are
> >        disallowed or not performed:
> >
> >        o      changing directories with cd
> >
> >        o      setting  or  unsetting  the  values of SHELL, PATH,
> >               ENV, or BASH_ENV
> >
> >        o      specifying command names containing /
> >
> >        o      specifying a file name containing a / as  an  argu-
> >               ment to the .  builtin command
> >
> >        o      Specifying  a  filename  containing  a  slash as an
> >               argument to the -p option to the hash builtin  com-
> >               mand
> >
> >        o      importing function definitions from the shell envi-
> >               ronment at startup
> >
> >        o      parsing the value of SHELLOPTS from the shell envi-
> >               ronment at startup
> >
> >        o      redirecting output using the >, >|, <>, >&, &>, and
> >
> >               >> redirection operators
> >
> >        o      using the exec builtin command to replace the shell
> >               with another command
> >
> >        o      adding or deleting builtin commands with the -f and
> >               -d options to the enable builtin command
> >
> >        o      specifying the -p option  to  the  command  builtin
> >               command
> >
> >        o      turning  off  restricted mode with set +r or set +o
> >               restricted.
> >
> >
> >
> > ----- Original Message -----
> > From: "Martin McCormick" <martin@dc.cis.okstate.edu>
> > To: <freebsd-security@FreeBSD.ORG>
> > Sent: Wednesday, May 08, 2002 12:23 PM
> > Subject: Accounts with Restricted privileges
> >
> > > Is it possible to create an account with a restricted
> > > shell?
> > >
> > > The documentation for bash shows that it can be invoked
> > > with the --restricted flag.  A check of the handbook shows
> > > nothing more about this topic.  Neither did a look at the man
> > > pages for login.
> > >
> > > Thank you.
> >
> > To Unsubscribe: send mail to majordomo@FreeBSD.org
> > with "unsubscribe freebsd-security" in the body of the message
>=20
>=20
> To Unsubscribe: send mail to majordomo@FreeBSD.org
> with "unsubscribe freebsd-security" in the body of the message
-----------------------------------------------
PGP key at:
    http://www.keyserver.net/
    http://www.anthonydotcom.com/gpgkey/key.txt
Home:
    http://www.anthonydotcom.com
-----------------------------------------------


--IS0zKkzwUGydFO0o
Content-Type: application/pgp-signature
Content-Disposition: inline

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.6 (FreeBSD)
Comment: For info see http://www.gnupg.org

iEYEARECAAYFAjzZld0ACgkQ+rDjkNht5F1b/wCgnuaJyW7kHHzJfGPRJ3FbnemB
GmEAoJHbS/9lDG6XANRB2oH+2eslSRxA
=JJyx
-----END PGP SIGNATURE-----

--IS0zKkzwUGydFO0o--

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message