Date: Wed, 8 May 2002 23:25:07 -0400 From: Anthony Schneider <aschneid@mail.slc.edu> To: "Dalin S. Owen" <dowen@pstis.com> Cc: security@freebsd.org Subject: Re: Accounts with Restricted privileges Message-ID: <20020508232507.B48952@mail.slc.edu> In-Reply-To: <200205081608.21273.dowen@pstis.com>; from dowen@pstis.com on Wed, May 08, 2002 at 04:08:21PM -0600 References: <200205081443.51457.dowen@pstis.com> <20020508171717.A37592@mail.slc.edu> <200205081608.21273.dowen@pstis.com>
next in thread | previous in thread | raw e-mail | index | archive | help
--dkEUBIird37B8yKS
Content-Type: multipart/mixed; boundary="FkmkrVfFsRoUs1wW"
Content-Disposition: inline
--FkmkrVfFsRoUs1wW
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
Content-Transfer-Encoding: quoted-printable
ah, my bad.
i'll try to read better next time. :)
so what you really want is rbash without the 'cd' limitation, but also
chrooted? I have here a patch i just sorta whipped up (read: crude
and hardly tested, but seems to work) which allows the cd builtin to
be executed. so, if you are in a chrooted environment, cd should work,
and all of the rest of the restritions should apply that come along with
using restricted zsh (zsh, in case you don't know, is IMStubbornlyHO, a
very nice shell, with almost, if not exactly, the same syntax features
as bash, including restriction by copying zsh to rzsh). Again, this is
very untested, but you should be able to apply this to builtin.c in the
Src/ directory of zsh-4.0.4. I'll email zsh-workers, and see if maybe
they'd consider making compilation of particular environment restrictions
configurable on a per-restriction basis.
Hope this helps.
-Anthony.
On Wed, May 08, 2002 at 04:08:21PM -0600, Dalin S. Owen wrote:
> On May 8, 2002 03:17 pm, you wrote:
>=20
> Nope. rbash disables "cd", remember? :) I need to be able to browse=20
> subdirectories.
>=20
> > if you don't have any luck finding a shell with chrootability, you could
> > easily write a simple setuid wrapper to chroot() and then execute rbash,
> > where rbash is located within the chrooted file hierarchy.
> > -Anthony.
> >
> > On Wed, May 08, 2002 at 02:43:51PM -0600, Dalin S. Owen wrote:
> > > On May 8, 2002 10:31 am, Justin King wrote:
> > >
> > > Actually.. I am looking for the almost same answer... what about a
> > > chroot-ed shell? ie. they can "cd" forwards but not back beyond my
> > > designated "/"... and I quote (from bash's manpage):
> > >
> > > "When a command that is found to be a shell script is exe-
> > > cuted (see COMMAND EXECUTION above), rbash turns off any
> > > restrictions in the shell spawned to execute the script."
> > >
> > > I don't want that. I want all other processes to be chrooted too. By
> > > now some of you are thinking "jail"... A jail won't cut it, because y=
ou
> > > can't use quotas in a jail.
> > >
> > > Does anyone know to do this with bash, or any other shell? I recall
> > > someone talking about a shell that could do all of the above.
> > >
> > > Thanks!:)
> > >
> > > FreeBSD Rox, BTW!
-----------------------------------------------
PGP key at:
http://www.keyserver.net/
http://www.anthonydotcom.com/gpgkey/key.txt
Home:
http://www.anthonydotcom.com
-----------------------------------------------
--FkmkrVfFsRoUs1wW
Content-Type: text/plain; charset=us-ascii
Content-Disposition: attachment; filename="restr_cd.path"
Content-Transfer-Encoding: quoted-printable
--- builtin.c Wed May 8 23:22:27 2002
+++ builtin.c.orig Wed May 8 23:12:24 2002
@@ -685,14 +685,10 @@
LinkNode dir;
struct stat st1, st2;
=20
- /* -- added 5.08.02, Anthony Schneider; allow cd in restricted mode
- so rzsh may run slightly less restricted in a chroot()'ed
- environment.
if (isset(RESTRICTED)) {
zwarnnam(nam, "restricted", NULL, 0);
return 1;
}
- */
doprintdir =3D (doprintdir =3D=3D -1);
=20
for (; *argv && **argv =3D=3D '-'; argv++) {
--FkmkrVfFsRoUs1wW--
--dkEUBIird37B8yKS
Content-Type: application/pgp-signature
Content-Disposition: inline
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.6 (FreeBSD)
Comment: For info see http://www.gnupg.org
iEYEARECAAYFAjzZ7BIACgkQ+rDjkNht5F0CegCfTDLqipr7HaDu/lj4+El0Jo1q
yNAAoKatJbqWnRcQLRpi2cpjMictqRM3
=pMaS
-----END PGP SIGNATURE-----
--dkEUBIird37B8yKS--
To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?20020508232507.B48952>