Date: Tue, 13 Mar 2012 10:43:22 -0500
From: Tim Daneliuk <tundra@tundraware.com>
To: FreeBSD Mailing List <freebsd-questions@freebsd.org>
Subject: Re: Editor With NO Shell Access?
Message-ID: <4F5F6B1A.7070808@tundraware.com>
In-Reply-To: <4F5EEBB4.1080608@gmail.com>
References: <4F5E4C2A.1020005@tundraware.com> <4F5E6D3A.50302@gmail.com> <20120312231000.4bb530e1.freebsd@edvax.de> <4F5E7687.5070808@gmail.com> <20120312232300.4da8ebf3.freebsd@edvax.de> <4F5EEBB4.1080608@gmail.com>

On 03/13/2012 01:39 AM, Joshua Isom wrote:
> On 3/12/2012 5:23 PM, Polytropon wrote:
>> On Mon, 12 Mar 2012 15:19:51 -0700, Edward M. wrote:
>>> On 03/12/2012 03:10 PM, Polytropon wrote:
>>>> /etc/shells to work, but a passwd entry like
>>>>
>>>> bob:*:1234:1234:Two-loop-Bob:/home/bob:/usr/local/bin/joe
>>>
>>> I think this would not let the user log in, etc.
>>
>> I'm not sure... I assume logging in is handled by /usr/bin/login,
>> and control is then (i.e. after successful login) transferred
>> to the login shell, which is the program specified in the
>> "shell" field (see "man 5 passwd") of /etc/passwd. How is
>> login supposed to know if the program specified in this
>> field is actually a dialog shell?
>>
>> From "man 1 login" I read that many shells have a built-in
>> login command, but /usr/bin/login is the system's default
>> binary for this purpose if the "shell" (quotes deserved if
>> it is an editor as shown in my assumption) has no capability
>> of performing a login.
>>
>
> Are they logging in from the console or from ssh? If it's from a
> console, I'd send them directly into a jail with limited file system
> access, so that executables don't matter. If it's from ssh, I'd do
> the same thing.
>
> Assume they can break out of the editor or that something will happen.
> Make it minimalist about what they can do. Use the /rescue/vi in an
> empty jail with the files available. Don't think about changing
> editors, change the system.

That's a really good idea, but we're talking about almost 1000 systems here.
That's a whole bunch of configuration...

-- 
----------------------------------------------------------------------------
Tim Daneliuk     tundra@tundraware.com
PGP Key:         http://www.tundraware.com/PGP/
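
With close to 1000 systems in play, a useful first step is an inventory of which accounts already start a non-shell program, such as an editor, from the passwd(5) shell field. The following is an added example, not part of the original message or thread: a POSIX sh helper that reports accounts whose shell field is not listed in a shells(5)-format file. The name audit_shells, the sample accounts other than the bob entry quoted above, and the choice to skip nologin accounts are assumptions made for this example.

```sh
#!/bin/sh
# Added example, not from the thread. audit_shells is a hypothetical helper name.
# Usage: audit_shells PASSWD_FILE SHELLS_FILE
# Prints "user:program" for each account whose passwd(5) shell field is not
# listed in the shells(5)-format file. Accounts using nologin are skipped
# (a choice made for this example).
audit_shells() {
    awk -F: '
        mode == "shells" {
            sub(/#.*/, ""); gsub(/[ \t]+/, "")   # drop comments and whitespace
            if ($0 != "") allowed[$0] = 1
            next
        }
        /^#/ || NF < 7 { next }                  # comment or malformed line
        {
            prog = $7
            if (prog == "") prog = "/bin/sh"     # empty field means /bin/sh, per passwd(5)
            if (prog ~ /\/nologin$/) next
            if (!(prog in allowed)) print $1 ":" prog
        }
    ' mode=shells "$2" mode=passwd "$1"
}

# Constructed sample data; the bob line is the entry quoted in the thread.
sample_audit() {
    dir=$(mktemp -d) || return 1
    cat > "$dir/passwd" <<'EOF'
root:*:0:0:Charlie &:/root:/bin/csh
daemon:*:1:1:Owner of many system processes:/root:/usr/sbin/nologin
alice:*:1001:1001:Alice:/home/alice:/bin/sh
bob:*:1234:1234:Two-loop-Bob:/home/bob:/usr/local/bin/joe
carol:*:1002:1002:Carol:/home/carol:
EOF
    cat > "$dir/shells" <<'EOF'
# List of acceptable shells
/bin/sh
/bin/csh
/bin/tcsh
EOF
    audit_shells "$dir/passwd" "$dir/shells"
    rm -rf "$dir"
}

sample_audit
```

On the constructed sample only bob is reported; on a real host the arguments would be /etc/passwd and /etc/shells.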