From owner-freebsd-questions Mon Jan 10 22:19:18 2000 Delivered-To: freebsd-questions@freebsd.org Received: from hsalouserv1.hsacorp.net (208-247-171-50.hsacorp.net [208.247.171.50]) by hub.freebsd.org (Postfix) with ESMTP id C85601538C for ; Mon, 10 Jan 2000 22:19:13 -0800 (PST) (envelope-from jconner@enterit.com) Received: from default (24-216-177-226.hsacorp.net [24.216.177.226]) by hsalouserv1.hsacorp.net with SMTP (Microsoft Exchange Internet Mail Service Version 5.5.2650.21) id CPRQHY1A; Tue, 11 Jan 2000 01:12:04 -0500 Message-Id: <4.2.0.58.20000110011322.00b318d0@mail.enterit.com> X-Sender: jconner@mail.enterit.com X-Mailer: QUALCOMM Windows Eudora Pro Version 4.2.0.58 Date: Mon, 10 Jan 2000 01:19:25 -0500 To: Mojahedul Hoque Abul Hasanat , FreeBSD-Questions@FreeBSD.ORG From: Jim Conner Subject: Re: Question about restricted shell account. In-Reply-To: <20000111113354.B313@mars.cosmos.net> References: <20000110181654.1149.qmail@nwcst289.netaddress.usa.net> Mime-Version: 1.0 Content-Type: text/plain; charset="us-ascii"; format=flowed Sender: owner-freebsd-questions@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.ORG At 11:33 11-01-00 +0600, Mojahedul Hoque Abul Hasanat wrote: >On Mon, Jan 10, 2000 at 03:04:51PM -0600, De la Cruz Lugo Eric >wrote: > > > > Some out there knows about a restricted shell that runs on > > FreeBSD in order to denny users to cd up their home dir. ?, > > thanks in advance. > >A restricted shell will not prevent them from running another >shell (bash, tcsh, ...) or program like emacs and changing the >directory. From what I understand about rksh and some others this is not entirely accurate. rksh will only run whats in the PATH provided for it. Hence, if you PATH /usr/bin or /usr/local/bin then yes, the restricted user will be able to run another shell. However, if you do what is suggested in the man page and create a local bin directory (or directory of your choice) and place only the binaries you allow for that user to execute then you should be safe. man (1) ksh ... -r restricted mode -- see below ... A shell is interactive if the -i option is used or if both standard input and standard error are attached to a tty. An interactive shell has job control enabled (if avail- able), ignores the INT, QUIT and TERM signals, and prints prompts before reading input (see PS1 and PS2 parameters). For non-interactive shells, the trackall option is on by default (see set command below). A shell is restricted if the -r option is used or if either the basename of the name the shell is invoked with or the SHELL parameter match the pattern *r*sh (e.g., rsh, rksh, rpdksh, etc.). The following restrictions come into effect after the shell processes any profile and $ENV files: o the cd command is disabled o the SHELL, ENV and PATH parameters can't be changed o command names can't be specified with absolute or relative paths o the -p option of the command built-in can't be used o redirections that create files can't be used (i.e., >, >|, >>, <>) Essentially, this restricted shell is chroot'ed (as far as I understand a chroot to be) plus more restricted since the user can't cd. Jim >What you want is chroot. You may want to make a script/program >that first chroots to the desired directory and then execs a >shell (restricted perhaps). > > >-- >Mojahed > > >To Unsubscribe: send mail to majordomo@FreeBSD.org >with "unsubscribe freebsd-questions" in the body of the message ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Today's errors, in contrast: Windows - "Invalid page fault in module kernel32.dll at 0032:A16F2935" UNIX - "segmentation fault - core dumped" Humanous Beingsus - "OOPS, I've fallen and I can't get up" ------------------------------- Jim Conner NOTJames jconner@enterit.com To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-questions" in the body of the message