From: doug
Reply-To: doug@safeport.com
Date: Thu, 18 Nov 2010 11:15:52 -0500 (EST)
To: Julian Fagir
Cc: freebsd-questions@freebsd.org
Subject: Re: Escaping from shell-scripts
In-Reply-To: <20101118145239.10937b78@adolfputzen>

On Thu, 18 Nov 2010, Julian Fagir wrote:

> Hi,
>
> I'm planning a service with a login user interface. Thus, I want to restrict
> the user somehow to this script and to do nothing else.
>
> The straightforward way would be to write this script, have all input parsed
> by read and then let the script act according to this input (let's assume
> that these tools are secure; it's just cp'ing and writing to
> non-sensitive files).
>
> Are there possibilities to escape from such a script down to a prompt?
>
> On the other hand, if I would take Python for this, so a Python script is
> executed, are there ways to get to a generic Python prompt?
>
> The restriction to that script would be done by either setting the
> login shell to that script, setting the ssh command for that account/key (and
> ensuring that it can't be altered), or both.
>
>
> All in all, this is a more general question I have had for quite some time: Can you
> use shell scripts for security-relevant environments? Does an attacker have
> the possibility to escape from a script down to a prompt?
>
> I'm not that into shell programming, and there are too many legacies about
> terminals (some time ago, I had to cope with termcap...) and shells which one
> just can't all know.
> E.g., it was just a few days ago I found out what a terminal stop means and
> that it is still interpreted by screen, though I have been using it for several years now.
>
>
> Regards, Julian

If you make a program a shell, AFAIK the way to escape is to log off. Bash has a chroot-like facility that might work. However, if you write a simple C program as a wrapper for your shell script and make that program a shell, I would think that is pretty secure.
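As an added illustration of the C-wrapper-as-login-shell idea above (example code, not from the thread or from FreeBSD), this wrapper ignores its own arguments (so an ssh client asking for a command via `-c` gets the menu anyway), throws away the inherited environment (ENV, BASH_ENV, PATH, LD_* and friends), carries over only a validated TERM for termcap, and execs a fixed script; the script path /usr/local/libexec/menu.sh is a hypothetical placeholder.

```c
#include <ctype.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>

/* Hypothetical path of the menu script the account is confined to. */
#define MENU_SCRIPT "/usr/local/libexec/menu.sh"
#define MAX_ENV 8

/* TERM is the one inherited value the script may legitimately need (for
 * termcap). Accept only short, plain names so a hostile value cannot carry
 * shell metacharacters or an oversized string into the script. */
static int term_is_safe(const char *term)
{
    size_t n = strlen(term);
    if (n == 0 || n > 32)
        return 0;
    for (size_t i = 0; i < n; i++) {
        unsigned char c = (unsigned char)term[i];
        if (!isalnum(c) && c != '-' && c != '_' && c != '.' && c != '+')
            return 0;
    }
    return 1;
}

/* Build the environment the script runs with: everything inherited from
 * sshd/login is dropped (ENV, BASH_ENV, IFS, PATH, LD_*, ...), fixed values
 * are substituted, and only a validated TERM is carried over.
 * Returns the number of entries written; out[] is NULL-terminated. */
static size_t build_clean_env(char *const inherited[], char *out[], size_t max)
{
    size_t n = 0;
    out[n++] = "PATH=/bin:/usr/bin";
    out[n++] = "SHELL=" MENU_SCRIPT;
    for (size_t i = 0; inherited[i] != NULL && n < max - 1; i++) {
        if (strncmp(inherited[i], "TERM=", 5) == 0 &&
            term_is_safe(inherited[i] + 5)) {
            out[n++] = inherited[i];
            break;
        }
    }
    out[n] = NULL;
    return n;
}

int main(int argc, char *argv[])
{
    extern char **environ;
    char *env[MAX_ENV];
    (void)argc; (void)argv;  /* "-c cmd" or anything else is ignored on purpose */
    build_clean_env(environ, env, MAX_ENV);
    char *const script_argv[] = { MENU_SCRIPT, NULL };
    execve(MENU_SCRIPT, script_argv, env);  /* only returns on failure */
    perror("execve");
    return 1;
}
```

Compile it, install the binary as the account's login shell, and keep the script itself root-owned and not writable by the confined user.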