Date: Wed, 12 Jan 2000 12:08:07 +0600
From: Mojahedul Hoque Abul Hasanat
To: FreeBSD-Questions@FreeBSD.ORG
Subject: Re: Question about restricted shell account.

On Mon, Jan 10, 2000 at 01:19:25AM -0500, Jim Conner wrote:
> >
> >A restricted shell will not prevent them from running another
> >shell (bash, tcsh, ...) or program like emacs and changing the
> >directory.
>
> From what I understand about rksh and some others this is not
> entirely accurate. rksh will only run what's in the PATH
> ...
> and place only the binaries you allow for that user to execute
> then you should be safe.

I agree with you here.

> [ snip ]
> Essentially, this restricted shell is chroot'ed (as far as I
> understand a chroot to be) plus more restricted since the user
> can't cd.

Once you chroot, you can not access anything outside the chroot
jail in any way.
But with only a restricted shell, you have to be very careful about
what you place in PATH. You have to make sure that no program can do
a cd or run something outside PATH. Even a harmless vi can ruin your
day. So, you may still want to use chroot in addition to a restricted
shell.

-- 
Mojahed
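
The PATH check this message calls for, as an added example that is not part of the original post: a POSIX sh function that audits the directory a restricted user's PATH points at. The function names, the `RISKY_NAMES` list (the programs named in the thread) and the `SHELLS_FILE` override are assumptions, and `readlink -f` is assumed to be available.

```shell
#!/bin/sh
# Added example: audit the directory a restricted-shell user's PATH points at.
# RISKY_NAMES holds the programs named in the thread (shells, emacs, vi);
# the list and the SHELLS_FILE default are assumptions to adapt per site.
RISKY_NAMES="sh csh tcsh ksh bash emacs vi"
SHELLS_FILE=${SHELLS_FILE:-/etc/shells}

# is_risky PATH: true if the basename is a listed program or PATH is a login shell.
is_risky() {
    base=${1##*/}
    for r in $RISKY_NAMES; do
        [ "$base" = "$r" ] && return 0
    done
    [ -r "$SHELLS_FILE" ] && grep -qxF "$1" "$SHELLS_FILE"
}

# audit_rbin DIR: print one finding per line; return 0 if clean, 1 if not.
audit_rbin() {
    [ -d "$1" ] || { echo "ERROR not a directory: $1"; return 2; }
    dir=$(cd "$1" && pwd -P)
    rc=0
    # Anyone who can write here can add programs to the allowed set.
    if [ -n "$(find "$dir" -prune \( -perm -020 -o -perm -002 \))" ]; then
        echo "WRITABLE $dir"; rc=1
    fi
    for entry in "$dir"/*; do
        [ -e "$entry" ] || continue          # empty dir or dangling link
        # Resolve links so a shell or editor under another name is still caught.
        target=$(readlink -f "$entry" 2>/dev/null) || target=$entry
        if is_risky "$entry" || is_risky "$target"; then
            echo "RISKY ${entry##*/} -> $target"; rc=1
        fi
    done
    return $rc
}
```

Source the file and call `audit_rbin` on the restricted user's bin directory; a clean result only covers the names listed, so every program left in that directory still needs a manual review.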