Date: Sun, 24 Sep 2000 18:47:54 -0500 (CDT) From: missnglnk <missnglnk@sneakerz.org> To: "Forrest W. Christian" <forrestc@imach.com> Cc: "Jonathan M. Slivko" <jmslivko@mindspring.com>, freebsd-isp@FreeBSD.ORG, Tom <tom@toetag.com> Subject: Re: Backround Proccess Limiter Message-ID: <Pine.BSF.4.21.0009241838430.20536-100000@sneakerz.org> In-Reply-To: <Pine.BSF.4.21.0009232321570.4884-100000@workhorse.iMach.com>
next in thread | previous in thread | raw e-mail | index | archive | help
Whoops. jumped the gun, I saw 'process limiter', and thought about
amounts, sorry about that...a restricted shell (rbash is what I can
think of off head), a directory containing only the allowed programs
to be executed, and a PATH configured by the administrator, here's
the snippet from the bash manpage about its restricted shell mode:
-- snip --
RESTRICTED SHELL
If bash is started with the name rbash, or the -r option
is supplied at invocation, the shell becomes restricted.
A restricted shell is used to set up an environment more
controlled than the standard shell. It behaves identi-
cally to bash with the exception that the following are
disallowed or not performed:
o changing directories with cd
o setting or unsetting the values of SHELL, PATH,
ENV, or BASH_ENV
o specifying command names containing /
o specifying a file name containing a / as an argu-
ment to the . builtin command
o Specifying a filename containing a slash as an
argument to the -p option to the hash builtin com-
mand
o importing function definitions from the shell envi-
ronment at startup
o parsing the value of SHELLOPTS from the shell envi-
ronment at startup
o redirecting output using the >, >|, <>, >&, &>, and
>> redirection operators
o using the exec builtin command to replace the shell
with another command
o adding or deleting builtin commands with the -f and
-d options to the enable builtin command
o specifying the -p option to the command builtin
command
o turning off restricted mode with set +r or set +o
restricted.
These restrictions are enforced after any startup files
are read.
When a command that is found to be a shell script is exe-
cuted (see COMMAND EXECUTION above), rbash turns off any
restrictions in the shell spawned to execute the script.
-- snip --
Once again, sorry for jumping the gun, and good luck!
--
missnglnk@sneakerz.org
http://www.sneakerz.org/~missnglnk
On Sat, 23 Sep 2000, Forrest W. Christian wrote:
> Date: Sat, 23 Sep 2000 23:23:48 -0600 (MDT)
> From: Forrest W. Christian <forrestc@imach.com>
> To: missnglnk <missnglnk@sneakerz.org>
> Cc: Jonathan M. Slivko <jmslivko@mindspring.com>, freebsd-isp@FreeBSD.ORG,
> Tom <tom@toetag.com>
> Subject: Re: Backround Proccess Limiter
>
> Forgive me for being ignorant, but how does this prevent someone from
> running an unauthorized background process on a machine?
>
> If it has this capabibility it is either non-obvious or I'm being blind.
>
> -forrestc@imach.com
>
> On Sat, 23 Sep 2000, missnglnk wrote:
>
> > Date: Sat, 23 Sep 2000 21:43:48 -0500 (CDT)
> > From: missnglnk <missnglnk@sneakerz.org>
> > To: Jonathan M. Slivko <jmslivko@mindspring.com>
> > Cc: freebsd-isp@FreeBSD.ORG, Tom <tom@toetag.com>
> > Subject: Re: Backround Proccess Limiter
> >
> > Umm, I'm surpoised, on one has come across user/process limits which are
> > in the base system, see the login.conf(5) and the existing /etc/login.conf
> > example, and you'll see why you don't need homegrown code, or any other
> > extensions onto the system.
> > --
> > missnglnk@sneakerz.org
> > http://www.sneakerz.org/~missnglnk
> >
> > On Sat, 23 Sep 2000, Jonathan M. Slivko wrote:
> >
> > > Date: Sat, 23 Sep 2000 22:30:25 -0400
> > > From: Jonathan M. Slivko <jmslivko@mindspring.com>
> > > To: freebsd-isp@freebsd.org, Tom <tom@toetag.com>
> > > Subject: Re: Backround Proccess Limiter
> > >
> > > I agree. That is harsh. I was thinking of maybe a piece of homegrown code
> > > that could do the job. Any ideas as to if someone has already done it in
> > > FreeBSD?
> > >
> > > -- Jonathan M. Slivko
> > >
> > > ----- Original Message -----
> > > From: "Tom" <tom@toetag.com>
> > > To: <freebsd-isp@freebsd.org>
> > > Sent: Saturday, September 23, 2000 9:59 PM
> > > Subject: Re: Backround Proccess Limiter
> > >
> > >
> > > > On Sat, 23 Sep 2000 18:50:42 MDT, "Forrest W. Christian" writes:
> > > > >On Sat, 23 Sep 2000, Jonathan M. Slivko wrote:
> > > > >
> > > > >> I'm trying to set up a machine so no eggdrop bots will be able to
> > > > >> load, but BitchX and BNC sessions will load. I need some kind of
> > > > >> proccess limiter of some kind to help acheive this task. Does anyone
> > > > >> know if FreeBSD has one in it already? If so, where can I find it?
> > > > >
> > > > >Although it doesn't prevent the load, there is the option of killing all
> > > > >of the user's processes when they logout...
> > > > >
> > > > >(Gotta be careful not to do this for the wrong user (i.e. root))
> > > > >
> > > >
> > > > You could also install the software you want them to run and then
> > > > mount all user writable filesystems noexec, including homedirs.
> > > > Harsh but it works.
> > > > --
> > > > tom@unhooked.net ICQ - 16163541
> > > > Spam: the other white meat. AIM - twjansen
> > > >
> > > >
> > > >
> > > >
> > > > To Unsubscribe: send mail to majordomo@FreeBSD.org
> > > > with "unsubscribe freebsd-isp" in the body of the message
> > >
> > >
> > >
> > > To Unsubscribe: send mail to majordomo@FreeBSD.org
> > > with "unsubscribe freebsd-isp" in the body of the message
> > >
> >
> >
> >
> > To Unsubscribe: send mail to majordomo@FreeBSD.org
> > with "unsubscribe freebsd-isp" in the body of the message
> >
>
> - Forrest W. Christian (forrestc@imach.com) AC7DE
> ----------------------------------------------------------------------
> iMach, Ltd., P.O. Box 5749, Helena, MT 59604 http://www.imach.com
> Solutions for your high-tech problems. (406)-442-6648
> ----------------------------------------------------------------------
>
>
To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-isp" in the body of the message
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?Pine.BSF.4.21.0009241838430.20536-100000>