Date: Thu, 18 Nov 2010 14:52:39 +0100
From: Julian Fagir <gnrp@physik.tu-berlin.de>
To: freebsd-questions@freebsd.org
Subject: Escaping from shell-scripts
Message-ID: <20101118145239.10937b78@adolfputzen>

Hi,

I'm planning a service with a login-user-interface. Thus, I want to restrict the user somehow to this script and to do nothing else.

The straight-forward way would be to write this script, have all input parsed by read and then let the script act according to this input (let's assume that these tools are secure, it's just cp'ing and writing to non-sensitive files). Are there possibilities to escape from such a script down to a prompt?

On the other hand, if I would take python for this, so a python-script is executed, are there ways to get to a generic python-prompt?

The restriction to that script would be done by either setting the login-shell to that script, setting the ssh-command for that account/key (and ensuring that it can't be altered), or both.

All in all, this is a more general question I have for quite a time: Can you use shell-scripts for security-relevant environments? Does an attacker have the possibility to escape from a script down to a prompt?

I'm not that into shell-programming and there are too many legacies about terminals (some time ago, I had to cope with termcap...) and shells which one just can't all know. E.g., it was just a few days ago I found out what a terminal-stop means and that it is still interpreted by screen, though using it for several years now.

Regards,
Julian
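The setup described in this message, sketched as an added example that is not part of the original post or of any reply: a menu script meant to run as an SSH forced command, reading each line with `read -r`, splitting it without `eval` or globbing, and accepting only allowlisted commands and file names. The `SPOOL` directory, the `copy`/`quit` commands, the `--serve` argument and the script path in the comment are assumptions made for illustration.

```shell
#!/bin/sh
# Added example, not from the original post. SPOOL and the command names
# (copy, quit) are hypothetical; SSH_ORIGINAL_COMMAND is never read or run.
# Assumed use in authorized_keys (path is a placeholder):
#   command="/usr/local/bin/menu.sh --serve",no-port-forwarding ssh-... KEY
set -u
LC_ALL=C; PATH=/bin:/usr/bin; export LC_ALL PATH   # fixed locale and PATH
unset IFS ENV CDPATH                               # default word splitting
SPOOL=${SPOOL:-/var/spool/menu}

# Accept only 1-32 characters from [A-Za-z0-9_]: no '/', '.', '-' or blanks.
valid_name() {
    case $1 in
        ''|*[!A-Za-z0-9_]*) return 1 ;;
    esac
    [ "${#1}" -le 32 ]
}

# Handle one input line. Returns 0 = done, 1 = rejected/failed, 10 = quit.
handle_line() {
    set -f            # no globbing while the line is split into words
    set -- $1         # input is only split, never eval'ed or re-parsed
    set +f
    case ${1:-} in
        copy)
            if [ $# -ne 3 ] || ! valid_name "$2" || ! valid_name "$3"; then
                echo "ERR usage: copy SRC DST"; return 1
            fi
            cp -- "$SPOOL/$2" "$SPOOL/$3" && echo "OK copied" ;;
        quit) return 10 ;;
        *)    echo "ERR unknown command"; return 1 ;;
    esac
}

# Menu loop. When this script is the forced command or login shell,
# EOF or quit ends the script and with it the session.
serve() {
    trap '' INT QUIT TSTP      # ignore ^C, ^\ and ^Z inside the menu
    while printf 'menu> ' && IFS= read -r line; do
        handle_line "$line"
        [ $? -eq 10 ] && break
    done
    exit 0
}

if [ "${1:-}" = "--serve" ]; then serve; fi
```

The script itself starts no pager, editor or interpreter and passes user input to `cp` only as validated, quoted file names under `$SPOOL`.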