Restricted Shell - does it still exist.

Arthur S. Kamlet ask at cbnews.ATT.COM
Thu Aug 17 09:26:38 AEST 1989


In article <20623 at adm.BRL.MIL> FAUSETT at tops20.radc.af.mil writes:
>
>I'm looking for something like the old AT&T restricted shell (found in System
>III and possibly later?) for a Sun system.  I've got a guest user I need to 
>set up on the system with whom I have a good bit of trust, but still want to 
>discourage from poking around the system.
>
>Does anyone know if such a beastie still exists?

Mark:

I don't know if the old rsh is available or not.  However, it had
several major deficiencies, and in that form is probably not
recommended.

Instead, you may want to write a small program to simulate
a restricted shell, and use it in the /etc/passwd entry for
restricted users.

It should do the following:   (System V assumed)

1. In his .profile:
   PATH=/RESTRICTED_DIRECTORY
   readonly PATH

.profile must be non-writable by the user, and not owned by
the user.  And all parent directories must be non-writable by the
user.



2. Install a small set of commands in /some_path/RESTRICTED_DIRECTORY

These commands should be the minimal set needed by a restricted
user.

One characteristic of these commands is they should never allow the
user to escape the shell.  (A RESTRICTED mail, vi, etc. may need to
be written to prevent such escapes - easy to do with the source.)


4. Put restricted users into a restricted file
system by making that filesystem his root filesystem.
Then, he can't cd to /bin and try to ./command or 
try to /bin/command  or something similar. In fact,
make /some_path/RESTRICTED_DIRECTORY the filesystem.  As far as he is
concerned, /some_path/RESTRICTED_DIRECTORY is his root directory.

I may have left out something, but these are all fairly simple
to do, and should provide a good deal of restriction.
I'm sure lots of people will point out why it really isn't secure,
however.
-- 
Art Kamlet  a_s_kamlet at att.com  AT&T Bell Laboratories, Columbus
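
The ownership and permission conditions from step 1 of the post above, as an added audit script that is not part of the original post. The function names, the optional top-directory argument and the script name in the usage comment are assumptions of this example, and flagging every group-writable path is a deliberately conservative simplification.

```shell
#!/bin/sh
# Added example (not from the original post): audit step 1's conditions.
# check_path UID PATH: report if the account with numeric id UID owns PATH,
# or if PATH is group- or world-writable. Flagging every group-writable
# path is a conservative simplification (group membership is not resolved).
check_path() {
    cp_uid=$1
    cp_path=$2
    cp_rc=0
    # "ls -ldn" prints the mode string first and the numeric owner third.
    set -- $(ls -ldn -- "$cp_path" 2>/dev/null | awk '{print $1, $3}')
    if [ $# -ne 2 ]; then
        echo "FAIL $cp_path: cannot stat"
        return 2
    fi
    if [ "$2" = "$cp_uid" ]; then
        echo "FAIL $cp_path: owned by uid $cp_uid"
        cp_rc=1
    fi
    case $1 in ?????w*) echo "FAIL $cp_path: group-writable ($1)"; cp_rc=1 ;; esac
    case $1 in ????????w*) echo "FAIL $cp_path: world-writable ($1)"; cp_rc=1 ;; esac
    return $cp_rc
}

# audit_profile UID PROFILE [TOP]: check PROFILE and every parent directory
# up to TOP (default /). Paths must be absolute. Returns 0 only if all pass.
audit_profile() {
    ap_uid=$1
    ap_cur=$2
    ap_top=${3:-/}
    ap_rc=0
    while :; do
        if ! check_path "$ap_uid" "$ap_cur"; then ap_rc=1; fi
        if [ "$ap_cur" = "$ap_top" ] || [ "$ap_cur" = / ]; then break; fi
        ap_cur=$(dirname "$ap_cur")
    done
    return $ap_rc
}

# Stand-alone use (script name is hypothetical):
#   sh audit.sh UID /absolute/path/.profile [TOP]
if [ $# -ge 2 ]; then
    audit_profile "$@"
fi
```

Run it as root against the restricted account's numeric uid; any FAIL line names a file or directory through which the user could replace .profile and undo the readonly PATH.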


