Path: euryale.cc.adfa.oz.au!newshost.carno.net.au!harbinger.cc.monash.edu.au!news.telstra.net!act.news.telstra.net!news-out.internetmci.com!newsfeed.internetmci.com!cpk-news-hub1.bbnplanet.com!news.bbnplanet.com!newsfeed.nacamar.de!news1.best.com!nntp1.ba.best.com!not-for-mail
From: dillon@flea.best.net (Matt Dillon)
Newsgroups: comp.unix.bsd.freebsd.misc
Subject: Re: Are there any Good Restricted Shells Around ?
Date: 13 Jun 1997 09:23:43 -0700
Organization: Best Internet Communications, Inc. - 415 964 BEST
Lines: 25
Message-ID: <5nrs6f$sbs$1@flea.best.net>
References: <3397999F.7ABF@dpie.gov.au>
NNTP-Posting-Host: flea.best.net
Xref: euryale.cc.adfa.oz.au comp.unix.bsd.freebsd.misc:42934

:In article <3397999F.7ABF@dpie.gov.au>,
:Wayne Farmer <wayne.farmer@dpie.gov.au> wrote:
:>I am aware of Sun's /usr/lib/rsh restricted shell which limits what a
:>user can do.
:>
:>I am also aware of osh (the operator shell) which limits root
:>permissions for a customised list of commands based on user's group.
:>(So one can give operators etc. access to particular commands as root).
:>
:>Does anyone know of any other alternatives that could provide a "sort
:>of" chrooted telnet type of environment ?
:>
:>Wayne

I would avoid restricted shells like the plague. They are usually
full of holes. For example, if you have a non-chroot'd restricted
shell that allows vi, you can run a shell-escape from vi.

If you have a chroot'd shell, there is not generally much usefulness
to the restricted shell anyway (certainly no more than if you did
some simple group fiddling to give the operator access to what he
needed access to).

Restricted shells make every binary on the system a potential
security hole.

-Matt