*BSD News Article 97791



Path: euryale.cc.adfa.oz.au!newshost.carno.net.au!harbinger.cc.monash.edu.au!news.telstra.net!act.news.telstra.net!news-out.internetmci.com!newsfeed.internetmci.com!cpk-news-hub1.bbnplanet.com!news.bbnplanet.com!newsfeed.nacamar.de!news1.best.com!nntp1.ba.best.com!not-for-mail
From: dillon@flea.best.net (Matt Dillon)
Newsgroups: comp.unix.bsd.freebsd.misc
Subject: Re: Are there any Good Restricted Shells Around ?
Date: 13 Jun 1997 09:23:43 -0700
Organization: Best Internet Communications, Inc. - 415 964 BEST
Lines: 25
Message-ID: <5nrs6f$sbs$1@flea.best.net>
References: <3397999F.7ABF@dpie.gov.au>
NNTP-Posting-Host: flea.best.net
Xref: euryale.cc.adfa.oz.au comp.unix.bsd.freebsd.misc:42934

:In article <3397999F.7ABF@dpie.gov.au>,
:Wayne Farmer  <wayne.farmer@dpie.gov.au> wrote:
:>I am aware of Sun's /usr/lib/rsh restricted shell which limits what a
:>user can do.  
:>
:>I am also aware of osh (the operator shell) which limits root
:>permissions for a customised list of commands based on user's group. 
:>(So one can give operators etc. access to particular commands as root).
:>
:>Does anyone know of any other alternatives that could provide a "sort
:>of" chrooted telnet type of environment ?
:>
:>Wayne

    I would avoid restricted shells like the plague.  They are usually
    full of holes.  For example, if you have a non-chroot'd restricted shell 
    that allows vi, you can run a shell-escape from vi.  If you have a
    chroot'd shell, there is not generally much usefulness to the
    restricted shell anyway (certainly no more than if you did some simple
    group fiddling to give the operator access to what he needed access to).
    Restricted shells make every binary on the system a potential security
    hole.

					-Matt