Return to BSD News archive
Path: euryale.cc.adfa.oz.au!newshost.anu.edu.au!harbinger.cc.monash.edu.au!yarrina.connect.com.au!munnari.OZ.AU!spool.mu.edu!howland.reston.ans.net!swrinde!newsfeed.internetmci.com!in1.uu.net!EU.net!Germany.EU.net!zib-berlin.de!news.tu-chemnitz.de!irz401!uriah.heep!not-for-mail
From: j@uriah.heep.sax.de (J Wunsch)
Newsgroups: comp.unix.bsd.freebsd.misc
Subject: Re: Restricted shell in FreeBSD?
Date: 18 Nov 1995 13:05:26 +0100
Organization: Private FreeBSD site, Dresden.
Lines: 23
Message-ID: <48ki66$ktk@uriah.heep.sax.de>
References: <48dc2k$aki@maui.cc.odu.edu>
NNTP-Posting-Host: uriah.heep.sax.de
Mime-Version: 1.0
Content-Type: text/plain; charset=ISO-8859-1
Content-Transfer-Encoding: 8bit
Keywords: restricted shell
Jonathan Sturges <sturgesj@bosco.cc.odu.edu> wrote:
>My nutshell book, "Practical Unix Security," sez that for BSD systems in
>general, you can create a restricted shell by making a link to /bin/sh. It
>says that sh will look to see what name was used to invoke it, and behave
>accordingly.
>Anyway, I tested it, and it didn't seem to be restrictive at all.
{Free,Net}BSD don't have restricted shells.
The so-called ``restricted shells'' i've seen on commercial unices so
far do rather open a can of worms security-wise (by making the
sysadmin believe he did something for the security, which is mostly
not true) than plugging any security hole.
Most of the people who wanna have a restricted shell intend to use it
as a user's login shell. This is never the right way to go. A chroot
tree is more secure, but much more work.
--
cheers, J"org
joerg_wunsch@uriah.heep.sax.de -- http://www.sax.de/~joerg/ -- NIC: JW11-RIPE
Never trust an operating system you don't have sources for. ;-)