Return to BSD News archive
Path: euryale.cc.adfa.oz.au!newshost.anu.edu.au!harbinger.cc.monash.edu.au!simtel!nntp.coast.net!chi-news.cic.net!newsfeed.internetmci.com!btnet!zetnet.co.uk!demon!awfulhak.demon.co.uk!awfulhak.demon.co.uk!not-for-mail From: toor@awfulhak.demon.co.uk (Bourne-again Superuser) Newsgroups: comp.unix.bsd.freebsd.misc Subject: Re: Restricted shell in FreeBSD? Date: 27 Nov 1995 05:18:52 -0000 Organization: None Lines: 29 Message-ID: <49bhns$dvl@awfulhak.demon.co.uk> References: <48dc2k$aki@maui.cc.odu.edu> <48ki66$ktk@uriah.heep.sax.de> <DIAr9y.1np@thor.shn.com> <492sdj$r6g@uriah.heep.sax.de> X-NNTP-Posting-Host: awfulhak.demon.co.uk X-Newsreader: TIN [version 1.2 PL2] J Wunsch (j@uriah.heep.sax.de) wrote: : hw@thor.shn.com (Henning Wickhorst) writes: : > But be very careful in trusting its secure promises. If the user's : > PATH includes '/bin' for example, he can execute 'sh' and he has a : > non restricted shell. : More generally, if the user has any opportunity to create an : executable on the system (run csh, drop a uuencoded binary, unpack a : tar archive, compile a C program etc.), he can quickly bypass the : restrictions. Not if it's set up correctly. You can't run a program by specifying the path name, so if your path just includes non-writable directories, all of the above will fail ! But your "point" is correct - chroot is much more secure ! : -- : cheers, J"org : joerg_wunsch@uriah.heep.sax.de -- http://www.sax.de/~joerg/ -- NIC: JW11-RIPE : Never trust an operating system you don't have sources for. ;-) -- Brian <brian@awfulhak.demon.co.uk> Don't _EVER_ lose your sense of humour....