*BSD News Article 55598



Newsgroups: comp.unix.bsd.freebsd.misc
Path: euryale.cc.adfa.oz.au!newshost.anu.edu.au!harbinger.cc.monash.edu.au!news.mel.connect.com.au!yarrina.connect.com.au!munnari.OZ.AU!spool.mu.edu!howland.reston.ans.net!gatech!newsfeed.internetmci.com!EU.net!Germany.EU.net!news.maz.net!news.shlink.de!thor.shn.com!hw
From: hw@thor.shn.com (Henning Wickhorst)
Subject: Re: Restricted shell in FreeBSD?
X-Newsreader: TIN [version 1.2 PL2]
Reply-To: h.wickhorst@elmshorn.netsurf.de
Organization: Private site
Message-ID: <DIAr9y.1np@thor.shn.com>
References: <48dc2k$aki@maui.cc.odu.edu> <48ki66$ktk@uriah.heep.sax.de>
Date: Sun, 19 Nov 1995 15:34:45 GMT
Lines: 39

J Wunsch (j@uriah.heep.sax.de) wrote:
: Jonathan Sturges <sturgesj@bosco.cc.odu.edu> wrote:

: >My nutshell book, "Practical Unix Security," sez that for BSD systems in 
: >general, you can create a restricted shell by making a link to /bin/sh.  It 
: >says that sh will look to see what name was used to invoke it, and behave 
: >accordingly.
: >Anyway, I tested it, and it didn't seem to be restrictive at all.

: {Free,Net}BSD don't have restricted shells.

: The so-called ``restricted shells'' I've seen on commercial unices so
: far do rather open a can of worms security-wise (by making the
: sysadmin believe he did something for the security, which is mostly
: not true) than plug any security hole.

: Most of the people who wanna have a restricted shell intend to use it
: as a user's login shell.  This is never the right way to go.  A chroot
: tree is more secure, but much more work.

Yes, that's right. A restricted shell isn't very secure indeed.

Jonathan:
But if you want a 'restricted shell' anyway, you should look
at pdksh. You can compile it and link 'ksh' to 'rksh', that's it.

But be very careful about trusting its security promises. If the user's
PATH includes '/bin', for example, he can execute 'sh' and he has a
non-restricted shell.

So you have to do many more things to make that account secure, so
I think a chroot tree would be best.

Henning

--
------------------------------------------------------------------
Henning Wickhorst        Elmshorn, Germany         hw@thor.shn.com
------------------------------------------------------------------
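As an added example (not part of the original thread), a small POSIX shell audit that checks the PATH given to a restricted pdksh 'rksh' account for directories containing an unrestricted shell, which is the escape Henning describes. The directory tree, the shell name list and the paths are constructed for the demonstration; on a real host /etc/shells is the authoritative list.

```shell
#!/bin/sh
# Added example, not from the thread: rksh stops the user from changing
# PATH or running commands by pathname, so whatever is reachable through
# PATH decides whether the restriction holds. The shell names below are
# an assumed list; /etc/shells on the real host is authoritative.

UNRESTRICTED_SHELLS="sh csh ksh bash tcsh zsh"

# path_escape_dirs PATHVALUE
# Prints every executable "<dir>/<shell>" found on PATHVALUE.
# Returns 0 when the PATH is clean, 1 when at least one shell was found.
path_escape_dirs() {
    _found=0
    _saved_ifs=$IFS
    IFS=:
    set -- $1                  # split PATHVALUE on ':' into $1 $2 ...
    IFS=$_saved_ifs
    for _dir in "$@"; do
        [ -z "$_dir" ] && _dir=.   # empty component means current dir
        for _sh in $UNRESTRICTED_SHELLS; do
            if [ -x "$_dir/$_sh" ]; then
                echo "$_dir/$_sh"
                _found=1
            fi
        done
    done
    return $_found
}

# Constructed demonstration tree (no real system directories touched):
#   $demo/bin  holds sh and ksh, like a real /bin
#   $demo/rbin holds only the commands the restricted user should get
demo=$(mktemp -d)
mkdir -p "$demo/bin" "$demo/rbin"
for f in bin/sh bin/ksh rbin/ls rbin/mail; do
    : > "$demo/$f" && chmod 755 "$demo/$f"
done

weak_path="$demo/bin:$demo/rbin"   # the mistake the post describes
safe_path="$demo/rbin"             # only the vetted directory

echo "== weak PATH ($weak_path) =="
path_escape_dirs "$weak_path" || echo "-> user can escape rksh"
echo "== corrected PATH ($safe_path) =="
path_escape_dirs "$safe_path" && echo "-> no shell reachable via PATH"

rm -rf "$demo"
```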