Return to BSD News archive
Path: euryale.cc.adfa.oz.au!newshost.carno.net.au!harbinger.cc.monash.edu.au!munnari.OZ.AU!news.ecn.uoknor.edu!feed1.news.erols.com!worldnet.att.net!news.mathworks.com!fu-berlin.de!irz401!orion.sax.de!uriah.heep!news From: j@uriah.heep.sax.de (J Wunsch) Newsgroups: comp.unix.bsd.freebsd.misc Subject: Re: Restricted Shell? Date: 18 Apr 1997 19:28:39 GMT Organization: Private BSD site, Dresden Lines: 27 Message-ID: <5j8i17$5mt@uriah.heep.sax.de> References: <3344939f.9541354@news.hiwaay.net> Reply-To: joerg_wunsch@uriah.heep.sax.de (Joerg Wunsch) NNTP-Posting-Host: localhost.heep.sax.de Mime-Version: 1.0 Content-Type: text/plain; charset=ISO-8859-1 Content-Transfer-Encoding: 8bit X-Newsreader: knews 0.9.6 X-Phone: +49-351-2012 669 X-PGP-Fingerprint: DC 47 E6 E4 FF A6 E9 8F 93 21 E0 7D F9 12 D6 4E Xref: euryale.cc.adfa.oz.au comp.unix.bsd.freebsd.misc:39320 whuff@airnet.net (Walter Huff) wrote: > I need to provide a user restricted access to a FreeBSD machine which > I administer. Using a ``restricted'' shell for this of work kind is the worst abuse you could do. You don't need to give your users a restricted shell then at all. If they are stupid, they won't notice the difference anyway, and if they are clever, they probably won't take more than 15 minutes to circumvent the ``restrictions''. The restricted shells have been invented to make script systems a little less risky. As soon as someone gets an interactive prompt on it, your bets are off. I consider them a big security hole, for giving the admin a warm feeling where he should get a cold shudder. If you really need to give somebody restricted shell access, consider the (hard) work of setting up a chroot environment. Still, he can abuse the network connections (if there are any), but it's way safer than what any restricted shell could offer you. -- cheers, J"org joerg_wunsch@uriah.heep.sax.de -- http://www.sax.de/~joerg/ -- NIC: JW11-RIPE Never trust an operating system you don't have sources for. ;-)