Return to BSD News archive
Path: euryale.cc.adfa.oz.au!newshost.carno.net.au!harbinger.cc.monash.edu.au!news.telstra.net!act.news.telstra.net!news-out.internetmci.com!newsfeed.internetmci.com!cpk-news-hub1.bbnplanet.com!news.bbnplanet.com!newsfeed.nacamar.de!news1.best.com!nntp1.ba.best.com!not-for-mail
From: dillon@flea.best.net (Matt Dillon)
Newsgroups: comp.unix.bsd.freebsd.misc
Subject: Re: Are there any Good Restricted Shells Around ?
Date: 13 Jun 1997 09:23:43 -0700
Organization: Best Internet Communications, Inc. - 415 964 BEST
Lines: 25
Message-ID: <5nrs6f$sbs$1@flea.best.net>
References: <3397999F.7ABF@dpie.gov.au>
NNTP-Posting-Host: flea.best.net
Xref: euryale.cc.adfa.oz.au comp.unix.bsd.freebsd.misc:42934
:In article <3397999F.7ABF@dpie.gov.au>,
:Wayne Farmer <wayne.farmer@dpie.gov.au> wrote:
:>I am aware of Sun's /usr/lib/rsh restricted shell which limits what a
:>user can do.
:>
:>I am also aware of osh (the operator shell) which limits root
:>permissions for a customised list of commands based on user's group.
:>(So one can give operators etc. access to particular commands as root).
:>
:>Does anyone know of any other alternatives that could provide a "sort
:>of" chrooted telnet type of environment ?
:>
:>Wayne
I would avoid restricted shells like the plague. They are usually
full of holes. For example, if you have a non-chroot'd restricted shell
that allows vi, you can run a shell-escape from vi. If you have a
chroot'd shell, there is not generally much usefullness to the
restricted shell anyway (certainly no more then if you did some simple
group fiddling to give the operator access to what he needed access to).
Restricted shells make every binary on the system a potential security
hole.
-Matt