On Thu, Mar 07, 2002 at 10:31:37AM -0000, Brian Clifton wrote: > Even if a user could do this, wouldn't disabling anonymous FTP be a > simple answer or am I missing something?
The problem isn't accepting ftp connections -- it is allowing users to use the ftp client on the machine with the 'restricted shell' -- because the ftp client allows users to execute programs locally pretty easy. Of course, you have the source to your ftp clients, so feel free to modify your client of choice to prevent that. :) Of course, many unix programs have this ability, because it is useful. Practically every editor, every MUA, every terminal-based web browser, and other useful programs, all have easy access to the shell. Many programs have 'restricted' modes that are supposed to prevent access to the shell, but mistakes happen. Ever wonder what happens if a user sets EDITOR=/bin/sh before editing outgoing email? I never thought about it until today. I wonder what happens. And perhaps someone trying to create a restricted shell probably ought to wonder about it too. :) -- UniNet InfoSec Conference April 15-19 http://infosec.uninet.edu
msg00247/pgp00000.pgp
Description: PGP signature
