On Tue, 5 Apr 2005, Anthony Atkielski wrote:
> If I want to allow external users to log on under only one permissible username, which immediately and unconditionally executes only one program (no shell access), via telnet, what is the most secure way to set this up? I've always understood telnet to be somewhat of a Pandora's box for security, but I don't know if that applies to the protocol itself, or to telnetd, or if it just refers to the many dangers of shell access, or what. If there is a way to secure this type of access, I'd like to try it on my test server (I won't risk the production server, of course), as an exercise in setting up custom environments.
>
> Any suggestions on how best to do this securely?
>
> If a specific user is restricted to a specific program at login (via /etc/passwd), is there _any_ way he can sneak out to a shell, assuming that the program he is forced to run does _not_ provide shellout access?

Sure there is. If there is any possibility of a buffer overflow error in that one program you let your users run, or "login" for that matter.
But, running the program as a login shell could at least minimize the possibilities I guess. Not that I've tried it myself. Go read about chroot and jail in the manpages and you'll think of something.
/andreas
--
A: Because it fouls the order in which people normally read text.
Q: Why is top-posting such a bad thing?
A: Top-posting.
Q: What is the most annoying thing on usenet and in e-mail?
_______________________________________________
[email protected] mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-questions
To unsubscribe, send any mail to "[EMAIL PROTECTED]"
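One way to set up the /etc/passwd approach Anthony asks about, as an added example that is not part of the thread and not code from either poster: a captive login shell that ignores whatever it is invoked with, rebuilds the environment, and execs exactly one program. The paths are assumptions for the example: the permitted program is /usr/local/bin/menu, the wrapper is installed as /usr/local/bin/menu-shell, and /usr/sbin/nologin is used as the value of $SHELL so programs that honour it for shell escapes get nothing. check_passwd_shell is a small audit helper for reviewing passwd lines, also added here.

```sh
#!/bin/sh
# Added example (not from the thread): a captive login shell that
# unconditionally runs exactly one program. Assumed names: the permitted
# program lives at /usr/local/bin/menu, and this script is installed as
# /usr/local/bin/menu-shell (root-owned, mode 0755) and set as the
# account's shell, e.g.
#   pw useradd guest -s /usr/local/bin/menu-shell -d /home/guest -m

# The single program the account may run (assumed path; the variable is
# overridable only so the functions can be exercised in a test).
RESTRICTED_PROGRAM="${RESTRICTED_PROGRAM:-/usr/local/bin/menu}"

# Replace this process with the permitted program.
# Arguments are ignored on purpose: login(1) passes none, but anything that
# invokes the account's shell as "shell -c CMD" (sshd, rsh-style tools)
# would otherwise turn the wrapper into arbitrary command execution.
run_restricted() {
    umask 077
    # TERM is chosen by the remote client; allow only a plain terminal name.
    case "${TERM:-}" in
        ''|*[!A-Za-z0-9-]*) TERM=vt100 ;;
    esac
    # Build the environment from scratch instead of trusting what came in:
    # no LD_PRELOAD/LD_LIBRARY_PATH, no ENV/BASH_ENV, no caller-chosen PATH.
    # SHELL points at nologin (assumed path) so programs that shell out via
    # $SHELL (editors, pagers) cannot hand the user an interactive shell.
    exec /usr/bin/env -i \
        PATH=/bin:/usr/bin \
        HOME="${HOME:-/nonexistent}" \
        USER="${USER:-guest}" \
        TERM="$TERM" \
        SHELL=/usr/sbin/nologin \
        "$RESTRICTED_PROGRAM"
}

# Audit helper for /etc/passwd lines: returns 0 only if the shell field
# (field 7) is an absolute path that is not an ordinary interactive shell.
# Usage: check_passwd_shell 'name:*:uid:gid:gecos:home:shell'
check_passwd_shell() {
    shell=$(printf '%s\n' "$1" | cut -d: -f7)
    case "$shell" in
        /*) ;;            # must be an absolute path
        *)  return 1 ;;
    esac
    case "$shell" in
        */sh|*/csh|*/tcsh|*/bash|*/zsh|*/ksh) return 1 ;;
    esac
    return 0
}

# login(1) starts the login shell with argv[0] "-menu-shell"; only then
# run the captive program. Sourcing the file merely defines the functions.
case "$0" in
    *menu-shell) run_restricted ;;
esac
```

Compared with simply putting /usr/local/bin/menu in the shell field, the wrapper also discards "-c" arguments, strips the inherited environment and pins $SHELL. It does nothing about the two things Andreas points to: a memory-corruption bug in the captive program, or in login itself, still yields a shell, which is why he suggests chroot or jail(8) around it; and the telnet session itself still carries the password in cleartext.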
