I understand. There is definitely always that possibility that users will get a shell. However, can SELinux help in this case? Perhaps I can confine the users with basic access, one that does not allow a user to run any execution from their home or /tmp. We have a Debian deployment but can migrate our users to CentOS without a problem. I realized running a chroot does not help much since the system only runs postfix and mutt. If I jail mutt, then I have to jail postfix, and if I do that, I defeat the purpose of the jail entirely.

On 05/10/2014 05:01 PM, Derek Martin wrote:
> On Fri, May 09, 2014 at 03:14:03PM -0700, Shawn Zaidermann wrote:
>> Is there a way to completely disable the shell-escape feature?
>
> In short, no.  If you're trying to prevent mutt users from gaining any
> access to the shell, you also have to concern yourself with things
> like:
>
>    my_var=`run arbitrary shell command here`
>
> in the user's .muttrc.  The bottom line is Mutt was not designed for
> restricted access... but then neither was any other e-mail client
> AFAIK.
>
> But also, as the author of rssh, I can tell you that this turns out to
> be an extremely hard problem (though exactly how hard is somewhat OS
> dependent), and is probably not worth your time.  The best you can
> hope for is to restrict unsophisticated users; if you have savvy users
> on your system and they REALLY want to get shell access, they probably
> will.
>
> You have to trust your users, and if you can't you've basically
> already lost the battle.  If you do, then there's no point in
> confining them to your idea of what's safe.

