>Hi,
>I need (as many of us) to restrict some user account in order to provide
>only some services on our Linux boxes.
>For this purpose it is important to give users a restricted shell that
>locks them in their home directory.
>Under Berkeley UNIX, you can create a restricted shell by creating a hard
>link to the /bin/sh program and giving it the name rsh. When sh starts up,
>it looks at the program name that it was called with to determine what behavior
>it should have.
>When it starts up it executes commands in the $HOME/.profile and once it is
>processed, the following restrictions go into effect:
Goes about the same on RedHat, except that /bin/bash must be called as
rbash.
I don't know if it is compiled in by default (guess not), but the config is
in config.h in the bash source tree.
>- the user can't change the current directory
>- the user can't change the value of the PATH environment variable
>- the user can't use command names containing slashes
>- the user can't redirect output using > or >>
rbash has it all....
>generally on Berkeley UNIX it is enough to do:
>#ln /bin/sh /usr/etc/rsh
Just put rbash somewhere, and add it to /etc/shells (don't forget it !!!)
>and you have the restricted shell.
Yep.
>Note: It is important not to place the rsh in any of the standard system
>program directories so people don't execute it by mistake when they are
>using the remote shell command (rsh).
>I tried it and.. on Caldera OpenLinux Standard 1.1 it is not working...
>Does it work on RedHat? (Right now I only have access to OpenLinux, tomorrow
>I'll check it myself on RH 5.0)
Linking to /bin/rsh doesn't work either in RedHat. Bash MUST be called with
rbash when used as a remote shell....
>Well, if I want to do it on OpenLinux (or RedHat?) I have to look for an sh
>source that would allow me to do it, then compile it, install it on my box,
>create the user home directory with all the hard links to the commands he
>needs (like for example pine and lynx).
I recompiled bash. One disadvantage: I got a bash file of 1 MB, and the
distribution bash is only 300 Kb.....
>After that I'll have to modify the mail delivery agent in order to deliver
>all the user's mail into $HOME/.mail (so he will be able to read it... and
>then modify pine).
>After that, since I want the user to ftp in a restricted environment I have
>to compile and link ls statically, modify the ftpaccess file, etc...
>After that I'll (of course) enable quota.
You can put the users in a guest group. Then ftp will enable an anonymous
behaviour for that user.
>Well, I was wondering if it doesn't make sense if in the next release of
>RedHat we would have to add restricted users as a normal option in
>adduser.... I mean: root would be able to choose to create a normal user or
>one with restricted options..
No, don't think so. rbash is VERY restricted, and only useful for some
ISP's.
>In my opinion the following changes in future releases of OpenLinux (but
>also RedHat, Suse, Slackware, etc) would only benefit the Linux world:
>- the mail delivery agent should always send mail to the user's home directory,
>since even if the user is not restricted this won't bother him.
>- quota should always be enabled, since even if the user is not restricted
>this won't bother him. we can always set it to 500MB or more
>- a statically linked copy of all bin utils should be installed (somewhere)
>by default for emergency purposes
Why ??? I always use a bootup disk. And if I screw up my system, I do it in
such a way that even statically linked executables won't help :)
>- a restricted shell like rsh on Berkeley UNIX should be installed by
>default somewhere
>- all the proper permissions/restrictions should be set
Should be an idea. Don't know if it will be used a lot...
>I'd like to hear what you think about that..
>(maybe I didn't consider something and my proposal isn't worth 0.2c.. in that
>case, please forgive me)
>regards,
>Marco
Igmar
--
PLEASE read the Red Hat FAQ, Tips, Errata and the MAILING LIST ARCHIVES!
http://www.redhat.com/RedHat-FAQ /RedHat-Errata /RedHat-Tips /mailing-lists
To unsubscribe: mail [EMAIL PROTECTED] with
"unsubscribe" as the Subject.
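As an added example (not from this thread and not from either poster), the following POSIX shell script checks the four rbash restrictions listed above against bash's restricted mode, and builds a restricted home directory of the kind Marco describes: the allowed commands linked into $HOME/bin and PATH pinned from .bash_profile. It assumes bash is installed and was built with restricted-shell support (the default), that `bash -r` behaves exactly like invoking bash as rbash, and that a temporary directory is an acceptable stand-in for a real home; the function names, the `ls`-only command list and the use of `bash -r -l` are this example's own choices.

```shell
#!/bin/sh
# Added example, not code from the thread. Exercises bash's restricted mode
# and builds a restricted home directory like the one discussed above.
# Assumptions: bash is installed with restricted-shell support (the default),
# and "bash -r" behaves the same as invoking bash under the name rbash.

# Run one command line under restricted bash; print "blocked" or "allowed".
rbash_try() {
    if bash -r -c "$1" >/dev/null 2>&1; then
        printf 'allowed\n'
    else
        printf 'blocked\n'
    fi
}

# Return 0 only if all four restrictions from the thread are enforced AND a
# plain command still runs (so a missing bash cannot pass as "everything blocked").
rbash_restrictions_hold() {
    # cannot change the current directory
    [ "$(rbash_try 'cd /')" = blocked ] || return 1
    # cannot change PATH (rbash makes it read-only)
    [ "$(rbash_try 'PATH=/tmp')" = blocked ] || return 1
    # cannot use a command name containing a slash
    [ "$(rbash_try '/bin/echo hi')" = blocked ] || return 1
    # cannot redirect output with > or >>
    [ "$(rbash_try 'echo x >/dev/null')" = blocked ] || return 1
    # baseline: an ordinary command is still allowed
    [ "$(rbash_try 'echo x')" = allowed ]
}

# Build a restricted home directory (in a temp dir for this example):
# $HOME/bin holds links to the allowed commands, .bash_profile pins PATH to
# that directory, and both are made read-only so the user can neither add
# commands nor edit the profile. In a real deployment root would own these
# files, since the read-only bits alone do not stop the owner from changing them.
# Arguments: names of the allowed commands, resolved from the current PATH.
# Prints the path of the new home directory.
make_restricted_home() {
    home=$(mktemp -d) || return 1
    mkdir "$home/bin" || return 1
    for cmd in "$@"; do
        src=$(command -v "$cmd") || { echo "no such command: $cmd" >&2; return 1; }
        # The thread uses hard links; fall back to a symlink when the temp
        # directory is on a different filesystem from the command.
        ln "$src" "$home/bin/$cmd" 2>/dev/null || ln -s "$src" "$home/bin/$cmd"
    done
    printf 'PATH=%s/bin\nexport PATH\n' "$home" > "$home/.bash_profile"
    chmod 444 "$home/.bash_profile"
    chmod 555 "$home/bin"
    printf '%s\n' "$home"
}

# Run one command line as a restricted login shell in that home. The login
# shell reads .bash_profile, so only commands linked into $HOME/bin resolve;
# the restrictions take effect after the profile has been read.
run_in_restricted_home() {
    HOME=$1 bash -r -l -c "$2" 2>/dev/null
}

# Usage: report whether restricted mode is enforced on this system.
if rbash_restrictions_hold; then
    echo "rbash restrictions enforced"
else
    echo "rbash restrictions NOT enforced (is bash built with restricted-shell support?)"
fi
```

Keeping the profile and $HOME/bin out of the user's control is the part that matters: rbash only restricts what the shell itself will do, so the bash manual's warning applies, namely that the commands placed in the restricted PATH must not themselves offer a way to start other programs, and that .bash_profile and the PATH directory must not be writable by the restricted user.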