Re: Create my own shell? SOLVED
Many thanks to all people of this mailing list for all the replies. Finally, I have edited the files I've downloaded from http://mongers.org/gw_menu and made my own shell.

Thanks ;)

On Monday, 25 July 2005 21:03, wrote:
> On 2005-07-25 16:01:49 +0200, Abel Talaverón Estevez wrote:
> > I need to create a particular but simple shell for a firewall running OpenBSD 3.6. The idea is to create a user whose shell is a very limited one. This shell or command line interpreter (CLI) must have permissions only in the home directory.
> > How could I do this? Any ideas? Editing the source code of sh?, for example. Make my own cli?
>
> http://mongers.org/gw_menu
>
> But that might be too restricted for you.
>
> Have a nice day
> Morten

--
Abel Talaverón Estevez
Senior Telecommunications Engineer
Project Analyst
OpenWired, S.L.
C/ Caballero, 87 - 08029 - Barcelona (Spain)
Tel (+34) 93/410 75 70 - Fax (+34) 93/419 45 91

Re: Create my own shell? SOLVED
:-) What about ctrl-Z, does that secure gateway menu script ignore that too?

2005/7/27, Abel Talaverón Estevez [EMAIL PROTECTED]:
> Many thanks to all people of this mailing list for all the replies. Finally, I have edited the files I've downloaded from http://mongers.org/gw_menu and made my own shell.
>
> Thanks ;)
>
> On Monday, 25 July 2005 21:03, wrote:
> > On 2005-07-25 16:01:49 +0200, Abel Talaverón Estevez wrote:
> > > I need to create a particular but simple shell for a firewall running OpenBSD 3.6. The idea is to create a user whose shell is a very limited one. This shell or command line interpreter (CLI) must have permissions only in the home directory.
> > > How could I do this? Any ideas? Editing the source code of sh?, for example. Make my own cli?
> >
> > http://mongers.org/gw_menu
> >
> > But that might be too restricted for you.

Re: Create my own shell? SOLVED
Or if a user presses ctrl-C before the trap command is executed?

2005/7/27, Alexander Farber [EMAIL PROTECTED]:
> :-) What about ctrl-Z, does that secure gateway menu script ignore that too?
>
> 2005/7/27, Abel Talaverón Estevez [EMAIL PROTECTED]:
> > http://mongers.org/gw_menu

Re: Create my own shell? SOLVED
On Wed, 27 Jul 2005 15:46:00 +0200 Alexander Farber [EMAIL PROTECTED] wrote:
> Or if a user presses ctrl-C before the trap command is executed?
>
> 2005/7/27, Alexander Farber [EMAIL PROTECTED]:
> > :-) What about ctrl-Z, does that secure gateway menu script ignore that too?
> >
> > 2005/7/27, Abel Talaverón Estevez [EMAIL PROTECTED]:
> > > http://mongers.org/gw_menu

Mmh ... Instead of being a smartmouth, you should think a little about what would really happen and not make assumptions based on nothing.

Let's make the assumption that trap was not even called. If a user presses ctrl-c the script will exit, closing the user's session. What did you expect it to do? Spawn a shell from nothing?

--
chaton@

Re: Create my own shell? SOLVED
With Ctrl-c the shell doesn't finish. The shell file is shown here:

#!/bin/sh
# $Id: menu,v 1.5 2004/05/20 12:15:57 holsta Exp $
#
# Menu wrapper for FireWired. Ctrl-C is ignored and user input is never
# passed to the command line.

PATH=$HOME/bin:/bin:/sbin:/usr/bin:/usr/sbin:/usr/local/bin:/usr/local/sbin:/usr/games:.
export PATH HOME TERM
umask 077

HELP=/home/console/menu.help
GREETING=/home/console/menu.greeting

# Ignore signal 2 (SIGINT, Ctrl-C); the empty action is what makes it ignored
trap '' 2
grep -v ^# $GREETING

while true
do
    echo "FireWired \c"
    if read line
    then
        case $line in
        "") continue;;
        esac
        set -- $line
        case $1 in
        CASAV.bash) CASAV.bash;;
        CAcceso.bash) CAcceso.bash;;
        CActivarPolitica.sh) CActivarPolitica.sh;;
        CAnadirFiltroProxy.sh) CAnadirFiltroProxy.sh;;
        CAnadirPuertoProxy.sh) CAnadirPuertoProxy.sh;;
        CAnadirRedProxy.sh) CAnadirRedProxy.sh;;
        CApaga.sh) CApaga.sh;;
        CAplicarRFPProxy.sh) CAplicarRFPProxy.sh;;
        CAyuda.sh) CAyuda.sh;;
        CBorrarEncam.sh) CBorrarEncam.sh;;
        CBorrarEstad.sh) CBorrarEstad.sh;;
        CBorrarFiltroProxy.sh) CBorrarFiltroProxy.sh;;
        CBorrarObjeto.bash) CBorrarObjeto.bash;;
        CBorrarPolitica.sh) CBorrarPolitica.sh;;
        CBorrarPuertoProxy.sh) CBorrarPuertoProxy.sh;;
        CBorrarRedProxy.sh) CBorrarRedProxy.sh;;
        CBorrarRegla.bash) CBorrarRegla.bash;;
        CBorrarReglaBINAT.bash) CBorrarReglaBINAT.bash;;
        CBorrarReglaNAT.bash) CBorrarReglaNAT.bash;;
        CBorrarReglaPF.bash) CBorrarReglaPF.bash;;
        CBorrarReglaRDR.bash) CBorrarReglaRDR.bash;;
        CBorrarReglaVPN.bash) CBorrarReglaVPN.bash;;
        CBorrarRuta.bash) CBorrarRuta.bash;;
        CBridges.bash) CBridges.bash;;
        CConfFabrica.sh) CConfFabrica.sh;;
        CConsola.bash) CConsola.bash;;
        CCrearObjeto.bash) CCrearObjeto.bash;;
        CCrearPolitica.bash) CCrearPolitica.bash;;
        CCrearReglaBINAT.bash) CCrearReglaBINAT.bash;;
        CCrearReglaNAT.bash) CCrearReglaNAT.bash;;
        CCrearReglaPF.bash) CCrearReglaPF.bash;;
        CCrearReglaRDR.bash) CCrearReglaRDR.bash;;
        CCrearReglaVPN.bash) CCrearReglaVPN.bash;;
        CCrearRuta.bash) CCrearRuta.bash;;
        CDNS.sh) CDNS.sh;;
        CDepurar.sh) CDepurar.sh;;
        CDesactivarPolitica.sh) CDesactivarPolitica.sh;;
        CGW.sh) CGW.sh;;
        CInterfacesIP.bash) CInterfacesIP.bash;;
        CListaObj.sh) CListaObj.sh;;
        CLogout.sh) CLogout.sh;;
        CManuales.sh) CManuales.sh;;
        CModificarObjeto.bash) CModificarObjeto.bash;;
        CModificarReglaBINAT.bash) CModificarReglaBINAT.bash;;
        CModificarReglaNAT.bash) CModificarReglaNAT.bash;;
        CModificarReglaPF.bash) CModificarReglaPF.bash;;
        CModificarReglaRDR.bash) CModificarReglaRDR.bash;;
        CModificarReglaVPN.bash) CModificarReglaVPN.bash;;
        CMostrarPolActiva.sh) CMostrarPolActiva.sh;;
        CMostrarPoliticas.sh) CMostrarPoliticas.sh;;
        CMostrarPoliticasUser.sh) CMostrarPoliticasUser.sh;;
        CMostrarReglas.sh) CMostrarReglas.sh;;
        CMostrarReglasBINAT.sh) CMostrarReglasBINAT.sh;;
        CMostrarReglasNAT.sh) CMostrarReglasNAT.sh;;
        CMostrarReglasPF.sh) CMostrarReglasPF.sh;;
        CMostrarReglasRDR.sh) CMostrarReglasRDR.sh;;
        CMostrarReglasVPN.sh) CMostrarReglasVPN.sh;;
        CMoverReglaPF.bash) CMoverReglaPF.bash;;
        CMoverReglaVPN.bash) CMoverReglaVPN.bash;;
        CPassword.sh) CPassword.sh;;
        CPing.sh) CPing.sh;;
        CProxy.sh) CProxy.sh;;
        CProxyFtp.sh) CProxyFtp.sh;;
        CProxyTransp.sh) CProxyTransp.sh;;
        CReboot.sh) CReboot.sh;;
        CReloj.sh) CReloj.sh;;
        CSMTP.bash) CSMTP.bash;;
        CSsh.sh) CSsh.sh;;
        CTraceroute.sh) CTraceroute.sh;;
        CVPN.bash) CVPN.bash;;
        CVPNAnadirSucursal.bash) CVPNAnadirSucursal.bash;;
        CVPNClientes.bash)

Re: Create my own shell? SOLVED
Yes, maybe you're right. I've tried sneaking past

    if read line

(a backslash newline would make it take more lines) and

    set -- $line

(tried semicolons, redirections and backticks) and

    if match=`grep ^$1$ $HOSTS` ; then ssh $match

( . would match a buildhost ) and

    echo Unknown command or host: $line.

( tried \characters )

But didn't manage to break it :-) Yet!!

Regards
Alex

2005/7/27, chaton [EMAIL PROTECTED]:
> On Wed, 27 Jul 2005 15:46:00 +0200 Alexander Farber [EMAIL PROTECTED] wrote:
> > Or if a user presses ctrl-C before the trap command is executed?
> >
> > 2005/7/27, Alexander Farber [EMAIL PROTECTED]:
> > > :-) What about ctrl-Z, does that secure gateway menu script ignore that too?
> > >
> > > 2005/7/27, Abel Talaverón Estevez [EMAIL PROTECTED]:
> > > > http://mongers.org/gw_menu
>
> Mmh ... Instead of being a smartmouth, you should think a little about what would really happen and not make assumptions based on nothing.
>
> Let's make the assumption that trap was not even called. If a user presses ctrl-c the script will exit, closing the user's session. What did you expect it to do? Spawn a shell from nothing?
>
> --
> chaton@

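Added example, not part of any message in this thread and not the gw_menu script: a menu dispatcher hardened against the inputs discussed above (signals before the trap, backslash continuation in read, metacharacters reaching `set --`, and a regex host match). The `ALLOWED` list, the `HOSTS` path and all function names are assumptions made for illustration; `dispatch` prints the decision where a real menu would run the command.

```shell
#!/bin/sh
# Added example; ALLOWED and HOSTS are constructed values, not from gw_menu.
trap '' INT QUIT TSTP   # first statement: ctrl-C, ctrl-\ and ctrl-Z ignored from the start

ALLOWED="CPing.sh CTraceroute.sh CAyuda.sh CLogout.sh"
HOSTS=${HOSTS:-$HOME/menu.hosts}   # hypothetical host list, one name per line

# Exact string comparison against the allowlist; no pattern matching.
is_allowed() {
    for name in $ALLOWED; do
        [ "$1" = "$name" ] && return 0
    done
    return 1
}

# -F: the argument is a literal string, -x: it must equal a whole line,
# so "." or ".*" cannot match an arbitrary host entry.
host_known() {
    grep -Fxq -- "$1" "$HOSTS" 2>/dev/null
}

# Split the line on whitespace with globbing off and print the first word.
first_word() {
    set -f
    set -- $1
    set +f
    printf '%s\n' "${1:-}"
}

# Print the action the menu would take for one input line.
dispatch() {
    word=$(first_word "$1")
    case $word in
        '')  echo "ignore"; return 0 ;;
        */*) echo "reject"; return 1 ;;   # no paths in command names, as in ksh -r
    esac
    if is_allowed "$word"; then echo "run $word"; return 0; fi
    if host_known "$word"; then echo "ssh $word"; return 0; fi
    echo "unknown"; return 1
}

# Interactive loop: read -r keeps a trailing backslash from joining lines.
menu_loop() {
    while printf 'menu> ' && IFS= read -r line; do
        dispatch "$line" || :
    done
}

if [ "${1:-}" = "--run" ]; then menu_loop; fi
```

When the loop ends on end-of-file the script exits, so the session closes rather than dropping to a shell.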
Re: Create my own shell? SOLVED
On Wed, 27 Jul 2005 16:27:32 +0200 Abel Talaverón Estevez [EMAIL PROTECTED] wrote:
> With Ctrl-c the shell doesn't finish. The shell file is shown here:
> [...]

That was my point.

Re: Create my own shell?
On 7/25/05, Jon Drews [EMAIL PROTECTED] wrote:
> On 7/25/05, Abel Talaverón Estevez [EMAIL PROTECTED] wrote:
> > I need to create a particular but simple shell for a firewall running OpenBSD 3.6. The idea is to create a user whose shell is a very limited one.
>
> Hi:
> Operating ksh in restricted mode may fulfill your needs.

Oops - this is not true. I set up an account with rksh (ksh -r) and it is possible for the user to still switch shells. For the details on this see:

Practical Unix Internet Security, 3rd Edition by Simson Garfinkel, Gene Spafford, Alan Schwartz. The relevant material is on pages 576 to 578.

Basically the restricted shell can be subverted and they advise using chroot.

--
Kind regards,
Jonathan

Create my own shell?
Hi all,

I need to create a particular but simple shell for a firewall running OpenBSD 3.6. The idea is to create a user whose shell is a very limited one. This shell or command line interpreter (CLI) must have permissions only in the home directory.

How could I do this? Any ideas? Editing the source code of sh?, for example. Make my own cli?

--
Abel Talaverón Estevez
Senior Telecommunications Engineer
Project Analyst
OpenWired, S.L.
C/ Caballero, 87 - 08029 - Barcelona (Spain)
Tel (+34) 93/410 75 70 - Fax (+34) 93/419 45 91

Re: Create my own shell?
On 7/25/05, Abel Talaverón Estevez [EMAIL PROTECTED] wrote:
> Hi all,
> I need to create a particular but simple shell for a firewall running OpenBSD 3.6. The idea is to create a user whose shell is a very limited one. This shell or command line interpreter (CLI) must have permissions only in the home directory.

Hi:
Operating ksh in restricted mode may fulfill your needs. Here from the man page for ksh (this is the public domain Korn Shell in OpenBSD):

-r      Restricted shell. A shell is ``restricted'' if this option is used or if either the basename the shell was invoked with or the SHELL parameter match the pattern ``*r*sh'' (e.g. rsh, rksh, rpdksh). The following restrictions come into effect after the shell processes any profile and ENV files:

        o The cd command is disabled.
        o The SHELL, ENV, and PATH parameters cannot be changed.
        o Command names can't be specified with absolute or relative paths.
        o The -p option of the built-in command command can't be used.
        o Redirections that create files can't be used (i.e. `>', `>|', `>>', `<>').

--
Kind regards,
Jonathan

Re: Create my own shell?
On 25/07/05, Abel Talaverón Estevez [EMAIL PROTECTED] wrote:
> Hi all,
> I need to create a particular but simple shell for a firewall running OpenBSD 3.6. The idea is to create a user whose shell is a very limited one. This shell or command line interpreter (CLI) must have permissions only in the home directory.
> How could I do this? Any ideas? Editing the source code of sh?, for example. Make my own cli?

Try existing solutions first. Debian packages something called Operators Shell (osh). You could possibly try porting it if rksh isn't enough.

http://packages.debian.org/stable/shells/osh

I'm unaware of anything similar in the OpenBSD port tree.

Andreas

--
Andreas Kahari
PGP: 1024D/C2E163CB

Re: Create my own shell?
> Operating ksh in restricted mode may fulfill your needs. Here from the man page for ksh (this is the public domain Korn Shell in OpenBSD):
>
> -r      Restricted shell. A shell is ``restricted'' if this option is used or if either the basename the shell was invoked with or the SHELL parameter match the pattern ``*r*sh'' (e.g. rsh, rksh, rpdksh). The following restrictions come into effect after the shell processes any profile and ENV files:

bash has the same switch. See man bash