On Fri, Oct 19, 2001 at 02:54:57PM +0200, Pascal Bourguignon wrote: > A restricted shell does not prevent anything: > > [pascal@thalassa pascal]$ rbash > [pascal@thalassa pascal]$ cd / > rbash: cd: restricted > [pascal@thalassa pascal]$ ls /tmp/a > /tmp/a > [pascal@thalassa pascal]$ csh > /home/pascal> cd / > />
That's because in your example you did not set up a proper restricted shell environment. Obviously, if you include csh in one of the directories in the restricted shell environment's $PATH, it's not a very effective restriction! Other programs that you cannot include are shells (bash, zsh, tcsh, ...), most editors (emacs, vi, ...), pagers (pg, more, less, ...), newsreaders (slrn, trn, ...), mail readers (mutt, pine, ...), games like nethack -- pretty much *every* interactive Unix program is designed to permit the user to run arbitrary commands. And any one of them will let you out of the restricted shell environment, as long as you have execute permission on /bin/sh or /bin/csh. If you can spare the disk space, a chroot jail is FAR easier and more secure to set up than a restricted shell environment. (All you have to do is hunt down and copy a couple dozen shared libraries and essential programs and config files -- you don't have to audit and cripple the source of half of Unix!) Of course, as you said, it depends on what your goals are. --------------------------------------------------------------------- To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED]
