On Tue, Sep 05, 2006 at 10:57:45PM +0200, Tevfik Karagülle wrote: > > Alternative 1: > > >> Create a file named sftponly in bin directory: > > #!/bin/bash > if [ "$*" != "-c /bin/sftp-server" ]; then > echo "SFTP only!" > exit 1 > fi > exec $@
Please understand, THIS WILL NOT WORK. Under some circumstances it may be possible for the user to send the shell signals which will break out of the script and give the user a shell. I saw a demonstration of this which is one of the things that prompted me to write rssh. Also, you've invoked the shell as bash, which will cause the user's environment files to be sourced, even if the system does not treat the shell script as a login shell (which it may, I don't recall off hand). The user could upload a .bashrc and/or .profile which contains arbitrary commands, including something like this: exec /usr/bin/my_favorite_shell A shell script can not ever reliably be used to protect an account this way, except against naive users. -- Derek D. Martin http://www.pizzashack.org/ GPG Key ID: 0x81CFE75D
pgp56z8sSWbct.pgp
Description: PGP signature
