On Thu, Apr 23, 2009 at 7:57 AM, J. Bakshi <[email protected]> wrote:
> On Wed, 22 Apr 2009 11:21:06 -0600
> Benny Helms <[email protected]> wrote:
>
>> You always have the option of changing their login shell to
>> '/bin/bash -s' which locks them in. Unfortunately, it also takes
>> away their access to things like, 'ls' and 'cp' and 'vi', etc.,
>> unless you include copies in their home folder.
>>
>> You also need to remember that some apps like 'vim' will allow a user
>> a shell escape which can break the limits you set. Make sure to give
>> them access only to the secure version. For 'vim' that would be
>> 'rvim'.
>
> Thanks a lot for the rvim tip.
> I am grateful to you for making me aware that vim allows shell access.

A lot of utilities allow shell access.
more
less
vi
nvi
vim
emacs
nano
pico
awk
...

If you have perl access, you have fork/exec access.
Uploading your own binaries that fork/exec...
General shell access is not easy to do securely.
chroot is basically your only choice.
--
And, did Galoka think the Ulus were too ugly to save?
-Centauri
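
A defensive check for the point made in this thread, added here as an example and not written by anyone in it: it walks the directory of commands a restricted account can reach and reports every executable that is, or is a symlink to, one of the utilities listed above. The function names, the handling of `rvim` and the sample tree are assumptions made for illustration.

```shell
# Added example: audit a restricted user's command directory for the
# shell-escape-capable utilities named in the message (plus perl).
ESCAPE_TOOLS="more less vi nvi vim emacs nano pico awk perl"
# vim runs restricted when invoked as rvim, so that name is accepted.
RESTRICTED_OK="rvim"

in_list() {  # in_list WORD CANDIDATE...
    word=$1; shift
    for item in "$@"; do
        if [ "$item" = "$word" ]; then return 0; fi
    done
    return 1
}

# Print one line per executable under DIR that is, or links to, a listed
# tool. Returns 1 when something was reported, 0 when the tree is clean.
audit_escape_tools() {
    report=$(
        find "$1" \( -type f -o -type l \) | sort | while IFS= read -r path; do
            [ -x "$path" ] || continue
            name=$(basename "$path")
            if in_list "$name" $RESTRICTED_OK; then continue; fi
            target=$(basename "$(readlink -f "$path")")
            if in_list "$name" $ESCAPE_TOOLS; then
                echo "$path: $name"
            elif in_list "$target" $ESCAPE_TOOLS; then
                echo "$path: link to $target"
            fi
        done
    )
    if [ -z "$report" ]; then return 0; fi
    printf '%s\n' "$report"
    return 1
}

# Constructed sample tree (hypothetical layout, empty stand-in files).
build_sample_tree() {
    tree=$(mktemp -d) && mkdir "$tree/bin" || return 1
    for f in ls cp vim; do : > "$tree/bin/$f"; chmod +x "$tree/bin/$f"; done
    ln -s vim "$tree/bin/rvim"   # restricted name: not reported
    ln -s vim "$tree/bin/edit"   # harmless-looking name that runs full vim
    echo "$tree"
}

if [ $# -gt 0 ]; then
    audit_escape_tools "$1"
else
    t=$(build_sample_tree); audit_escape_tools "$t" || true; rm -rf "$t"
fi
```

Matching on names cannot catch a renamed copy of one of these binaries or a binary the user uploads, which is the message's argument for chroot.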