Path: utzoo!utgpu!watmath!att!cbnews!ask
From: ask@cbnews.ATT.COM (Arthur S. Kamlet)
Newsgroups: comp.unix.questions
Subject: Re: Restricted Shell - does it still exist.
Message-ID: <9035@cbnews.ATT.COM>
Date: 16 Aug 89 23:26:38 GMT
References: <20623@adm.BRL.MIL>
Reply-To: ask@cbnews.ATT.COM (Arthur S. Kamlet)
Organization: AT&T Bell Laboratories
Lines: 54

In article <20623@adm.BRL.MIL> FAUSETT@tops20.radc.af.mil writes:
>
>I'm looking for something like the old AT&T restricted shell (found in System
>III and possibly later?) for a Sun system. I've got a guest user I need to
>set up on the system with whom I have a good bit of trust, but still want to
>discourage from poking around the system.
>
>Does anyone know if such a beastie still exists?

Mark:

I don't know if the old rsh is available or not. However, it had
several major deficiencies, and in that form is probably not recommended.

Instead, you may want to write a small program to simulate a restricted
shell, and use it in the /etc/passwd entry for restricted users.

It should do the following: (System V assumed)

1. In his .profile :

       PATH=/RESTRICTED_DIRECTORY
       readonly PATH

   .profile must be non-writable by the user, and not owned by the user.
   And all parent directories must be non-writable by the user.

2. Install a small set of commands in /some_path/RESTRICTED_DIRECTORY

   These commands should be the minimal set needed by a restricted user.
   One characteristic of these commands is they should never allow the
   user to escape the shell. (a RESTRICTED mail, vi, etc may need to be
   written to prevent such escapes - easy to do with the source)

4. Put restricted users into a restricted file system by making that
   filesystem his root filesystem. Then, he can't cd to /bin and try
   to ./command or try to /bin/command or something similar.

   In fact, make /some_path/RESTRICTED_DIRECTORY the filesystem. As far
   as he is concerned, /some_path/RESTRICTED_DIRECTORY is his root directory.

I may have left out something, but these are all fairly simple to do,
and should provide a good deal of restriction. I'm sure lots of people
will point out why it really isn't secure, however.
-- 
Art Kamlet  a_s_kamlet@att.com  AT&T Bell Laboratories, Columbus
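
A check for step 1 of the post above, as an added example that is not part of the original message: it reports a .profile that the restricted user owns or can write, one that lacks `readonly PATH`, and any parent directory the user owns or can write. The function names, the TOP parameter, and the rule that any group- or world-write bit counts as writable are assumptions of this example.

```sh
#!/bin/sh
# Added example (not from the post): audit step 1 for one restricted account.
# Assumption: any group- or world-write bit counts as "writable by the user";
# the user's real group memberships are not resolved.

owner_of() { ls -ld "$1" | awk '{print $3}'; }
mode_of()  { ls -ld "$1" | awk '{print $1}'; }

# writable_by USER PATH: status 0 if USER owns PATH or a g/o write bit is set
writable_by() {
    if [ "$(owner_of "$2")" = "$1" ]; then return 0; fi   # owner can chmod
    case "$(mode_of "$2")" in
        ?????w*|????????w*) return 0 ;;   # group write, or other write
    esac
    return 1
}

# audit_profile USER HOME [TOP]
# Prints one line per finding and returns 0 only when there are none.
# TOP (hypothetical parameter, default /) is where the parent walk stops.
audit_profile() {
    user=$1 dir=$2 top=${3:-/} bad=0
    prof=$dir/.profile
    if [ ! -f "$prof" ]; then echo "missing: $prof"; return 1; fi
    if writable_by "$user" "$prof"; then
        echo "owned or writable by $user: $prof"; bad=1
    fi
    if ! grep -q '^[[:space:]]*readonly[[:space:]][[:space:]]*PATH' "$prof"; then
        echo "PATH is not marked readonly in $prof"; bad=1
    fi
    while :; do
        if writable_by "$user" "$dir"; then
            echo "owned or writable by $user: $dir"; bad=1
        fi
        if [ "$dir" = "$top" ] || [ "$dir" = / ] || [ "$dir" = . ]; then break; fi
        dir=$(dirname "$dir")
    done
    return "$bad"
}
```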