Xref: utzoo alt.bbs:2992 comp.unix.sysv386:556
Path: utzoo!utgpu!cs.utexas.edu!uunet!looking!brad
From: brad@looking.on.ca (Brad Templeton)
Newsgroups: alt.bbs,comp.unix.sysv386
Subject: Re: Here's how to stop shell escapes from vi
Message-ID: <1990Sep21.040106.14873@looking.on.ca>
Date: 21 Sep 90 04:01:06 GMT
References: <2441@sud509.ed.ray.com> <1990Sep18.120450.14590@nstar.uucp> <1990Sep20.153105.28394@naitc.naitc.com> <11285:Sep2022:15:2090@kramden.acf.nyu.edu>
Organization: Looking Glass Software Ltd.
Lines: 37

Pretty drastic to forbid certain characters like :! in vi.

I once set up my system with a special subdirectory that had a mini
root filesystem on it. I then created a login shell that chroot'd the
users into that directory and started up their shell there.

They can play there all they want, and it is safe. As long as you keep
permissions clean on the main subdirectories (i.e. don't leave /etc and
/dev and its important files unprotected) you are fine. You link in the
files and binaries you want to give them.

There are a few problems, of course:

a) Unless you have symlinks, you can't link in files that are
   on a different filesystem. In general, you either want to create
   this mini system on the root FS (so you can link in stuff from
   /bin and /usr) or you have to waste a lot of disk space copying
   those binaries.

b) Users can't change their passwords, unless you make some special
   program that looks at their fake password file and copies up
   passwords, which is risky.

c) Unless the news spool happens to be inside the protected subtree,
   as well as the news library, users can't read news. *but*, you
   can run NNTP on the machine, the server running in the real world
   and the client in the protected world.

Chroot plus symlinks would create the perfect secure mini-environment.

You are fully protected unless the pesky users can figure out how to
become root. Most tricks for doing this involve Greek horses or fiddling
with files used by suid programs. But this rarely works if all you have
access to is the subdir.
-- 
Brad Templeton, ClariNet Communications Corp. -- Waterloo, Ontario 519/884-7473
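
A sketch of the kind of chroot login shell the post describes, added here as an example and not taken from the original article or from the poster's system. It assumes the wrapper is installed setuid root as the user's login shell; the name jailsh and the paths /home/jail and /bin/sh are hypothetical.

```c
/* Added example: chroot login wrapper; jailsh and both paths are assumed. */
#define _DEFAULT_SOURCE
#include <grp.h>
#include <pwd.h>
#include <stdio.h>
#include <sys/types.h>
#include <unistd.h>

#define JAIL_ROOT  "/home/jail"   /* assumed location of the mini root FS */
#define JAIL_SHELL "/bin/sh"      /* path as seen from inside the jail */

/* Confine the calling process to `root` and give up root for good.
 * Returns 0 on success, -1 on any failure (the caller must then exit). */
int enter_jail(const char *root, uid_t uid, gid_t gid)
{
    if (uid == 0 || gid == 0)           /* root inside a chroot can get out */
        return -1;
    if (chdir(root) != 0)               /* be inside the tree before chroot */
        return -1;
    if (chroot(".") != 0)               /* needs effective uid 0 */
        return -1;
    if (chdir("/") != 0)                /* leave no cwd pointing outside */
        return -1;
    if (setgroups(0, NULL) != 0)        /* drop supplementary groups first */
        return -1;
    if (setgid(gid) != 0 || setuid(uid) != 0)
        return -1;                      /* gid before uid, both checked */
    if (setuid(0) == 0)                 /* must not be able to regain root */
        return -1;
    return 0;
}

int main(void)
{
    /* Setuid-root login shell: the real uid is still the logging-in user. */
    struct passwd *pw = getpwuid(getuid());
    if (pw == NULL) {
        fprintf(stderr, "jailsh: unknown user\n");
        return 1;
    }
    if (enter_jail(JAIL_ROOT, pw->pw_uid, pw->pw_gid) != 0) {
        fprintf(stderr, "jailsh: cannot enter jail\n");
        return 1;
    }
    char *const envp[] = { "PATH=/bin:/usr/bin", "HOME=/", NULL };
    execle(JAIL_SHELL, "-sh", (char *)NULL, envp);   /* fixed, clean env */
    perror("jailsh: exec");
    return 1;
}
```

The order matters: every call is checked, the privilege drop happens after chroot but before exec, and the shell starts with a fixed environment, so nothing run inside the subtree holds root.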