Xref: utzoo alt.security:1618 alt.bbs:3025 comp.unix.sysv386:684
Path: utzoo!attcan!uunet!crdgw1!sixhub!davidsen
From: davidsen@sixhub.UUCP (Wm E. Davidsen Jr)
Newsgroups: alt.security,alt.bbs,comp.unix.sysv386
Subject: Re: Protecting against downloads
Message-ID: <1956@sixhub.UUCP>
Date: 24 Sep 90 16:52:13 GMT
References: <1990Sep20.153105.28394@naitc.naitc.com> <1990Sep23.061854.309@csense.uucp>
Reply-To: davidsen@sixhub.UUCP (bill davidsen)
Followup-To: alt.security
Organization: *IX Public Access UNIX, Schenectady NY
Lines: 34

In article <1990Sep23.061854.309@csense.uucp> bote@csense.uucp (John Boteler) writes:

| The .profile of the user must be owned by root, and writeable ONLY by
| root.

Overkill. As long as the profile is not writable by the user, it
doesn't have to be owned by a special id (one more potential hole).
Someone like 'usradmin' would be nice.

| The .profile must define a PATH that includes a directory such as
| /rbin, and does NOT include /bin or /usr/bin.

This is useful but doesn't stop explicit /bin/sh (or whatever) unless
/bin just isn't there, i.e. chroot. And the PATH better be readonly, a
feature of ksh and recent SysV shells.

| The .profile must define and export SHELL=/usr/rbin. This will ensure
| that any shell called from vi or other programs is also rsh.

Assuming they use that convention. Alas too many editors have /bin/sh
wired in rather than use the system() call. Microemacs disables shell
escapes completely in restricted mode, which is a good reason to offer
it instead of vi (depending on how well your vi behaves).

I prefer to offer guest users a menu program, which drives from a menu
which can be customized for them. Much tighter control than ever
letting them have shell access.

If you have the disk you can provide shell access in a chroot area and
be safe. If you don't have enough disk to copy rather than link, you
might still be in trouble.
--
bill davidsen - davidsen@sixhub.uucp (uunet!crdgw1!sixhub!davidsen)
    sysop *IX BBS and Public Access UNIX
    moderator of comp.binaries.ibm.pc and 80386 mailing list
"Stupidity, like virtue, is its own reward" -me
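
Added example, not part of the original post: a POSIX sh audit of a restricted account's .profile for the points raised in the thread (who owns it, write bits, /bin or /usr/bin in PATH, readonly PATH, SHELL set). The function name audit_profile, the account name "guest" and the sample profile are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example: audit a restricted account's .profile.
# audit_profile <profile-file> <account-name>
# Prints one FAIL line per finding; returns 0 if clean, 1 otherwise.
audit_profile() {
    prof=$1; user=$2; bad=0
    [ -f "$prof" ] || { echo "FAIL: $prof not found"; return 1; }

    # Owner and mode via ls -ld (avoids GNU/BSD stat differences).
    owner=$(ls -ld "$prof" | awk '{print $3}')
    mode=$(ls -ld "$prof" | awk '{print $1}')
    if [ "$owner" = "$user" ]; then
        echo "FAIL: owned by $user, who can restore write permission"; bad=1
    fi
    case $mode in
        ?????w*|????????w*) echo "FAIL: group/other writable ($mode)"; bad=1 ;;
    esac

    # Last PATH assignment in the file, quotes stripped.
    pathval=$(sed -n -e 's/^[[:space:]]*export[[:space:]]*PATH=//p' \
                     -e 's/^[[:space:]]*PATH=//p' "$prof" | tail -n 1 | tr -d "\"'")
    if [ -z "$pathval" ]; then
        echo "FAIL: no PATH assignment"; bad=1
    fi
    old_ifs=$IFS; IFS=:
    for dir in $pathval; do
        case $dir in
            /bin|/usr/bin) echo "FAIL: PATH includes $dir"; bad=1 ;;
        esac
    done
    IFS=$old_ifs

    # The reply asks for PATH to be marked readonly as well.
    if ! grep -Eq '^[[:space:]]*readonly[[:space:]]+(.*[[:space:]])?PATH([[:space:]=]|$)' "$prof"; then
        echo "FAIL: PATH is not marked readonly"; bad=1
    fi
    if ! grep -Eq '^[[:space:]]*(export[[:space:]]+)?SHELL=' "$prof"; then
        echo "FAIL: SHELL is not set"; bad=1
    fi
    return $bad
}

# Demo on a constructed profile; "guest" is an assumed account name.
demo=$(mktemp -d)
printf 'PATH=/rbin:/usr/bin\nexport PATH\nSHELL=/usr/rbin\nexport SHELL\n' > "$demo/.profile"
audit_profile "$demo/.profile" guest || echo "profile needs attention"
rm -rf "$demo"
```

A clean result only covers the .profile itself; as the reply notes, an editor with /bin/sh wired in is outside what these checks can see.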