Xref: utzoo comp.unix.questions:31615 comp.unix.shell:2242
Path: utzoo!utgpu!news-server.csri.toronto.edu!bonnie.concordia.ca!thunder.mcrcim.mcgill.edu!mouse
From: mouse@thunder.mcrcim.mcgill.edu (der Mouse)
Newsgroups: comp.unix.questions,comp.unix.shell
Subject: Re: Looking for a restricted shell.
Keywords: shell, restricted
Message-ID: <1991May24.114710.5024@thunder.mcrcim.mcgill.edu>
Date: 24 May 91 11:47:10 GMT
References: <1991May23.033109.10724@DMI.USherb.CA>
Organization: McGill Research Centre for Intelligent Machines
Lines: 44

In article <1991May23.033109.10724@DMI.USherb.CA>, pineault@sarcelle.DMI.USherb.CA (Christian Pineault) writes:
> I'm looking for a shell on SunOS 4.1.1 that would prevent users from
> using any armful commands.

I assume you meant `harmful', though it's amusing to contemplate possible meanings for `armful'....

The simplest way to do this is to remove their login access.

I'm serious. UNIX provides much power, but with this power comes the power to shoot yourself in the foot. If you were to prohibit all potentially destructive actions, there wouldn't be much left that one could do; you would more or less have to make the entire system read-only for that user. (Which you could, I suppose, do, but in the right circumstances even read access could be harmful.)

Assuming that's not acceptable, you're left with the problem of drawing the line: how much potential destruction is acceptable? Unfortunately, UNIX does not recognize the difference between destroying a worthless scratch file you were using to play with the editor and destroying the only existing copy of the quarterly reports you have to present at next week's meeting. Avoiding *that* then becomes a matter of managing ownerships and permissions correctly, and that's not something you can manage by preventing users from using certain commands.

If you already know what commands you do or don't want the users to be able to use, it's not hard.

If you want them to have access to only a subset of commands, make their login shells chroot() to a directory somewhere and exec the desired shell, then underneath that directory create whatever playpen world you want.

If you want them to have access to all but a certain list of commands, move those commands into a special directory, then turn off the world (and possibly group) execute bit(s) on that directory (and set its ownerships to match).

It also depends on whether you're trying to protect against accident or malice (the latter is much harder, of course), and whether you're trying to protect against users harming themselves or harming others.

					der Mouse

			old: mcgill-vision!mouse
			new: mouse@larry.mcrcim.mcgill.edu
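The "login shell that chroot()s and execs the desired shell" approach from the post, as an added example that is not part of der Mouse's message or any SunOS program: a small C login shell. It assumes a jail root of /var/playpen (a placeholder; the post names no directory) that the administrator has populated with /bin/sh and the subset of commands the user may run, and it assumes the binary is installed setuid root, since chroot() requires root. The functions are split out so each step (checking the jail root, entering it, giving up root) can be reasoned about on its own.

```c
/* jailsh.c: a chroot()ing login shell (added example; /var/playpen is a
 * placeholder path). Install setuid root, list it as the user's shell in
 * /etc/passwd, and build the playpen under JAIL_DIR. */
#define _DEFAULT_SOURCE 1   /* declares chroot() in <unistd.h> on glibc */
#include <errno.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>
#include <sys/types.h>
#include <sys/stat.h>

#define JAIL_DIR   "/var/playpen"   /* assumed jail root; choose your own */
#define JAIL_SHELL "/bin/sh"        /* path as seen from INSIDE the jail */

/* Sanity-check the jail root before locking ourselves into it: it must be
 * an absolute path to an existing directory, owned by root, and not
 * writable by group or others (a user who can write the jail root can
 * plant files that later confuse whoever administers the playpen).
 * Returns 0 if acceptable, -1 otherwise. */
int jail_dir_ok(const char *dir)
{
    struct stat st;
    if (dir == NULL || dir[0] != '/') return -1;
    if (stat(dir, &st) != 0) return -1;
    if (!S_ISDIR(st.st_mode)) return -1;
    if (st.st_uid != 0) return -1;
    if (st.st_mode & (S_IWGRP | S_IWOTH)) return -1;
    return 0;
}

/* Confine the process. chdir("/") after chroot() is essential: without it
 * the working directory is still outside the new root and the old tree
 * remains reachable through ".". Returns 0 on success, -1 with errno set. */
int enter_jail(const char *dir)
{
    if (chroot(dir) != 0) return -1;
    if (chdir("/") != 0) return -1;
    return 0;
}

/* Permanently give up the root privilege the setuid bit granted. Group
 * first, because once we are no longer root we cannot change it. Then
 * confirm the drop is irreversible: if we can still become root, the
 * saved uid was not cleared and we must not go on. Returns 0 or -1. */
int drop_privileges(void)
{
    uid_t uid = getuid();
    gid_t gid = getgid();
    if (setgid(gid) != 0) return -1;
    if (setuid(uid) != 0) return -1;
    if (uid != 0 && setuid(0) == 0) return -1;  /* drop did not stick */
    return 0;
}

int main(void)
{
    /* Fail closed: a bad jail means no shell at all, never an unconfined one. */
    if (jail_dir_ok(JAIL_DIR) != 0) {
        fprintf(stderr, "jailsh: %s is not a usable jail root\n", JAIL_DIR);
        return 1;
    }
    if (enter_jail(JAIL_DIR) != 0) {
        fprintf(stderr, "jailsh: cannot enter %s: %s\n", JAIL_DIR, strerror(errno));
        return 1;
    }
    if (drop_privileges() != 0) {
        fprintf(stderr, "jailsh: cannot drop privileges: %s\n", strerror(errno));
        return 1;
    }
    /* Start the confined shell from a clean environment so nothing from
     * outside the playpen (PATH, LD_*, etc.) leaks in. A leading '-' in
     * argv[0] tells the shell it is a login shell. */
    char *const envp[] = { "PATH=/bin:/usr/bin", "HOME=/", NULL };
    char *const argv[] = { "-sh", NULL };
    execve(JAIL_SHELL, argv, envp);
    fprintf(stderr, "jailsh: cannot exec %s: %s\n", JAIL_SHELL, strerror(errno));
    return 1;
}
```

The playpen itself is what decides how restricted the user really is: everything under JAIL_DIR should be owned by root and read-only to the user, it must contain no setuid binaries (a setuid program inside a chroot is as dangerous as one outside), and only the commands the user is meant to have should be copied in, along with the shared libraries and device nodes they need. The order in main() matters too: check the jail, enter it, drop root, and only then exec, so that the shell the user gets never runs with root privilege and never sees the real filesystem.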