Relay-Version: version B 2.10 5/3/83; site utzoo.UUCP
Posting-Version: version B 2.10.1 6/24/83; site inuxc.UUCP
Path: utzoo!watmath!clyde!burl!mgnetp!ihnp4!inuxc!mcferrin
From: mcferrin@inuxc.UUCP (P McFerrin)
Newsgroups: net.unix-wizards
Subject: Re: Is the restricted shell really secure?
Message-ID: <990@inuxc.UUCP>
Date: Tue, 17-Jul-84 12:03:01 EDT
Article-I.D.: inuxc.990
Posted: Tue Jul 17 12:03:01 1984
Date-Received: Wed, 18-Jul-84 02:53:29 EDT
References: <275@pcsbst.UUCP>
Organization: AT&T Consumer Products Div., Indianapolis
Lines: 54

The restricted shell CAN be secure if the administrator follows certain
guidelines, some of which are included:

1- Do not have PATH set up to search the standard directories.  Have it
   search only a directory that contains ONLY the commands you are
   allowing the restricted user.  (called the restricted bin directory)

2- Do not permit the restricted user access to the bin directory
   established in step 1.

3- Use the .profile to set up any important variables you want and set
   them to read-only if necessary.  Do a cd(1) to the appropriate
   directory.  Include SHELL=/bin/rsh in the .profile.

4- The commands you put in the restricted bin directory should check
   the arguments to ensure that the restrictions are not being bypassed.
   (e.g. arguments beginning with '/' or '../'.)

5- If you want to include some standard Unix commands in the restricted
   bin directory, use the following example:

	cd $RESTRICTED_BIN
	ed .cmd
	a
	PATH="/bin:/usr/bin:..........$RESTRICTED_BIN"
	#                   ^^^^^^ your normal bin directories here
	for arg in $*
	do
		case $arg in
		/*|../*)	:
			echo "$0: \"$arg\" not allowed, restricted." 1>&2
			exit 255
			;;
		*)	: ok
			;;
		esac
	done
	exec $0 $*
	.
	w
	q
	chmod 775 .cmd
	ln .cmd ls
	ln .cmd cat
	ln .cmd diff
	# The last 3 commands will make the ls, cat, & diff commands available
	# to the restricted user.

Remember, shell scripts will be executed by a NON-RESTRICTED shell, thus
giving you, the administrator, the full power in controlling what you are
allowing the restricted user.

Paul McFerrin
AT&T Consumer Products
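
The argument check from guideline 4, written as reusable shell functions. This is an added example, not part of the original post; it goes beyond the post's pattern by also rejecting ".." components in the middle or at the end of an argument, and the function names arg_allowed and check_args are hypothetical.

```shell
#!/bin/sh
# Added example (not from the original post): argument check for a
# command placed in the restricted bin directory.
# Function names are hypothetical.

# arg_allowed ARG: return 0 if ARG may be passed to the real command,
# 1 if it names a path outside the restricted user's directory tree.
arg_allowed() {
    case $1 in
    /*)             return 1 ;;   # absolute path
    ..|../*)        return 1 ;;   # parent directory at the start
    */..|*/../*)    return 1 ;;   # parent directory embedded or trailing
    *)              return 0 ;;   # options and relative names pass
    esac
}

# check_args NAME ARG...: report the first rejected argument on stderr
# and return 255; return 0 when every argument passes.
check_args() {
    name=$1
    shift
    for arg in "$@"     # "$@" keeps arguments containing spaces intact
    do
        if arg_allowed "$arg"
        then
            : ok
        else
            echo "$name: \"$arg\" not allowed, restricted." 1>&2
            return 255
        fi
    done
    return 0
}

# In a wrapper script the check would run before the real command:
#     check_args "$0" "$@" || exit 255
```

The check is purely textual, so a symbolic link inside the permitted directory that points elsewhere still passes it.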