Path: utzoo!utgpu!watmath!clyde!att!osu-cis!tut.cis.ohio-state.edu!mailrus!ames!oliveb!intelca!mipos3!merlyn
From: merlyn@intelob.biin.com (Randal L. Schwartz @ Stonehenge)
Newsgroups: comp.unix.wizards
Subject: Re: Restricted shell isn't! (was: Restricted shell)
Summary: bwk said it first
Message-ID: <3404@mipos3.intel.com>
Date: 1 Jan 89 01:09:38 GMT
References: <1276@uwbull.uwbln.UUCP> <14640@cisunx.UUCP> <901@philmds.UUCP> <425@aurora.auvax.uucp> <366@siswat.UUCP>
Sender: news@mipos3.intel.com
Reply-To: merlyn@intelob.biin.com (Randal L. Schwartz @ Stonehenge)
Organization: Stonehenge; netaccess via BiiN, Hillsboro, Oregon, USA
Lines: 47
In-reply-to: buck@siswat.UUCP (A. Lester Buck)

In article <366@siswat.UUCP>, buck@siswat (A. Lester Buck) writes:
| [stuff about setting PATH in an 'sh -r'...]
|			     Even this setup is described as "not
| really very secure."  We can all imagine some interesting attacks.
| Just nothing as trivial as "$ sh".

I think it was research!bwk (Kernighan) that posted an article about
four years ago that detailed the following scenario:

He and a cohort were provided a login on another Bell Labs UNIX box
(running V7, or something non-BSD-like) with the following
restrictions:

(1) Login shell = /bin/rsh
(2) PATH= (that is, nothing in the PATH)
(3) non-writable, empty (but existant) $HOME directory
(4) No other hints

They said that they broke root in under an hour.  Here was their
method of attack:

(1) login
(2) enter:
	IFS=
	while read a
	do $a
	done </etc/passwd
(3) shell responds with:
root:asdfasdf123:0:0:The Root:/:/bin/sh: restricted
nextuser:12341234asd:1:1:A Luser:/usr/nextuser:/bin/csh: restricted
...

In other words, out comes the /etc/passwd file.  Now, apply standard
break-in techniques. :-) Essentially, you could read any public file
on the system with this built-in cat(1).

So, the summary was something like "something as powerful as the
language of the shell cannot be restricted sufficiently to warrant its
use in a limited environment and still be useful."  (A very bad
paraphrase... someone wanna dredge that article up if they have it? :-)
-- 
Randal L. Schwartz, Stonehenge Consulting Services (503)777-0095
on contract to BiiN Technical Information Services (for now :-),
in a former Intel building in Hillsboro, Oregon, USA.
<merlyn@intelob.biin.com> or ...!tektronix!inteloa[!intelob]!merlyn
SOME MAILERS REQUIRE <merlyn@intelob.intel.com> GRRRRR!
Standard disclaimer: I *am* my employer!