Path: utzoo!utgpu!jarvis.csri.toronto.edu!cs.utexas.edu!swrinde!zaphod.mps.ohio-state.edu!uakari.primate.wisc.edu!aplcen!haven!grebyn!macom1!larry
From: larry@macom1.UUCP (Larry Taborek)
Newsgroups: comp.unix.wizards
Subject: Re: Secure (regular) Scripts_
Message-ID: <4989@macom1.UUCP>
Date: 22 Dec 89 12:22:14 GMT
References: <9100020@m.cs.uiuc.edu>
Organization: CENTEL Federal Systems, Reston, VA. 22091-1506
Lines: 43

From article <9100020@m.cs.uiuc.edu>, by carey@m.cs.uiuc.edu:
>
> I want to keep people in this shell script, and not allow them to have
> access to a regular shell. One thing I have tried to prevent is having
> people send interrupts and things like that to interrupt the shell
> script.
>
> Another big problem is that many things, like notes, mail, and even editors,
> have "shell escapes" built into them.
>
> Is there any way to prevent people from using these shell escapes, or at least
> having them not be able to do anything once they have done it? Do I have to
> rewrite mail and editors, to disable the shell escapes? I wanted to avoid
> using the "rsh" (restricted shell) since that is kind of an administrative
> hassle. It would be better than rewriting editors. The best thing would
> be some kind of trick to have them end up in a black hole somewhere when
> they do a shell escape.

Well, one thing I noticed in reading the login source for 5.2 is that if you have a "*" character in the shell field of an account in the password file, then login will do a change root to that account's home directory field and attempt to respin a local login. Once root has been changed to that subdirectory (now called localroot), then underneath localroot you will need a bin, etc and dev directory. Naturally you will need a login program in either localroot/etc or localroot/bin. A /localroot/etc/passwd file is also necessary.
Now if you don't have a sh or csh or ksh program available in localroot/bin, then I don't believe that they can -ever- access the shell, as for them there is no shell to access. And if they did, where would they go... :-)

By the way, NEAT feature guys...
--
Larry Taborek
..!uunet!grebyn!macom1!larry
Centel Federal Systems
larry@macom1.UUCP
11400 Commerce Park Drive
Reston, VA 22091-1506
My views do not reflect those of Centel
703-758-7000
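An added example, not part of Larry's post: a small POSIX sh check that audits a localroot tree of the kind he describes, confirming the bin, etc and dev directories, a login program in etc or bin, and an etc/passwd exist, and flagging any sh, csh or ksh left under localroot/bin. The directory layout and the name audit_localroot are assumptions for illustration; the demo tree it builds is constructed here, not taken from any real system.

```shell
# Added example (not from the original post). Checks a chroot login tree
# against the layout described in the post: bin, etc and dev under the
# local root, a login program in etc or bin, an etc/passwd file, and no
# shell binary in bin. Returns 0 when the tree passes, 1 otherwise.
audit_localroot() {
    root="$1"
    status=0
    # Required directories under the local root.
    for d in bin etc dev; do
        if [ ! -d "$root/$d" ]; then
            echo "missing directory: $root/$d" >&2
            status=1
        fi
    done
    # A login program must live in localroot/etc or localroot/bin.
    if [ ! -x "$root/etc/login" ] && [ ! -x "$root/bin/login" ]; then
        echo "no executable login in $root/etc or $root/bin" >&2
        status=1
    fi
    # The local passwd file the re-spun login will read.
    if [ ! -f "$root/etc/passwd" ]; then
        echo "missing $root/etc/passwd" >&2
        status=1
    fi
    # Any shell under localroot/bin defeats the whole arrangement.
    for s in sh csh ksh; do
        if [ -e "$root/bin/$s" ]; then
            echo "shell present in jail: $root/bin/$s" >&2
            status=1
        fi
    done
    return $status
}

# Builds a constructed demo tree (assumed layout) so the audit can be run
# offline; the login program here is a stand-in, not a real login binary.
make_demo_tree() {
    root="$1"
    mkdir -p "$root/bin" "$root/etc" "$root/dev"
    : > "$root/etc/passwd"
    printf '#!/bin/sh\n' > "$root/etc/login"
    chmod +x "$root/etc/login"
}
```

Run audit_localroot against a real localroot directory; it prints each problem it finds on stderr and exits non-zero if anything is missing or a shell is present.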