From: Steffen Dettmer (steffendett.de)
Date: Thu Feb 28 2002 - 02:06:48 CST
* Sumit Dhar wrote on Sun, Feb 24, 2002 at 15:17 -0500:
> On Sun, 24 Feb 2002, Victor Usjanov wrote:
> > Seen your advice and decided to try on my server. I am running RH7.2.
> > When i tried to change /bin/bash to /bin/bash2 -r for a test user in
> > /etc/passwd file, and log on that user, the only thing i got was
> > "cannot run /bin/bash2 -r: No such file or directory"
You cannot specify parameters in passwd. To achieve restricted
mode, cp / ln bash (or bash2) to "rbash". Bash goes into restricted
mode if argv equals rbash.
man bash /RESTRICTED
> 3. Once you have done all that, add a user whose shell is /bin/bash2 -r
> to your password file.
I don't think that this will work on most linux systems.
It is really important to make your own "bin" style directory for
rbash users. I have such a setup, and copied a few (!) allowed
binaries to there. If you have vim, cp it into that dir as rvim,
since vim is able to execute shell processes! That applies to
really a lot of tools. Don't cp standard ftp, since it's able to
drop a non-restricted /bin/bash. Ohh, and don't set up paths and
such in .profile - users may overwrite it! Make sure you make
other variables readonly. Set the PATH to the new "bin" style
tree only! Setting up a rbash environment isn't easy and takes
time. Check out all manpages of all tools you cp and make
available, since they may be able to drop a shell! Maybe you need a
readonly, empty LD_PRELOAD and such things.
This list is not complete at all.
Keep in mind that chances are high that users still can break out
of it if they're smart. It's a really complex thing, such a u*nx...
-- This message was generated by machine; it therefore bears neither signature nor seal.
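The setup Steffen describes, staged as a runnable example (this is added here and is not code from the post): restricted mode is selected by the name bash is invoked under, so a copy or link named rbash is created inside a private bin directory, a handful of allowed tools are copied next to it (vim only as rvim), and a startup file pins PATH to that directory and makes PATH, SHELL and LD_PRELOAD readonly. The target directory, the three-tool allow list and the helper names are assumptions for the example; it writes only under the directory you pass, so it can be inspected in a scratch location before anything is applied to a real home directory as root.

```shell
#!/bin/sh
# Added example, not from the original post. Stages a restricted-shell home
# under the directory given as $1. Tool list and paths are assumptions.

# Build the restricted environment: private bin dir, rbash copy, allowed tools,
# and a startup file whose variables the user must not change are readonly.
setup_rbash_home() {
    home="$1"
    rbin="$home/rbin"
    mkdir -p "$rbin" || return 1
    # Restricted mode is chosen by argv[0]: bash invoked as "rbash" starts
    # restricted, so no arguments are needed in the passwd shell field.
    bash_path=$(command -v bash) || return 1
    ln "$bash_path" "$rbin/rbash" 2>/dev/null || cp "$bash_path" "$rbin/rbash" || return 1
    # A deliberately short allow list (assumption for this example). Tools are
    # copied, never symlinked to the system dirs, so PATH stays self-contained.
    for tool in ls cat less; do
        if src=$(command -v "$tool"); then cp "$src" "$rbin/$tool"; fi
    done
    # If vim exists, expose it only under the name rvim (vim's restricted mode).
    if src=$(command -v vim); then
        ln "$src" "$rbin/rvim" 2>/dev/null || cp "$src" "$rbin/rvim"
    fi
    # Startup file: PATH points only at the private bin dir; SHELL and an
    # empty LD_PRELOAD are fixed too. rbash already refuses changes to PATH,
    # SHELL, ENV and BASH_ENV; readonly extends that to LD_PRELOAD.
    cat > "$home/.bash_profile" <<EOF
PATH=$rbin
SHELL=$rbin/rbash
LD_PRELOAD=
export PATH SHELL LD_PRELOAD
readonly PATH SHELL LD_PRELOAD
EOF
}

# Audit helper: succeed only if the private bin dir holds nothing outside the
# space-separated allow list in $2 (catches a stray vim or ftp copy).
audit_rbin() {
    rbin="$1"
    allowed=" $2 "
    for f in "$rbin"/*; do
        name=$(basename "$f")
        case "$allowed" in
            *" $name "*) ;;
            *) echo "unexpected tool in restricted bin: $name" >&2; return 1 ;;
        esac
    done
    return 0
}

# Sanity check: a real restricted shell refuses "cd", so the copy named rbash
# must fail this command. Succeeds when the restriction is in effect.
check_restricted() {
    rbash="$1"
    if "$rbash" -c 'cd /' 2>/dev/null; then
        return 1   # cd succeeded: not restricted
    fi
    return 0
}

# Usage (writes only under the given directory):
#   setup_rbash_home /tmp/rbash-demo/home
#   audit_rbin /tmp/rbash-demo/home/rbin "rbash ls cat less rvim"
#   check_restricted /tmp/rbash-demo/home/rbin/rbash
```

After staging, the remaining steps from the post are manual: make the startup file owned by root and not writable by the user, and go through the manpage of every copied tool for a way to start another program before leaving it in the directory.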