>> the default pager will allow 'v' to run $EDITOR which will also usually
allow dropping to a shell.
True, but rksh catches that:
!/bin/csh
sh: /bin/rksh: restricted
This one it doesn't.
I don't personally use restricted shells; I found this issue on brocade
switches, where admin user should have limited access.
I then tried it on OpenBSD and FreeBSD, with slight modification it was
possible.
I get that restricted shells are not being taken that seriously, I just
wanted to inform that there's this way to do it.
Apologies if it should not be in the bugs section.
martin
On Fri, Feb 5, 2016 at 11:40 AM, Stuart Henderson <st...@openbsd.org> wrote:
> On 2016/02/05 10:19, ilavsky.mar...@gmail.com wrote:
> > >Synopsis: escape rksh when user has access to man(1)
> > >Category: system
> > >Environment:
> > System : OpenBSD 5.8
> > Details : OpenBSD 5.8 (GENERIC) #1170: Sun Aug 16 02:26:00 MDT
> 2015
> > dera...@amd64.openbsd.org:
> /usr/src/sys/arch/amd64/compile/GENERIC
> >
> > Architecture: OpenBSD.amd64
> > Machine : amd64
> > >Description:
> > user can escape rksh shell when he has access to man(1) using
> custom MANPAGER env variable
>
> I don't think this is a bug. You are expecting more of rksh than
> it offers.
>
> You don't even need a custom MANPAGER, the default pager will allow
> 'v' to run $EDITOR which will also usually allow dropping to a shell.
>
> > # ll /home/whoo/bin/
> > total 872
> > drwxr-xr-x 2 root whoo 512 Feb 5 10:10 .
> > drwxr-xr-x 4 whoo whoo 512 Feb 5 00:06 ..
> > -r-xr-xr-x 1 root bin 422520 Aug 16 10:19 man
> > #
> >
> > man copied from /usr/bin/
> ..
> > >Fix:
>
> Don't allow access to programs which allow the user to escape to
> an unrestricted shell?
>
> If you need man, maybe run it from a wrapper that enforces environment
> variables (MANPAGER, LESSSECURE), or uses 'man -c'.
>
--
*There is only one God, and his name is Death. And there is only one thing
we say to Death: ‘Not today’*
--- Syrio Forel, Game of Thrones ---
