* Sumit Dhar wrote on Sun, Feb 24, 2002 at 15:17 -0500:
> On Sun, 24 Feb 2002, Victor Usjanov wrote:
> > Seen your advice and decided to try on my server. I am running RH7.2.
> > When I tried to change /bin/bash to /bin/bash2 -r for a test user in
> > /etc/passwd file, and log on that user, the only thing i got was
> > "cannot run /bin/bash2 -r: No such file or directory"

You cannot specify parameters in passwd. To achieve restricted
mode, cp / ln bash (or bash2) to "rbash". Bash goes into restricted
mode if argv[0] equals rbash.
man bash /RESTRICTED

> 3. Once you have done all that, add a user whose shell is /bin/bash2 -r
> to your password file.

I don't think that this will work on most Linux systems.

It is really important to make your own "bin" style directory for
rbash users. I have such a setup, and copied a few (!) allowed
binaries there. If you have vim, cp it into that dir as rvim,
since vim is able to execute shell processes! That applies to
really a lot of tools. Don't cp standard ftp, since it's able to
drop a non-restricted /bin/bash. Oh, and don't set up paths and
such in .profile - users may overwrite it! Make sure you make
other variables readonly. Set the PATH to the new "bin" style
tree only! Setting up an rbash environment isn't easy and takes
time. Check out all manpages of all tools you cp and make
available, since they may be able to drop a shell! Maybe you need a
readonly, empty LD_PRELOAD and such things.

This list is not complete at all.

Keep in mind that chances are high that users can still break out
of it if they're smart. It's a really complex thing, such a u*nx...

oki,

Steffen

-- 
This message was generated by machine,
so it bears neither signature nor seal.
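The argv[0]-equals-rbash trick and the separate "bin" tree from the mail above, as an added example that is not part of the original post: it builds a throw-away rbash jail under a scratch root and runs commands in it so the restrictions can be checked. It assumes bash is installed on the host; the root path, the tool list and the launcher function are constructed for the example.

```shell
#!/bin/sh
# Added example, not code from the mail: build a scratch rbash jail and run
# commands inside it the way a jailed user would. Assumes bash is installed.

make_rbash_env() {
    root=$1                              # constructed scratch root
    mkdir -p "$root/bin" "$root/home" || return 1
    bash_bin=$(command -v bash) || return 1
    # bash enters restricted mode when argv[0] is "rbash": a link is enough
    ln -sf "$bash_bin" "$root/bin/rbash" || return 1
    # copy only the handful of tools the users need, and never one that can
    # spawn a shell (vim would have to go in as rvim, plain ftp not at all)
    for tool in ls cat; do
        src=$(command -v "$tool") || return 1
        cp "$src" "$root/bin/$tool" || return 1
    done
}

# Run one command line as the jailed user. PATH and HOME are pinned by the
# launcher (the login machinery in real life), not by a ~/.profile the user
# could overwrite; once restricted, the shell refuses to change PATH, SHELL,
# ENV or BASH_ENV, to cd, to redirect output or to run names with a slash.
run_restricted() {
    root=$1
    cmd=$2
    env -i HOME="$root/home" PATH="$root/bin" "$root/bin/rbash" -c "$cmd"
}
```

Inside the jail `ls .` runs, while `cd /`, `PATH=/usr/bin`, `/bin/ls` and `ls > out` come back non-zero with a "restricted" message, and `sh` is simply not found because only the copied tools are on PATH.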
