Sumit Dhar wrote on Sat, Mar 02, 2002 at 04:07 -0500:
> On Thu, 28 Feb 2002, Steffen Dettmer wrote:
> > really a lot of tools. Don't cp standard ftp, since it's able to
> > drop a non-restricted /bin/bash. Ohh, and don't set up paths and
>
> Hmm, always interested in knowing something new. I kind of knew that an
> ftp could drop you into a shell. But have never been able to do that.
> How could one go about doing it?? Any pointers?

The standard Linux ftp client drops a shell if you say !/bin/bash IIRC. You can type any command after "!".

> > such in .profile - users may overwrite it! Make sure you make
> > other variables readonly. Set the PATH to the new "bin" style
> > tree only!
>
> How would one go about doing this? What I did was slightly kludgy, so
> would really appreciate comments.. Usually how do you go about doing
> this part? Cos I feel this is the trickiest and the most important
> part...

Well, you must make sure that the users are not allowed to write to any directory in PATH, of course. If possible, make ~ non-writable too (it is not sufficient to make ~/.* files such as .profile non-writable, since the users could delete and re-create those files).

You have to set up the variables in /etc/profile, system-wide. You have to determine by some condition whether the user logging in is restricted or not, and if so, set up the needed read-only variables, such as PATH.

I copied some tools to /home/bin, i.e. /home/bin/rbash, .../rvim and so on. If there is no /home/bin, the users cannot log in at all, since I used /home/bin/rbash as the login shell. The restricted users cannot change read-only variables nor execute programs from paths other than /home/bin.

Well, they would still find a way to break out; keep it in mind...

oki,

Steffen

--
This message was generated by machine and therefore bears neither signature nor seal.
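An added illustration of the /etc/profile approach Steffen describes, not his actual configuration: the fragment below decides from the login shell whether the user is restricted and, if so, pins PATH and the shell-reentry variables read-only. It assumes the layout from the post (/home/bin/rbash as login shell, /home/bin as the only tool directory); the helper names are made up for this example.

```sh
#!/bin/sh
# Example /etc/profile fragment for restricted logins (constructed example).
# Assumption from the thread: restricted users get /home/bin/rbash as their
# login shell and may only execute programs from /home/bin.

RESTRICTED_SHELL=/home/bin/rbash   # login shell that marks a restricted user
RESTRICTED_BIN=/home/bin           # the only directory on their PATH

# is_restricted_shell SHELL: true if SHELL is the restricted login shell.
is_restricted_shell() {
    [ "$1" = "$RESTRICTED_SHELL" ]
}

# login_shell_of USER PASSWD_FILE: print USER's login shell (7th passwd field),
# so the same decision can be made from a passwd file instead of $SHELL.
login_shell_of() {
    while IFS=: read -r name _pw _uid _gid _gecos _home shell; do
        if [ "$name" = "$1" ]; then
            printf '%s\n' "$shell"
            return 0
        fi
    done < "$2"
    return 1
}

# restricted_env BINDIR: fix PATH, SHELL and the startup-file variables that
# could pull in a user-controlled script, then make them read-only so the
# user's .profile cannot override them later in the login sequence.
restricted_env() {
    PATH="$1"; export PATH
    SHELL="$RESTRICTED_SHELL"; export SHELL
    ENV=; BASH_ENV=; export ENV BASH_ENV
    readonly PATH SHELL ENV BASH_ENV
}

# var_is_readonly NAME: true if NAME can no longer be assigned (tested in a
# subshell so a failed assignment cannot abort the caller).
var_is_readonly() {
    ! ( eval "$1=changed" ) 2>/dev/null
}

# When sourced at login, $SHELL holds the user's login shell from /etc/passwd.
if is_restricted_shell "${SHELL:-}"; then
    restricted_env "$RESTRICTED_BIN"
fi
```

Because readonly cannot be undone within the session, the user's own .profile (even if they recreate it) can no longer widen PATH; the directory /home/bin itself must of course stay unwritable to them.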