On Thu, 25 Apr 2002, Warren Togami wrote:

>> What can a user do with a shell account without access to outside of their
>> home directory?
>Plenty. They can poke around the filesystem looking for local root
>exploits,

If they can't cd out of their home directory, unless the admin allowed this user to install some tool that has a root exploit, I doubt this user can do much.

> or they can use programs on the server (or upload their own) to
>use the server as a relay from which they can scan and attack other
>machines.

True, but _your_ server is safe. ;-) Seriously, if you are so uptight that you are not willing to let a user cd out of their home directory, and yet you allow them to upload anything they want? This completely defeats the purpose of the cd limitation.

>SSH also introduces new problems in that any user can tunnel to any other
>location on the Internet, making it look like it came from the SSH server
>itself. This is a HUGE security risk because it is incredibly difficult to
>trace for the server administrator. There are ways of stopping people from
>doing this with iptables, but they are fairly difficult to implement and I'm
>not exactly sure how to do it at the moment.

This assumes the admin found a way to prevent the user from cd'ing out of the home directory, but then left ssh wide open for security holes. How ironic.

--jc
--
Jimen Ching (WH6BRR) [EMAIL PROTECTED] [EMAIL PROTECTED]
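The situation the reply calls ironic (users confined to their home directory while sshd forwarding stays open) can be checked mechanically. The script below is an added example, not part of the original message; `audit_sshd_config` is a hypothetical helper, the sample config is constructed, and only the global section in whitespace-separated `Keyword value` form is examined.

```shell
#!/bin/sh
# Added example (not from the thread): audit the global section of an
# sshd_config. Exit status = number of settings that still allow tunnelling.
audit_sshd_config() {
    awk '
    BEGIN {   # OpenSSH defaults that apply when a keyword is absent
        val["allowtcpforwarding"] = "yes"
        val["permittunnel"] = "no"
        val["chrootdirectory"] = "none"
    }
    /^[ \t]*(#|$)/ { next }           # skip comments and blank lines
    tolower($1) == "match" { exit }   # Match blocks are out of scope here
    {
        key = tolower($1)
        # sshd keeps the first value it reads for each keyword
        if ((key in val) && !(key in seen)) { val[key] = tolower($2); seen[key] = 1 }
    }
    END {
        weak = 0
        if (val["allowtcpforwarding"] != "no") {
            print "WEAK AllowTcpForwarding " val["allowtcpforwarding"]; weak++
        }
        if (val["permittunnel"] != "no") {
            print "WEAK PermitTunnel " val["permittunnel"]; weak++
        }
        if (weak > 0 && val["chrootdirectory"] != "none")
            print "NOTE users are chrooted but can still tunnel through sshd"
        exit weak
    }' "$1"
}

# Constructed sample: the admin confined users to their home directory
# but never touched the forwarding settings.
sample=$(mktemp)
cat > "$sample" <<'EOF'
# constructed sshd_config fragment
ChrootDirectory /home/%u
PermitTunnel no
EOF
audit_sshd_config "$sample" || echo "settings allowing tunnels: $?"
rm -f "$sample"
```

A missing `AllowTcpForwarding` line counts as weak because the OpenSSH default is `yes`; per-user `Match` blocks can still override whatever the global section says.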
