Subject: Re: user not traversing a tree in telnet?
To: David Brownlee <abs@NetBSD.ORG>
From: Jim Wise <>
List: netbsd-users
Date: 01/29/1998 12:30:25

On Mon, 26 Jan 1998, David Brownlee wrote:

> 	You would need to call chroot() (man 2 chroot), but you would
> 	have to ensure they could still see all the binaries, libraries
> 	and devices to which they need access.
> 	A better option might just be to chmod various parts of the
> 	filesystem and ensure they are in a group which cannot access
> 	them.

another option is to make their login shell a restricted ksh (NetBSD
ships with pdksh, which works as a restricted shell if called as
*r*ksh).  From ksh(1):

	 A shell is restricted if the  -r  option  is  used  or  if
       either  the basename of the name the shell is invoked with
       or the SHELL parameter match the pattern *r*sh (e.g., rsh,
       rksh, rpdksh, etc.).  The following restrictions come into
       effect after the shell  processes  any  profile  and  $ENV
         o    the cd command is disabled
         o    the SHELL, ENV and PATH parameters can't be changed
         o    command names can't be specified with  absolute  or
              relative paths
         o    the -p option of the command built-in can't be used
         o    redirections that create files can't be used (i.e.,
              >, >|, >>, <>)

Of course, this may be too restricted to be useful to you...

Note also, that if you do this, you have to make sure that the preset
PATH doesn't contain any programs which will let the user execute a
non-restricted shell.  This is a _lot_ harder than it sounds...

- --
				Jim Wise

Version: PGPfreeware 5.0i for non-commercial use
Charset: noconv