Subject: Re: user not traversing a tree in telnet?
To: David Brownlee <abs@NetBSD.ORG>
From: Jim Wise <firstname.lastname@example.org>
Date: 01/29/1998 12:30:25
On Mon, 26 Jan 1998, David Brownlee wrote:
> You would need to call chroot() (man 2 chroot), but you would
> have to ensure they could still see all the binaries, libraries
> and devices to which they need access.
> A better option might just be to chmod various parts of the
> filesystem and ensure they are in a group which cannot access

Another option is to make their login shell a restricted ksh (NetBSD
ships with pdksh, which works as a restricted shell if called as
*r*ksh). From ksh(1):

     A shell is restricted if the -r option is used or if
     either the basename of the name the shell is invoked with
     or the SHELL parameter match the pattern *r*sh (e.g., rsh,
     rksh, rpdksh, etc.). The following restrictions come into
     effect after the shell processes any profile and $ENV

       o the cd command is disabled
       o the SHELL, ENV and PATH parameters can't be changed
       o command names can't be specified with absolute or
       o the -p option of the command built-in can't be used
       o redirections that create files can't be used (i.e.,
         >, >|, >>, <>)

Of course, this may be too restricted to be useful to you...
Note also that if you do this, you have to make sure that the preset
PATH doesn't contain any programs which will let the user execute a
non-restricted shell. This is a _lot_ harder than it sounds...
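
One way to check the preset PATH that the message above warns about, as an added example that is not part of the original mail. It audits against an allowlist instead of trying to enumerate every risky program. The function name, the allowlist format (space-separated command names) and the finding labels are assumptions made for this example; the shells file is expected to look like /etc/shells.

```shell
#!/bin/sh
# Added example: audit the preset PATH of a restricted-shell (rksh) account.
# Assumptions, not from the original message: the allowlist is a
# space-separated list of command names, and the shells file lists one
# absolute path per line (the format of /etc/shells).

# audit_rpath PATH_VALUE "ALLOWED NAMES" SHELLS_FILE
# Prints one finding per line; returns 0 if clean, 1 otherwise.
audit_rpath() {
    rpath=$1; allowed=" $2 "; shells=$3; bad=0
    old_ifs=$IFS; IFS=:; set -f
    set -- $rpath                 # split on ':' with globbing off
    IFS=$old_ifs; set +f
    for dir in "$@"; do
        # Empty or relative entries resolve against the current directory,
        # not a directory the administrator fixed.
        case $dir in
            /*) ;;
            *) echo "RELATIVE: '$dir'"; bad=1; continue ;;
        esac
        # Group/other-writable directory: someone else can drop programs in.
        if [ -n "$(find "$dir" -prune \( -perm -020 -o -perm -002 \) 2>/dev/null)" ]; then
            echo "WRITABLE-DIR: $dir"; bad=1
        fi
        for f in "$dir"/*; do
            [ -x "$f" ] && [ ! -d "$f" ] || continue
            name=${f##*/}
            case $allowed in
                *" $name "*) ;;
                *) echo "NOT-ALLOWLISTED: $f"; bad=1 ;;
            esac
            # A harmless name can still be a link to, or copy of, a full shell.
            while IFS= read -r sh; do
                case $sh in /*) ;; *) continue ;; esac   # skip comments, blanks
                if cmp -s "$f" "$sh"; then
                    echo "SHELL: $f is identical to $sh"; bad=1
                fi
            done < "$shells"
        done
    done
    return "$bad"
}
```

Each allowlisted program still has to be reviewed by hand for its own ways of starting another program; the script only confirms that nothing outside the reviewed set is reachable through PATH.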