Subject: Re: user not traversing a tree in telnet?
To: David Brownlee <abs@NetBSD.ORG>
From: Jim Wise <jimw@numenor.turner.com>
List: netbsd-users
Date: 01/29/1998 12:30:25
-----BEGIN PGP SIGNED MESSAGE-----

On Mon, 26 Jan 1998, David Brownlee wrote:

> 	You would need to call chroot() (man 2 chroot), but you would
> 	have to ensure they could still see all the binaries, libraries
> 	and devices to which they need access.
> 
> 	A better option might just be to chmod various parts of the
> 	filesystem and ensure they are in a group which cannot access
> 	them.

another option is to make their login shell a restricted ksh (NetBSD
ships with pdksh, which works as a restricted shell if called as
*r*ksh).  From ksh(1):

	 A shell is restricted if the  -r  option  is  used  or  if
       either  the basename of the name the shell is invoked with
       or the SHELL parameter match the pattern *r*sh (e.g., rsh,
       rksh, rpdksh, etc.).  The following restrictions come into
       effect after the shell  processes  any  profile  and  $ENV
       files:
         o    the cd command is disabled
         o    the SHELL, ENV and PATH parameters can't be changed
         o    command names can't be specified with  absolute  or
              relative paths
         o    the -p option of the command built-in can't be used
         o    redirections that create files can't be used (i.e.,
              >, >|, >>, <>)

Of course, this may be too restricted to be useful to you...

Note also, that if you do this, you have to make sure that the preset
PATH doesn't contain any programs which will let the user execute a
non-restricted shell.  This is a _lot_ harder than it sounds...

- --
				Jim Wise
				jim.wise@turner.com

-----BEGIN PGP SIGNATURE-----
Version: PGPfreeware 5.0i for non-commercial use
Charset: noconv

iQEVAwUBNNC8thg+dMhCouwfAQHwXAf/YdO75VF3iiedmbc1JxNYzAJOeXUgA/Yb
s9t3Yk6VvJ7+qDEuI66xWDArSt4D3lZQcMnPNAJST0sIqBdtsxM1OrhMKCdMOfgq
EKm+a2WoYdkRcVjXbpeISnnBAJPRxDfE5ru9E4QwyFYrBKljOdYIj4qxIj/rYoW2
+SwDCDMO5ocmG9Dbo2GvqyyxKc3A8wdfAcK1c9BGXuvZL8tZaDDF/bBBQURez/EI
sepXwEEXXZfTZoXgzS16K9ldTHLJ1TuMp/wW14QIR7858OAkRWjolXo1zzWJCH7y
uuh9eVU5YOEvJSM3AO+ZvM35B8yUyoHpSsJbnToyiRJ8v7ByEIyt0Q==
=hoYA
-----END PGP SIGNATURE-----