[NTLUG:Discuss] restricting shell functions in a telnet session
Mark Bainter
mark-ntlug at firinn.org
Wed Apr 26 15:19:44 CDT 2000
Kevin Brannen [kbrannen at gte.net] wrote:
> David Camm wrote:
> >
> > several of our customers have asked if they could have telnet access to
> > their information on our server. those who need it already have guest
> > ftp access.
> >
> > in searching through the telnet and login docs, i can find no way to
> > restrict a user's login shell to NOT go above the user's home directory,
> > as guest or anonymous ftp does.
> >
> > since we've been a bit sloppy, going back and checking all permissions
> > on all files to ensure that a user couldn't inadvertently (or
> > advertently, for that matter) wreak any havoc would be a royal pain,
> >
> > is there any way of modifying (say) /etc/bashrc or /etc/profile to
> > accomplish this?
> >
> > is there another way?
>
> Have you considered changing their login shell to be "/bin/bash -r"?
> You could also create a script that does something like:
>
> chroot $HOME
> /bin/bash
>
> and make that their login shell (untested but the theory sounds good.
> :-)
>
This is not such a good idea. Unfortunately, the login process is not
instantaneous. So, if they can send an interrupt signal before the login
process gets to that point in the profile they can get an unrestricted shell.
Hrm. I dunno if telnet supports it but you can do forced chroot in ftp by
putting /./ at the end of a user's home directory. (i.e. /home/user/./) If
the default shell doesn't support this (particularly in restricted mode) you
might be able to find a patch that honors it. Or you could write one. ;-)
I just wouldn't depend on the profile option providing much protection.
--
"25 States allow anyone to buy a gun, strap it on, and walk down the street
with no permit of any kind: some say it's crazy. However, 4 out of 5 US
murders are committed in the other half of the country: so who is crazy?"
-- Andrew Ford
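The "/./" home-directory convention mentioned above, as an added example that is not code from this list or from any ftp daemon: a small Python parser that splits a passwd-style home field into the directory to chroot into and the home path as seen inside that chroot, the way a daemon honoring the convention would. That the first "/./" is the split point, and that the inside path is normalized so it can never point outside the chroot, are assumptions of this example.

```python
import posixpath
from typing import NamedTuple, Optional

MARKER = "/./"  # the ftp convention: everything before it becomes the chroot


class ChrootSpec(NamedTuple):
    chroot_dir: Optional[str]  # None when the entry asks for no chroot at all
    home_inside: str           # home directory as seen after the chroot


def parse_home_field(home_field: str) -> ChrootSpec:
    """Interpret a passwd home-directory field using the '/./' convention.

    '/home/user/./'      -> chroot to /home/user, home is '/'
    '/home/user/./docs'  -> chroot to /home/user, home is '/docs'
    '/home/user'         -> no chroot, home is /home/user
    """
    if not home_field.startswith("/"):
        raise ValueError("home directory must be an absolute path")
    idx = home_field.find(MARKER)
    if idx == -1:
        # No marker: plain home directory, no confinement requested.
        return ChrootSpec(None, posixpath.normpath(home_field))
    chroot_dir = posixpath.normpath(home_field[:idx] or "/")
    # Re-root the remainder at '/' and normalize it; since it starts at the
    # chroot's root, any '..' components collapse and cannot escape upward.
    home_inside = posixpath.normpath("/" + home_field[idx + len(MARKER):])
    return ChrootSpec(chroot_dir, home_inside)


def parse_passwd_line(line: str) -> tuple[str, ChrootSpec]:
    """Return (username, ChrootSpec) for one /etc/passwd-style line."""
    fields = line.rstrip("\n").split(":")
    if len(fields) != 7:
        raise ValueError("expected 7 colon-separated passwd fields")
    return fields[0], parse_home_field(fields[5])


if __name__ == "__main__":
    # Constructed sample entries, not taken from any real system.
    for entry in (
        "guest:x:1001:1001:Guest:/home/guest/./:/bin/bash",
        "cust1:x:1002:1002:Customer:/home/cust1/./pub:/bin/bash",
        "staff:x:1003:1003:Staff:/home/staff:/bin/bash",
    ):
        user, spec = parse_passwd_line(entry)
        print(f"{user}: chroot={spec.chroot_dir} home={spec.home_inside}")
```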