Protecting against downloads
Wm E. Davidsen Jr
davidsen at sixhub.UUCP
Tue Sep 25 02:52:13 AEST 1990
In article <1990Sep23.061854.309 at csense.uucp> bote at csense.uucp (John Boteler) writes:
| The .profile of the user must be owned by root, and writeable ONLY by
| root.
Overkill. As long as the profile is not writable by the user, it
doesn't have to be owned by a special id (one more potential hole).
Someone like 'usradmin' would be nice.
| The .profile must define a PATH that includes a directory such as
| /rbin, and does NOT include /bin or /usr/bin.
This is useful but doesn't stop explicit /bin/sh (or whatever) unless
/bin just isn't there, i.e. chroot. And the PATH better be readonly, a
feature of ksh and recent SysV shells.
| The .profile must define and export SHELL=/usr/rbin. This will ensure
| that any shell called from vi or other programs is also rsh.
Assuming they use that convention. Alas too many editors have /bin/sh
wired in rather than use the system() call. Microemacs disables shell
escapes completely in restricted mode, which is a good reason to offer
it instead of vi (depending on how well your vi behaves).
I prefer to offer guest users a menu program, which drives from a menu
which can be customized for them. Much tighter control than ever letting
them have shell access. If you have the disk you can provide shell
access in a chroot area and be safe. If you don't have enough disk to
copy rather than link, you might still be in trouble.
--
bill davidsen - davidsen at sixhub.uucp (uunet!crdgw1!sixhub!davidsen)
sysop *IX BBS and Public Access UNIX
moderator of comp.binaries.ibm.pc and 80386 mailing list
"Stupidity, like virtue, is its own reward" -me
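The points traded above (a .profile the restricted user cannot write, a PATH that names /rbin and not /bin or /usr/bin, PATH made readonly, and SHELL pointing into /usr/rbin) can be turned into an audit an administrator runs over guest accounts. The script below is an added example written for this page, not code from either poster; it assumes a POSIX sh with ls, sed, grep and tr, and takes the directory names /rbin and /usr/rbin from the thread. The owner check accepts any administrative id that is not the restricted user, matching the reply's point that root ownership is overkill.

```shell
#!/bin/sh
# Audit a restricted login account's .profile against the points raised in
# the thread: the file must not be writable by the restricted user, PATH must
# name a restricted bin directory and exclude /bin and /usr/bin, PATH must be
# made readonly, and SHELL must point into /usr/rbin.
# Constructed example for illustration; not code from the original post.
# Assumes a POSIX sh with ls(1), sed(1), grep(1) and tr(1).

# Last value assigned to variable $2 in profile $1, with quotes stripped.
profile_var() {
    sed -n "s/^[[:space:]]*\(export[[:space:]]\{1,\}\)\{0,1\}$2=//p" "$1" \
        | tail -n 1 | tr -d '"'"'"
}

# Ownership/permission check. The owner may be any administrative id (it
# need not be root) as long as it is not the restricted user, and no group
# or other write bit may be set; otherwise the user can edit PATH or SHELL.
profile_perms_ok() {
    f=$1; user=$2
    set -- $(ls -ld "$f")            # $1 = mode string, $3 = owner
    mode=$1; owner=$3
    [ "$owner" != "$user" ] || return 1
    case $mode in
        ?????w*|????????w*) return 1 ;;   # group or other write bit set
    esac
    return 0
}

# PATH must contain a restricted bin directory and nothing that reaches an
# unrestricted shell. Empty and relative entries are rejected too, since
# they would run whatever sits in the current directory.
profile_path_ok() {
    p=$(profile_var "$1" PATH)
    [ -n "$p" ] || return 1
    has_rbin=0 bad=0
    oldifs=$IFS; IFS=:
    for d in $p; do
        case $d in
            /bin|/usr/bin|"") bad=1 ;;
            /*) case $d in /rbin|/usr/rbin) has_rbin=1 ;; esac ;;
            *) bad=1 ;;                  # relative entry such as "."
        esac
    done
    IFS=$oldifs
    [ $bad -eq 0 ] && [ $has_rbin -eq 1 ]
}

# PATH must be marked readonly so the user cannot reassign it at the prompt
# (the ksh/SysV sh feature mentioned in the reply).
profile_path_readonly() {
    grep -Eq '^[[:space:]]*readonly[[:space:]]+([^#]*[[:space:]])?PATH([[:space:]]|=|$)' "$1"
}

# SHELL must point at the restricted shell so editors that honour $SHELL
# spawn it rather than /bin/sh.
profile_shell_ok() {
    s=$(profile_var "$1" SHELL)
    case $s in
        /usr/rbin|/usr/rbin/*) return 0 ;;
    esac
    return 1
}

# Run every check, report each failure, exit 0 only if all pass.
# Usage: audit_profile /home/guest/.profile guest
audit_profile() {
    f=$1; user=$2; rc=0
    profile_perms_ok "$f" "$user" || { echo "$f: writable by $user"; rc=1; }
    profile_path_ok "$f"          || { echo "$f: PATH reaches /bin or /usr/bin, or lacks /rbin"; rc=1; }
    profile_path_readonly "$f"    || { echo "$f: PATH is not readonly"; rc=1; }
    profile_shell_ok "$f"         || { echo "$f: SHELL is not under /usr/rbin"; rc=1; }
    return $rc
}
```

The checks are deliberately textual: they parse the profile rather than sourcing it, so a hostile or broken profile is never executed by the auditor. They do not address the remaining gap the reply points out, namely editors with /bin/sh wired in, which only chroot or a menu front end closes.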