Secure (regular) Scripts
Larry Taborek
larry at macom1.UUCP
Fri Dec 22 23:22:14 AEST 1989
From article <9100020 at m.cs.uiuc.edu>, by carey at m.cs.uiuc.edu:
>
> I want to keep people in this shell script, and not allow them to have
> access to a regular shell. One thing I have tried to prevent is having
> people send interrupts and things like that to interrupt the shell
> script.
>
> Another big problem is that many things, like notes, mail, and even editors,
> have "shell escapes" built into them.
>
> Is there any way to prevent people from using these shell escapes, or at least
> having them not be able to do anything once they have done it? Do I have to
> rewrite mail and editors, to disable the shell escapes? I wanted to avoid
> using the "rsh" (restricted shell) since that is kind of an administrative
> hassle. It would be better than rewriting editors. The best thing would
> be some kind of trick to have them end up in a black hole somewhere when
> they do a shell escape.

Well, one thing I noticed in reading the login source for 5.2 is
that if you have a "*" character in the shell field of an account
in the password file, then login will do a change root to that
account's home directory field and attempt to respin a local
login.

Once root has been changed to that subdirectory (now called
localroot), then underneath localroot you will need a bin, etc
and dev directory. Naturally you will need a login program in
either localroot/etc or localroot/bin. A /localroot/etc/passwd
file is also necessary. Now if you don't have a sh or csh or ksh
program available in localroot/bin, then I don't believe that
they can -ever- access the shell, as for them there is no shell
to access.

And if they did, where would they go...
:-)

By the way, NEAT feature guys...
--
Larry Taborek ..!uunet!grebyn!macom1!larry Centel Federal Systems
larry at macom1.UUCP 11400 Commerce Park Drive
Reston, VA 22091-1506
My views do not reflect those of Centel 703-758-7000
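
Added example, not part of the original post: a shell check that a localroot tree has the layout the reply describes (bin, etc and dev directories, a login program in etc or bin, an etc/passwd file) and that no sh, csh or ksh sits in localroot/bin. The function name audit_jail and the demo tree are assumptions made for illustration; the demo files are constructed stand-ins, not real binaries.

```shell
#!/bin/sh
# audit_jail ROOT: report deviations from the layout described in the post.
# Returns the number of problems found (0 means the tree looks as intended).
audit_jail() {
    root=$1
    problems=0
    # bin, etc and dev must exist underneath localroot.
    for d in bin etc dev; do
        [ -d "$root/$d" ] || { echo "MISSING dir: $d"; problems=$((problems + 1)); }
    done
    # The re-run login needs a login program in either etc or bin.
    if [ ! -x "$root/etc/login" ] && [ ! -x "$root/bin/login" ]; then
        echo "MISSING login program in etc/ or bin/"
        problems=$((problems + 1))
    fi
    # The nested login also needs its own password file.
    [ -f "$root/etc/passwd" ] || { echo "MISSING file: etc/passwd"; problems=$((problems + 1)); }
    # The containment rests on there being no shell for an escape to run.
    for s in sh csh ksh; do
        if [ -e "$root/bin/$s" ]; then
            echo "SHELL present: bin/$s"
            problems=$((problems + 1))
        fi
    done
    [ "$problems" -eq 0 ] && echo "OK: layout matches, no shell in bin/"
    return "$problems"
}

# Constructed demo tree: a matching layout first, then a file named like a shell.
demo=$(mktemp -d)
mkdir -p "$demo/bin" "$demo/etc" "$demo/dev"
: > "$demo/etc/passwd"
printf 'stand-in\n' > "$demo/etc/login"; chmod +x "$demo/etc/login"
audit_jail "$demo" || true
cp "$demo/etc/login" "$demo/bin/ksh"
audit_jail "$demo" || true
rm -rf "$demo"
```

The check covers only localroot/bin, as the post does; a shell copied elsewhere under localroot would not be reported.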