[NTLUG:Discuss] restricting shell functions in a telnet session

Seth Daniel seth at ti.com
Wed Apr 19 09:27:07 CDT 2000


From my bash man page:

RESTRICTED SHELL
If bash is started with the name rbash, or the -r option
is supplied at invocation, the shell becomes restricted.
A restricted shell is used to set up an environment more
controlled than the standard shell.


Basically it will know that it's supposed to be a restricted
shell.  It's the same thing as using the -r argument.

On Tue, Apr 18, 2000 at 05:19:07PM -0500, David Camm wrote:
> 
> 
> Seth Daniel wrote:
> > 
> > It's in there.  You can accomplish the same thing by making
> > a symlink called rbash and pointing it at bash.  Then change the
> > shells in the passwd file to rbash.
> 
> i'm not sure i understand why ln -s /bin/bash rbash, then executing
> rbash would change the behavior of bash.  am i missing something?
> 
> > 
> > Perhaps you have an older bash?  Or an older bash man page?
> 
> redhat 5.2 - 2.0.36 kernel
> 
> > 
> > On Tue, Apr 18, 2000 at 02:17:06PM -0500, David Camm wrote:
> > > thanks, kevin....
> > >
> > > i looked at the man pages for bash and couldn't find a -r parm.....
> > >
> > > Kevin Brannen wrote:
> > > >
> > > > David Camm wrote:
> > > > >
> > > > > several of our customers have asked if they could have telnet access to
> > > > > their information on our server.  those who need it already have guest
> > > > > ftp access.
> > > > >
> > > > > in searching through the telnet and login docs, i can find no way to
> > > > > restrict a user's login shell to NOT go above the user's home directory,
> > > > > as guest or anonymous ftp does.
> > > > >
> > > > > since we've been a bit sloppy, going back and checking all permissions
> > > > > on all files to ensure that a user couldn't inadvertently (or
> > > > > advertantly, for that matter) wreak any havoc would be a royal pain,
> > > > >
> > > > > is there any way of modifying (say) /etc/bashrc or /etc/profile to
> > > > > accomplish this?
> > > > >
> > > > > is there another way?
> > > >
> > > > Have you considered changing their login shell to be "/bin/bash -r"?
> > > > You could also create a script that does something like:
> > > >
> > > >         chroot $HOME
> > > >         /bin/bash
> > > >
> > > > and make that their login shell (untested but the theory sounds good.
> > > > :-)
> > > >
> > > > Kevin
> > > >
> > > > _______________________________________________
> > > > http://ntlug.org/mailman/listinfo/discuss
> > >
> > 
> > --
> > seth daniel  |  Texas Instruments DMOS4/5
> > seth at ti.com  |   Automation Engineering
> > 

-- 
seth daniel  |  Texas Instruments DMOS4/5
seth at ti.com  |   Automation Engineering
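
Added example, not part of the original thread: a check that the same bash binary restricts itself when its invoked name is rbash or when it is given -r, as the man page excerpt above says. The temporary directory, the function names and the probe commands are assumptions made for the illustration.

```shell
#!/bin/sh
# is_restricted CMD [ARGS...]
# Returns 0 only if the shell started as CMD ARGS reports restricted mode
# and refuses every probe below.
is_restricted() {
    # bash sets the shopt "restricted_shell" when it runs restricted
    "$@" -c 'shopt -q restricted_shell' 2>/dev/null || return 1
    # things a restricted bash must refuse: changing directory,
    # reassigning PATH, and command names that contain a slash
    for probe in 'cd /' 'PATH=/bin' '/bin/true'; do
        if "$@" -c "$probe" >/dev/null 2>&1; then
            echo "NOT blocked: $probe" >&2
            return 1
        fi
    done
    return 0
}

# Build the symlink from the thread in a scratch directory (constructed
# path, nothing under /bin is touched) and compare the three invocations.
demo_rbash_link() {
    bash_path=$(command -v bash) || return 2
    tmp=$(mktemp -d) || return 2
    ln -s "$bash_path" "$tmp/rbash"    # same binary, argv[0] is now "rbash"
    rc=0
    is_restricted "$tmp/rbash"    && echo "rbash symlink: restricted" || rc=1
    is_restricted "$bash_path" -r && echo "bash -r: restricted"       || rc=1
    is_restricted "$bash_path"    && rc=1 || echo "plain bash: unrestricted"
    rm -rf "$tmp"
    return $rc
}

demo_rbash_link
```
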



