[NTLUG:Discuss] restricting shell functions in a telnet session
Kevin Brannen
kbrannen at gte.net
Wed Apr 26 16:35:36 CDT 2000
Mark Bainter wrote:
>
> Kevin Brannen [kbrannen at gte.net] wrote:
> > David Camm wrote:
> > >
> > > several of our customers have asked if they could have telnet access to
> > > their information on our server. those who need it already have guest
> > > ftp access.
> > >
> >
> > Have you considered changing their login shell to be "/bin/bash -r"?
> > You could also create a script that does something like:
> >
> > chroot $HOME
> > /bin/bash
> >
> > and make that their login shell (untested but the theory sounds good.
> > :-)
> >
>
> This is not such a good idea. Unfortunately, the login process is not
> instantaeous. So, if they can send an interrupt signal before the login
> process gets to that point in the profile they can get an unrestricted shell.
Since the profile is not done till bash does it, and the chroot is
already done, then it's still secure. It would be a good idea to put
a ``trap "exit" 1 2 3 15 17 18 19 20 21 22 23'' at the top too.
Or are you discussing the "bash -r" thought? In which case, you have
a very valid point!
>
> Hrm. I dunno if telnet supports it but you can do forced chroot in ftp by
> putting /./ at the end of a users home directory. (i.e. /home/user/./) If
> the default shell doesn't support this (particularly in restricted mode) you
> might be able to find a patch that honors it. Or you could write one. ;-)
Writing a custom wrapper type app for that should be pretty easy. Of
course, someone also brought up the idea that a "chroot" might make
other parts of life pretty difficult (in not being able to find
shared-libs or "harmless utils" like "ls"). I think the final
solution really depends on what the goal is.
>
> I just wouldn't depend on the profile option providing much protection.
Agreed on that!
Kevin
More information about the Discuss
mailing list