restricted shell - not so restrict

restricted shell - not so restrict

Post by Vahid Moghaddas » Fri, 05 May 2006 02:25:51



Hi all,
We are required to assign a restricted shell to some users but they can
easily bypass the restriction and gain non-restricted shell. They can

shell.
Is there a way to completely restrict them to whatever command we put
in /usr/rbin/ directory?
Thanks,
 
 
 

restricted shell - not so restrict

Post by Daniel Roc » Fri, 05 May 2006 06:39:17



> Hi all,
> We are required to assign a restricted shell to some users but they can
> easily bypass the restriction and gain non-restricted shell. They can

> shell.
> Is there a way to completely restrict them to whatever command we put
> in /usr/rbin/ directory?
> Thanks,

You seem to have set up your restricted environment wrong:


Password:
rsh: /bin/ksh: restricted
Connection to localhost closed.

You *have* to set PATH in the user's .profile, otherwise the default PATH
will be used (/usr/bin:) - pretty useless, since even the current
directory is in the PATH. And of course /usr/bin with all its shells.

To be even safer, the home directory and the .profile file should *not*
be owned by the restricted user.

BTW the restricted shell is /usr/lib/rsh (which should be a symbolic link to
../../sbin/sh)

--
Daniel

 
 
 

restricted shell - not so restrict

Post by Wolfgan » Fri, 05 May 2006 06:44:42


Vahid Moghaddasi wrote:
> Hi all,
> We are required to assign a restricted shell to some users but they can
> easily bypass the restriction and gain non-restricted shell. They can

> shell.
> Is there a way to completely restrict them to whatever command we put
> in /usr/rbin/ directory?
> Thanks,

You can restrict keys to a certain command (man sshd), but then you must
take care that users cannot modify the authorized_keys.

I don't believe they can bypass the login shell, because ssh should fork
the process under the restricted shell, but I will try that ;-). Do you
really mean the normal rsh (restricted, not remote)?

In spite of that, there is an ssh group...

 
 
 
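As an added example of the authorized_keys approach Wolfgang mentions (this is not code from the thread; the wrapper name and location, the /usr/rbin directory and the allowlist are assumptions): sshd runs the program named in a key's command= option instead of whatever the client requested, and puts the client's request in SSH_ORIGINAL_COMMAND. The wrapper below only ever executes one of a few named programs, so neither an interactive login nor a request such as /bin/sh or "ls; sh" reaches a shell.

```shell
#!/bin/sh
# Added example (not from the thread): a forced-command wrapper for an
# authorized_keys entry, per sshd(8) "command=". sshd sets
# SSH_ORIGINAL_COMMAND to what the client asked for; the wrapper runs
# only an allowlisted program out of one directory and never a shell.
# Wrapper name, paths and the allowlist are assumptions.
#
# Install root-owned, mode 0755, and reference it from the key:
#   command="/usr/local/sbin/rcmd-wrapper",no-pty,no-port-forwarding,no-X11-forwarding,no-agent-forwarding ssh-ed25519 AAAA... user@client
# The user owns ~/.ssh/authorized_keys by default, so move it out of
# reach, e.g. in sshd_config:
#   AuthorizedKeysFile /etc/ssh/authorized_keys/%u

set -f   # no pathname expansion: a request of "*" stays a literal "*"

RBIN=${RBIN:-/usr/rbin}   # directory holding the permitted programs

# Print the program name from a request (its first word), or fail when
# it is empty or contains anything outside [A-Za-z0-9_.-]. This rejects
# "/bin/sh", "ls;sh", "$(sh)" and "../ksh" before any lookup happens.
rcmd_pick() {
    set -- $1                  # intentional word split of the request
    case ${1:-} in
        '' | *[!A-Za-z0-9_.-]*) return 1 ;;
    esac
    printf '%s\n' "$1"
}

# Allow a fixed list of names rather than "whatever is in $RBIN", so a
# binary dropped into that directory is not picked up by accident. None
# of these can spawn a shell; pagers and editors would not qualify.
rcmd_allowed() {
    name=$(rcmd_pick "$1") || return 1
    case $name in
        ls | cat | date | uptime) return 0 ;;
        *) return 1 ;;
    esac
}

# Dispatch SSH_ORIGINAL_COMMAND: exec the permitted program with the
# remaining words as its arguments (never through eval or a shell), or
# exit 126 having run nothing. An empty request, i.e. the client asked
# for an interactive shell, is denied like any other.
rcmd_run() {
    req=${SSH_ORIGINAL_COMMAND:-}
    if ! rcmd_allowed "$req"; then
        logger -t rcmd-wrapper "denied for ${USER:-?}: $req" 2>/dev/null || :
        echo "rcmd-wrapper: command not permitted" >&2
        exit 126
    fi
    set -- $req
    name=$1; shift
    exec "$RBIN/$name" "$@"
}

# Dispatch only when invoked under the installed name, so the functions
# above can also be sourced and exercised on their own.
case $0 in
    rcmd-wrapper | */rcmd-wrapper) rcmd_run ;;
esac
```

Two caveats follow from the thread itself. The forced command is only as good as the file it lives in, so AuthorizedKeysFile should point somewhere the user cannot write. And sshd starts the forced command through the user's login shell with -c; a restricted ksh rejects command names containing a slash, so for an account whose login shell is rksh the wrapper has to sit in the restricted PATH and be named without a path in the command= option.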

restricted shell - not so restrict

Post by Vahid Moghaddas » Fri, 05 May 2006 12:04:56



> You *have* to set PATH in the user's .profile otherwise the default PATH
> will be used (/usr/bin:) - pretty useless, since even the current
> directory is in the PATH. And of course /usr/bin with all its shells.

> To be even more safe the home directory and the .profile file should *not*
> be owned by the restricted user.
Did all of that.

> BTW the restricted shell is /usr/lib/rsh (which should be a symbolic link to
> ../../sbin/sh)

Hmm, except this one; we have at the last line of the user's .profile:
exec /bin/rksh
Thanks, this seems to be working for us.
 
 
 

restricted shell - not so restrict

Post by Daniel Roc » Fri, 05 May 2006 17:07:14



> hmm, except this one, we have at the last line in .profile of the user:
> exec /bin/rksh

Set the restricted shell as the login shell for the user:

usermod -s /usr/bin/rksh <username>

--
Daniel

 
 
 

restricted shell - not so restrict

Post by Vahid Moghaddas » Fri, 05 May 2006 21:05:58



> Set the restricted shell as login-shell to the user:

> usermod -s /usr/bin/rksh <username>

Thanks, did just that yesterday.
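To make the fixes agreed on in this thread checkable, here is an audit script (an added example, not something any poster wrote) that tests an account against Daniel's points: the restricted shell must be the passwd shell field, as set by usermod -s, rather than an exec at the end of .profile; .profile must set PATH to absolute directories containing no shells; and neither the home directory nor .profile may be owned or writable by the user. The exec check matters because .profile is read by the unrestricted login shell named in passwd, which is therefore already running, and "ssh host command" runs that shell with -c without reading .profile at all. Account name, file locations and the list of restricted shells are assumptions; run it as root on the host being audited.

```shell
#!/bin/sh
# Added example (not from the thread): audit checks for a restricted-shell
# account. Account name, paths and the shell list are assumptions.
#   usage, as root on the audited host:  sh rshell-audit.sh ruser
set -f   # no pathname expansion while PATH values are split below

# Login shells that are actually restricted on the systems discussed:
# Solaris /usr/lib/rsh (a link to ../../sbin/sh, which runs restricted
# under that name) and rksh. Extend per local policy.
RESTRICTED_SHELLS="/usr/lib/rsh /usr/bin/rksh /bin/rksh"

# Numeric owner of a path; ls -n is portable where stat(1) flags differ.
owner_uid_of() {
    ls -ldn "$1" | awk '{ print $3 }'
}

# Check 1: the passwd(5) shell field itself must be a restricted shell.
# "exec /bin/rksh" at the end of .profile is too late: the unrestricted
# shell named in passwd is already running when .profile is read, and
# "ssh host command" runs that shell with -c without reading .profile.
check_login_shell() {
    for s in $RESTRICTED_SHELLS; do
        [ "$1" = "$s" ] && return 0
    done
    return 1
}

# Check 2: .profile must set PATH; every entry must be absolute (a
# relative or empty entry means the current directory); no entry may
# hold a shell; and .profile must not rely on an "exec" at the end.
check_profile_path() {
    profile=$1
    line=$(sed -n 's/^[[:space:]]*PATH=//p' "$profile" | tail -n 1)
    [ -n "$line" ] || return 1         # PATH never set: the default is used
    value=$(printf '%s' "$line" | tr -d "\"'" | sed 's/[;[:space:]].*//')
    oldifs=$IFS; IFS=:; set -- $value; IFS=$oldifs
    [ $# -gt 0 ] || return 1
    for dir in "$@"; do
        case $dir in /*) ;; *) return 1 ;; esac
        for name in sh ksh csh bash tcsh zsh; do
            [ -x "$dir/$name" ] && return 1
        done
    done
    ! grep -q '^[[:space:]]*exec[[:space:]]' "$profile"
}

# Check 3: neither the home directory nor .profile may be owned by the
# user, nor group/world writable, or PATH is one edit away from undone.
# Accepts a user name or a numeric uid.
check_not_user_writable() {
    user=$1; path=$2
    [ -e "$path" ] || return 1
    uid=$(id -u "$user" 2>/dev/null) || uid=$user
    [ "$(owner_uid_of "$path")" != "$uid" ] || return 1
    case $(ls -ld "$path" | cut -c6,9) in
        *w*) return 1 ;;
    esac
    return 0
}

# Run every check for one account, printing one line per failure.
audit_account() {
    user=$1
    entry=$(getent passwd "$user") || { echo "no such user: $user" >&2; return 2; }
    home=$(printf '%s\n' "$entry" | cut -d: -f6)
    shell=$(printf '%s\n' "$entry" | cut -d: -f7)
    rc=0
    check_login_shell "$shell" ||
        { echo "FAIL: login shell is $shell, not a restricted shell"; rc=1; }
    check_profile_path "$home/.profile" ||
        { echo "FAIL: $home/.profile does not pin a safe PATH"; rc=1; }
    for p in "$home" "$home/.profile"; do
        check_not_user_writable "$user" "$p" ||
            { echo "FAIL: $p is owned or writable by $user"; rc=1; }
    done
    return $rc
}

if [ $# -eq 1 ]; then
    audit_account "$1"
fi
```

Each check is a separate function so it can be run against a copied passwd line or a staged home directory before the account goes live; a non-zero exit from audit_account means at least one of the conditions the thread settled on does not hold.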
 
 
 

restricted shell/restricting login

A while ago I posted a question about how to restrict logins to our
Ultrix systems.  Someone sent me a C or shell script which I'm
embarrassed to say I've misplaced.  I think it was called "syslogin".
Please re-send it to me, whoever you are (were).

Here's the problem I wish to solve:

What I want to do is split the modem pool into 2 numbers - one for
students and one for faculty/staff.  

I want the login procedure to check which terminal server a connection
is coming from.  The procedure should then check the account and see if that
account is entitled to connect from that terminal server...if so,
then continue normally, if not then print a message like "Please dial
the number xxx-xxxx".

We have DEC terminal servers (I don't wish to use lat groups) and
Ultrix 4.2a.

I'm certain I'm not re-inventing the wheel here.  Any comments, suggestions
and pointers are most welcome.

Thanks in advance...
-

Trent University Computing & Telecommunications  tel: (705)748-1540
Peterborough, Ontario, Canada, K9J 7B8           fax: (705)748-1246
