security

[Bill Davidsen]

Wolfgang S. Rupprecht wrote:
> Mikkel <mikkel at infinity-ltd.com> writes:
>> You may also want to consider setting his shell to rbash. See the
>> "RESTRICTED SHELL" section of the bash man page.
> 
> Treat rbash as a fun puzzle, not as a security measure.  They did block
> ">" redirects and ./doit file execution, but that is far from enough.
> With a few minutes pondering this solution popped up.
> 
>     emacs doit
>     <insert  "bash -i" without the quotes>
>     . doit
>     <instant non-restricted shell>
> 

rbash isn't that insecure, it has its own PATH, and I can't imagine putting 
anything other than the minimum tools needed in it. In the past I have made a 
/usr/rbin directory and hard linked only the things absolutely needed.

It is not an optimal top security solution, but it's not quite as bad as you 
imply unless it's set up to be. It is quite useful for keeping newbies from 
hurting themselves. ;-)

See other post for related replies.

-- 
Bill Davidsen <davidsen at tmr.com>
   "We have more to fear from the bungling of the incompetent than from
the machinations of the wicked."  - from Slashdot