Date: 2/15/96
From: BARRY L J PHILLIPS at MKNLHO01
To: internet.ibmmail at IBMMX INTERNET - IBMMAIL
Subject: SUMMARY: Prevent Access to the shell
===============================================================================
Many thanks to the following who offered advice.
From: Christophe Prevotaux <nighty_at_ebc.net>
From: Kent R Arnott <karnott_at_falcon.tamucc.edu>
From: David Warren <warren_at_atmos.washington.edu>
From: tom_at_homer.bus.miami.edu
From: "Andrew C. Saylor" <asaylor_at_alpha.comsource.net>
From: Doug Gould <dgj_at_omega.rtpnc.epa.gov>
From: thlis_at_bpc.co.nz (Tairawhiti Healthcare Ltd)
Summary: - My question:
Hi Managers,
I have a problem which I need a bit of help with.
I've written a simple menu to restrict some of our users. Unfortunately I
must invoke vi and mail. How can I prevent my users from dropping out of the
back of these utilities to the shell?
Also I wish to prevent them from using their account for FTP access to the
machine.
Any ideas are welcome.
Suggestions:-
--<<<<<<<<<<<<<<<<<<<<<*>>>>>>>>>>>>>>>>>>>>>--
To prevent ftp access just give them a shell that is not in the /etc/shells
file. Alternatively you can list them all in the /etc/ftpusers file.
--<<<<<<<<<<<<<<<<<<<<<*>>>>>>>>>>>>>>>>>>>>>--
Don't let them change their shells; put the default shell for those accounts in
/usr/local/bin/<name of shell>
Don't put <name of shell> in /etc/shells.
If they try to ftp to that account it will tell them they can't, or it may even
tell them they have an invalid shell.
For the no-exit in vi, try this:
Create a file in each user's home dir called .exrc:
    set shell=/dev/null
When they try to execute a shell command they will get something like
"Invalid SHELL value: /dev/null"
so they simply press return and return to normal mode.
You may want to set the perms on .exrc to read-only just in case they
attempt to write to it. You may also want to change ownership of
the file to bin or root or something.
--<<<<<<<<<<<<<<<<<<<<<*>>>>>>>>>>>>>>>>>>>>>--
Well, the problem with vi is, not only can it start a shell, but under
Ultrix it can break a restricted shell very easily. Unless vi was
modified in some way, I really can't think of a way to prevent that; at least
with OSF, the shell they can get is restricted...
Simply put their username in the ftpusers file. Any user in that file is
denied logins through ftp.
--<<<<<<<<<<<<<<<<<<<<<*>>>>>>>>>>>>>>>>>>>>>--
For these, I would recompile the programs to prevent shelling out. For
example: the Pine mail program can be compiled with a shell command. The
Pico editor (which comes with Pine) doesn't HAVE a shell command. I'm sure
that vi's could be disabled, perhaps by hacking the source code?
The easiest way to prevent this is to make sure the shell program they
are using is NOT listed in /etc/shells. Most FTP daemons won't permit
login in that situation.
--<<<<<<<<<<<<<<<<<<<<<*>>>>>>>>>>>>>>>>>>>>>--
Get rid of the menu.
Use rsh, which performs a chroot() to the user's directory.
The commands you wish to allow the user to use must be
copied to their $HOME/bin directory. They can't access anything
above their HOME directory, whether by trying to escape out of
the program or otherwise.
Received on Thu Feb 15 1996 - 11:05:18 NZDT
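As an added example (not part of the original summary or any respondent's mail), here is a small POSIX sh audit that checks the controls the replies recommend for a menu-restricted account: its shell absent from /etc/shells, the account present in /etc/ftpusers, and a read-only ~/.exrc forcing vi's shell to /dev/null. The function names, the account `menuuser`, the shell path `/usr/local/bin/menush` and the scratch files are all constructed for the demo.

```shell
# Added audit (not from the original mail) for a menu-restricted account,
# checking the controls the replies recommend: shell absent from /etc/shells,
# user present in /etc/ftpusers, ~/.exrc forcing vi's shell to /dev/null and
# not writable. Paths are parameters so it can run against a scratch copy.

# audit_restricted_user USER SHELL SHELLS_FILE FTPUSERS_FILE HOME_DIR
# Prints one line per check; returns the number of failed checks (0 = all ok).
audit_restricted_user() {
    user=$1 shell=$2 shells=$3 ftpusers=$4 exrc=$5/.exrc
    fails=0
    if grep -qx "$shell" "$shells" 2>/dev/null; then
        echo "FAIL: $shell is in $shells, so ftpd would let $user log in"
        fails=$((fails + 1))
    else echo "ok:   $shell is not in $shells"; fi
    if grep -qx "$user" "$ftpusers" 2>/dev/null; then
        echo "ok:   $user is listed in $ftpusers"
    else echo "FAIL: $user is missing from $ftpusers"; fails=$((fails + 1)); fi
    if grep -qx 'set shell=/dev/null' "$exrc" 2>/dev/null; then
        echo "ok:   $exrc forces vi's shell to /dev/null"
    else echo "FAIL: $exrc does not set shell=/dev/null"; fails=$((fails + 1)); fi
    # Mode string from ls -l (e.g. -r--r--r--); any 'w' means someone can edit it.
    case $(ls -ld "$exrc" 2>/dev/null | cut -c1-10) in
        *w*) echo "FAIL: $exrc is writable, the setting could be removed"
             fails=$((fails + 1)) ;;
        "")  echo "FAIL: $exrc is missing"; fails=$((fails + 1)) ;;
        *)   echo "ok:   $exrc is read-only" ;;
    esac
    return "$fails"
}

# Build a constructed scratch tree (sample shells, ftpusers and home dir)
# and print its path; nothing under /etc is touched.
make_scratch() {
    dir=$(mktemp -d)
    printf '/bin/sh\n/bin/csh\n' > "$dir/shells"
    printf 'root\nmenuuser\n' > "$dir/ftpusers"
    mkdir "$dir/home"
    printf 'set shell=/dev/null\n' > "$dir/home/.exrc"
    chmod 444 "$dir/home/.exrc"
    echo "$dir"
}

# Demo run; /usr/local/bin/menush is a placeholder for the site's menu shell.
scratch=$(make_scratch)
audit_restricted_user menuuser /usr/local/bin/menush \
    "$scratch/shells" "$scratch/ftpusers" "$scratch/home"
```

To audit a real account, pass the user's login shell from the password file together with /etc/shells, /etc/ftpusers and the home directory; a non-zero exit status is the number of controls that are not in place.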