On 1/2/25 1:13 PM, Rik Farrow wrote:
> 
> 
> On Thu, Jan 2, 2025 at 7:23 AM Chet Ramey <chet.ramey@case.edu 
> <mailto:chet.ramey@case.edu>> wrote:
> 
>     On 1/1/25 1:11 PM, Rik Farrow wrote:
>      > For example, the 3B2 I
>      > administered for a while in the late 80s had multiple accounts with
>     rsh,
>      > the restricted shell, as the login shell. That was okay, unless you
>     used su
>      > and then had access to a root shell.
> 
>     That's an administrator problem. Part of setting up a restricted shell
>     environment is creating a directory of necessary binaries and setting
>     PATH appropriately.
> 
> Each of these special accounts did have a home directory with a .profile to 
> set up the restricted environment, then run a shell script to perform some 
> task as root. For example, logging in as 'backup' would run /user/ 
> backup/.profile and allow a non-privileged user to run a backup script as root.
> 
> But typing "su backup" produced a root-owner shell without restrictions. 
> You need to type "su - " to run the account's .profile script.

OK, I thought you meant the other way, breaking out of a restricted
environment.

-- 
``The lyf so short, the craft so long to lerne.'' - Chaucer
		 ``Ars longa, vita brevis'' - Hippocrates
Chet Ramey, UTech, CWRU    chet@case.edu    http://tiswww.cwru.edu/~chet/