From: Borsenkow Andrej
To: Emre Yildirim
Cc: zsh-users@sunsite.dk
Subject: Re: restricted shell
Date: 21 Oct 2001 23:00:49 +0400
Message-Id: <1003690856.3370.17.camel@localhost.localdomain>

On Sun, 2001-10-21 at 22:33, Emre Yildirim wrote:
> Oops, sorry, I was reading the man page, and right after I sent this
> email, I saw the restricted shell section. I have another question:
>
> When I set up a restricted shell for a user, and let's say I put
> PATH=/r in his .zprofile and /r contains no binaries, he is still
> able to execute certain commands (like echo, pwd, export, etc).
> How can I restrict the execution of those commands as well?
>

Using the disable builtin. Make .zshrc read-only for the user (or do it in
the system zshrc and make the user's home directory read-only) and put

    disable echo

there.

> Also there are programs like pine that allow users to break out of
> restricted shells. Any tips on how to limit that as well?
>

Do not allow the user to run them :-) Really, that is everything you can
do - examine every program for possible back-doors before allowing
restricted users to execute them. Pine allows you to have a system-wide
config file that takes precedence over any user settings. Vim has a
restricted mode as well, IIRC.

-andrej
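
An added example, not part of the original message: a POSIX sh audit of the two conditions the reply names, that the user cannot modify the zsh startup files or the home directory holding them, and that a `disable` line is actually present. The function names are hypothetical, and ignoring group write permission is a simplification of this example.

```shell
#!/bin/sh
# Constructed audit helper (hypothetical names), not code from the thread.

# user_can_write PATH USER: 0 if USER (name or numeric uid) can write PATH
# through the owner bit or the world bit. Group write is not examined.
user_can_write() {
    [ -e "$1" ] || return 1
    [ -n "$(find "$1" -prune \( \( -user "$2" -perm -200 \) -o -perm -002 \) -print)" ]
}

# has_disable FILE: 0 if FILE has an uncommented `disable <name>` line.
has_disable() {
    [ -r "$1" ] && grep -Eq '^[[:space:]]*disable[[:space:]]+[^#[:space:]]' "$1"
}

# audit_rzsh HOME USER SYSTEM_ZSHRC: prints findings, returns their count.
audit_rzsh() {
    home=$1 user=$2 sysrc=$3 n=0
    for f in .zshenv .zprofile .zshrc .zlogin; do
        if user_can_write "$home/$f" "$user"; then
            echo "FINDING: $home/$f is writable by $user"; n=$((n + 1))
        fi
    done
    # A writable directory lets the user replace read-only files inside it.
    if user_can_write "$home" "$user"; then
        echo "FINDING: $home is writable by $user"; n=$((n + 1))
    fi
    if ! has_disable "$home/.zshrc" && ! has_disable "$sysrc"; then
        echo "FINDING: no disable line in $home/.zshrc or $sysrc"; n=$((n + 1))
    fi
    return "$n"
}
```

A startup file owned by the restricted user is only read-only for as long as that user cannot reach chmod, so root ownership is the stronger setting.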