[comp.unix.shell] Help creating a restricted shell

[comp.unix.shell] Help creating a restricted shell

[Mark Borges]

I don't entirely agree with this (restricting users to a handful of
commands on the machine), but does anyone on this list have experience
with this?

I thought of making a simple script that would act as the login shell
and limit commands to the desired subset; would it be possible to
retain command line editing and filename completion in such a
scenario.

Thanks for any advice.

------- Start of forwarded message -------
From: Chesley McColl <ckm@cdc.noaa.gov>
Newsgroups: comp.unix.shell
Subject: Help creating a restricted shell
Date: Tue, 14 Jan 1997 11:00:55 -0700
Organization: University of Colorado at Boulder
Message-ID: <Pine.SOL.3.92.970114105954.12713D-100000@revelle>

Hi,

I have a couple machines on our LAN that I want users to only
be able to exec the simpilest of commands (ls,cp,cd,tar,...)
very similar to ftp, is there a simple way to do this?

Chesley

P.S. please reply back to ckm@cdc.noaa.gov THANKS ;-)

------- End of forwarded message -------

-- 
  -mb-

Re: [comp.unix.shell] Help creating a restricted shell

[Zoltan Hidvegi]

Zsh-3.1.1 will have restricted mode similar to bash and ksh.  It is already
ready and working, just waiting for the release.  This is controlled via a
new option, RESTRICTED.  This option is set when the command name used to
invoke zsh starts with the letter 'r' but the option can also be set with
setopt.  Once it is set, it cannot be unset.

The restricted option is only switched on after processing startup files.
In restricted mode, the SHELL, PATH, path, MODULE_PATH, module_path,
{E,}{U,G}ID, HISTSIZE, HISTFILE, USERNAME, LD_{,AOUT}{PRELOAD,LIBRARY_PATH}
parameters cannot be changed.  It is not possible to change the current
directory, to execute binaries with absoulte patchname and to use
redirections writing to a file.

The idea is to prohibit executing any binary code directly specified by the
user and to prevent writing to any file.

Zoltan