From mboxrd@z Thu Jan 1 00:00:00 1970
Return-Path:
Received: (qmail 10848 invoked from network); 15 Jan 1997 21:10:02 -0000
Received: from euclid.skiles.gatech.edu (list@130.207.146.50)
  by coral.primenet.com.au with SMTP; 15 Jan 1997 21:10:02 -0000
Received: (from list@localhost) by euclid.skiles.gatech.edu (8.7.3/8.7.3)
  id QAA13994; Wed, 15 Jan 1997 16:17:58 -0500 (EST)
Resent-Date: Wed, 15 Jan 1997 16:09:47 -0500 (EST)
From: Zoltan Hidvegi
Message-Id: <199701152111.WAA16792@bolyai.cs.elte.hu>
Subject: Re: [comp.unix.shell] Help creating a restricted shell
In-Reply-To: from Mark Borges at "Jan 15, 97 01:33:54 pm"
To: mdb@cdc.noaa.GOV (Mark Borges)
Date: Wed, 15 Jan 1997 22:11:05 +0100 (MET)
Cc: zsh-users@math.gatech.edu
Organization: Dept. of Comp. Sci., Eotvos University, Budapest, Hungary
Phone: (36 1)2669833 ext: 2667, home phone: (36 1) 2752368
X-Mailer: ELM [version 2.4ME+ PL27 (25)]
MIME-Version: 1.0
Content-Type: text/plain; charset=US-ASCII
Content-Transfer-Encoding: 7bit
Resent-Message-ID: <"f6fCf.0.sM3.RUKto"@euclid>
Resent-From: zsh-users@math.gatech.edu
X-Mailing-List: archive/latest/606
X-Loop: zsh-users@math.gatech.edu
X-Loop: zsh-workers@math.gatech.edu
Precedence: list
Resent-Sender: zsh-workers-request@math.gatech.edu

Zsh-3.1.1 will have restricted mode similar to bash and ksh.  It is already
ready and working, just waiting for the release.

This is controlled via a new option, RESTRICTED.  This option is set when
the command name used to invoke zsh starts with the letter 'r' but the
option can also be set with setopt.  Once it is set, it cannot be unset.
The restricted option is only switched on after processing startup files.

In restricted mode, the SHELL, PATH, path, MODULE_PATH, module_path,
{E,}{U,G}ID, HISTSIZE, HISTFILE, USERNAME,
LD_{,AOUT}{PRELOAD,LIBRARY_PATH} parameters cannot be changed.  It is not
possible to change the current directory, to execute binaries with absolute
pathname and to use redirections writing to a file.

The idea is to prohibit executing any binary code directly specified by the
user and to prevent writing to any file.

Zoltan
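
A check that can be run against an installed zsh to confirm that restricted mode refuses the actions listed in the message above. This is an added example, not part of the original message or of the zsh distribution; it assumes `zsh -f -r -c` starts zsh without startup files and with RESTRICTED set, and that a refused action exits non-zero. The names `blocked`, `report` and `audit_restricted_zsh` are made up here.

```shell
#!/bin/sh
# Added example: audit that restricted zsh enforces the restrictions described above.
# Assumption: `zsh -f -r -c CMD` runs CMD with RESTRICTED set and no rc files.
ZSH_BIN=${ZSH_BIN:-zsh}

# blocked CMD: return 0 when restricted zsh refuses CMD (non-zero exit status).
blocked() {
    if "$ZSH_BIN" -f -r -c "$1" >/dev/null 2>&1; then
        return 1
    fi
    return 0
}

# report LABEL CMD: print one result line and count enforcement failures.
report() {
    if blocked "$2"; then
        echo "ok    $1"
    else
        echo "FAIL  $1 was allowed"
        failures=$((failures + 1))
    fi
}

# Returns 0 if every restriction held, 1 if any did not, 2 if zsh is unusable.
audit_restricted_zsh() {
    failures=0
    # Control run without -r: if plain zsh cannot cd, "blocked" results mean nothing.
    "$ZSH_BIN" -f -c 'cd /' >/dev/null 2>&1 || { echo "cannot run $ZSH_BIN"; return 2; }
    scratch=$(mktemp -d) || return 2
    report "change directory"            'cd /'
    report "assign PATH"                 'PATH=/nonexistent'
    report "run absolute pathname"       '/bin/sh -c :'
    report "redirect output to a file"   "print x > '$scratch/out'"
    # "Once it is set, it cannot be unset": cd must still fail after unsetopt.
    report "unsetopt restricted, then cd" 'unsetopt restricted; cd /'
    # Side-effect check: the refused redirection must not have created the file.
    if [ -e "$scratch/out" ]; then
        echo "FAIL  redirection created a file"
        failures=$((failures + 1))
    fi
    rm -rf "$scratch"
    [ "$failures" -eq 0 ]
}

audit_restricted_zsh || echo "audit status: $?"
```

Set `ZSH_BIN` to audit a specific binary, for example the one configured as a restricted account's login shell.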