Re: restricted shell

[Emre Yildirim <emre@sgi.asper.org>]

Ooops, Sorry I was reading the man page, and right after I sent this
email, I saw the restricted shell section.  I have another question:

When I setup a restricted shell for a user, and let's say I put
PATH=/r in his .zprofile and /r contains no binaries, he is still
able to execute certain commands (like echo, pwd, export, etc).
How can I restrict the execution of those commands as well?

Also there are programs like pine that allow users to break out of
restricted shells.  Any tips on how to limit that as well?

Thanks for the prompt reply, and any help ;-D

Mads Martin Joergensen wrote:

> * Emre Yildirim <emre@sgi.asper.org> [Oct 21. 2001 20:12]:
> 
>>Is there anything in zsh that makes it restricted?  I.e. when I cp bash 
>>rbash, and execute rbash
>>it is a restricted shell.  Is there anything similar to that in zsh?  If 
>>not, does anyone have tips on
>>how to make zsh really really restricted?
>>
>>Thanks for any help
>>
> 
> _From the zsh man page:
> 
> RESTRICTED SHELL
>        When the basename of the command used to invoke zsh starts
>        with the letter `r' or the `-r'  command  line  option  is
>        supplied  at  invocation,  the  shell  becomes restricted.
>        Emulation mode is determined after  stripping  the  letter
>        `r'  from the invocation name.  The following are disabled
>        in restricted mode:
> 
>        ·      changing directories with the cd builtin
> 
>        ·      changing or unsetting the PATH, path,  MODULE_PATH,
>               module_path,  SHELL, HISTFILE, HISTSIZE, GID, EGID,
>               UID,     EUID,      USERNAME,      LD_LIBRARY_PATH,
>               LD_AOUT_LIBRARY_PATH,         LD_PRELOAD        and
>               LD_AOUT_PRELOAD parameters
> 
>        ·      specifying command names containing /
> 
>        ·      specifying command pathnames using hash
> 
>        ·      redirecting output to files
> 
>        ·      using the exec builtin command to replace the shell
>               with another command
> 
>        ·      using jobs -Z to overwrite the shell process' argu­
>               ment and environment space
> 
>        ·      using the ARGV0 parameter to override  argv[0]  for
>               external commands
> 
>        ·      turning off restricted mode with set +r or unsetopt
>               RESTRICTED
> 
>        These  restrictions  are  enforced  after  processing  the
>        startup  files.   The  startup files should set up PATH to
>        point to a directory  of  commands  which  can  be  safely
>        invoked  in the restricted environment.  They may also add
>        further restrictions by disabling selected builtins.
> 
>        Restricted mode can also be activated any time by  setting
>        the  RESTRICTED  option.  This immediately enables all the
>        restrictions described above even if the shell  still  has
>        not processed all startup files.
> 
> 



-- 
Emre Yildirim <emre@asper.org>
GPG KeyID 0xF9E4A1D1 (keyserver.pgp.com)