From: Emre Yildirim <emre@sgi.asper.org>
To: Mads Martin Joergensen <mmj@suse.de>
Cc: zsh-users@sunsite.dk
Subject: Re: restricted shell
Date: Sun, 21 Oct 2001 13:33:08 -0500 [thread overview]
Message-ID: <3BD314E4.8090802@sgi.asper.org> (raw)
In-Reply-To: <20011021201625.F11977@staudinger.suse.de>
Ooops, Sorry I was reading the man page, and right after I sent this
email, I saw the restricted shell section. I have another question:
When I setup a restricted shell for a user, and let's say I put
PATH=/r in his .zprofile and /r contains no binaries, he is still
able to execute certain commands (like echo, pwd, export, etc).
How can I restrict the execution of those commands as well?
Also there are programs like pine that allow users to break out of
restricted shells. Any tips on how to limit that as well?
Thanks for the prompt reply, and any help ;-D
Mads Martin Joergensen wrote:
> * Emre Yildirim <emre@sgi.asper.org> [Oct 21. 2001 20:12]:
>
>>Is there anything in zsh that makes it restricted? I.e. when I cp bash
>>rbash, and execute rbash
>>it is a restricted shell. Is there anything similar to that in zsh? If
>>not, does anyone have tips on
>>how to make zsh really really restricted?
>>
>>Thanks for any help
>>
>
> _From the zsh man page:
>
> RESTRICTED SHELL
> When the basename of the command used to invoke zsh starts
> with the letter `r' or the `-r' command line option is
> supplied at invocation, the shell becomes restricted.
> Emulation mode is determined after stripping the letter
> `r' from the invocation name. The following are disabled
> in restricted mode:
>
> · changing directories with the cd builtin
>
> · changing or unsetting the PATH, path, MODULE_PATH,
> module_path, SHELL, HISTFILE, HISTSIZE, GID, EGID,
> UID, EUID, USERNAME, LD_LIBRARY_PATH,
> LD_AOUT_LIBRARY_PATH, LD_PRELOAD and
> LD_AOUT_PRELOAD parameters
>
> · specifying command names containing /
>
> · specifying command pathnames using hash
>
> · redirecting output to files
>
> · using the exec builtin command to replace the shell
> with another command
>
> · using jobs -Z to overwrite the shell process' argu
> ment and environment space
>
> · using the ARGV0 parameter to override argv[0] for
> external commands
>
> · turning off restricted mode with set +r or unsetopt
> RESTRICTED
>
> These restrictions are enforced after processing the
> startup files. The startup files should set up PATH to
> point to a directory of commands which can be safely
> invoked in the restricted environment. They may also add
> further restrictions by disabling selected builtins.
>
> Restricted mode can also be activated any time by setting
> the RESTRICTED option. This immediately enables all the
> restrictions described above even if the shell still has
> not processed all startup files.
>
>
--
Emre Yildirim <emre@asper.org>
GPG KeyID 0xF9E4A1D1 (keyserver.pgp.com)
next prev parent reply other threads:[~2001-10-21 18:35 UTC|newest]
Thread overview: 9+ messages / expand[flat|nested] mbox.gz Atom feed top
2001-10-21 18:09 Emre Yildirim
2001-10-21 18:16 ` Mads Martin Joergensen
2001-10-21 18:33 ` Emre Yildirim [this message]
2001-10-21 19:00 ` Borsenkow Andrej
2001-10-21 19:12 ` Emre Yildirim
2001-10-21 19:21 ` Nadav Har'El
2001-10-21 19:32 ` Emre Yildirim
2001-10-21 19:53 ` Bart Schaefer
2001-10-21 20:10 ` Emre Yildirim
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=3BD314E4.8090802@sgi.asper.org \
--to=emre@sgi.asper.org \
--cc=mmj@suse.de \
--cc=zsh-users@sunsite.dk \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
Code repositories for project(s) associated with this public inbox
https://git.vuxu.org/mirror/zsh/
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).