From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: Received: (qmail 15923 invoked from network); 21 Oct 2001 18:35:56 -0000 Received: from sunsite.dk (130.225.247.90) by ns1.primenet.com.au with SMTP; 21 Oct 2001 18:35:56 -0000 Received: (qmail 20977 invoked by alias); 21 Oct 2001 18:35:43 -0000 Mailing-List: contact zsh-users-help@sunsite.dk; run by ezmlm Precedence: bulk X-No-Archive: yes X-Seq: 4412 Received: (qmail 20964 invoked from network); 21 Oct 2001 18:35:42 -0000 Message-ID: <3BD314E4.8090802@sgi.asper.org> Date: Sun, 21 Oct 2001 13:33:08 -0500 From: Emre Yildirim User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:0.9.4) Gecko/20010913 X-Accept-Language: en-us MIME-Version: 1.0 To: Mads Martin Joergensen Cc: zsh-users@sunsite.dk Subject: Re: restricted shell References: <3BD30F75.7060904@sgi.asper.org> <20011021201625.F11977@staudinger.suse.de> Content-Type: text/plain; charset=ISO-8859-1; format=flowed Content-Transfer-Encoding: 8bit Ooops, Sorry I was reading the man page, and right after I sent this email, I saw the restricted shell section. I have another question: When I setup a restricted shell for a user, and let's say I put PATH=/r in his .zprofile and /r contains no binaries, he is still able to execute certain commands (like echo, pwd, export, etc). How can I restrict the execution of those commands as well? Also there are programs like pine that allow users to break out of restricted shells. Any tips on how to limit that as well? Thanks for the prompt reply, and any help ;-D Mads Martin Joergensen wrote: > * Emre Yildirim [Oct 21. 2001 20:12]: > >>Is there anything in zsh that makes it restricted? I.e. when I cp bash >>rbash, and execute rbash >>it is a restricted shell. Is there anything similar to that in zsh? If >>not, does anyone have tips on >>how to make zsh really really restricted? >> >>Thanks for any help >> > > _From the zsh man page: > > RESTRICTED SHELL > When the basename of the command used to invoke zsh starts > with the letter `r' or the `-r' command line option is > supplied at invocation, the shell becomes restricted. > Emulation mode is determined after stripping the letter > `r' from the invocation name. The following are disabled > in restricted mode: > > · changing directories with the cd builtin > > · changing or unsetting the PATH, path, MODULE_PATH, > module_path, SHELL, HISTFILE, HISTSIZE, GID, EGID, > UID, EUID, USERNAME, LD_LIBRARY_PATH, > LD_AOUT_LIBRARY_PATH, LD_PRELOAD and > LD_AOUT_PRELOAD parameters > > · specifying command names containing / > > · specifying command pathnames using hash > > · redirecting output to files > > · using the exec builtin command to replace the shell > with another command > > · using jobs -Z to overwrite the shell process' argu­ > ment and environment space > > · using the ARGV0 parameter to override argv[0] for > external commands > > · turning off restricted mode with set +r or unsetopt > RESTRICTED > > These restrictions are enforced after processing the > startup files. The startup files should set up PATH to > point to a directory of commands which can be safely > invoked in the restricted environment. They may also add > further restrictions by disabling selected builtins. > > Restricted mode can also be activated any time by setting > the RESTRICTED option. This immediately enables all the > restrictions described above even if the shell still has > not processed all startup files. > > -- Emre Yildirim GPG KeyID 0xF9E4A1D1 (keyserver.pgp.com)