restricted shell

restricted shell

[Emre Yildirim]

Is there anything in zsh that makes it restricted?  I.e. when I cp bash 
rbash, and execute rbash
it is a restricted shell.  Is there anything similar to that in zsh?  If 
not, does anyone have tips on
how to make zsh really really restricted?

Thanks for any help

-- 
Emre Yildirim <emre@asper.org>
GPG KeyID 0xF9E4A1D1 (keyserver.pgp.com)

Re: restricted shell

[Mads Martin Joergensen]

* Emre Yildirim <emre@sgi.asper.org> [Oct 21. 2001 20:12]:
> 
> Is there anything in zsh that makes it restricted?  I.e. when I cp bash 
> rbash, and execute rbash
> it is a restricted shell.  Is there anything similar to that in zsh?  If 
> not, does anyone have tips on
> how to make zsh really really restricted?
> 
> Thanks for any help

_From the zsh man page:

RESTRICTED SHELL
       When the basename of the command used to invoke zsh starts
       with the letter `r' or the `-r'  command  line  option  is
       supplied  at  invocation,  the  shell  becomes restricted.
       Emulation mode is determined after  stripping  the  letter
       `r'  from the invocation name.  The following are disabled
       in restricted mode:

       ·      changing directories with the cd builtin

       ·      changing or unsetting the PATH, path,  MODULE_PATH,
              module_path,  SHELL, HISTFILE, HISTSIZE, GID, EGID,
              UID,     EUID,      USERNAME,      LD_LIBRARY_PATH,
              LD_AOUT_LIBRARY_PATH,         LD_PRELOAD        and
              LD_AOUT_PRELOAD parameters

       ·      specifying command names containing /

       ·      specifying command pathnames using hash

       ·      redirecting output to files

       ·      using the exec builtin command to replace the shell
              with another command

       ·      using jobs -Z to overwrite the shell process' argu­
              ment and environment space

       ·      using the ARGV0 parameter to override  argv[0]  for
              external commands

       ·      turning off restricted mode with set +r or unsetopt
              RESTRICTED

       These  restrictions  are  enforced  after  processing  the
       startup  files.   The  startup files should set up PATH to
       point to a directory  of  commands  which  can  be  safely
       invoked  in the restricted environment.  They may also add
       further restrictions by disabling selected builtins.

       Restricted mode can also be activated any time by  setting
       the  RESTRICTED  option.  This immediately enables all the
       restrictions described above even if the shell  still  has
       not processed all startup files.

-- 
Mads Martin Joergensen, http://mmj.dk
"Why make things difficult, when it is possible to make them cryptic
 and totally illogic, with just a little bit more effort."
                                -- A. P. J.

Re: restricted shell

[Emre Yildirim]

Ooops, Sorry I was reading the man page, and right after I sent this
email, I saw the restricted shell section.  I have another question:

When I setup a restricted shell for a user, and let's say I put
PATH=/r in his .zprofile and /r contains no binaries, he is still
able to execute certain commands (like echo, pwd, export, etc).
How can I restrict the execution of those commands as well?

Also there are programs like pine that allow users to break out of
restricted shells.  Any tips on how to limit that as well?

Thanks for the prompt reply, and any help ;-D

Mads Martin Joergensen wrote:

> * Emre Yildirim <emre@sgi.asper.org> [Oct 21. 2001 20:12]:
> 
>>Is there anything in zsh that makes it restricted?  I.e. when I cp bash 
>>rbash, and execute rbash
>>it is a restricted shell.  Is there anything similar to that in zsh?  If 
>>not, does anyone have tips on
>>how to make zsh really really restricted?
>>
>>Thanks for any help
>>
> 
> _From the zsh man page:
> 
> RESTRICTED SHELL
>        When the basename of the command used to invoke zsh starts
>        with the letter `r' or the `-r'  command  line  option  is
>        supplied  at  invocation,  the  shell  becomes restricted.
>        Emulation mode is determined after  stripping  the  letter
>        `r'  from the invocation name.  The following are disabled
>        in restricted mode:
> 
>        ·      changing directories with the cd builtin
> 
>        ·      changing or unsetting the PATH, path,  MODULE_PATH,
>               module_path,  SHELL, HISTFILE, HISTSIZE, GID, EGID,
>               UID,     EUID,      USERNAME,      LD_LIBRARY_PATH,
>               LD_AOUT_LIBRARY_PATH,         LD_PRELOAD        and
>               LD_AOUT_PRELOAD parameters
> 
>        ·      specifying command names containing /
> 
>        ·      specifying command pathnames using hash
> 
>        ·      redirecting output to files
> 
>        ·      using the exec builtin command to replace the shell
>               with another command
> 
>        ·      using jobs -Z to overwrite the shell process' argu­
>               ment and environment space
> 
>        ·      using the ARGV0 parameter to override  argv[0]  for
>               external commands
> 
>        ·      turning off restricted mode with set +r or unsetopt
>               RESTRICTED
> 
>        These  restrictions  are  enforced  after  processing  the
>        startup  files.   The  startup files should set up PATH to
>        point to a directory  of  commands  which  can  be  safely
>        invoked  in the restricted environment.  They may also add
>        further restrictions by disabling selected builtins.
> 
>        Restricted mode can also be activated any time by  setting
>        the  RESTRICTED  option.  This immediately enables all the
>        restrictions described above even if the shell  still  has
>        not processed all startup files.
> 
> 



-- 
Emre Yildirim <emre@asper.org>
GPG KeyID 0xF9E4A1D1 (keyserver.pgp.com)

Re: restricted shell

[Borsenkow Andrej]

On Вск, 2001-10-21 at 22:33, Emre Yildirim wrote:
> Ooops, Sorry I was reading the man page, and right after I sent this
> email, I saw the restricted shell section.  I have another question:
> 
> When I setup a restricted shell for a user, and let's say I put
> PATH=/r in his .zprofile and /r contains no binaries, he is still
> able to execute certain commands (like echo, pwd, export, etc).
> How can I restrict the execution of those commands as well?
> 

Using disable builtin. Make .zshrc read-only for user (or do it in
system zshrc and make user's home directory read-only) and put 

disable echo

there.

> Also there are programs like pine that allow users to break out of
> restricted shells.  Any tips on how to limit that as well?
> 

Do not allow user to run them :-) Really, that is everything you can do
- examine every program for possible back-doors before allowing
restricted users to execute them.

Pine allows you to have system-wide config file that takes precedence
over any user settings. Vim has restricted mode as well IIRC

-andrej

Re: restricted shell

[Emre Yildirim]

Thank you, all of you have been very helpful :-D



-- 
Emre Yildirim <emre@asper.org>
GPG KeyID 0xF9E4A1D1 (keyserver.pgp.com)

Re: restricted shell

[Nadav Har'El]

On Sun, Oct 21, 2001, Borsenkow Andrej wrote about "Re: restricted shell":
> On ÷ÓË, 2001-10-21 at 22:33, Emre Yildirim wrote:
> > able to execute certain commands (like echo, pwd, export, etc).
> > How can I restrict the execution of those commands as well?
> > 
> 
> Using disable builtin. Make .zshrc read-only for user (or do it in
> system zshrc and make user's home directory read-only) and put 
> 
> disable echo
> 
> there.

And probably also
	disable enable

If you don't want the user to "enable echo" back...

-- 
Nadav Har'El                        |      Sunday, Oct 21 2001, 5 Heshvan 5762
nyh@math.technion.ac.il             |-----------------------------------------
Phone: +972-53-245868, ICQ 13349191 |"Computers are useless. They can only
http://nadav.harel.org.il           |give you answers." -- Pablo Picasso

Re: restricted shell

[Emre Yildirim]

Borsenkow Andrej wrote:


> Using disable builtin. Make .zshrc read-only for user (or do it in
> system zshrc and make user's home directory read-only) and put 
> 
> disable echo

Hmm, that didn't work.  I can still use echo after doing the above.

I tried putting it in ~/.zlogin, still the same result.  Am I doing
somethign wrong?




-- 
Emre Yildirim <emre@asper.org>
GPG KeyID 0xF9E4A1D1 (keyserver.pgp.com)

Re: restricted shell

[Bart Schaefer]

On Oct 21,  2:32pm, Emre Yildirim wrote:
}
} Borsenkow Andrej wrote:
} 
} > Using disable builtin. Make .zshrc read-only for user (or do it in
} > system zshrc and make user's home directory read-only) and put 
} > 
} > disable echo
} 
} Hmm, that didn't work.  I can still use echo after doing the above.

"disable" only disables the builtin.  If there's still an external
command named "echo" in the path, that will get executed instead.

zsh% which echo
echo: shell built-in command
zsh% disable echo
zsh% which echo
/bin/echo
zsh% 


-- 
Bart Schaefer                                 Brass Lantern Enterprises
http://www.well.com/user/barts              http://www.brasslantern.com

Zsh: http://www.zsh.org | PHPerl Project: http://phperl.sourceforge.net   

Re: restricted shell

[Emre Yildirim]

Bart Schaefer wrote:


> "disable" only disables the builtin.  If there's still an external
> command named "echo" in the path, that will get executed instead.
> 
> zsh% which echo
> echo: shell built-in command
> zsh% disable echo
> zsh% which echo
> /bin/echo


Thanks it worked :-D



-- 
Emre Yildirim <emre@asper.org>
GPG KeyID 0xF9E4A1D1 (keyserver.pgp.com)