[aschneid@mail.slc.edu: Re: Accounts with Restricted privileges]

[aschneid@mail.slc.edu: Re: Accounts with Restricted privileges]

[Anthony Schneider]

[-- Attachment #1.1: Type: text/plain, Size: 4461 bytes --]

i thought you all might be interested in a thread on freebsd-security@freebsd.org.
the question came up about restricted shells, and forked into the idea of having
a restricted shell in a chroot()'ed environment, but where the cd builtin would
work.  i came up with a very crude, very untested patch which seems to allow cd
to work when zsh is invoked with -r or with argv[0] as rzsh.  All it does, as you
can see, is comment out the isset(RESTRICTED) conditional in bin_cd(), but i
thought i might bring up the possibility of compile-time restriction configuration,
where, say, one could ./configure with --exempt-restrictions=cd,slash...

just a thought.  here is the patch (for zsh-4.0.4), in case anyone's interested.
please cc me in this thread as i'm not subscribed to the list.
sorry if this is an idea that has come up before.  again, i'm not subscribed. :)
-Anthony.



----- Forwarded message from Anthony Schneider <aschneid@mail.slc.edu> -----

Delivered-To: freebsd-security@freebsd.org
Date: Wed, 8 May 2002 23:25:07 -0400
From: Anthony Schneider <aschneid@mail.slc.edu>
To: "Dalin S. Owen" <dowen@pstis.com>
Cc: security@FreeBSD.ORG
Subject: Re: Accounts with Restricted privileges
User-Agent: Mutt/1.2.5.1i
In-Reply-To: <200205081608.21273.dowen@pstis.com>; from dowen@pstis.com on Wed, May 08, 2002 at 04:08:21PM -0600
List-ID: <freebsd-security.FreeBSD.ORG>
List-Archive: <http://docs.freebsd.org/mail/> (Web Archive)
List-Help: <mailto:majordomo@FreeBSD.ORG?subject=help> (List Instructions)
List-Subscribe: <mailto:majordomo@FreeBSD.ORG?subject=subscribe%20freebsd-security>
List-Unsubscribe: <mailto:majordomo@FreeBSD.ORG?subject=unsubscribe%20freebsd-security>
X-Loop: FreeBSD.org
Precedence: bulk
X-AntiVirus: scanned for viruses by AMaViS 0.2.1 (http://amavis.org/)
X-UIDL: 7[F!!U05!!hDQ!!c<:!!

ah, my bad.
i'll try to read better next time. :)
so what you really want is rbash without the 'cd' limitation, but also
chrooted?  I have here a patch i just sorta whipped up (read:  crude
and hardly tested, but seems to work) which allows the cd builtin to
be executed.  so, if you are in a chrooted environment, cd should work,
and all of the rest of the restritions should apply that come along with
using restricted zsh (zsh, in case you don't know, is IMStubbornlyHO, a
very nice shell, with almost, if not exactly, the same syntax features
as bash, including restriction by copying zsh to rzsh).  Again, this is
very untested, but you should be able to apply this to builtin.c in the
Src/ directory of zsh-4.0.4.  I'll email zsh-workers, and see if maybe
they'd consider making compilation of particular environment restrictions
configurable on a per-restriction basis.
Hope this helps.
-Anthony.

On Wed, May 08, 2002 at 04:08:21PM -0600, Dalin S. Owen wrote:
> On May 8, 2002 03:17 pm, you wrote:
> 
> Nope.  rbash disables "cd", remember? :)  I need to be able to browse 
> subdirectories.
> 
> > if you don't have any luck finding a shell with chrootability, you could
> > easily write a simple setuid wrapper to chroot() and then execute rbash,
> > where rbash is located within the chrooted file hierarchy.
> > -Anthony.
> >
> > On Wed, May 08, 2002 at 02:43:51PM -0600, Dalin S. Owen wrote:
> > > On May 8, 2002 10:31 am, Justin King wrote:
> > >
> > > Actually.. I am looking for the almost same answer... what about a
> > > chroot-ed shell?  ie. they can "cd" forwards but not back beyond my
> > > designated "/"... and I quote (from bash's manpage):
> > >
> > >        "When  a command that is found to be a shell script is exe-
> > >        cuted (see COMMAND EXECUTION above), rbash turns  off  any
> > >        restrictions in the shell spawned to execute the script."
> > >
> > > I don't want that.  I want all other processes to be chrooted too.  By
> > > now some of you are thinking "jail"... A jail won't cut it, because you
> > > can't use quotas in a jail.
> > >
> > > Does anyone know to do this with bash, or any other shell?  I recall
> > > someone talking about a shell that could do all of the above.
> > >
> > > Thanks!:)
> > >
> > > FreeBSD Rox, BTW!

----- End forwarded message -----
-----------------------------------------------
PGP key at:
    http://www.keyserver.net/
    http://www.anthonydotcom.com/gpgkey/key.txt
Home:
    http://www.anthonydotcom.com
-----------------------------------------------


[-- Attachment #1.2: zsh_restr_cd.patch --]
[-- Type: text/plain, Size: 512 bytes --]

--- builtin.c.orig	Wed May  8 23:29:29 2002
+++ builtin.c	Wed May  8 23:22:27 2002
@@ -685,10 +685,14 @@
     LinkNode dir;
     struct stat st1, st2;
 
+    /* -- added 5.08.02, Anthony Schneider; allow cd in restricted mode
+          so rzsh may run slightly less restricted in a chroot()'ed
+	  environment.
     if (isset(RESTRICTED)) {
 	zwarnnam(nam, "restricted", NULL, 0);
 	return 1;
     }
+    */
     doprintdir = (doprintdir == -1);
 
     for (; *argv && **argv == '-'; argv++) {

[-- Attachment #2: Type: application/pgp-signature, Size: 238 bytes --]