rbash

junkken · 01-29-2005, 12:14 AM

With PATH="" set, rbash still permits pwd. Does anyone know if or where it is documented exactly what internal non-path commands rbash permits? Thanks!

junkken · 01-31-2005, 09:53 AM

I am trying to set up a user which can do absolutely nothing after logging in, but am alarmed to find even a restricted shell provides surprising capabilities. Typing "help" lists a variety of stuff one can do. I want to control every thing the user can do starting with nothing. Anyone have any thoughts? Any good reading on the subject other than the man page.??

peacebwitchu · 01-31-2005, 02:24 PM

You will need to recompile bash with these options ./configure --enable-minimal-config --enable-restricted
I would recommend installing it elsewhere so you will actually have two bash commands, since this takes out alot of features you are accustomed to.

peacebwitchu · 01-31-2005, 03:05 PM

The above does not work correctly. Sorry. But you can disable the builtins with "enable -n pwd" you can get more information by doing a "man builtins".

junkken · 01-31-2005, 04:43 PM

Thanks,
Looks like I will have to enable -n 57 different commands..? Is there an easier way to exclude all with the possible exception of exit?

After builtins are unavailable, will this restricted shell be secure enough to allow unknown users to access the box? Or will there be more safeguards needed?

junkken · 02-02-2005, 08:46 AM

Here is an article which suggests rbash may not be secure enough.
Article

Does anyone know how ISP's setup their login accounts so users cant do bad things, while still allowing some commands?