bug-bash
[Top][All Lists]
Advanced

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

RE: Restricted Bash - Not so restrictive (in 4.2 as well)


From: Sarnath K - ERS, HCLTech
Subject: RE: Restricted Bash - Not so restrictive (in 4.2 as well)
Date: Thu, 12 Jan 2012 16:21:13 +0530

Oops.. It actually works! That's a great catch!

I thought "redirection" is not supported in restricted mode though..!
I just checked... It is mostly related to "output" re-direction.

Hmm......I think I am going to tinker "bash" source code to disable the "echo" 
builtin. :-)

Any ideas?

-----Original Message-----
From: Pierre Gaston [mailto:pierre.gaston@gmail.com]
Sent: Thursday, January 12, 2012 4:05 PM
To: Sarnath K - ERS, HCLTech
Cc: bug-bash@gnu.org; bash@packages.debian.org
Subject: Re: Restricted Bash - Not so restrictive (in 4.2 as well)

On Thu, Jan 12, 2012 at 12:26 PM, Sarnath K - ERS, HCLTech
<k_sarnath@hcl.com> wrote:
> Hello Jonathan,
>
> Thanks for your inputs. I was able to created a super-restricted login.
> Here are a few things that I learnt during this process:
>
> 1. "vim" has a restricted mode called "rvim (or) vim -Z". This way, I can 
> restrict the user from running shell commands from vim and peep into the 
> Filesystem
>    a) CAVEAT: "vim" allows the user to "read" and "write" files in the 
> file-system provided the user _knows_ the path (or guesses some file path)

>    b) So, to make it foolproof, I had to go with "nano" editor
>        - which supports a restricted mode that does not allow the user to 
> edit any other file than the one specified in the command line

Can't you read a file with: echo "$(< pathtofile)"?
I never really tried, but I'd probably look into things like chroot
(or even a vm) to provide something really restricted.

::DISCLAIMER::
-----------------------------------------------------------------------------------------------------------------------

The contents of this e-mail and any attachment(s) are confidential and intended 
for the named recipient(s) only.
It shall not attach any liability on the originator or HCL or its affiliates. 
Any views or opinions presented in
this email are solely those of the author and may not necessarily reflect the 
opinions of HCL or its affiliates.
Any form of reproduction, dissemination, copying, disclosure, modification, 
distribution and / or publication of
this message without the prior written consent of the author of this e-mail is 
strictly prohibited. If you have
received this email in error please delete it and notify the sender 
immediately. Before opening any mail and
attachments please check them for viruses and defect.

-----------------------------------------------------------------------------------------------------------------------



reply via email to

[Prev in Thread] Current Thread [Next in Thread]