Restricted Bash - Not so restrictive (in 4.2 as well)
From: Sarnath K - ERS, HCLTech
Subject: Restricted Bash - Not so restrictive (in 4.2 as well)
Date: Wed, 11 Jan 2012 15:52:35 +0530
Configuration Information [Automatically generated, do not change]:
Machine: x86_64
OS: linux-gnu
Compiler: gcc
Compilation CFLAGS: -DPROGRAM='bash' -DCONF_HOSTTYPE='x86_64'
-DCONF_OSTYPE='linux-gnu' -DCONF_MACHTYPE='x86_64-pc-linux-gnu' -DCONF$
uname output: Linux ubuntu 2.6.32-24-generic #39-Ubuntu SMP Wed Jul 28 05:14:15
UTC 2010 x86_64 GNU/Linux
Machine Type: x86_64-pc-linux-gnu
Bash Version: 4.1
Patch Level: 5
Release Status: release
Description:
I see this problem in the latest Bash 4.2 as well. Say, I invoke "rbash"
or "bash -r". This leaves me in a restrictive shell. However, this restrictive
shell allows me to run "bash" or any other shell (without execing - just simply
run) which leaves me in a normal shell. This shell does not have any restricted
capabilities. So, the entire purpose of having a restricted shell goes for a
toss. I was trying to restrict a user by making "rbash" his default shell.
Now, with this bug, I don't think I can be fool-proof.
Repeat-By:
sarnath@ubuntu:~$ bash -r
To run a command as administrator (user "root"), use "sudo <command>".
See "man sudo_root" for details.
sarnath@ubuntu:~$ cd /
bash: cd: restricted
sarnath@ubuntu:~$
sarnath@ubuntu:~$ bash
To run a command as administrator (user "root"), use "sudo <command>".
See "man sudo_root" for details.
sarnath@ubuntu:~$
sarnath@ubuntu:~$ cd /
sarnath@ubuntu:/$ cd
sarnath@ubuntu:~$
Fix:
Just my 2 cents. Please apply your discretion:
Just make sure that while in restricted mode, the user can spawn only "rbash"
and no other shell.
Any invocation of "bash" must be replaced with "bash -r".
A list of shells/applications could be black-listed in a configuration file
which is processed while processing .bashrc
This will make bash foolproof.
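For the behaviour reported in the message above, an administrator can check which shells a restricted account can reach through its PATH. The script below is an added example, not part of the original post or of bash; the function name `find_shells_in_path`, the `SHELL_NAMES` list and the demo directory tree are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: audit the PATH that a restricted-shell (rbash) account receives.
# rbash refuses command names containing "/" and makes PATH read-only, so the
# only programs the user can start are those PATH resolves. A shell binary in
# any PATH directory therefore gives back an unrestricted shell.

# Names checked (assumed list; extend it for the shells installed at your site).
SHELL_NAMES="sh bash dash zsh ksh csh tcsh"

# find_shells_in_path PATHSTRING
# Prints each executable shell reachable through PATHSTRING, one per line.
# Exit status: 0 if none was found, 1 if at least one was.
# The body is a subshell, so IFS and "set -f" changes do not leak to the caller.
find_shells_in_path() (
    status=0
    set -f                      # no globbing while PATHSTRING is split
    IFS=:
    for dir in $1; do
        # an empty element (leading or doubled colon) means the current directory
        [ -n "$dir" ] || dir=.
        IFS=' '
        for name in $SHELL_NAMES; do
            if [ -f "$dir/$name" ] && [ -x "$dir/$name" ]; then
                printf '%s\n' "$dir/$name"
                status=1
            fi
        done
        IFS=:
    done
    exit "$status"              # leaves the subshell only
)

# Demo on a constructed directory tree (sample data, not a real system PATH).
demo() (
    tmp=$(mktemp -d) || exit 1
    trap 'rm -rf "$tmp"' EXIT
    mkdir "$tmp/allowed" "$tmp/usrbin"
    for f in allowed/ls allowed/date usrbin/ls usrbin/bash; do
        printf '#!/bin/sh\n' > "$tmp/$f" && chmod +x "$tmp/$f"
    done
    echo "PATH=allowed"
    find_shells_in_path "$tmp/allowed" && echo "  ok: no shell reachable"
    echo "PATH=allowed:usrbin"
    find_shells_in_path "$tmp/allowed:$tmp/usrbin" || echo "  FAIL: a shell is reachable"
)
demo
```

The check matches by file name only, so a shell installed under a different name is not reported.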