RE: Restricted Bash - Not so restrictive (in 4.2 as well)
From: Sarnath K - ERS, HCLTech
Subject: RE: Restricted Bash - Not so restrictive (in 4.2 as well)
Date: Wed, 11 Jan 2012 16:54:42 +0530
Hello Jonathan,
Thanks for the quick hint.
What I understand is that you are suggesting that I collate all required
commands in a special directory and then use it in the PATH and remove
everything else from the PATH in ".bashrc".
I think that would really serve my purpose. Thanks!
As far as changes to the BASH documentation go, I think the existing
documentation is just fine. It clearly says that "A restricted shell is used to
setup an environment more controlled than the shell". I think it is up to the
administrator to use it innovatively.
Apart from this, BASH Documentation says "When a command that is found to be a
shell script is executed (see COMMAND EXECUTION above), rbash turns off any
restrictions in the shell spawned to execute the script.".
Does this mean that a guy with a restricted shell can just write a shell script
to do a privileged operation and get away with it?
Thanks for your time and such a quick response,
Best Regards,
Sarnath
-----Original Message-----
From: Jonathan Nieder [mailto:jrnieder@gmail.com]
Sent: Wednesday, January 11, 2012 4:43 PM
To: Sarnath K - ERS, HCLTech
Cc: bug-bash@gnu.org; bash@packages.debian.org
Subject: Re: Restricted Bash - Not so restrictive (in 4.2 as well)
Hi,
Sarnath K - ERS, HCLTech wrote:
> I see this problem in the latest Bash 4.2 as well. Say, I invoke
> "rbash" or "bash -r". This leaves me in a restrictive shell.
> However, this restrictive shell allows me to run "bash" or any other
> shell (without execing - just simply run) which leaves me in a
> normal shell.
Typically rbash is used with a nonstandard PATH setting to give users
access to a restricted set of commands.
However, I notice that the bash(1) manpage does not mention anything
about that. If you can come up with a way to hint at it without
making the manpage much longer (maybe by tweaking the sentence that
starts "A restricted shell is used to set up an environment"), I
imagine that would be helpful.
Thanks and hope that helps,
Jonathan
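
The setup discussed in this message (a dedicated directory holding only the permitted commands, used as the sole PATH entry for rbash) is sketched below as an added example; it is not part of the original e-mails. Because rbash refuses to change PATH or run command names containing a slash, whatever is linked into that directory decides what the user can reach, so the sketch also audits it. The function names, the `ESCAPE_RISK` list and the paths are hypothetical.

```shell
#!/bin/sh
# Added example, not from the thread. Function and variable names are hypothetical.

# Illustrative, non-exhaustive list: shells and interpreters that would hand
# the user an unrestricted environment if reachable through PATH.
ESCAPE_RISK="sh bash dash zsh ksh csh tcsh env python python3 perl"

# build_rbin DIR CMD...  Fill DIR with symlinks to the named commands only.
build_rbin() {
    dir=$1; shift
    mkdir -p "$dir" || return 1
    for cmd in "$@"; do
        target=$(command -v "$cmd") || { echo "skip: $cmd not found" >&2; continue; }
        case $target in
            /*) ln -sf "$target" "$dir/$cmd" ;;
            *)  echo "skip: $cmd is a builtin or function" >&2 ;;
        esac
    done
}

# audit_rbin DIR  Report entries whose name or resolved target is on the
# list, so a link called "ls" that points at bash is caught too.
# Returns 0 when the directory is clean, 1 otherwise.
audit_rbin() {
    dir=$1; rc=0
    for f in "$dir"/*; do
        [ -e "$f" ] || continue
        name=$(basename "$f")
        real=$(basename "$(readlink -f "$f")")
        for bad in $ESCAPE_RISK; do
            if [ "$name" = "$bad" ] || [ "$real" = "$bad" ]; then
                echo "RISK: $f resolves to $real"
                rc=1
            fi
        done
    done
    return $rc
}

# Typical use (paths are assumptions):
#   build_rbin /home/kiosk/rbin ls cat date
#   audit_rbin /home/kiosk/rbin && echo 'PATH=/home/kiosk/rbin' >> /home/kiosk/.bashrc
```

Keep the command directory and the startup file owned by root and not writable by the restricted user, and rerun the audit whenever a command is added.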