On Thu, Apr 23, 2009 at 7:57 AM, J. Bakshi <bakshi12 (at) gmail (dot) com [email concealed]> wrote:
> On Wed, 22 Apr 2009 11:21:06 -0600
> Benny Helms <benny (at) egovmt (dot) com [email concealed]> wrote:
>
>> -----BEGIN PGP SIGNED MESSAGE-----
>> Hash: SHA1
>>
>> You always have the option of changing their login shell to
>> '/bin/bash -s' which locks them in.  Unfortunately, it also takes
>> away their access to things like, 'ls' and 'cp' and 'vi', etc.,
>> unless you include copies in their home folder.
>>
>> You also need to remember that some apps like 'vim' will allow a user
>> a shell escape which can break the limits you set.  Make sure to give
>> them access only to the secure version.  For 'vim' that would be
>> 'rvim'.
>
> thanks a lot for the rvim tip.
> I am grateful to you to make me aware that vim allows shell access.

A lot of utilities allow shell access.
more
less
vi
nvi
vim
emacs
nano
pico
awk
...

If you have perl access, you have fork/exec access.

uploading your own binaries that fork/exec...

general shell access is not easy to do securely.

chroot is basically your only choice.

--
And, did Galoka think the Ulus were too ugly to save?
-Centauri

[ reply ]