Editor With NO Shell Access?

Joshua Isom jrisom at gmail.com
Tue Mar 13 06:39:52 UTC 2012


On 3/12/2012 5:23 PM, Polytropon wrote:
> On Mon, 12 Mar 2012 15:19:51 -0700, Edward M. wrote:
>> On 03/12/2012 03:10 PM, Polytropon wrote:
>>> /etc/shells to work, but a passwd entry like
>>>
>>> 	bob:*:1234:1234:Two-loop-Bob:/home/bob:/usr/local/bin/joe
>>
>>
>>     I think this would not let the user log in, etc.
>
> I'm not sure... I assume logging in is handled by /usr/bin/login,
> and control is then (i. e. after successful login) transferred
> to the login shell, which is the program specified in the
> "shell" field (see "man 5 passwd") of /etc/passwd. How is
> login supposed to know if the program specified in this
> field is actually a dialog shell?
>
> From "man 1 login" I read that many shells have a built-in
> login command, but /usr/bin/login is the system's default
> binary for this purpose if the "shell" (quotes deserved if
> it is an editor as shown in my assumption) has no capability
> of performing a login.
>
>
>

Are they logging in from the console or from ssh?  If it's from a 
console, I'd send them directly into a jail with limited file system 
access, so that executables don't matter.  If it's from ssh, I'd do the 
same thing.

Assume they can break out of the editor or that something will happen. 
Make it minimalist about what they can do.  Use the /rescue/vi in an 
empty jail with the files available.  Don't think about changing 
editors, change the system.
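
Added example, not part of the message above or of the thread: a script that lists accounts whose passwd "shell" field names a program missing from the shells file, which picks out entries like the quoted bob line so they can be reviewed and confined. The function names, the constructed sample files and the rule of skipping `nologin` accounts are assumptions of this example.

```shell
#!/bin/sh
# Added example: report accounts whose passwd "shell" field names a
# program that is not listed in the shells file (e.g. an editor).

audit_login_shells() {
    passwd_file=${1:-/etc/passwd}
    shells_file=${2:-/etc/shells}
    awk -F: -v shells="$shells_file" '
        BEGIN {
            # Load the approved shells, ignoring comments and blank lines.
            while ((getline line < shells) > 0) {
                sub(/#.*/, "", line)
                gsub(/[ \t]/, "", line)
                if (line != "") allowed[line] = 1
            }
            close(shells)
        }
        /^#/ || NF < 7 { next }      # comments, blank or malformed entries
        {
            shell = $7
            if (shell == "") shell = "/bin/sh"   # passwd(5): empty means /bin/sh
            if (shell ~ /(^|\/)nologin$/) next    # assumption: no interactive login
            if (!(shell in allowed)) printf "%s\t%s\n", $1, shell
        }
    ' "$passwd_file"
}

# Runs the audit over constructed sample files (not real system data).
demo_audit() {
    dir=$(mktemp -d) || return 1
    cat > "$dir/shells" <<'EOF'
# constructed sample shells file
/bin/sh
/bin/csh
/bin/tcsh
EOF
    cat > "$dir/passwd" <<'EOF'
# constructed sample; the bob entry is the one quoted in the thread
root:*:0:0:Charlie &:/root:/bin/csh
daemon:*:1:1:Owner of many system processes:/root:/usr/sbin/nologin
alice:*:1001:1001:Alice:/home/alice:/bin/tcsh
carol:*:1002:1002:Carol:/home/carol:
bob:*:1234:1234:Two-loop-Bob:/home/bob:/usr/local/bin/joe
EOF
    audit_login_shells "$dir/passwd" "$dir/shells"
    rm -rf "$dir"
}

demo_audit
```

Called with no arguments, `audit_login_shells` reads /etc/passwd and /etc/shells on the host it runs on.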


More information about the freebsd-questions mailing list