restricted shell

Mark Bucciarelli mark at gaiahost.coop
Tue Sep 26 07:46:29 PDT 2006


I'm looking into using ibsh as a restricted shell for ssh access
to virtual host containers.  For the most part, our customers are
trustworthy and for us ibsh strikes a nice balance between
security, complexity and functionality.  I've looked at rbash,
ondir and chroot ssh (and a post from Theo that says chroot ssh
is not worth the effort).

I see ibsh is vulnerable to programs that can spawn their own
shells (like vim and emacs).  I am assuming there is a way to
disable this feature from both editors.  Customers will want an
editor.

Can folks here suggest other ways I might try to crack ibsh?  

What vulnerabilities can you imagine?

Thanks,

m

