Securely allowing just one application via telnet
Andreas Davour
ante at Update.UU.SE
Tue Apr 5 04:38:38 PDT 2005
On Tue, 5 Apr 2005, Anthony Atkielski wrote:
> If I want to allow external users to log on under only one permissible
> username, which immediately and unconditionally executes only one
> program (no shell access), via telnet, what is the most secure way to
> set this up? I've always understood telnet to be somewhat of a
> Pandora's box for security, but I don't know if that applies to the
> protocol itself, or to telnetd, or if it just refers to the many dangers
> of shell access, or what. If there is a way to secure this type of
> access, I'd like to try it on my test server (I won't risk the
> production server, of course), as an exercise in setting up custom
> environments.
>
> Any suggestions on how best to do this securely?
>
> If a specific user is restricted to a specific program at login (via
> /etc/passwd), is there _any_ way he can sneak out to a shell, assuming
> that the program he is forced to run does _not_ provide shellout access?
Sure there is. If there is any possibility of a buffer overflow error in
that one program you let your users run, or "login" for that matter.
But, running the program as a login shell could at least minimize the
possibilities I guess. Not that I've tried it myself. Go read about
chroot and jail in the manpages and you'll think of something.
/andreas
--
A: Because it fouls the order in which people normally read text.
Q: Why is top-posting such a bad thing?
A: Top-posting.
Q: What is the most annoying thing on usenet and in e-mail?
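As an added example (not part of this thread or of FreeBSD itself), the following POSIX sh script is a minimal "captive" login shell of the kind the question describes: it ignores whatever login(1) or a client passes on the command line, throws away the inherited environment except for a validated TERM, and execs one fixed program. The install path `/usr/local/bin/captive-sh`, the program `/usr/local/bin/onlyapp`, the `/var/empty` home directory and the sample passwd lines in the helper are assumptions made for the example. The `passwd_entry_is_captive` helper is a small check a defender can run over vipw(8) output to confirm the account really points at the captive shell and is not uid 0; it does nothing about the other risk Andreas raises (a bug in the program itself), which is where chroot(8) or jail(8) around the program comes in.

```shell
#!/bin/sh
# Captive login shell for a single-purpose telnet account (added example,
# not from the thread). Assumed install path: /usr/local/bin/captive-sh,
# set as the account's shell with vipw(8) or pw(8). /usr/local/bin/onlyapp
# is a hypothetical stand-in for the one permitted program.

CAPTIVE_PROG=${CAPTIVE_PROG:-/usr/local/bin/onlyapp}

# The telnet client picks TERM, so treat it as untrusted input: accept it
# only if it looks like a termcap name, otherwise fall back to vt100.
sanitize_term() {
    case "$1" in
        ''|*[!A-Za-z0-9._+-]*) printf '%s\n' vt100 ;;
        *) printf '%s\n' "$1" ;;
    esac
}

# Check one passwd(5) line (field 3 = uid, field 7 = shell): the account
# must use the captive shell and must not be uid 0.
# Returns 0 when the entry passes, 1 otherwise.
passwd_entry_is_captive() {
    line=$1
    want_shell=$2
    uid=$(printf '%s\n' "$line" | cut -d: -f3)
    shell=$(printf '%s\n' "$line" | cut -d: -f7)
    [ "$uid" -ne 0 ] 2>/dev/null || return 1
    [ "$shell" = "$want_shell" ] || return 1
    return 0
}

# Drop everything inherited from login(1) and the remote client except a
# sanitized TERM, then replace this shell with the one program.
captive_main() {
    # Arguments are ignored on purpose: login(1) only passes "-captive-sh",
    # and a shell that honoured "-c command" would hand out a command line.
    term=$(sanitize_term "${TERM:-}")
    exec /usr/bin/env -i PATH=/bin:/usr/bin HOME=/var/empty TERM="$term" \
        "$CAPTIVE_PROG"
}

# Only exec when invoked under the installed name (login(1) sets argv[0]
# to "-captive-sh"), so sourcing the file for checks does not run it.
case "$0" in
    *captive-sh) captive_main "$@" ;;
esac
```

Because the wrapper execs the program directly, there is no shell left behind for the program to return to: when `onlyapp` exits, the connection ends. Keeping the captive shell out of /etc/shells is deliberate, since chsh(1) and ftpd(8) consult that file and neither should treat this account as a normal login.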