Escaping from shell-scripts

Gary Gatten Ggatten at waddell.com
Thu Nov 18 14:05:36 UTC 2010 

I can't speak directly to your question, but also consider proper "base" security, so IF someone can get outside your script they're limited.  Ie; proper user/group assignments, perms, etc. - file sysems, ulimit, et al. Maybe chroot.

----- Original Message -----
From: owner-freebsd-questions at freebsd.org <owner-freebsd-questions at freebsd.org>
To: freebsd-questions at freebsd.org <freebsd-questions at freebsd.org>
Sent: Thu Nov 18 07:52:39 2010
Subject: Escaping from shell-scripts

Hi,

I'm planning a service with a login-user-interface. Thus, I want to restrict
the user somehow to this script and to do nothing else.

The straight-forward way would be to write this script, have all input parsed
by read and then let the script act according to this input (let's assume
that these tools are secure, it's just cp'ing and writing to
non-sensitive files.

Are there possibilities to escape from such a script down to a prompt?

On the other hand, if I would take python for this, so a python-script is
executed, are there ways to get to a generic python-prompt?

The restriction to that script would be done by either setting the
login-shell to that script, setting the ssh-command for that account/key (and
ensuring that it can't be altered), or both.


All in all, this is a more general question I have for quite a time: Can you
use shell-scripts for security-relevant environments? Does an attacker have
the possibility to escape from a script down to a prompt?

I'm not that into shell-programming and there are too many legacies about
terminals (some time ago, I had to cope with termcap...) and shells which one
just can't all know.
E.g., it was just a few days ago I found out what a terminal-stop means and
that it is still interpreted by screen, though using it for several years now.


Regards, Julian





<font size="1">
<div style='border:none;border-bottom:double windowtext 2.25pt;padding:0in 0in 1.0pt 0in'>
</div>
"This email is intended to be reviewed by only the intended recipient
 and may contain information that is privileged and/or confidential.
 If you are not the intended recipient, you are hereby notified that
 any review, use, dissemination, disclosure or copying of this email
 and its attachments, if any, is strictly prohibited.  If you have
 received this email in error, please immediately notify the sender by
 return email and delete this email from your system."
</font>

More information about the freebsd-questions mailing list