Editor With NO Shell Access?

Tim Daneliuk tundra at tundraware.com
Tue Mar 13 15:43:32 UTC 2012

On 03/13/2012 01:39 AM, Joshua Isom wrote:
> On 3/12/2012 5:23 PM, Polytropon wrote:
>> On Mon, 12 Mar 2012 15:19:51 -0700, Edward M. wrote:
>>> On 03/12/2012 03:10 PM, Polytropon wrote:
>>>> /etc/shells to work, but a passwd entry like
>>>> bob:*:1234:1234:Two-loop-Bob:/home/bob:/usr/local/bin/joe
>>> I think this would not let the user to login,etc
>> I'm not sure... I assume logging in is handled by /usr/bin/login,
>> and control is then (i. e. after successful login) transferred
>> to the login shell, which is the program specified in the
>> "shell" field (see "man 5 passwd") of /etc/passwd. How is
>> login supposed to know if the program specified in this
>> field is actually a dialog shell?
>>> From "man 1 login" I read that many shells have a built-in
>> login command, but /usr/bin/login is the system's default
>> binary for this purpose if the "shell" (quotes deserved if
>> it is an editor as shown in my assumption) has no capability
>> of performing a login.
> Are they logging in from the console or from ssh? If it's from a console, I'd send them directly into a jail with limited file system access, so that excecutables don't matter. If it's from ssh, I'd do the same thing.
> Assume they can break out of the editor or that something will happen. Make it minimalist about what they can do. Use the /rescue/vi in an empty jail with the files available. Don't think about changing editors, change the system.

That's a really good idea, but we're talking about almost 1000 systems
here.  That's a whole bunch of configuration...

Tim Daneliuk     tundra at tundraware.com
PGP Key:         http://www.tundraware.com/PGP/

More information about the freebsd-questions mailing list