Editor With NO Shell Access?

Tim Daneliuk tundra at tundraware.com
Tue Mar 13 15:43:32 UTC 2012


On 03/13/2012 01:39 AM, Joshua Isom wrote:
> On 3/12/2012 5:23 PM, Polytropon wrote:
>> On Mon, 12 Mar 2012 15:19:51 -0700, Edward M. wrote:
>>> On 03/12/2012 03:10 PM, Polytropon wrote:
>>>> /etc/shells to work, but a passwd entry like
>>>>
>>>> bob:*:1234:1234:Two-loop-Bob:/home/bob:/usr/local/bin/joe
>>>
>>>
>>> I think this would not let the user log in, etc.
>>
>> I'm not sure... I assume logging in is handled by /usr/bin/login,
>> and control is then (i. e. after successful login) transferred
>> to the login shell, which is the program specified in the
>> "shell" field (see "man 5 passwd") of /etc/passwd. How is
>> login supposed to know if the program specified in this
>> field is actually a dialog shell?
>>
>> From "man 1 login" I read that many shells have a built-in
>> login command, but /usr/bin/login is the system's default
>> binary for this purpose if the "shell" (quotes deserved if
>> it is an editor as shown in my assumption) has no capability
>> of performing a login.
>>
>>
>>
>
> Are they logging in from the console or from ssh? If it's from a console, I'd send them directly into a jail with limited file system access, so that executables don't matter. If it's from ssh, I'd do the same thing.
>
> Assume they can break out of the editor or that something will happen. Make it minimalist about what they can do. Use the /rescue/vi in an empty jail with the files available. Don't think about changing editors, change the system.

That's a really good idea, but we're talking about almost 1000 systems
here.  That's a whole bunch of configuration...

-- 
----------------------------------------------------------------------------
Tim Daneliuk     tundra at tundraware.com
PGP Key:         http://www.tundraware.com/PGP/
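The thread turns on the fact that login(1) simply execs whatever is in the shell field of /etc/passwd once authentication succeeds, and that /etc/shells is a list of acceptable login shells rather than something login enforces. Below is an added example (not code from the thread or from any of its participants) of the audit a practitioner would want before rolling out an editor-as-login-shell configuration, or across the "almost 1000 systems" mentioned: a POSIX sh/awk script that reports every passwd account whose login program is neither listed in /etc/shells nor one of the deliberately non-interactive programs such as nologin. It assumes FreeBSD-style 7-field /etc/passwd lines and an /etc/shells file with `#` comments; the passwd and shells contents in the demo are constructed sample data, and `IGNORE_SHELLS`, `unlisted_shells` and `demo` are names introduced here.

```shell
#!/bin/sh
# Added example, not code from the mailing-list thread: audit /etc/passwd for
# accounts whose login "shell" field is not a registered shell in /etc/shells
# (the editor-as-login-shell setup discussed above). Assumes FreeBSD-style
# files; the sample data below is constructed for the demo.

# Programs that are deliberately not shells and should not be reported.
# (Name introduced here; override from the environment if your hosts differ.)
IGNORE_SHELLS="${IGNORE_SHELLS:-/usr/sbin/nologin /sbin/nologin}"

# unlisted_shells PASSWD_FILE SHELLS_FILE
# Prints "user:shell" for every 7-field passwd line whose shell is neither
# listed in SHELLS_FILE nor in IGNORE_SHELLS. login(1) execs whatever is in
# that field after authentication succeeds, so a non-shell there (an editor
# that can run an external command, for instance) is what this surfaces.
unlisted_shells() {
  awk -F: -v shells="$2" -v ignore="$IGNORE_SHELLS" '
    BEGIN {
      while ((getline line < shells) > 0) {
        if (line ~ /^[ \t]*(#|$)/) continue   # skip comments and blank lines
        ok[line] = 1
      }
      close(shells)
      n = split(ignore, ign, " ")
      for (i = 1; i <= n; i++) ok[ign[i]] = 1
    }
    NF >= 7 && !($7 in ok) { print $1 ":" $7 }
  ' "$1"
}

# demo: write the constructed sample files to a temp dir, run the audit on
# them, print the findings, and clean up. The "bob" line is the one from the
# thread; it is the only account the audit should report.
demo() {
  dir=$(mktemp -d) || return 1
  cat > "$dir/passwd" <<'EOF'
root:*:0:0:Charlie &:/root:/bin/csh
bob:*:1234:1234:Two-loop-Bob:/home/bob:/usr/local/bin/joe
alice:*:1235:1235:Alice:/home/alice:/bin/sh
svc:*:2000:2000:Service account:/nonexistent:/usr/sbin/nologin
EOF
  cat > "$dir/shells" <<'EOF'
# constructed /etc/shells: list of acceptable login shells
/bin/sh
/bin/csh
/bin/tcsh
EOF
  unlisted_shells "$dir/passwd" "$dir/shells"
  rm -rf "$dir"
}

# Against a real host run: unlisted_shells /etc/passwd /etc/shells
demo
```

Run against a real host the two arguments are simply /etc/passwd and /etc/shells; because it is plain sh and awk it can be pushed to many machines with whatever remote-execution tooling is already in place. An account it reports is one where the "shell" is whatever login(1) will exec, so the next question for each hit is the one raised in the thread: can that program spawn a subprocess, and if so, what does the user land in when it does.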
