From kragen@dnaco.net Sun Aug 2 12:04:50 1998
Date: Sun, 2 Aug 1998 12:04:49 -0400 (EDT)
From: Kragen
To: "systalk@ml.org"
Subject: Re: [ST] Restricting shell access
In-Reply-To: <35C48426.8C21DE37@agni.org>

On Sun, 2 Aug 1998, Harpreet Singh Giani wrote:
> I need to restrict shell access on my server. I want people having
> POP-only email boxes to be able to telnet in and automatically get the
> passwd program. The moment they successfully/unsuccessfully change their
> pwd, they should be logged off.
>
> In the /etc/passwd directory, these accounts are pointing to
> "/bin/emailonly" - but there is no such shell in the /bin dir.
>
> If I create a single line /etc/bash with the line "passwd", will it
> solve my purpose ? Can anyone hack/break in via this ?

By /etc/bash, do you mean /etc/profile? This will make everyone
(including root) change their password every time they log in, and then
give them a normal shell prompt.

I don't think this is a good idea.

1. If you give your "restricted" users a "real" shell, no other program
   (other than bash, and then only in a login shell) will be able to tell
   that they are restricted. So sendmail will let them pipe their mail to
   programs, ftp will give them full (user-level) access, etc., unless you
   go and close each of these holes individually.

2. You should never take a program that was written to be untrusted
   (i.e. executes with no privileges, other than the ones it inherits from
   its invoker) and try to use it to safeguard a security boundary. It's
   likely to be full of security holes (buffer overflows, failing to check
   permissions on file accesses, etc.). (Although I do have a CGI or two
   written in bash. I also think someone's broken into my system.)

3. If the user is able to shell out in some way, they'll get their normal
   shell.
Making /bin/passwd their shell might work, as I think it would do
everything you want it to, and also be reasonably secure.

Kragen
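
Added example, not part of the original message: a small audit that reports, per account, whether the login shell is one that other services will treat as a "real" shell. It assumes the common convention that ftpd and sendmail decide this by looking the shell up in /etc/shells; the function names, the sample accounts and the fixture layout are constructed for illustration.

```sh
#!/bin/sh
# audit_shells PASSWD SHELLS [ROOT]
# Prints "user<TAB>shell<TAB>verdict" for every account in PASSWD:
#   listed    shell is in SHELLS, so services that consult that list
#             (assumed: ftpd, sendmail program delivery) see a normal user
#   unlisted  shell exists but is not in SHELLS (e.g. /bin/passwd as shell)
#   missing   no such executable under ROOT (e.g. /bin/emailonly)
audit_shells() {
    passwd_file=$1 shells_file=$2 root=${3:-}
    while IFS=: read -r user pw uid gid gecos home shell; do
        [ -n "$user" ] || continue
        case $user in \#*) continue ;; esac
        [ -n "$shell" ] || shell=/bin/sh   # empty shell field means /bin/sh
        if [ ! -x "$root$shell" ]; then
            verdict=missing
        elif grep -qxF -- "$shell" "$shells_file"; then
            verdict=listed
        else
            verdict=unlisted
        fi
        printf '%s\t%s\t%s\n' "$user" "$shell" "$verdict"
    done < "$passwd_file"
}

# make_fixture DIR: writes constructed sample data (not from a real host).
make_fixture() {
    mkdir -p "$1/root/bin"
    for f in sh passwd; do
        : > "$1/root/bin/$f"
        chmod +x "$1/root/bin/$f"
    done
    printf '%s\n' '# constructed shells list' /bin/sh > "$1/shells"
    cat > "$1/passwd" <<'EOF'
root:x:0:0:root:/root:/bin/sh
alice:x:1001:1001:shell user:/home/alice:/bin/sh
bob:x:1002:1002:POP only:/home/bob:/bin/emailonly
carol:x:1003:1003:POP only:/home/carol:/bin/passwd
EOF
}

# Demo run against the constructed fixture.
tmp=$(mktemp -d) && make_fixture "$tmp" &&
    audit_shells "$tmp/passwd" "$tmp/shells" "$tmp/root"
rm -rf "$tmp"
```

On a live system the equivalent call is `audit_shells /etc/passwd /etc/shells`; any POP-only account reported as `listed` still has the exposure described in point 1.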