Hi,
I need (as many of us) to restrict some user account in order to provide
only some services on our Linux boxes.
For this purpose it is important to give users a restricted shell that lock
them in their home directory.
Under Berkley UNIX, you can create a restricteed shell by creating a hard
link to the /bin/sh program and giving the name of rsh. When sh starts up,
it looks at the program name that it was called to determine what behavior
it should have.
When it starts up it executes commands in the $HOME/.profile and once it is
processed, the following restrictions go into effect:
- the user can't change the current directory
- the user can't change the value of the the PATH environment variable
- the user can't use command names containing slashes
- the user can't redirect output using > or >>
generally on Berkley UNIX it is enough to do:
#ln /bin/sh /usr/etc/rsh
and you have the restricted shell.
Note: It is important not to place the rsh in any of the standard system
program directories so people don't execute it for mistake when they are
using remote shell command (rsh).
I tried it and.. on Caldera OplenLinux Standard 1.1 it is not working...
Does it work on RedHat? (Right now I can only access to OpenLinux, tomorrow
I'll check it myself on RH 5.0)
Well, if I want to do it on OpenLinux (or RedHat?) I have to look for a sh source
that would allow me to do it, then compile it, install on my box, create the user
home directory with all the hard link to the commands he needs (like for
example pine and lynx).
After that I'll have to modify the mail delivery agent in order to deliver
all the user mail in to to $HOME/.mail (so he will be able to read it... and
than modify pine).
After that, since I want the user to ftp in a restricted envirnonment I have
to compile and link ls statically, modify ftpaccess file, etc...
After that I'll (of course) enable quota.
Well, I was wondering if it does't make sense if in the next release of
RedHat we would have to add restricted users as a normal option in
adduser.... I mean: root would be able to choose to create a normal user or
one with restricted options..
In my opinion the following changes in future release of OpenLinux (but also
RedHat, Suse, Slackware, etc) would only benefit the Linux world:
- mail delivery agent shoud always send mail in the user's home directory
since even if the user is not restricted this won't bother him.
- quota should be always be enabled since even if the user is not restricted
this won't bother him. we can always set it to 500MB or more
- a statically linked copy of all bin utils should be installed (somewhere)
by default for emergencies purpose
- a restricted shell like rsh on Berkeley UNIX should be installed by
default somewhere
- all the proper permission/restriction shoul be set
I'd like to hear what do you think about that..
(maybe I didn't consider something and my proposal doesn't worth 0.2c.. in that
case, please forgive me)
regards,
Marco
--
PLEASE read the Red Hat FAQ, Tips, Errata and the MAILING LIST ARCHIVES!
http://www.redhat.com/RedHat-FAQ /RedHat-Errata /RedHat-Tips /mailing-lists
To unsubscribe: mail [EMAIL PROTECTED] with
"unsubscribe" as the Subject.
