Restricted shell (was Re: rsh environment)

Wolf N. Paul wnp at dcs.UUCP
Mon Dec 26 22:57:35 AEST 1988


In article <901 at philmds.UUCP> leo at philmds.UUCP (Leo de Wit) writes:
> (demo of restricted shell deleted)
>Restriction seems to imply both not to be able to change the working
>directory and execute only commands that are found using $PATH (they
>may not contain a slash).
>
>I'm interested both in what restriction means in System V, and whether
>there is any documentation about -r (set -r, sh -r) for the BSD /bin/sh.
>Furthermore I'm interested in hearing about its use (for what, and how).

The following is from the manual page for sh(1) under System V R.2:

-----beginning of quote
Rsh is used to set up login names and execution environments whose capabilities
are more controlled than those of the standard shell. The actions of rsh are
identical to sh, except that the following are disallowed:
	changing directory
	setting the value of $PATH,
	specifying path or command names containing /,
	redirecting output (> and >>).
These restrictions are enforced after .profile is interpreted.
...
The net effect of these rules is that the writer of the .profile has complete
control over user actions, by performing guaranteed setup actions and leaving
the user in an appropriate directory (probably not the login directory).
-----end of quote

Some notes: sh and rsh are links to the same binary, with "sh -r" being
equivalent to an invocation of rsh. "set -r" after the shell has started
also has the same effect, as Leo's demo showed. The manual further points out
that shell scripts are executed using standard sh, thus the restriction can
probably be gotten around.
-- 
Wolf N. Paul * 3387 Sam Rayburn Run * Carrollton TX 75007 * (214) 306-9101
UUCP:     killer!dcs!wnp                 ESL: 62832882
DOMAIN:   dcs!wnp at killer.dallas.tx.us    TLX: 910-380-0585 EES PLANO UD


