Secure (regular) Scripts

Clifford C. Skolnick cliffs at sun.com
Wed Dec 20 03:21:12 AEST 1989


I'll tell you what I did at a former job.  It's ugly, but it worked.  What
we did was check argv[0][0] in the shell to see if it was a "-", which
usually signifies a login shell.  If it was not equal, we would check the uid
to see if it matched a list of uids to not allow interactive shell access.
This did break some things, like running "grep" and "awk" stuff out of vi.  I
also remember rn's "follow-up" feature breaking.  There were many others, but
this was better than nothing.  You can also place this in a wrapper on the
real /bin/sh if you do not have source.

In article <9100020 at m.cs.uiuc.edu> carey at m.cs.uiuc.edu writes:

   Path: playroom!east!newstop!sun-barr!apple!mips!zaphod.mps.ohio-state.edu!brutus.cs.uiuc.edu!ux1.cso.uiuc.edu!ux1.cso.uiuc.edu!m.cs.uiuc.edu!carey
   From: carey at m.cs.uiuc.edu
   Newsgroups: comp.unix.wizards
   Date: 19 Dec 89 01:38:49 GMT
   Lines: 21
   Nf-ID: #N:m.cs.uiuc.edu:9100020:000:1071
   Nf-From: m.cs.uiuc.edu!carey    Dec 18 10:42:00 1989


   I have made a  guest login on one of our machines, for outside people
   to get access to some notesfiles and send mail to users and things like
   that.  It runs a shell script (bourne shell), which allows the guest
   user to choose from a menu of things to do.

   I want to keep people in this shell script, and not allow them to have
   access to a regular shell.  One thing I have tried to prevent is having
   people send interrupts and things like that to interrupt the shell
   script.

   Another big problem is that many things, like notes, mail, and even editors,
   have "shell escapes" built into them.

   Is there any way to prevent people from using these shell escapes, or at least
   having them not be able to do anything once they have done it?  Do I have to 
   rewrite mail and editors, to disable the shell escapes?  I wanted to avoid
   using the "rsh" (restricted shell) since that is kind of an administrative 
   hassle.  It would be better than rewriting editors.  The best thing would
   be some kind of trick to have them end up in a black hole somewhere when
   they do a shell escape.
--
Cliff Skolnick                                                cliffs at sun.com

    Sun Microsystems Inc. (I only work for them. I do not speak for them)
         "The floggings will continue until morale improves"
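The argv[0][0] check and uid deny list described in Cliff's reply, written out as a wrapper around the real shell. This is an added example, not Cliff's code; the deny-list uids and the path `/bin/sh.real` are constructed placeholders.

```c
/* Added example: a /bin/sh wrapper that refuses non-login invocations for a
 * constructed list of uids, as described in the reply above. */
#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>
#include <sys/types.h>

/* Constructed deny list: these uids get a login shell only (hypothetical values). */
static const uid_t deny_interactive[] = { 1001, 1002, 1003 };
#define NDENY (sizeof deny_interactive / sizeof deny_interactive[0])

/* Where the real shell was moved to (assumed path). */
#define REAL_SH "/bin/sh.real"

static int uid_is_denied(uid_t uid)
{
    for (size_t i = 0; i < NDENY; i++)
        if (deny_interactive[i] == uid)
            return 1;
    return 0;
}

/* Return 1 if this invocation may proceed, 0 if it must be refused.
 * argv0 is the wrapper's argv[0]; a leading '-' is the convention login(1)
 * uses to mark a login shell.  Any other spelling ("sh", "/bin/sh", the
 * "sh -c" that vi's :! and rn's follow-up use) counts as a non-login
 * invocation and is refused for denied uids, which is exactly what broke
 * vi and rn in the original setup. */
int shell_access_allowed(const char *argv0, uid_t uid)
{
    int login_shell = (argv0 != NULL && argv0[0] == '-');
    if (login_shell)
        return 1;
    return !uid_is_denied(uid);
}

int main(int argc, char **argv)
{
    (void)argc;
    if (!shell_access_allowed(argv[0], getuid())) {
        fprintf(stderr, "sh: interactive shell access not permitted for this account\n");
        return 1;
    }
    execv(REAL_SH, argv);   /* hand the unchanged argument vector to the real shell */
    perror("execv");        /* only reached if the exec itself failed */
    return 127;
}
```

Because argv[0] is chosen by whatever program execs the shell, this test only raises the bar for menu-driven accounts; it is not a security boundary on its own.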


