bash script interruption - Security


Thread: bash script interruption

  1. bash script interruption

    Hello

    I'm building a restricted environment with rbash as the
    shell. Now, I want the restricted user to be able to run only binaries
    from /usr/local/rbin. So I set this line in his .bash_profile:

    PATH=/usr/local/rbin

    He gets this PATH set, he can run only these binaries, and
    everything is fine. But what I'm worried about is: can he interrupt
    the execution of this .bash_profile script by any means, say by sending
    a CTRL+C (SIGINT) signal? Because if he could, he would get a default
    PATH that's not "/usr/local/rbin".

    I've checked one thing, i.e. I set the .bash_profile file as follows:

    echo "hello restricted user"
    sleep 5
    echo "sleep finished"
    PATH=/usr/local/rbin

    When the user logs in, he sees the hello text; now if he presses CTRL+C
    (during 'sleep'), he won't get "sleep finished", and he won't have PATH
    set either.

    So you see what I'm wondering about. Can the same be done with the
    first script (only PATH)?

    Thanks for all responses.


    --
    If you want to contact me via e-mail, remove NOSPAM before '@'.
    Best regards
    ~di0xid~

  2. Re: bash script interruption

    Try setting PATH before any other commands.

    PATH=/usr/local/rbin
    echo "hello restricted user"
    sleep 5
    echo "sleep finished"


  3. Re: bash script interruption

    Also note that the user can still run commands by giving the full
    path. (/bin/ls ~)


  4. Re: bash script interruption

    mmiikkee13 wrote:
    > Also note that the user can still run commands by giving the full
    > path. (/bin/ls ~)


    Not in rbash. Sigh.
    Chris

  5. Re: bash script interruption

    On 19 May 2007 21:55:07 -0700, mmiikkee13 wrote:
    | Also note that the user can still run commands by giving the full
    | path. (/bin/ls ~)


    Actually, no they can't.

    From the bash man page:

    RESTRICTED SHELL
    If bash is started with the name rbash, or the -r option is
    supplied at invocation, the shell becomes restricted.
    A restricted shell is used to set up an environment more
    controlled than the standard shell. It behaves identically
    to bash with the exception that the following are disallowed
    or not performed:

    * changing directories with cd

    * setting or unsetting the values of SHELL, PATH, ENV, or
    BASH_ENV

    * specifying command names containing /

    * specifying a file name containing a / as an argument to
    the . builtin command

    * Specifying a filename containing a slash as an argument to
    the -p option to the hash builtin command

    * importing function definitions from the shell environment
    at startup

    * parsing the value of SHELLOPTS from the shell environment
    at startup

    * redirecting output using the >, >|, <>, >&, &>, and >>
    redirection operators

    * using the exec builtin command to replace the shell with
    another command

    * adding or deleting builtin commands with the -f and -d
    options to the enable builtin command

    * Using the enable builtin command to enable disabled shell
    builtins

    * specifying the -p option to the command builtin command

    * turning off restricted mode with set +r or set +o
    restricted.

    These restrictions are enforced after any startup files are read.

    When a command that is found to be a shell script is executed
    (see COMMAND EXECUTION above), rbash turns off any restrictions
    in the shell spawned to execute the script.



    --
    Reverend Paul Colquhoun, ULC. http://andor.dropbear.id.au/~paulcol
    Asking for technical help in newsgroups? Read this first:
    http://catb.org/~esr/faqs/smart-questions.html#intro
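
Added example, written for this page rather than taken from any post in the thread: a small POSIX sh audit that checks a restricted user's .bash_profile for the ordering the second reply recommends (PATH assigned before anything else). The reason the ordering matters is the line quoted from the man page above: rbash enforces its restrictions only after the startup files are read, so the startup file itself is the window in which PATH must be fixed before any interruptible command such as sleep runs. The profile names and contents below are constructed for the demonstration, as are the function names.

```shell
#!/bin/sh
# Added example, not code from the thread. Audits a candidate .bash_profile
# for an rbash user: PATH must be the first thing the file executes, because
# rbash only locks PATH down once the startup files have been read.
# All file contents here are constructed samples.

# Print the first effective (non-blank, non-comment) line of file $1.
first_effective_line() {
    grep -v '^[[:space:]]*#' "$1" | grep -v '^[[:space:]]*$' | head -n 1
}

# Print "ok" when the first effective line assigns PATH, "bad" otherwise.
# A profile that passes has no interruptible command (sleep, echo, ...)
# ahead of the assignment, which is the fix the second reply proposes.
audit_profile() {
    line=$(first_effective_line "$1")
    case "$line" in
        PATH=*|"export PATH="*) echo ok ;;
        *) echo bad ;;
    esac
}

# Write a constructed sample profile to a temp file and print its path.
# "unsafe" reproduces the ordering from the original post (PATH set last);
# "safe" applies the second reply's fix (PATH set first).
make_profile() {
    f=$(mktemp) || return 1
    if [ "$1" = safe ]; then
        printf '%s\n' \
            'PATH=/usr/local/rbin' \
            'export PATH' \
            'echo "hello restricted user"' \
            'sleep 5' \
            'echo "sleep finished"' > "$f"
    else
        printf '%s\n' \
            '# constructed sample with the original ordering' \
            'echo "hello restricted user"' \
            'sleep 5' \
            'echo "sleep finished"' \
            'PATH=/usr/local/rbin' > "$f"
    fi
    printf '%s\n' "$f"
}

# Stand-alone demonstration: audit both samples, then clean up.
for kind in unsafe safe; do
    p=$(make_profile "$kind")
    printf '%s profile: %s\n' "$kind" "$(audit_profile "$p")"
    rm -f "$p"
done
```

Two caveats a practitioner would add to this check. First, the audit only reasons about what the shell executes from the file; it assumes the file is owned by root and not writable by the restricted user, otherwise its contents are not worth auditing. Second, whether a signal can land between the shell opening the file and running its first assignment is a narrower question than the thread settles; the more robust arrangement is to have PATH exported by the login process before rbash starts (for example through the system's login or PAM environment configuration), so the shell inherits the value instead of computing it in a startup file it might not finish, and rbash then refuses to change it.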
