Vulnerability Development mailing list archives

limited functionality accounts (was: Re: History Files)


From: alex.andrews () BINARYGOD CO UK (Alex Andrews)
Date: Tue, 25 Apr 2000 12:33:46 +0100


Hi list,
Just to resurrect an almost dead thread.
Anyway, we were talking about restricting a user's command usage in
a shell, especially cmds such as export, = and set/unset to prevent
him/her from adapting shell variables. These commands are of course
all shell builtins. The thing no person has mentioned (as far as I can
see) is another shell (bash) builtin, the 'enable' command. This
command allows us to disable shell builtins. For example:
enable -n cd
disables the cd command. Using the cd command displays an error
message. We can then use this command to disable all shell builtins
which could cause problems, allow the resetting of $PATH or other such
restrictive variables. To see a full list of shell builtins simply
give the enable command with no arguments.
We can then, using commands in the .profile, set our values and prevent
the changing of them with enable (including = unset set etc),
concluding with (blatantly .profile would not be user adaptable):
enable -n enable
to prevent enable being used to reinitialise these commands.
Using this command coupled with an $path variable set to /rbin, a
restricted bin with a number of ln-ed programs from the main /bin and
/usr/bin can cripple any attempt by a user to cause problems. This of
course assumes that all binaries on the system are not world
executable (on my box most users are placed in an execute group in
addition to their normal group if they are allowed to use the normal
bins). This in addition to ttysnoop or another program will really
mean that big brother both controls and watches you.

Oh and another point, this time in regard to the thread "Controlling a
program's resource usage on Unix" the bash shell (and others) can
restrict a process's resources with the ulimit. For example you can
restrict the maximum number of processes available to the user with the
command:
ulimit -u 2
There are also several other options which can limit the time taken
for a program to execute, the memory available, but I won't bore you
with the details here (unless you ask me to later in the thread). You
could set these in a user's uneditable .profile and prevent them from
adaption by the, you've guessed it, enable -n ulimit at the end of the
.profile.
Anyhow that's all I can think of at the moment. See you guys later.
Alex Andrews
alex () binarygod co uk
~~~~~~~~~~~~~~~~~~~~~~~
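
Added example (not part of the original message and not the author's code): a bash sketch of the .profile tail the post describes, plus a check that each control actually took effect in a fresh shell. /rbin and the disabled builtins come from the post; the function names, `readonly PATH` and the `ulimit -t 60` value are assumptions made here.

```bash
#!/bin/bash
# Added example (constructed). /rbin and the disabled builtins come from the
# post; readonly PATH and the ulimit -t value are assumptions.

# Emit the tail of a root-owned .profile in the order the post describes.
locked_profile() {
cat <<'EOF'
PATH=/rbin
readonly PATH      # assumption: assignment is shell syntax, not a builtin
ulimit -t 60       # CPU seconds per process (the post uses ulimit -u 2)
enable -n cd export set unset ulimit
enable -n enable   # last line: after this nothing can be re-enabled
EOF
}

# Apply a profile in a clean child bash, then probe each control in its own
# subshell. Prints one "<name>=blocked" or "<name>=open" line per probe.
audit_lockdown() {
  bash --noprofile --norc -c '
    eval "$1"
    probe() {
      if ( eval "$2" ) >/dev/null 2>&1; then echo "$1=open"; else echo "$1=blocked"; fi
    }
    probe cd          "cd /"
    probe export      "export AUDIT_VAR=1"
    probe ulimit      "ulimit -t"
    probe enable      "enable cd"
    probe path_assign "PATH=/bin"
  ' audit "$1"
}

main() {
  echo "== with the lockdown lines =="
  audit_lockdown "$(locked_profile)"
  echo "== plain shell, for comparison =="
  audit_lockdown ""
}
main
```

`readonly PATH` is included because a plain variable assignment is shell syntax rather than a builtin, so it is not something `enable -n` can switch off.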

