
EXTRA - RSH

Rsh:

Rsh is the restricted version of the Korn shell (/usr/bin/Rsh). A user running it cannot change directory, change the PATH variable, run a command whose name contains a /, or redirect output, so the only commands available are the ones found in the directories PATH points to. The restrictions are enforced only after the user's .profile has been read, which is why the steps below also control that file.

1. add /usr/bin/Rsh to the list of shells

vi /etc/security/login.cfg         <--all valid login shells are listed in this file, in the usw stanza

...
usw:
        shells = /bin/sh,/bin/bsh,/bin/csh,/bin/ksh,/bin/tsh,/usr/bin/sh,/usr/bin/bsh,/usr/bin/csh,/usr/bin/ksh,/usr/bin/tsh,/usr/sbin/sliplogin,/bin/ftponly,/usr/sbin/uucp/uucico,/share/bin/bash,/usr/sbin/snappd,/usr/bin/Rsh
...


2. assign the restricted shell to the user

chuser shell=/usr/bin/Rsh bubba    <--bubba can't: change directory, change the PATH variable, use command names containing /, or redirect output (>, >>)


3. make sure the PATH variable in the user's .profile does not contain /usr/bin, /bin or . (the default PATH ends with ., the current directory). Because .profile is read before Rsh applies its restrictions, the file must be owned by root and not be writable by the user, otherwise he can simply put /usr/bin back into PATH there.

vi /home/bubba/.profile

...
#PATH=/usr/bin:/etc:/usr/sbin:/usr/ucb:$HOME/bin:/usr/bin/X11:/sbin:.
PATH=/usr/rbin                    <--copy the commands the user is allowed to run from /usr/bin or /bin into /usr/rbin
...


4. create the /usr/rbin directory if needed and copy the needed commands into it. Copy only commands that cannot start another shell or edit files: vi, for example, has shell escapes (:!, :sh and the shell option, e.g. :set shell=/bin/sh) and can rewrite .profile, so with vi in /usr/rbin the restriction is easily undone.

$ ls -l /usr/rbin
-r-xr-xr-x   1 root     system        10842 Sep 26 00:21 cat
-r-xr-xr-x   1 root     system        28594 Sep 26 00:18 ls
-r-xr-xr-x   1 root     system       298886 Sep 26 00:24 vi

(Once I put /usr/bin/ssh there, in order to log in to the server.)
(If extended history is turned on in /etc/profile it could cause problems, because Rsh does not understand those commands; I moved those two lines from /etc/profile to root's .profile file.)
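The four steps above as one script, an added example that is not from the original page: the check functions are plain POSIX sh (usable on any box to audit a login.cfg, a .profile and a /usr/rbin directory), and setup_rsh_user drives the AIX chsec/chuser commands, printing them instead of running them unless RSH_APPLY=1 is set. The RSH_ESCAPE_CMDS list, the RSH_USER/RSH_APPLY/RSH_HOME variables and the file name rsh_setup.sh are my own assumptions, not anything from the page.

```shell
#!/bin/sh
# Added example (not from the original page): helpers for the four Rsh
# steps. The check functions are POSIX sh and run anywhere; setup_rsh_user
# assumes the AIX commands chsec and chuser and the /etc/security/login.cfg
# layout shown on the page. RSH_ESCAPE_CMDS is my own list (assumption).

# Commands that can start another shell, edit files or run arbitrary
# programs. None of these belong in /usr/rbin: they undo the restriction.
RSH_ESCAPE_CMDS="sh bsh csh ksh tsh Rsh vi ex view ed more pg less man ftp telnet ssh rsh find awk sed env nohup nice su xargs perl python"

# Print the shells= value of the usw stanza in the login.cfg file $1.
usw_shells() {
    sed -n '/^usw:/,/^[a-z]/p' "$1" |
        sed -n 's/^[[:space:]]*shells[[:space:]]*=[[:space:]]*//p' | head -n 1
}

# Step 1 check: is /usr/bin/Rsh one of the valid login shells?
rsh_shell_registered() {
    usw_shells "${1:-/etc/security/login.cfg}" | tr ',' '\n' |
        grep -qx '[[:space:]]*/usr/bin/Rsh[[:space:]]*'
}

# Step 1 helper: the shells= list $1 with /usr/bin/Rsh appended once,
# for "chsec -f /etc/security/login.cfg -s usw -a shells=<list>".
shells_with_rsh() {
    case ",$1," in
        *,/usr/bin/Rsh,*) printf '%s\n' "$1" ;;
        *)                printf '%s,/usr/bin/Rsh\n' "$1" ;;
    esac
}

# Step 3 check: the last live PATH= line of .profile $1 must consist only
# of absolute directories outside the system bin trees. An empty element,
# "." or "$HOME/bin" hands the user a directory he can write to, and
# "$PATH" keeps the full default; all of these are rejected.
profile_path_ok() {
    p=$(sed -n 's/^[[:space:]]*PATH=//p' "$1" | tail -n 1)
    [ -n "$p" ] || return 1      # no PATH at all: the default is inherited
    printf '%s\n' "$p" | tr ':' '\n' | while IFS= read -r d; do
        case "$d" in
            /usr/bin|/usr/bin/*|/bin|/bin/*|/usr/sbin|/usr/sbin/*|/sbin|/sbin/*) exit 1 ;;
            /*) ;;
            *)  exit 1 ;;
        esac
    done
}

# Rsh enforces its restrictions only after .profile has been read, so the
# file must belong to the administrator ($2, default root) and must not be
# group- or world-writable, or the user simply resets PATH in it.
profile_locked_down() {
    [ -n "$(find "$1" -user "${2:-root}" ! -perm -020 ! -perm -002 -print 2>/dev/null)" ]
}

# Step 4 check: report commands in $1 (default /usr/rbin) that can escape
# the restricted shell. Returns 1 if any are present.
audit_rbin() {
    dir=${1:-/usr/rbin}; bad=0
    for c in $RSH_ESCAPE_CMDS; do
        if [ -e "$dir/$c" ]; then
            echo "WARNING: $dir/$c can escape Rsh, remove it"
            bad=1
        fi
    done
    return $bad
}

# Steps 1-4 for user $1; the remaining arguments are the commands to copy
# from /usr/bin into /usr/rbin. Dry run (prints commands) unless RSH_APPLY=1.
setup_rsh_user() {
    user=$1; shift
    home=${RSH_HOME:-/home/$user}       # override if the home is elsewhere
    run() { if [ "${RSH_APPLY:-0}" = 1 ]; then "$@"; else echo "+ $*"; fi; }
    cur=$(usw_shells /etc/security/login.cfg 2>/dev/null)
    if [ -z "$cur" ] && [ "${RSH_APPLY:-0}" = 1 ]; then
        echo "cannot read shells= from /etc/security/login.cfg" >&2; return 1
    fi
    run chsec -f /etc/security/login.cfg -s usw -a "shells=$(shells_with_rsh "${cur:-<current list>}")"
    run chuser shell=/usr/bin/Rsh "$user"
    run mkdir -p /usr/rbin
    for c in "$@"; do run cp -p "/usr/bin/$c" /usr/rbin/; done
    # .profile is written by root and handed to the user read-only
    run sh -c "printf 'PATH=/usr/rbin\nexport PATH\n' > '$home/.profile'"
    run chown root "$home/.profile"
    run chmod 644 "$home/.profile"
}

# Usage: RSH_USER=bubba sh rsh_setup.sh cat ls              (prints the commands)
#        RSH_USER=bubba RSH_APPLY=1 sh rsh_setup.sh cat ls   (applies them)
if [ -n "${RSH_USER:-}" ]; then
    setup_rsh_user "$RSH_USER" "$@" && audit_rbin /usr/rbin
fi
```

Run the checks first against copies of the real files; audit_rbin will flag the vi (and ssh) entries from the listing above, and the dry run shows every command before anything on the system is changed.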
