Rsh:
The effect of the restricted shell (Rsh) is to prevent the user from running any command that is not located in a directory listed in the PATH variable.
1. add /usr/bin/Rsh to the list of shells
vi /etc/security/login.cfg <--all valid login shells are listed in this file, in the usw stanza
...
usw:
shells = /bin/sh,/bin/bsh,/bin/csh,/bin/ksh,/bin/tsh,/usr/bin/sh,/usr/bin/bsh,/usr/bin/csh,/usr/bin/ksh,/usr/bin/tsh,/usr/sbin/sliplogin,/bin/ftponly,/usr/sbin/uucp/uucico,/share/bin/bash,/usr/sbin/snappd,/usr/bin/Rsh
...
2. assign the restricted shell to the user
chuser shell=/usr/bin/Rsh bubba <--bubba can no longer: change directory, change the PATH variable, use command names containing a /, or redirect output (>, >>)
3. make sure PATH variable does not contain /usr/bin or /bin
vi /home/bubba/.profile
...
#PATH=/usr/bin:/etc:/usr/sbin:/usr/ucb:$HOME/bin:/usr/bin/X11:/sbin:.
PATH=/usr/rbin <--copy the commands the user is allowed to run from /usr/bin or /bin into /usr/rbin
...
4. create the /usr/rbin directory if needed and copy the required commands there
$ ls -l /usr/rbin
-r-xr-xr-x 1 root system 10842 Sep 26 00:21 cat
-r-xr-xr-x 1 root system 28594 Sep 26 00:18 ls
-r-xr-xr-x 1 root system 298886 Sep 26 00:24 vi
(Once I put /usr/bin/ssh there as well, in order to log in to the server.)
(If extended history is turned on in /etc/profile it could cause problems, because Rsh does not understand those commands; I put those 2 lines from /etc/profile into root's .profile file.)
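To confirm that steps 1 to 3 took effect, here is an added audit script (not from the original post) that checks a login.cfg text for /usr/bin/Rsh in the usw shells list and checks a .profile text for a PATH that no longer reaches /usr/bin, /bin or the current directory. The file contents below are constructed samples; on AIX, pass the real files' contents to the same functions.

```shell
#!/bin/sh
# Audit helper for the Rsh setup above. Added example, not from the original post.
# The sample texts are constructed stand-ins for /etc/security/login.cfg and
# /home/bubba/.profile; on a real box feed the files' contents instead.

SAMPLE_LOGIN_CFG='default:
    sak_enabled = false
usw:
    shells = /bin/sh,/bin/ksh,/usr/bin/ksh,/usr/bin/Rsh
    maxlogins = 32767'

SAMPLE_PROFILE='#PATH=/usr/bin:/etc:/usr/sbin:/usr/ucb:$HOME/bin:/usr/bin/X11:/sbin:.
PATH=/usr/rbin
export PATH'

SAMPLE_PROFILE_BAD='PATH=/usr/rbin:/usr/bin'

# shell_listed CFGTEXT SHELL: succeeds when SHELL is in the shells= list of the usw: stanza
shell_listed() {
    printf '%s\n' "$1" | awk -v want="$2" '
        /^[A-Za-z_]+:[ \t]*$/ { stanza = $1 }   # stanza header line, e.g. "usw:"
        stanza == "usw:" && $1 == "shells" {
            n = split($3, list, ",")
            for (i = 1; i <= n; i++) if (list[i] == want) found = 1
        }
        END { exit found ? 0 : 1 }'
}

# profile_path PROFILETEXT: prints the value of the last uncommented PATH assignment
profile_path() {
    printf '%s\n' "$1" | sed -n -e 's/^PATH=//p' -e 's/^export PATH=//p' | tail -n 1
}

# path_has_forbidden PATHVALUE: succeeds if PATH still reaches an unrestricted
# directory (/usr/bin or /bin) or the current directory ("." or an empty component)
path_has_forbidden() {
    case ":$1:" in
        *:/usr/bin:*|*:/bin:*|*:.:*|*::*) return 0 ;;
    esac
    return 1
}

# rsh_profile_ok PROFILETEXT: succeeds when PATH is set and has no forbidden directory
rsh_profile_ok() {
    p=$(profile_path "$1")
    [ -n "$p" ] && ! path_has_forbidden "$p"
}

# Stand-alone run: report on the constructed samples
shell_listed "$SAMPLE_LOGIN_CFG" /usr/bin/Rsh && echo "Rsh is a valid login shell"
rsh_profile_ok "$SAMPLE_PROFILE" && echo "bubba's PATH is restricted to /usr/rbin"
rsh_profile_ok "$SAMPLE_PROFILE_BAD" || echo "bad profile still reaches /usr/bin"
```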