- Newsgroups: comp.unix.shell
- Path: sparky!uunet!think.com!ames!haven.umd.edu!news.umbc.edu!gmuvax2!wvarga
- From: wvarga@gmuvax2.gmu.edu (Wilson Varga)
- Subject: Re: How to make Restrict Shell more safely?
- Message-ID: <1993Jan6.135639.1668@gmuvax2.gmu.edu>
- Summary: try a commercial product for the purpose
- Organization: George Mason University, Fairfax, Va.
- References: <cslee.225.726145569@pds.nchu.edu.tw> <1993Jan4.194925.7364@crd.ge.com> <1993Jan4.200732.7262@news.acns.nwu.edu>
- Date: Wed, 6 Jan 1993 13:56:39 GMT
- Lines: 23
-
- In article <1993Jan4.200732.7262@news.acns.nwu.edu> navarra@casbah.acns.nwu.edu (John Navarra) writes:
- >In article <1993Jan4.194925.7364@crd.ge.com> davidsen@crd.ge.com (bill davidsen) writes:
- >> 4. Remember that some programs give shell access via escapes, like vi,
- >>emacs, etc. Some versions use PATH and are safe, some use /bin/sh and
- >>are not at all safe.
- >
- >Yeah, here is the BIG problem. If you want to let restricted users have
- >access to vi, mail, and news, you have the shell escape problem. This
- >is not a trivial thing to fix -- especially if you don't have the source.
- >
- >> 5. The *really* safe way to have guest users is to run them in a tiny
- >>system of their own using chroot. It is very hard to do this without
- >>losing a lot of functionality, however, so I don't do that.
-
- There is a commercial product, CENTRUS UX, that solves all of this by
- keeping end-users within a menu system. What the restricted class of
- end-users is permitted to do/not do is entirely under the control of
- the system administrator. Access to any of the unix shells is also
- effectively eliminated, without restricting the functionality of
- applications such as vi. Contact the company directly for more
- information. I know that CENTRUS is currently available for HP-UX, but
- the company is seeking to compile for other versions of unix.
- Contact uss@uii.com.
-
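Point 4 in the quoted text (some builds start the shell through PATH, others hard-code /bin/sh), as an added example that is not part of the original post or thread: a shell function that flags programs in a restricted user's command directory that embed an absolute shell path. The function names, the pattern list and the sample files are assumptions made for illustration.

```shell
#!/bin/sh
# Added example, not from the thread. Flags programs in a restricted user's
# command directory that embed an absolute shell path; per point 4 those
# start a full shell regardless of the restricted PATH.

# Assumed list of shell paths; extend it for the system being audited.
SHELL_PATTERN='/(usr/)?bin/(sh|csh|ksh|bash|tcsh|zsh)'

# audit_rbin DIR -> one line per regular file (symlinks are followed):
#   HARDCODED name   absolute shell path found, review before offering it
#   no-match  name   nothing found. Not proof of safety: a dynamically
#                    linked program calling system() gets /bin/sh from libc.
# Returns 1 if anything was flagged, 0 if not, 2 if DIR is not a directory.
audit_rbin() {
    dir=$1
    [ -d "$dir" ] || { echo "audit_rbin: not a directory: $dir" >&2; return 2; }
    flagged=0
    for f in "$dir"/*; do
        [ -f "$f" ] || continue          # skip subdirectories and dangling links
        # -a: scan binaries as text; -q: status only; -E: extended regex
        if grep -aqE "$SHELL_PATTERN" "$f"; then
            echo "HARDCODED ${f##*/}"
            flagged=1
        else
            echo "no-match  ${f##*/}"
        fi
    done
    return "$flagged"
}

# demo: builds two constructed stand-ins for editor builds and audits them.
demo() {
    d=$(mktemp -d) || return 2
    printf 'escape: exec /bin/sh -c cmd\n' > "$d/editor_abs"   # constructed
    printf 'escape: exec sh -c cmd\n'      > "$d/editor_path"  # constructed
    rc=0
    audit_rbin "$d" || rc=$?
    rm -rf "$d"
    return "$rc"
}

# Usage: script.sh DIR   (or: script.sh --demo)
if [ "${1:-}" = "--demo" ]; then demo; elif [ $# -gt 0 ]; then audit_rbin "$1"; fi
```

A HARDCODED result is a prompt for manual review: the pattern also matches scripts with a `#!/bin/sh` line and longer paths that merely begin with a shell name.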