Vulnerability Development mailing list archives
limited functionality accounts (was: Re: History Files)
From: alex.andrews () BINARYGOD CO UK (Alex Andrews)
Date: Tue, 25 Apr 2000 12:33:46 +0100
Hi list, Just to resurrect a almost dead thread. Anyway, we were talking about restricting the users a command usage in a shell, especially cmds such as export, = and set/uset to prevent him/her from adapting shell variables. These commands are of course all shell builtins. The thing no person has mentioned (as far as i can see) is another shell (bash) builtin the 'enable' command. This command allows us to disable shell builtins. For example: enable -n cd disables the cd command. Using the cd command displays an error message. We can then use this command to disable all shell builtins which could cause problems, allow the resetting of $PATH or other such restrictive variables. To see a full list of shell builtins simply give the enable command with no arguements. We can then, using commands in the .profile set our values and prevent the changing of them with enable (including = uset set etc), concluding with (blatantly .profile would not be user adaptable): enable -n enable to prevent enable being used to reintialise these commands. Using this command coupled with an $path variable set to /rbin, a restricted bin with a number of ln-ed programs from the main /bin and /usr/bin can cripple any attempt by a user to cause problems. This of course assumes that all binaries on the system are not world executable (on my box most users are placed in an execute group in addition to there normal group if they are allowed to use the normal bins). This in addition to ttysnoop or another program will really mean that big brother both controls and watches you. Oh and another point, this time in regard to the thread "Controlling a program's resource usage on Unix" the bash shell (and others)can restrict a processes resources with the ulimit. For example you can restrict the maximum number of processes avalible to the user with the command: ulimit -u 2 There are also several other options which can limit the time taken for a program to execute, the memory avalible, but i wont bore you with the details here (unless you ask me to later in the thread). You could set these in a users uneditable .profile and prevent them from adaption by the, you've guessed it, enable -n ulimit at the end of the .profile. Anyhow thats all I can think of at the moment. See you guys later. Alex Andrews alex () binarygod co uk ~~~~~~~~~~~~~~~~~~~~~~~
Current thread:
- Securax Security Advisory: Windows98 contains a serious buffer overflow with long filenameextensions., (continued)
- Securax Security Advisory: Windows98 contains a serious buffer overflow with long filenameextensions. Zoa_Chien (Apr 21)
- Re: Securax Security Advisory: Windows98 contains a serious buffer overflow with long filenameextensions. Bob Fiero (Apr 21)
- Re: Securax Security Advisory: Windows98 contains a serious buffer overflow with long filenameextensions. Ron DuFresne (Apr 21)
- Re: Securax Security Advisory: Windows98 contains a serious buffer overflow with long filenameextensions. Zoa_Chien (Apr 21)
- Re: Securax Security Advisory: Windows98 contains a seriousbuffer overflow with long filenameextensions. Markus Kern (Apr 22)
- Re: Securax Security Advisory: Windows98 contains a seriousbuffer overflow with long filenameextensions. Zoa_Chien (Apr 23)
- koules again Kotz (Apr 21)
- Re: koules again Ron DuFresne (Apr 21)
- Re: No-Exec Stack Smashing 101 Granquist, Lamont (Apr 25)
- Re: No-Exec Stack Smashing 101 M.C.Mar (Apr 26)
- limited functionality accounts (was: Re: History Files) Alex Andrews (Apr 25)
- Re: limited functionality accounts (was: Re: History Files) Rob Kouwenberg (Apr 28)
- Re: No-Exec Stack Smashing 101 Granquist, Lamont (Apr 26)
- long file names in explorer.exe kj (Apr 26)
- Re: long file names in explorer.exe Rory Savage (Apr 28)
- Re: long file names in explorer.exe kj (Apr 28)
- Lotus notes + windows98 overflow Alistair Orchard (Apr 27)
- Blind Remote Buffer Overflow Granquist, Lamont (Apr 27)
- Eudora Pro Buffer Overflow testing in progress - help needed. Zoa_Chien (Apr 28)
- Re: Eudora Pro Buffer Overflow testing in progress - help needed. Blue Boar (Apr 28)
- Re: Blind Remote Buffer Overflow Marc (Apr 28)