
Re: [cobalt-users] RaQ4 and Raq550 , restrict telnet and/or ssh logins to ONLY their own site folder ?



Bruce Timberlake wrote:

> In my _brief_ experiments, it appears that there are multiple bash
> RPMS installed on my RaQ 4:
> 
> bash-1.14.7-22
> bash2-2.03-8
> bash2-doc-2.03-8

bash-1.14.7-22 is the original bash shell, version 1.

bash2-2.03-8 is the new bash shell version 2.  The reason it's got
another name and a separate rpm is so you and I and a lot of other
people can continue to use the original bash (which is still being
maintained), yet still call bash2 (if we need to, to run a bash2-script)
within a script (for example, with a #!/bin/bash line).

bash2-doc-2.03-8 is the documentation for bash2.  See the
/home/doc/bash2-doc-2.03 directory.

> And the sample script to prove 'restrictedness' from TLDP (at
> http://www.tldp.org/LDP/abs/html/restricted-sh.html) doesn't appear
> to work on the RaQ 4... (-r is an unknown option)

But it will work fine if you make bash2 the user shell... since bash
version 2 is the version that specifically implements the -r option.

> But on my desktop machine running RH8 with these bash versions:
> 
> bash-doc-2.05b-5
> bash-2.05b-5

Because bash-2.05b is version 2.05b of bash version 2.

> it works just as advertised...
> 
> I definitely need to play with this a bit more, to see how/if it
> restricts access to 'external' apps, commands, etc.  But it
> definitely seems a lot simpler than setting up chroot stuff...

It may very well work on the RaQ, using the /bin/bash2 shell that's
already there, as the linux shell for users you want restricted.

Of course you won't be able to maintain said users through the gui, but
that may be the price we're willing to pay <smile>.

Jeff
-- 
Jeff Lasman, nobaloney.net, P. O. Box 52672, Riverside, CA  92517 US
Internet & Unix/Linux/Sun/Cobalt Consulting +1 909 778-9980
Our jblists address used on lists is for list email only
To contact us offlist: http://www.nobaloney.net/contactus.html
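
An added example, not part of the original message: a small probe script for checking what a restricted bash actually refuses before it is made a user's login shell. The `RBASH` variable and the function names are assumptions made for this sketch; on the RaQ 4 discussed above, `RBASH` would be set to `/bin/bash2`.

```shell
#!/bin/sh
# Added example: probe which actions "bash -r" refuses.
# RBASH is an assumption; on the RaQ 4 it would be /bin/bash2.
RBASH="${RBASH:-bash}"

# Control check: a shell that rejects -r outright (as bash 1.x does) would
# make every probe below look "blocked", so verify -r is accepted first.
supports_restricted() {
    "$RBASH" --noprofile --norc -r -c 'true' >/dev/null 2>&1
}

# Run one command line in a restricted shell.
# Returns 0 if the shell refused it, 1 if it ran successfully.
probe_blocked() {
    if "$RBASH" --noprofile --norc -r -c "$1" >/dev/null 2>&1; then
        return 1
    fi
    return 0
}

restricted_report() {
    if ! supports_restricted; then
        echo "$RBASH does not accept -r; nothing tested"
        return 2
    fi
    scratch="${TMPDIR:-/tmp}/rbash_probe.$$"
    # The first five are documented restrictions: changing directory,
    # reassigning PATH, command names containing '/', output redirection,
    # and exec. The last is a plain command looked up on PATH.
    for cmd in 'cd /' 'PATH=/bin:/usr/bin' '/bin/ls' \
               "echo x > $scratch" 'exec sh' 'ls'; do
        if probe_blocked "$cmd"; then state=BLOCKED; else state=allowed; fi
        printf '%-8s %s\n' "$state" "$cmd"
    done
    rm -f "$scratch"   # only exists if the redirection was not blocked
}

restricted_report
```

The final probe is expected to report `allowed`: a restricted shell still runs any command found on `PATH`, so the restriction is only as tight as the directory `PATH` points to when the user logs in.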