UNABLE TO USE THE FORTRAN OR C COMPILERS WHILE
ITEM: RTA000050189
QUESTION:
I have a question submitted directly from a customer:
"I have an RS/6000 running AIX v. 3.2.5 with XLFortran v. 2.3
and I want to set up a restricted shell (/bin/Rsh) for a user
that needs to be tied down. All went fine until I checked to see
if he could still compile. The answer is NO. The compiler will
produce object code, but not link them. As it turns out, the
link portion of compile is issuing a "/bin/mv" command, illegal
under /bin/Rsh.
Question: Is there any way I can allow compiles under /bin/Rsh?
Note: This problem also exists with the C compiler (cc)."
---------- ---------- ---------- --------- ---------- ----------
A: The /bin/mv command is not illegal under Rsh. The big
restriction under Rsh is that a user cannot change his path
variable or use fully qualified pathnames. Thus, if the user
were to set his path to include /bin before invoking the Rsh,
he would be able to use the /bin/mv command within Rsh.
For example, the following will allow a user to compile his
sample program:
export PATH=.:/bin
Rsh
Now within this Rsh, the user will be able to compile any source
code within his home directory.
---------- ---------- ---------- --------- ---------- ----------
QUESTION:
The customer asked me to reopen this item with the following info:
"When I said that the "/bin/mv" command was illegal under /bin/Rsh,
I did not mean that mv was illegal. The difference is the presence of the
"/" character in the path. The shell will not execute any command that
is issued with a "/" (like /bin/cp file1 file2.) The problem is that
the compiler is NOT issuing a "mv" command, it is issuing a "/bin/mv"
command. The shell sees the "/" and does not allow the command.
As the responder said, when you issue Rsh from your login shell, it all
works. But I have set Rsh to be the login shell for a given user, and
here it does NOT work. I tried exactly
what you said and got the following result:
-----
Last unsuccessful login: Mon Oct 17 10:23:05 1994 on tty0
Last login: Tue Oct 18 12:22:21 1994 on tty0
$ ps
PID TTY TIME CMD
18185 pts/1 0:00 ps
19718 pts/1 0:00 -Rsh
$ ls -l
total 32
-rw-r----- 1 boeing contract 1866 Oct 17 13:22 time.c
-rw-r----- 1 boeing contract 1277 Oct 18 12:22 time.o
-rw-r----- 1 boeing contract 349 Oct 17 10:11 times.f
-rw-r----- 1 boeing contract 1524 Oct 18 12:22 times.o
$ cc time.c
bsh: /bin/mv: restricted
0706-927 ERROR: Cannot mv the temporary object file: ./bind.FAONVEcAAA
to the output object file: a.out
Check path name and permissions or
use local problem reporting procedures.
$ f77 times.f
** time_test === End of Compilation 1 ===
1501-510 Compilation successful for file times.f.
bsh: /bin/mv: restricted
0706-927 ERROR: Cannot mv the temporary object file: ./bind.FAYNVEcAAA
to the output object file: a.out
Check path name and permissions or
use local problem reporting procedures.
$ set
EDITOR=/bin/vi
HOME=/home4/boeing
IFS=
LANG=C
LOCPATH=/usr/lib/nls/loc
LOGNAME=boeing
MAIL=/usr/spool/mail/boeing
MAILCHECK=600
MAILMSG=[YOU HAVE NEW MAIL]
MANPATH=/usr/man:/usr/local/man:/usr/local/share/man:/usr/lpp/LoadL/nfs
NLSPATH=/usr/lib/nls/msg/%L/%N:/usr/lib/nls/msg/prime/%N
ODMDIR=/etc/objrepos
OPTIND=1
PATH=/home4/boeing/bin:/bin:/usr/bin:/etc:/usr/sbin:/usr/ucb:/sbin
PS1=$
PS2=>
SHELL=/bin/Rsh
TERM=iris-ansi-net
TERM_DEFAULT=hft
TZ=EST5EDT
USER=boeing
------
As you can see the path is set properly, but things still don't
work.
Any other ideas we had for restricting a user just aren't as
thorough as Rsh.
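To make the failure in that transcript reproducible without an AIX system, here is an added shell example (not from the item): a stand-in restricted shell that applies the two rules the item states (no command word containing "/", no assignment to PATH), and a stand-in link step that, like cc and f77 in the transcript, hands "/bin/mv ..." to $SHELL, which is why the refusal is reported by "bsh". The stand-in shell, the scratch file names and the use of /bin/sh in place of the /bin/ksh named in the final answer's wrapper are all my constructions.

```shell
#!/bin/sh
# Stand-in restricted shell: applies the two rules the item states for Rsh
# (no command word containing "/", no assignment to PATH), then defers to
# /bin/sh. Constructed for this example; it is not AIX /bin/Rsh.
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
RSH="$WORK/Rsh"
cat > "$RSH" <<'EOF'
#!/bin/sh
[ "$1" = -c ] || exit 2          # only "Rsh -c 'command line'" is emulated
line=$2
set -- $line                     # first word is the command name
case "$1" in
  */*)    echo "Rsh: $1: restricted" >&2; exit 1 ;;
  PATH=*) echo "Rsh: PATH: restricted" >&2; exit 1 ;;
esac
exec /bin/sh -c "$line"
EOF
chmod +x "$RSH"

# Stand-in for the compiler's link step: write a temporary object, then
# rename it to the requested output by handing "/bin/mv ..." to $SHELL,
# which is where "bsh: /bin/mv: restricted" in the transcript comes from.
fake_driver() {                  # $1 = output file
  tmp="$WORK/bind.tmp"
  echo "object code" > "$tmp"
  "$SHELL" -c "/bin/mv $tmp $1"
}

# Login shell is the restricted one (SHELL=/bin/Rsh in the customer's set output).
link_under_rsh() { ( SHELL=$RSH; fake_driver "$1" ); }

# What the /usr/rbin/cc wrapper's SHELL=/bin/ksh line achieves, with /bin/sh
# standing in for ksh: the driver's mv runs in an unrestricted shell.
link_under_wrapper() { ( SHELL=/bin/sh; fake_driver "$1" ); }

if link_under_rsh "$WORK/a.out"; then
  echo "unexpected: link succeeded under the restricted shell"
else
  echo "restricted login shell: mv refused, no a.out written"
fi
link_under_wrapper "$WORK/a.out" && echo "wrapper shell: a.out written"
```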
---------- ---------- ---------- --------- ---------- ----------
QUESTION:
Please address these quoted questions from the customer:
1) IBM's official position on Rsh is...
2) The customer asks: An Rsh user, who is set up with Rsh as the
initial shell, "cannot compile anything because the C compiler
(/bin/cc) and the XL Fortran compiler have a system call to
"/bin/mv" and the Rsh does not allow execution of full-path-name
commands". Please address a workaround for this if there is one?
Note that the user must be able to compile and debug code on the
machine. This may include using "make".
3) The customer asks: An Rsh user, who has Rsh as the initial shell,
"can still make a shell script whose first line is #!/bin/ksh
and do anything they want... e.g.,
#!/bin/ksh
cd /usr/bin
ls -l yp*
/usr/bin/ypcat passwd
... Why can a user under Rsh fire off a shell like this when he
isn't allowed to type /bin/ksh from the command line?"
---------- ---------- ---------- --------- ---------- ----------
A: IBM officially supports Rsh. Rsh was originally intended as a means
to allow a guest user access to view and execute particular files. It
is not well suited to constrain the activities of a developer who
might need write authority in a particular directory.
However, the following approach was found to work well in producing
a secure environment in which a developer can create and execute 'C'
programs as well as write, but not execute, shell scripts.
1) mkuser guest
2) change guest's initial program to '/usr/bin/Rsh' in '/etc/passwd'
3) change default PATH to '/usr/rbin:.' in '/etc/environment'
4) add the following stanza to '/etc/profile'
if [ $LOGNAME != guest ]
then PATH=<original path>
fi
where <original path> is the original path found in '/etc/environment'.
Change TERM=`termdef` to TERM=`/usr/bin/termdef` in the same file.
5) chmod 777 ~guest
6) mkdir /usr/rbin
7) chmod 711 /usr/rbin
8) link all commands you wish guest to run into the '/usr/rbin'
directory (commands such as 'ls', 'vi', etc.)
For example:
ln -s /usr/bin/vi /usr/rbin/vi
ln -s /usr/bin/ls /usr/rbin/ls
9) Create the file '/usr/rbin/cc'
#!/bin/ksh
SHELL=/bin/ksh
/usr/bin/cc "$@"
10) chmod +x /usr/rbin/cc
The problem with breaking out of Rsh can easily be avoided by simply
not linking the 'chmod' command into the '/usr/rbin' directory.
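Steps 1 through 10 above, as an added shell example that is not part of the item: it builds the /usr/rbin layout of steps 6 to 10 under a scratch prefix (no root needed) and then audits the result the way an administrator should before handing the account over. The scratch prefix, the audit function and the deny list (the answer's chmod plus the shell interpreter names, an assumption of mine) are all constructed here; the wrapper quotes "$@" so that arguments containing spaces survive.

```shell
#!/bin/sh
# Builds the restricted command directory of steps 6-10 under a scratch
# prefix (no root needed) and then audits it. Constructed for this example;
# the /usr/bin targets need not exist for the symlinks to be created.
PREFIX=$(mktemp -d)
RBIN="$PREFIX/usr/rbin"          # stands in for /usr/rbin
ALLOWED="ls vi"                  # step 8's examples
DENY="chmod ksh bsh sh csh"      # chmod per the answer; the shell names are my addition

build_rbin() {
  mkdir -p "$RBIN" && chmod 711 "$RBIN"                       # steps 6, 7
  for c in $ALLOWED; do ln -s "/usr/bin/$c" "$RBIN/$c"; done  # step 8
  cat > "$RBIN/cc" <<'EOF'
#!/bin/ksh
SHELL=/bin/ksh
/usr/bin/cc "$@"
EOF
  chmod +x "$RBIN/cc"                                         # steps 9, 10
}

denied() { for d in $DENY; do [ "$1" = "$d" ] && return 0; done; return 1; }

# Returns 0 if the directory is as the procedure intends, 1 otherwise;
# each finding is printed on its own line. Checks the directory mode, that
# no denied name is present or reachable through a link, and that every
# entry is either an absolute symlink or an executable wrapper script.
audit_rbin() {
  dir=$1; rc=0
  case $(ls -ld "$dir" | cut -c1-10) in
    drwx--x--x) ;;
    *) echo "FAIL: $dir is not mode 711"; rc=1 ;;
  esac
  for entry in "$dir"/*; do
    name=${entry##*/}
    if denied "$name"; then echo "FAIL: $name reachable from $dir"; rc=1; fi
    if [ -L "$entry" ]; then
      target=$(readlink "$entry")
      case $target in /*) ;; *) echo "FAIL: $name has a relative target"; rc=1 ;; esac
      if denied "${target##*/}"; then echo "FAIL: $name resolves to $target"; rc=1; fi
    elif ! [ -x "$entry" ] || ! head -n 1 "$entry" | grep -q '^#!'; then
      echo "FAIL: $name is neither a symlink nor an executable wrapper"; rc=1
    fi
  done
  return $rc
}

build_rbin
audit_rbin "$RBIN" && echo "audit passed: $RBIN"
```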
---------- ---------- ---------- --------- ---------- ----------
This item was created from library item Q673538 CWLDH
Additional search words:
BIN COMPILERS CWLDH DEC94 FORTRAN IX LANGUAGE OZNEW RESTRICTED RISCL
RISCSYSTEM RSH SHELL SOFTWARE UNABLE
WWQA: ITEM: RTA000050189
Dated: 06/1996 Category: RISCL