Re: [Lynx-dev] forbid local file browsing?
From: Craig Skinner
Subject: Re: [Lynx-dev] forbid local file browsing?
Date: Mon, 8 Jan 2007 20:05:34 +0000
User-agent: Mutt/1.5.12-2006-07-14
On Sun, Jan 07, 2007 at 05:05:40PM -0500, Stef Caunter wrote:
> Was going to say, even if the alias worked there would be too many ways to
> get around it, so a recompile (check ./configure --help|more) is the way to
> go.
Thanks, I'll look into this.
>
> It's not particularly on topic, but chrooting users is the preferred way to
> restrict access to the file system.
Yes. I was hoping to be able to restrict the shell enough without having
to set up a chroot environment. Truth be told, I'd probably set up a
single use, passwordless PII box and give more liberal access than I
have done so at the moment for testing, without it becoming a garbage
spewing pest. Another box is more secure than locking down one account
on a general purpose box.
>
> I believe the options to build lynx without file
> system browsing or jumping out to a shell were for public access systems
> where lynx was a raison d'etre; others will have personal recollections.
>
> Does your system just provide lynx, or is it a regular shell access box?
Commands are only (at the mo):
cidr
dig
dlint
dnstracer
drill
host
less
lynx
man
nslookup
nsping
ping
telnet
traceroute
whois
The packet filter blocks all access, even to the localhost, apart from
icmp, udp/tcp dns, tcp port 25, 43 & 80.
>
> The /etc/passwd file is a userlist that has to be readable for anything to
> work properly; your users are going to see it from the shell without other
> measures, but it probably doesn't matter.
>
Readable by the login process, but not readable by the user once logged
in, e.g.:
<net-test.kepax.co.uk>$ ls
rksh: ls: not found
<net-test.kepax.co.uk>$ echo *
<net-test.kepax.co.uk>$ echo /*
<net-test.kepax.co.uk>$ print *
<net-test.kepax.co.uk>$ print /etc/*
<net-test.kepax.co.uk>$ cat .profile
rksh: cat: not found
<net-test.kepax.co.uk>$ less /etc/passwd
Missing filename ("less --help" for help)
rksh: /etc/passwd: restricted
<net-test.kepax.co.uk>$ pwd
<net-test.kepax.co.uk>$ uptime
rksh: uptime: not found
<net-test.kepax.co.uk>$ w
rksh: w: not found
<net-test.kepax.co.uk>$ fgrep root /etc/passwd
rksh: fgrep: not found
<net-test.kepax.co.uk>$
OpenBSD lets me do some funky items without using chroot. Try it:
$ ssh address@hidden
The temporary password is >HodUptib3
I'm thinking of this account as like a dnsstuff.com public access shell
account for testing your network from a remote ip. Still to get ironed
out before I throw up a wee web page for it.
Just playing about for the noo.
OpenBSD comes with lynx in base, so I thought it would be neat to allow
users to do an offsite check of their sites, outside of any ISP/colo
firewalls/proxies/wotnot.