rbash

Archaic archaic at indy.rr.com
Fri Jan 23 12:32:51 PST 2004


On Fri, Jan 23, 2004 at 08:48:02AM -0500, Robert Connolly wrote:
> Anything thoughts on using rbash (or rksh) for boot scripts? It would prevent 
> LD_PRELOAD, among other things. Redirecting data needs to be done with dd. 
> And root's bashrc would need to only use /bin and /sbin. rbash doesn't stop 
> anyone from opening another shell within rbash (be it uploaded or whatever) 
> so its not much of a security messure. But it does button up what the scripts 
> can do.

Is rbash to be symlinked to /bin/sh? Is there anything else that might
need /bin/sh that would bark on rbash?

Either way, I don't know enough about it to know if it's worth the cost.
Seems to be script == program. If you don't trust it, dont' run it.
Luckily with a script you can easily see what it does and how.

I'll read up on it this weekend and give a real opinion once I know a
bit more.

-- 
Archaic

Of all tyrannies, a tyranny exercised for the good of its victims may be
the most oppressive. It may be better to live under robber barons than
under omnipotent moral busybodies. The robber baron's cruelty may
sometimes sleep, his cupidity may at some point be satiated; but those
who torment us for our own good will torment us without end, for they do
so with the approval of their consciences.

- C. S. Lewis




More information about the hlfs-dev mailing list