Unknown@hplabs.UUCP (04/27/86)
This message is empty.
campbell@maynard (04/28/86)
> A thought on making un-shar'ing safer: > > Obviously making a chroot'd account with a private bin, usr/bin and > usr/ucb (if applicable) would make this much, much safer. One could > also carefully limit the commands (is there any good reason for an > unshar to ever do an 'rm'? you could put 'rm' somewhere else for use > within this account.) ... > -Barry Shein, Boston University This code already exists, I think... "uuhosts" comes with a program called "mapsh" that chroots to a specified directory and then execs an arbitrary program. You just need to pipe the shar archive into a "mapsh /bin/sh". All we need is to standardize on what set of programs need to be available to shar scripts (many sites don't have the disk space to have two copies of everything in /usr/bin, and you *don't* want to use links for obvious reasons). -- Larry Campbell The Boston Software Works, Inc. ARPA: maynard.UUCP:campbell@harvard.ARPA 120 Fulton Street UUCP: {harvard,cbosgd}!wjh12!maynard!campbell Boston MA 02109
levy@ttrdc (05/01/86)
In article <288@maynard.UUCP>, campbell@maynard.UUCP writes: >> Obviously making a chroot'd account with a private bin, usr/bin and >> usr/ucb (if applicable) would make this much, much safer. One could >> also carefully limit the commands (is there any good reason for an >> unshar to ever do an 'rm'? you could put 'rm' somewhere else for use >> within this account.) ... >> -Barry Shein, Boston University >This code already exists, I think... "uuhosts" comes with a program >called "mapsh" that chroots to a specified directory and then execs an >arbitrary program. You just need to pipe the shar archive into a >"mapsh /bin/sh". All we need is to standardize on what set of >programs need to be available to shar scripts (many sites don't have >the disk space to have two copies of everything in /usr/bin, and you >*don't* want to use links for obvious reasons). >Larry Campbell The Boston Software Works, Inc. >ARPA: maynard.UUCP:campbell@harvard.ARPA 120 Fulton Street >UUCP: {harvard,cbosgd}!wjh12!maynard!campbell Boston MA 02109 It's not very obvious to me (why links won't do) unless the shar archive must be run as 'root' or some other account that has the privilege to overwrite the linked executables. -- ------------------------------- Disclaimer: The views contained herein are | dan levy | yvel nad | my own and are not at all those of my em- | an engihacker @ | ployer or the administrator of any computer | at&t computer systems division | upon which I may hack. | skokie, illinois | -------------------------------- Path: ..!{akgua,homxb,ihnp4,ltuxa,mvuxa, vax135}!ttrdc!levy
campbell@maynard.UUCP (Larry Campbell) (05/14/86)
> >> Barry Shein > > me > Dan Levy me again > >> Obviously making a chroot'd account with a private bin, usr/bin and > >> usr/ucb (if applicable) would make this much, much safer. One could > >> also carefully limit the commands (is there any good reason for an > >> unshar to ever do an 'rm'? you could put 'rm' somewhere else for use > >> within this account.) ... > >> -Barry Shein, Boston University > >This code already exists, I think... "uuhosts" comes with a program > >called "mapsh" that chroots to a specified directory and then execs an > >arbitrary program. You just need to pipe the shar archive into a > >"mapsh /bin/sh". All we need is to standardize on what set of > >programs need to be available to shar scripts (many sites don't have > >the disk space to have two copies of everything in /usr/bin, and you > >*don't* want to use links for obvious reasons). > >Larry Campbell The Boston Software Works, Inc. > It's not very obvious to me (why links won't do) unless the shar archive must > be run as 'root' or some other account that has the privilege to overwrite the > linked executables. > | dan levy | yvel nad | my own and are not at all those of my em- You're right, there's no reason not to use links, although on a non-BSD system they might not be possible since they might cross filesystems. -- Larry Campbell The Boston Software Works, Inc. ARPA: maynard.UUCP:campbell@harvard.ARPA 120 Fulton Street UUCP: {harvard,cbosgd}!wjh12!maynard!campbell Boston MA 02109