Re: [Lynx-dev] forbid local file browsing?

From: Craig Skinner
Subject: Re: [Lynx-dev] forbid local file browsing?
Date: Mon, 8 Jan 2007 20:05:34 +0000
User-agent: Mutt/1.5.12-2006-07-14

On Sun, Jan 07, 2007 at 05:05:40PM -0500, Stef Caunter wrote:
> Was going to say, even if the alias worked there would be too many ways to 
> get around it, so a recompile (check ./configure --help|more) is the way to 
> go.

Thanks, I'll look into this.

> It's not particularly on topic, but chrooting users is the preferred way to 
> restrict access to the file system.

Yes. I was hoping to be able to restrict the shell enough without having
to set up a chroot environment. Truth be told, I'd probably set up a
single use, passwordless PII box and give more liberal access than I
have done so at the moment for testing, without it becoming a garbage
spewing pest. Another box is more secure than locking down one account
on a general purpose box.

> I believe the options to build lynx without file 
> system browsing or jumping out to a shell were for public access systems 
> where lynx was a raison d'etre; others will have personal recollections.
> Does your system just provide lynx, or is it a regular shell access box?

Commands are only (at the mo):


The packet filter blocks all access, even to the localhost, apart from
icmp, udp/tcp dns, tcp port 25, 43 & 80.

> The /etc/passwd file is a userlist that has to be readable for anything to 
> work properly; your users are going to see it from the shell without other 
> measures, but it probably doesn't matter.

Readable by the login process, but not readable by the user once logged
in. eg:

<>$ ls
rksh: ls: not found
<>$ echo *
<>$ echo /*
<>$ print *
<>$ print /etc/*
<>$ cat .profile
rksh: cat: not found
<>$ less /etc/passwd
Missing filename ("less --help" for help)
rksh: /etc/passwd: restricted
<>$ pwd
<>$ uptime
rksh: uptime: not found
<>$ w
rksh: w: not found
<>$ fgrep root /etc/passwd
rksh: fgrep: not found

OpenBSD lets me do some funky items without using chroot. Try it:

$ ssh address@hidden

The temporary password is >HodUptib3

I'm thinking of this account as like a public access shell
account for testing your network from a remote ip. Still to get ironed
out before I throw up a wee web page for it.

Just playing about for the noo.

OpenBSD comes with lynx in base, so I thought it would be neat to allow
users to do an offsite check of their sites, outside of any ISP/colo
