Session recording

Tom Buskey tom at buskey.name
Mon Mar 31 13:16:57 EDT 2008


On Mon, Mar 31, 2008 at 1:03 PM, Paul Lussier <p.lussier at comcast.net> wrote:

> "Kenny Lussier" <klussier at gmail.com> writes:
>
> > The control characters aren't the only reason that script doesn't work
> > for us. Script will write out to a file, but the lines aren't time
> > stamped, so it's impossible to know when a command was run. Also, the
> > file would need to be writable by the user, which defeats the point of
> > all the logging :-)
> >
> Wow, the lack of creativity here is astounding! :)
>
> /etc/bashrc:
> ...
>  export PS1='[ `date` ]'
> ...
>
>
> If you're going to the extent of limiting them to a single shell, you
> might as well restrict them further by not allowing them to customize
> their own environment and disregarding any ~/.*rc files.
>

I once looked into using the restricted shell on Ultrix/SunOS (and probably
Solaris).
If you ln /bin/sh to rsh (or /bin/ksh to rksh) you get a shell that
disallows editing .profile and the like.  You also can restrict the programs
the user can run.  This is important because anything that lets the user
shell out (vi) will defeat the restricted shell.  And of course, there was a
restricted vi.

Bash has a -r mode for Restricted Shell as well. It's in the manpage at
least.

I concluded it was lots of work to provide security that was not auditable.
I can't imagine it's as easy to do this on Linux as it is (??) with
proprietary systems.  I think some kind of chroot jail would be more secure.
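
The points in the message above (startup files the user can edit, and permitted programs that can shell out) can be checked mechanically. The script below is an added example, not part of the original post: the function name, its uid/home/bin arguments and the list of shell-capable programs are assumptions to adapt per site.

```shell
#!/bin/sh
# Added example: audit a restricted-shell account. All paths are supplied by
# the caller; the program list below is an assumption, not from the post.
ESCAPE_CAPABLE="vi vim view ed ex more less man awk find env sh bash ksh"

# audit_restricted ACCOUNT_UID HOME_DIR BIN_DIR
# Prints one finding per line and returns 1 if there were any.
audit_restricted() {
    uid=$1; home=$2; bin=$3; bad=0

    # Startup files the account owns, or that group/other can write, can be
    # edited to reset PATH and drop the restrictions at the next login.
    for f in .profile .bash_profile .bash_login .bashrc .kshrc; do
        [ -e "$home/$f" ] || continue
        if [ -n "$(find "$home/$f" -prune \( -user "$uid" -o -perm -020 \
                   -o -perm -002 \) -print)" ]; then
            echo "WRITABLE-STARTUP $home/$f"; bad=1
        fi
    done

    # The program directory must not be writable either, or new commands
    # can simply be dropped into it.
    if [ -n "$(find "$bin" -prune \( -user "$uid" -o -perm -020 \
               -o -perm -002 \) -print)" ]; then
        echo "WRITABLE-BINDIR $bin"; bad=1
    fi

    # Flag permitted programs that can shell out. Check the name the user
    # types and the name a symlink resolves to (a renamed link to vi is
    # still vi).
    for p in "$bin"/*; do
        [ -e "$p" ] || continue
        real=$(readlink -f "$p" 2>/dev/null) || real=$p
        for name in "$(basename "$p")" "$(basename "$real")"; do
            case " $ESCAPE_CAPABLE " in
                *" $name "*) echo "SHELL-ESCAPE $p"; bad=1; break ;;
            esac
        done
    done
    return $bad
}
```

A clean result only means these three checks passed; it does not show that the remaining permitted programs are free of other ways to run commands.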