Thursday, May 28, 2009

How to Implement Restricted Shell

If you want to stop your users from running wild on your system, you may want to consider giving them a restricted shell such as /usr/lib/rsh or /bin/rksh.

According to the man page of /usr/lib/rsh, the actions of rsh are identical to those of sh, except that the following are disallowed:

  • changing directory
  • setting the value of $PATH
  • specifying path or command names containing /
  • redirecting output (> and >>)

According to the man page of /bin/rksh, the actions of rksh are identical to those of ksh, except that the following are disallowed:

  • changing directory
  • setting the value of SHELL, ENV, or PATH
  • specifying path or command names containing /
  • redirecting output (>, >|, <>, and >>)
  • changing group

Let's start to see how restrictive it can be:

# PATH=/some/dir/do/not/exist /bin/rksh

# ls
/bin/rksh: ls:  not found

# cd /
/bin/rksh: cd: restricted

# /usr/bin/ls
/bin/rksh: /usr/bin/ls: restricted

# echo $PATH

# ../../../usr/bin/ls
/bin/rksh: ../../../usr/bin/ls: restricted

# pwd

# echo abc

As you can see, your search PATH does not exist and therefore you have no access to any of the binaries. You also cannot run anything by absolute or relative path. The only commands you can run are builtins like echo and pwd. That is far too restrictive. To limit users to a subset of commands instead, we create a /rbin directory and copy (or hard link) into it only the binaries that are absolutely required. In this demo, I provide only ls, vi, more and grep.

# mkdir /rbin

# for i in ls vi more grep; do ln /usr/bin/$i /rbin/.; done

# PATH=/rbin /bin/rksh

# ls /var/adm
acct        log         messages.2  sm.bin      utmpx
aculog      messages    messages.3  spellhist   vold.log
exacct      messages.0  pool        streams     wtmpx
lastlog     messages.1  sa          sulog

# more /etc/release
                        Solaris 10 1/06 s10x_u1wos_19a X86
           Copyright 2005 Sun Microsystems, Inc.  All Rights Reserved.
                        Use is subject to license terms.
                           Assembled 07 December 2005

# grep Solaris /etc/release
                        Solaris 10 1/06 s10x_u1wos_19a X86

# date
/bin/rksh: date:  not found

I am sure you feel pretty convinced that you are really in control of what your users can and cannot run. Now all you have to do is set their login shell to /bin/rksh and ensure /etc/profile sets PATH to the restricted directory (/rbin).
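As an added example (not from the original post), here is a POSIX sh script that populates the restricted directory the way the post describes and models the three outcomes seen in the session above: runs, "not found", and "restricted". It assumes the commands are taken from /usr/bin (overridable with RBIN_SRC) and falls back to cp when a hard link across filesystems is not possible.

```sh
#!/bin/sh
# Added example, not from the original post: build a restricted bin
# directory and model how rksh resolves a command word when PATH points
# only at that directory. Source directory is an assumption (default /usr/bin).
RBIN_SRC=${RBIN_SRC:-/usr/bin}

# setup_rbin DIR CMD... : hard-link each command into DIR (cp if the
# link fails, e.g. across filesystems). Names containing '/' are
# rejected so only plain names from $RBIN_SRC can be placed there.
# Note: rksh restricts the shell only, so check that nothing placed
# here can itself launch other programs.
setup_rbin() {
    rbin=$1; shift
    mkdir -p "$rbin" || return 1
    for cmd in "$@"; do
        case $cmd in */*) echo "bad name: $cmd" >&2; return 1 ;; esac
        src=$RBIN_SRC/$cmd
        [ -x "$src" ] || { echo "missing: $src" >&2; return 1; }
        ln "$src" "$rbin/$cmd" 2>/dev/null || cp "$src" "$rbin/$cmd" || return 1
    done
}

# rksh_lookup DIR WORD : the rules from the rksh man page for one command
# word. Exit 2 = "restricted" (name contains '/'), 1 = "not found"
# (not present in DIR), 0 = would run from DIR.
rksh_lookup() {
    rbin=$1; word=$2
    case $word in
        */*) return 2 ;;
    esac
    [ -x "$rbin/$word" ] && return 0
    return 1
}

# Demo mirroring the session in the post (needs write access to /rbin):
# setup_rbin /rbin ls vi more grep
# rksh_lookup /rbin ls; echo $?            # 0
# rksh_lookup /rbin /usr/bin/ls; echo $?   # 2, restricted
# rksh_lookup /rbin date; echo $?          # 1, not found
```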


OpenSolaris CommunityOne West Presentation Material

Saturday, May 23, 2009

Highlight Those Files With Space, Backslash or Non-Printable Characters

In UNIX, if a filename contains a space, a backslash or non-printable characters, you may have issues with applications that are not aware of such characters. Recently I realised that Netbackup fails to back up files whose filename ends with a space. Space is not a non-printable character, so such files are hard to spot in a plain ls listing.

ls has a -b flag that prints non-printable characters in octal \ddd notation, and with -R it lists subdirectories recursively, so ls -R -b shows every file name containing non-printable characters with a \ddd octal string. Together with the -1 (minus one) option, which prints one entry per line, the output of ls -1Rb can be piped to an egrep regular expression to single out the problematic filenames: ls -1Rb | egrep '\\[0-7][0-7][0-7]|[\\ ]' grabs filenames containing a \ddd octal escape, a backslash or a space.

You can even give those special characters some colour, which I blogged about before. Here is the script that highlights these characters. ^[ means "Escape", and you need to type Ctrl-V followed by Esc to get that.

#! /bin/sh

# List every entry under the given directory (default .) with its full
# path, pick out names containing \ddd octal escapes, backslashes or
# spaces, and highlight the offending characters.
ls -1Rb ${1:-.} | \
nawk '
# "dir:" header lines printed by ls -R: remember the directory
/:$/ { dir = substr($0, 1, length($0) - 1); next }
# every other non-empty line is an entry in that directory
$0 != "" { print dir "/" $0 }
' | \
egrep '\\[0-7][0-7][0-7]|[\\ ]' | \
sed '
# non-printable character in octal \ddd (red background)
s/\(\\[0-7][0-7][0-7]\)/^[[41m\1^[[0m/g

# backslash but not \ddd in octal (yellow background); done before the
# space rule so an escaped space (\ ) is still handled as one unit
s/\(\\[^0-7]\)/^[[43m\1^[[0m/g

# space (green background)
s/\([ ]\)/^[[42m\1^[[0m/g
'

Sunday, May 17, 2009

WolframAlpha, a new kind of search

Wolfram Research, the developer of Mathematica, has just launched WolframAlpha (Computational Knowledge Engine).

If you want to find out what it can do, watch this introduction. I am sure you will be impressed.

You can even find out the details of genome sequence ( AAGCTAGCTAGC ) or plot this function ( plot sin(x*x+y*y) ):

Wednesday, May 13, 2009


Today, I received this from my 'the other email':
Once upon a time, a very strong woodcutter asked for a job at a timber merchant's, and he got it. The pay was really good and so were the working conditions. For that reason, the woodcutter was determined to do his best.

His boss gave him an axe and showed him the area where he was supposed to work.

The first day, the woodcutter brought down 18 trees.

"Congratulations," the boss said. "Go on that way!"

Very motivated by the boss's words, the woodcutter tried harder the next day, but he could only bring down 15 trees. The third day he tried even harder, but he could only cut 10 trees. Day after day he was bringing down fewer and fewer trees.

"I must be losing my strength", the woodcutter thought. He went to the boss and apologized, saying that he could not understand what was going on.

"When was the last time you sharpened your axe?" the boss asked.

"Sharpen my axe? I have no time to sharpen my axe, I have been very busy trying to cut trees..."

From Stephen Covey, 7 Habits of Highly Effective People:
  • Habit 1: Be Proactive: Principles of Personal Choice
  • Habit 2: Begin with the End in Mind: Principles of Personal Vision
  • Habit 3: Put First Things First: Principles of Integrity & Execution
  • Habit 4: Think Win/Win: Principles of Mutual Benefit
  • Habit 5: Seek First to Understand, Then to be Understood: Principles of Mutual Understanding
  • Habit 6: Synergize: Principles of Creative Cooperation
  • Habit 7: Sharpen the Saw: Principles of Balanced Self-Renewal


Which Process Deleted My File?

Ever asked this question before: "Which process deleted my file?" In Solaris 10, you can rely on DTrace to figure that out. A simple one-liner is all you need.

# dtrace -qn 'syscall::unlink:entry {printf("PID=%d, CMD=%s, FILE=%s\n", pid, curpsinfo->pr_psargs, copyinstr(arg0));}'
PID=26993, CMD=/usr/sbin/cron, FILE=/tmp/croutTKG5dKjU0
PID=26993, CMD=/usr/sbin/cron, FILE=/tmp/croutUKG6dKjU0
PID=13668, CMD=/usr/bin/mail chihung, FILE=/var/tmp/mail5iaGSA
PID=10389, CMD=/usr/sbin/cron, FILE=/tmp/croutLIEDWaOsu
PID=13669, CMD=/usr/lib/sendmail -oi -- chihung, FILE=./xfn4DCU0Ua013669
PID=26993, CMD=/usr/sbin/cron, FILE=/tmp/croutVKG7dKjU0
PID=13678, CMD=/usr/bin/mail chihung, FILE=/var/tmp/mailq0aWTA
PID=13679, CMD=/usr/lib/sendmail -oi -- chihung, FILE=./xfn4DCV0BF013679
PID=26993, CMD=/usr/sbin/cron, FILE=/tmp/croutWKG8dKjU0
PID=13689, CMD=/usr/bin/mail chihung, FILE=/var/tmp/mailtFaiVA
PID=13690, CMD=/usr/lib/sendmail -oi -- chihung, FILE=./xfn4DCW0qf013690

In UNIX, the system call that deletes (removes) a file is unlink, and you can see that the path of the file to be deleted is the only parameter passed to it. That is why we dereference the pointer with copyinstr(arg0).

# man -s 2 unlink
System Calls                                            unlink(2)

     unlink, unlinkat - remove directory entry


     int unlink(const char *path);

     int unlinkat(int dirfd, const char *path, int flag);

     The unlink() function removes a link  to  a  file.  If  path
     names  a  symbolic  link, unlink() removes the symbolic link
     named by path and does not  affect  any  file  or  directory
     named by the contents of the symbolic link.
     Otherwise, unlink() removes the link named by the  pathname
     pointed to by path and decrements the link count of the file
     referenced by the link.

Want to learn DTrace? Here is some tutorial material I gathered from the web:

You may also want to download the DTraceToolkit to see how powerful DTrace is.
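As an added example (not from the original post), this sh script extends the one-liner to cover unlinkat(2) as well, stamps each record with the time and the uid of the deleting process, and answers "which process deleted that file?" from a saved log afterwards. It assumes dtrace(1M) with the syscall provider, as on Solaris 10; the sample records are copied from the post's own output.

```sh
#!/bin/sh
# Added example, not from the original post: trace unlink(2) and
# unlinkat(2) together with time and uid, and query the saved log later.
# Assumes dtrace(1M) with the syscall provider, as on Solaris 10.

DPROG='
syscall::unlink:entry
{
    printf("TIME=%Y, UID=%d, PID=%d, CMD=%s, FILE=%s\n",
        walltimestamp, uid, pid, curpsinfo->pr_psargs, copyinstr(arg0));
}
syscall::unlinkat:entry
{
    /* arg1 is the path; a relative path is resolved against the
       directory open on file descriptor arg0 */
    printf("TIME=%Y, UID=%d, PID=%d, CMD=%s, DIRFD=%d, FILE=%s\n",
        walltimestamp, uid, pid, curpsinfo->pr_psargs, arg0, copyinstr(arg1));
}
'

# trace_unlinks [LOGFILE] : run the tracer until Ctrl-C, echoing and saving.
trace_unlinks() {
    dtrace -qn "$DPROG" | tee -a "${1:-/var/tmp/unlink.log}"
}

# who_deleted PREFIX : read records (the one-liner's format or the one
# above) on stdin and print those whose FILE= value starts with PREFIX.
who_deleted() {
    awk -F', ' -v pat="$1" '{
        file = ""
        for (i = 1; i <= NF; i++)
            if (substr($i, 1, 5) == "FILE=") file = substr($i, 6)
        if (index(file, pat) == 1) print
    }'
}

# Constructed sample: three records copied from the post's output.
SAMPLE_LOG='PID=26993, CMD=/usr/sbin/cron, FILE=/tmp/croutTKG5dKjU0
PID=13668, CMD=/usr/bin/mail chihung, FILE=/var/tmp/mail5iaGSA
PID=13669, CMD=/usr/lib/sendmail -oi -- chihung, FILE=./xfn4DCU0Ua013669'

# count_deleted PREFIX : number of matching records in SAMPLE_LOG.
count_deleted() {
    printf '%s\n' "$SAMPLE_LOG" | who_deleted "$1" | wc -l | tr -d ' '
}
# count_deleted /var/tmp/  → 1
```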
