[PATCH] prevent users from changing their environment

Bob Proulx bob at proulx.com
Fri Jul 26 13:29:02 EST 2002


> In our situation chroot isn't a solution. Users are allowed to upload
> and download any files they want -- usually mailboxes, since this is
> a mail server, but that implies that we can't restrict things at that
> point. Secondly, they are allowed to put things in ~/.ssh so that they
> can use public key authentication. The two combined mean that even if
> the chroot were initially restricted, it could be exploited and turned
> into a warez distribution point etc.

I myself would set up something like that differently.  I might allow
them unrestricted upload but I would use filesystem permissions to
keep them from accessing ~/.ssh/ (and other files) so as to protect
anyone from being able to get out of the box they were placed in.

To allow them to be able to place keys into the authorized_keys file I
would create a cgi interface on a web page.  I would scan the uploaded
key for trojans before having the program place it into the final
location of the authorized_keys file.

This way users would be able to add/modify keys and upload/download
files but are otherwise prevented from elevating that to any other
privileges on the machine.  Many will be thinking of Sourceforge which
does something similar.  But your case need not be as extensive as
sourceforge and a simple cgi should suffice.

> We have been using a patch like this for several years, and since I
> think it would be helpful in environments other than ours, and since
> I believe in contributing improvements to software that I use, I
> thought you -- or your users -- might like to benefit from my work.

Hmm...  Please don't take this harshly but as a consumer of this I
dislike your proposed design on philosophical grounds.  It seems the
wrong way to try to add security in the way you are proposing it.  It
is like pushing a string.  It is at the wrong end.

Bob
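The key-placement gateway Bob sketches above (users cannot write ~/.ssh themselves; a cgi checks a submitted key before a privileged helper appends it to authorized_keys), as an added example that is not part of this thread: a Python validator for one submitted public-key line. The allowed key types, the comment character set and the sample key are assumptions.

```python
import base64
import re
import struct

# Hypothetical policy for this mail server: key types the CGI gateway accepts.
ALLOWED_TYPES = {"ssh-ed25519", "ssh-rsa", "ecdsa-sha2-nistp256"}
COMMENT_RE = re.compile(r"[A-Za-z0-9._@+-]{1,64}")

def _ssh_string(blob: bytes) -> bytes:
    """Read the first SSH wire-format string (uint32 big-endian length + bytes)."""
    length = struct.unpack(">I", blob[:4])[0] if len(blob) >= 4 else None
    if length is None or len(blob) < 4 + length:
        raise ValueError("truncated key blob")
    return blob[4:4 + length]

def validate_key_line(line: str) -> str:
    """Return a normalised 'type blob comment' line, or raise ValueError.
    The type must be the first token (so option fields such as command= are
    rejected), the base64 must decode, and the type string embedded in the
    blob must match the declared, allow-listed type."""
    line = line.strip()
    if "\n" in line or "\r" in line:
        raise ValueError("one key per submission")
    parts = line.split()
    if len(parts) not in (2, 3):
        raise ValueError("expected: <type> <base64> [comment]")
    key_type, b64 = parts[0], parts[1]
    if key_type not in ALLOWED_TYPES:
        raise ValueError(f"key type not allowed: {key_type!r}")
    blob = base64.b64decode(b64, validate=True)  # binascii.Error is a ValueError
    if _ssh_string(blob) != key_type.encode():
        raise ValueError("declared type does not match key blob")
    comment = parts[2] if len(parts) == 3 else "uploaded"
    if not COMMENT_RE.fullmatch(comment):
        raise ValueError("comment contains disallowed characters")
    return f"{key_type} {b64} {comment}"

def is_acceptable(line: str) -> bool:
    """Accept/reject wrapper for the CGI handler."""
    try:
        validate_key_line(line)
        return True
    except ValueError:
        return False

def constructed_sample_line() -> str:
    """Constructed sample input, not a real key: an ssh-ed25519 blob wrapping
    a 32-byte all-zero public key, as a user might paste into the web form."""
    blob = struct.pack(">I", 11) + b"ssh-ed25519" + struct.pack(">I", 32) + bytes(32)
    return "ssh-ed25519 " + base64.b64encode(blob).decode() + " alice@example"
```

The returned line is what the root-owned helper would append to the user's authorized_keys; the user's account never needs write access to ~/.ssh.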
