author Joe Rayhawk <jrayhawk@omgwallhack.org> 2014-10-29 15:17:21 -0700
committer Joe Rayhawk <jrayhawk@omgwallhack.org> 2014-10-29 15:17:21 -0700
commit 646b92e39c7b46b706de364c2d1d22c7849e5036
tree 1b3d770599a24b72b2c4052731e9fdc2b6e5c12c
parent 77d61b6bdc1db054206d1341c20587794fb3c0e1
pinyadmin: bash -r -> ksh -r because the bash people apparently like to deprecate security features without bothering to tell anyone
-rw-r--r-- docs/architecture/needed_admin_infrastructure.mdwn | 2
-rwxr-xr-x pinyadmin/bin/pinyhelp | 2
-rwxr-xr-x pinyadmin/bin/pinyshell | 2
-rw-r--r-- pinyadmin/debian/control | 2
-rw-r--r-- pinyadmin/doc/pinyshell.latex | 2
5 files changed, 5 insertions, 5 deletions
diff --git a/docs/architecture/needed_admin_infrastructure.mdwn b/docs/architecture/needed_admin_infrastructure.mdwn
index 59365c2..f6a3831 100644
--- a/docs/architecture/needed_admin_infrastructure.mdwn
+++ b/docs/architecture/needed_admin_infrastructure.mdwn
@@ -1,6 +1,6 @@
- DONE: HTTP AUTH from PAM through the magic of mod-auth-pam
- DONE: HTTP access from /etc/group through the magic of mod-auth-sys-group
-- DONE: Shell security through rbash and privilege escalation security (for mkwiki, mkuser, etc) through sudo
+- DONE: Shell security through a restricted shell and privilege escalation security (for mkwiki, mkuser, etc) through sudo
- DONE: Guaranteed namespace coherence with the vhosting of cgi, secure, and normal with the aid of a wildcard SSL certificate
- TODO: Work out how to pass mailing list emails around. Probably either ssh or vserver namespace magic.
- DONE: manual [[setup file overrides]], /etc/ikiwiki/piny/$reponame.setup.pl, included directly with 'do' before dumping state.
diff --git a/pinyadmin/bin/pinyhelp b/pinyadmin/bin/pinyhelp
index 5e65540..22f27fa 100755
--- a/pinyadmin/bin/pinyhelp
+++ b/pinyadmin/bin/pinyhelp
@@ -1,7 +1,7 @@
#!/bin/sh
if [ $SHELL = /usr/bin/pinyshell ]; then
- echo "You are in a restricted shell. Along with some safe Bash builtins, you are able to execute the following Piny commands:"
+ echo "You are in a restricted shell. Along with some safe KornShell builtins, you are able to execute the following Piny commands:"
else
echo "You are able to execute the following Piny commands:"
fi
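Review bot: the test on the unchanged line `if [ $SHELL = /usr/bin/pinyshell ]; then` leaves `$SHELL` unquoted, so an empty or unset SHELL makes `[` fail with a syntax error and the script drops into the else branch with noise on stderr. Since this file is being touched anyway, quote it: `[ "$SHELL" = /usr/bin/pinyshell ]`. Separately, the new message promises "safe KornShell builtins"; ksh and bash do not ship the same builtins, so the wording is worth checking against what `ksh -r` actually exposes to these users.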
diff --git a/pinyadmin/bin/pinyshell b/pinyadmin/bin/pinyshell
index 65adfe1..2cfc3cf 100755
--- a/pinyadmin/bin/pinyshell
+++ b/pinyadmin/bin/pinyshell
@@ -3,4 +3,4 @@ cd /srv/rbin
umask 0022
export PATH=/srv/rbin
-exec /bin/rbash "$@"
+exec /bin/ksh -r "$@"
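Review bot: on the new `exec /bin/ksh -r "$@"` line, the wrapper pins PATH and umask, but the visible lines do not clear ENV. ksh expands ENV and sources the named file when it starts interactively, and restricted mode is only enforced after the startup files have been processed, so an ENV value inherited from the login environment would be read before the restrictions apply. Unless that is handled elsewhere, add `unset ENV` before the exec. The swap also changes which implementation enforces the restrictions, so the behaviours the deployment relied on under rbash (no `cd`, no `/` in command names, no output redirection, read-only PATH) deserve a regression check under `ksh -r`.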
diff --git a/pinyadmin/debian/control b/pinyadmin/debian/control
index b41d5b5..93122fc 100644
--- a/pinyadmin/debian/control
+++ b/pinyadmin/debian/control
@@ -8,7 +8,7 @@ Standards-version: 3.9.1
Package: pinyadmin
Architecture: all
-Depends: ${perl:Depends}, ${misc:Depends}, libpiny-perl (>= 0.14), libgetopt-tabular-perl, moreutils
+Depends: ${perl:Depends}, ${misc:Depends}, libpiny-perl (>= 0.14), libgetopt-tabular-perl, moreutils, ksh
Description: Administrative programs for piny
The command-line programs for day-to-day administrative tasks in the Piny
infrastructure.
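Review bot: the `ksh` entry added to the Depends line is unversioned and names a package, while pinyshell execs the fixed path `/bin/ksh`. Confirm that whatever satisfies this dependency installs a shell at exactly that path and that it supports `-r`; otherwise every account with pinyshell as its login shell fails at exec time. If more than one package can satisfy `ksh`, consider depending on the specific implementation that was tested.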
diff --git a/pinyadmin/doc/pinyshell.latex b/pinyadmin/doc/pinyshell.latex
index 481ddf3..23a7209 100644
--- a/pinyadmin/doc/pinyshell.latex
+++ b/pinyadmin/doc/pinyshell.latex
@@ -10,7 +10,7 @@
\section{Description}
-\Prog{pinyshell} is just another way to invoke \Cmd{1}{rbash}; the separate name is used for accounting purposes within the piny infrastructure.
+\Prog{pinyshell} is just another way to invoke \Cmd{1}{ksh -r}; the separate name is used for accounting purposes within the piny infrastructure.
Users which should be managed by the Piny infrastructure should have \Prog{pinyshell} as their shell.
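Review bot: in the changed Description sentence, `\Cmd{1}{ksh -r}` puts an option inside what looks like a manual-page reference (section, then name), where the old value `rbash` was a bare command name. If \Cmd renders the name and section together, this will come out as a reference to a page called "ksh -r"; consider `\Cmd{1}{ksh}` with the `-r` option mentioned in the surrounding prose. The page could also say that the restrictions are those of restricted ksh, since readers will no longer find them documented under rbash.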