From 646b92e39c7b46b706de364c2d1d22c7849e5036 Mon Sep 17 00:00:00 2001
From: Joe Rayhawk
Date: Wed, 29 Oct 2014 15:17:21 -0700
Subject: pinyadmin: bash -r -> ksh -r because the bash people apparently like to deprecate security features without bothering to tell anyone
---
docs/architecture/needed_admin_infrastructure.mdwn | 2 +-
pinyadmin/bin/pinyhelp | 2 +-
pinyadmin/bin/pinyshell | 2 +-
pinyadmin/debian/control | 2 +-
pinyadmin/doc/pinyshell.latex | 2 +-
5 files changed, 5 insertions(+), 5 deletions(-)
diff --git a/docs/architecture/needed_admin_infrastructure.mdwn b/docs/architecture/needed_admin_infrastructure.mdwn
index 59365c2..f6a3831 100644
--- a/docs/architecture/needed_admin_infrastructure.mdwn
+++ b/docs/architecture/needed_admin_infrastructure.mdwn
@@ -1,6 +1,6 @@
 - DONE: HTTP AUTH from PAM through the magic of mod-auth-pam
 - DONE: HTTP access from /etc/group through the magic of mod-auth-sys-group
-- DONE: Shell security through rbash and privilege escalation security (for mkwiki, mkuser, etc) through sudo
+- DONE: Shell security through a restricted shell and privilege escalation security (for mkwiki, mkuser, etc) through sudo
 - DONE: Guaranteed namespace coherence with the vhosting of cgi, secure, and normal with the aid of a wildcard SSL certificate
 - TODO: Work out how to pass mailing list emails around. Probably either ssh or vserver namespace magic.
 - DONE: manual [[setup file overrides]], /etc/ikiwiki/piny/$reponame.setup.pl, included directly with 'do' before dumping state.
diff --git a/pinyadmin/bin/pinyhelp b/pinyadmin/bin/pinyhelp
index 5e65540..22f27fa 100755
--- a/pinyadmin/bin/pinyhelp
+++ b/pinyadmin/bin/pinyhelp
@@ -1,7 +1,7 @@ #!/bin/sh if [ $SHELL = /usr/bin/pinyshell ]; then - echo "You are in a restricted shell. Along with some safe Bash builtins, you are able to execute the following Piny commands:" + echo "You are in a restricted shell. Along with some safe KornShell builtins, you are able to execute the following Piny commands:" else echo "You are able to execute the following Piny commands:" fi diff --git a/pinyadmin/bin/pinyshell b/pinyadmin/bin/pinyshell index 65adfe1..2cfc3cf 100755 --- a/pinyadmin/bin/pinyshell +++ b/pinyadmin/bin/pinyshell @@ -3,4 +3,4 @@ cd /srv/rbin umask 0022 export PATH=/srv/rbin -exec /bin/rbash "$@" +exec /bin/ksh -r "$@" diff --git a/pinyadmin/debian/control b/pinyadmin/debian/control index b41d5b5..93122fc 100644 --- a/pinyadmin/debian/control +++ b/pinyadmin/debian/control @@ -8,7 +8,7 @@ Standards-version: 3.9.1 Package: pinyadmin Architecture: all -Depends: ${perl:Depends}, ${misc:Depends}, libpiny-perl (>= 0.14), libgetopt-tabular-perl, moreutils +Depends: ${perl:Depends}, ${misc:Depends}, libpiny-perl (>= 0.14), libgetopt-tabular-perl, moreutils, ksh Description: Administrative programs for piny The command-line programs for day-to-day administrative tasks in the Piny infrastructure. diff --git a/pinyadmin/doc/pinyshell.latex b/pinyadmin/doc/pinyshell.latex index 481ddf3..23a7209 100644 --- a/pinyadmin/doc/pinyshell.latex +++ b/pinyadmin/doc/pinyshell.latex @@ -10,7 +10,7 @@ \section{Description} -\Prog{pinyshell} is just another way to invoke \Cmd{1}{rbash}; the separate name is used for accounting purposes within the piny infrastructure. +\Prog{pinyshell} is just another way to invoke \Cmd{1}{ksh -r}; the separate name is used for accounting purposes within the piny infrastructure. Users which should be managed by the Piny infrastructure should have \Prog{pinyshell} as their shell. -- cgit v1.2.3
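Review bot: In pinyadmin/bin/pinyshell the wrapper resets only PATH before `exec /bin/ksh -r "$@"`, so ENV and FPATH reach the restricted shell with whatever values the login environment handed over. The ksh93 manual states that the restricted-mode limits are enforced only after the profile and ENV files have been interpreted, so a startup file named by an inherited ENV would run before the restriction applies. I would add `unset ENV FPATH` directly above the exec, and confirm that the session setup in front of this script (sshd, PAM) cannot pass those variables in. The first two lines of the script are outside the hunk, so this may already be handled there.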
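Review bot: The added `ksh` entry on the Depends line of pinyadmin/debian/control guarantees that a Korn shell is installed, but not which implementation pinyshell ends up running, because the script execs the generic path `/bin/ksh`. As far as I know, that path on Debian is an alternatives-managed link that other Korn-shell packages can also claim, and restricted-mode behaviour is not identical across implementations. Since the restriction is the security boundary here, it would help to exec the intended implementation's own binary in pinyshell, or at least to record next to this dependency which implementation the `-r` behaviour was checked against.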