From 8f2a63b936ddf781c5b591d76108b11579485f39 Mon Sep 17 00:00:00 2001
From: Joe Rayhawk
Date: Sun, 23 Sep 2018 00:19:02 -0700
Subject: pinyshell: use zsh and restrict read builtin

Along with rbash careening towards crazytown, rksh has some problematic behavior around HISTFILE creation that forces us to use zsh. We are additionally disabling the "read" builtin for extra safety. Other builtins should maybe also be disabled in the future.
---
 pinyadmin/Makefile | 2 ++
 pinyadmin/bin/pinyshell | 4 +++-
 pinyadmin/debian/control | 2 +-
 pinyadmin/zdotdir/zshenv | 1 +
 4 files changed, 7 insertions(+), 2 deletions(-)
 create mode 100644 pinyadmin/zdotdir/zshenv

diff --git a/pinyadmin/Makefile b/pinyadmin/Makefile
index 2f679e7..d49547c 100644
--- a/pinyadmin/Makefile
+++ b/pinyadmin/Makefile
@@ -6,6 +6,8 @@ install:
 install -o root -g root -m 755 -d $(DESTDIR)/usr/bin $(DESTDIR)/usr/sbin
 install -o root -g root -m 755 bin/* $(DESTDIR)/usr/bin
 install -o root -g root -m 755 sbin/* $(DESTDIR)/usr/sbin
+ mkdir -p $(DESTDIR)/usr/share/piny/zdotdir
+ install -o root -g root -m 755 zdotdir/zshenv $(DESTDIR)/usr/share/piny/zdotdir
 clean:
 rm -rf man
diff --git a/pinyadmin/bin/pinyshell b/pinyadmin/bin/pinyshell
index 2cfc3cf..9a63b14 100755
--- a/pinyadmin/bin/pinyshell
+++ b/pinyadmin/bin/pinyshell
@@ -3,4 +3,6 @@
 cd /srv/rbin
 umask 0022
 export PATH=/srv/rbin
-exec /bin/ksh -r "$@"
+
+export ZDOTDIR=/usr/share/piny/zdotdir
+exec /bin/zsh-static -r "$@"
diff --git a/pinyadmin/debian/control b/pinyadmin/debian/control
index 93122fc..7e2df32 100644
--- a/pinyadmin/debian/control
+++ b/pinyadmin/debian/control
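Review bot: The added `install` line puts the file at `/usr/share/piny/zdotdir/zshenv`, but zsh sources `$ZDOTDIR/.zshenv` (leading dot), so with the `ZDOTDIR` exported in the bin/pinyshell hunk the `disable read` from the zdotdir/zshenv hunk would, going by the visible paths, never be executed. Installing under the dotted name fixes that, and a sourced file needs no execute bit: `install -o root -g root -m 644 zdotdir/zshenv $(DESTDIR)/usr/share/piny/zdotdir/.zshenv`. The `mkdir -p` line also leaves the directory's owner and mode to whoever runs the build and their umask, unlike the `install -d` line above it; `install -o root -g root -m 755 -d $(DESTDIR)/usr/share/piny/zdotdir` keeps the startup directory explicitly root-owned and not group- or world-writable. The `install:` recipe starts outside the hunk.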
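Review bot: The new `export ZDOTDIR=/usr/share/piny/zdotdir` line carries no comment saying why it has to be set before the `exec`, and the reason is security-relevant: zsh enforces the `-r` restrictions only after its startup files have been processed, so those files must come from a root-owned directory and not from the user's home. I would add `# zsh applies -r only after startup files; pin ZDOTDIR to a root-owned dir so no user dotfile runs unrestricted` directly above the export. The script's first lines are outside the hunk, so whether the earlier `cd` is checked for failure cannot be seen from here.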
@@ -8,7 +8,7 @@ Standards-version: 3.9.1
 Package: pinyadmin
 Architecture: all
-Depends: ${perl:Depends}, ${misc:Depends}, libpiny-perl (>= 0.14), libgetopt-tabular-perl, moreutils, ksh
+Depends: ${perl:Depends}, ${misc:Depends}, libpiny-perl (>= 0.14), libgetopt-tabular-perl, moreutils, zsh-static
 Description: Administrative programs for piny
 The command-line programs for day-to-day administrative tasks in the Piny infrastructure.
diff --git a/pinyadmin/zdotdir/zshenv b/pinyadmin/zdotdir/zshenv
new file mode 100644
index 0000000..a8924af
--- /dev/null
+++ b/pinyadmin/zdotdir/zshenv
@@ -0,0 +1 @@
+disable read
--
cgit v1.2.3
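Review bot: `disable read` on its own does not look permanent for the session, because zsh's `enable` builtin reverses `disable` and, to my knowledge, restricted mode does not block it. Disabling both on the same line, `disable read enable`, would make the restriction stick; this is worth confirming against the packaged zsh-static. The file would also benefit from a one-line comment stating that it is the startup file for pinyshell's restricted zsh and that every builtin listed here is deliberately unavailable to users, since the commit message expects the list to grow.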