Iron Bars SHell, or short ibsh is my first attempt to
create a restricted working environment for Linux/Unix. I'm sure
that many system administrators wish or have wished for a way to lock
some/all users into a safe dungeon, where they can only do harm to their
own files. Even more important is the protection against users reading
sensitive files, for example the /etc/passwd file, which is accessible
for any person with an unrestricted shell. But many system files may be listed here.
Users could easily gain information, that could help malicious hackers to compromise
the system, the network, the company.
Many attempts have already been made to fix this problem. Menu-based and other
interactive shells have been created, but they were not able to completely
satisfy worried system administrators. The amount of documents available at
various security sites about how to bypass restrictions, how to hack through these
shells and gain full access, shows, that ANY experienced Linux user is able to
cause big problems.
I don't say, that IBSH is the ultimate restricted shell, the final frontier, the
only tool you'll ever need, absolutely bugfree and secure. It is also obvious,
that one software is not enough to grant security. But i try to create a system here
objectively, without thinking that whoever will use it is incompetent,
without leaving any hole unfixed, without leaving any chance to anybody to abuse
a bug. Bugs in the software are not as dangerous as bugs in the planning, in the
thinking, in the design. And this is only the first step. A big step nonetheless.
To create a functional, workable environment, additional tools are needed.
Text editors, mail clients, browsers, etc. All posing huge threats, all easily
abusable, and all already abused a number of times to bypass restrictions.
So, while i continue developing the main project, ibsh, i will also try to create
restricted tools or restricted tool environments.
These will allow users to actually use the shell account for
something sensible.
|