Commit c08dbcf9 authored by Robert Ricci's avatar Robert Ricci

Be more paranoid about environment variables - nuke 'em all,

except for a few that we consider to be 'safe'.

Also, fixed a message to use @USERNODE@ instead of hardcoding to
ops.emulab.net .
parent b121ac2d
......@@ -21,6 +21,7 @@
# Configure variables
#
my $TB = "@prefix@";
my $USERNODE = "@USERNODE@";
# List of allowed commands - Mapping is from command entered by the user
# to the actual binary to run
......@@ -42,17 +43,28 @@ my $TB = "@prefix@";
"endexp" => "$TB/bin/endexp",
);
#
# Scrub the environment - delete all but a few variables we consider to be
# safe.
#
my %SAFE_ENV_VARS = (LOGNAME => 1, TERM => 1, SHELL => 1, HOME => 1, USER => 1,
SSH_CLIENT => 1, SSH_CONNECTION => 1, SSH_AUTH_SOCK => 1, SSH_TTY => 1);
foreach my $var (keys %ENV) {
if (!$SAFE_ENV_VARS{$var}) {
delete $ENV{$var};
}
}
# Need to provide a simple path, because some scripts we call need one
$ENV{PATH} = "$TB/bin:/bin:/usr/bin:/usr/local/bin";
# Clean the environment of potentially nasty variables
delete @ENV{qw(IFS CDPATH ENV BASH_ENV)};
$prompt = "paperbag> "; # Prompt for interactive commands
# Following message gets displayed to interactive users
$message = "This is a restricted shell, and will only allow you to run
a limited set of commands. For an unrestrictive shell, log into
ops.emulab.net\n";
$USERNODE\n";
# Whether or not to allow interactive sessions
$allow_interactive = 0;
......
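Review bot: The allowlist loop keeps LOGNAME, TERM, SHELL, HOME, USER and the SSH_* variables by name only, so whatever values they arrived with are handed unchanged to every allowed command; TERM in particular is normally supplied by the connecting client. Consider checking the kept values against a conservative pattern, for example `delete $ENV{TERM} unless defined $ENV{TERM} && $ENV{TERM} =~ /\A[\w.+-]+\z/;`, and adding a comment on why SSH_AUTH_SOCK has to reach the child commands. With the loop in place, the later `delete @ENV{qw(IFS CDPATH ENV BASH_ENV)};` can no longer remove anything, since none of those names are in %SAFE_ENV_VARS; it could be dropped, or its comment changed to say it is kept as a backstop. The hunk starts inside the command map and the script continues past its last line.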
......@@ -21,6 +21,7 @@
# Configure variables
#
my $TB = "@prefix@";
my $USERNODE = "@USERNODE@";
# List of allowed commands - Mapping is from command entered by the user
# to the actual binary to run
......@@ -42,17 +43,28 @@ my $TB = "@prefix@";
"endexp" => "$TB/bin/endexp",
);
#
# Scrub the environment - delete all but a few variables we consider to be
# safe.
#
my %SAFE_ENV_VARS = (LOGNAME => 1, TERM => 1, SHELL => 1, HOME => 1, USER => 1,
SSH_CLIENT => 1, SSH_CONNECTION => 1, SSH_AUTH_SOCK => 1, SSH_TTY => 1);
foreach my $var (keys %ENV) {
if (!$SAFE_ENV_VARS{$var}) {
delete $ENV{$var};
}
}
# Need to provide a simple path, because some scripts we call need one
$ENV{PATH} = "$TB/bin:/bin:/usr/bin:/usr/local/bin";
# Clean the environment of potentially nasty variables
delete @ENV{qw(IFS CDPATH ENV BASH_ENV)};
$prompt = "paperbag> "; # Prompt for interactive commands
# Following message gets displayed to interactive users
$message = "This is a restricted shell, and will only allow you to run
a limited set of commands. For an unrestrictive shell, log into
ops.emulab.net\n";
$USERNODE\n";
# Whether or not to allow interactive sessions
$allow_interactive = 0;
......