Security
tif at cpe.UUCP
tif at cpe.UUCP
Tue Sep 27 05:36:00 AEST 1988
Written 2:47 pm Sep 23, 1988 by dasys1.UUCP!jpr in cpe:comp.unix.xenix
>In article <6800030 at cpe> tif at cpe.UUCP writes:
>>Experiment with the environment variable, SHELL. I have a limited
>>login which sets SHELL="". It effectively prevents shell escapes from
>>most programs. You might be satisfied with setting SHELL=rsh.
>
>The rub in that last answer is the "most". The desire would seem to be
>to prevent shell escapes from ALL programs, and 'vi' is a particularly
>nasty culprit properly in that regard: Whatever you set SHELL to, vi
>has its own "sh" parameter, and you can't just tell the users to
>type :set sh=/bin/rsh.
That is not the case on my system. I just tried it to make sure.
I did
SHELL=""
export SHELL
vi
Then from vi, ":sh" didn't work, ":!ls" didn't work, and even "!!ls"
didn't work. I also did ":set all" which said "shell=".
Oops. Come to think of it, you could set shell to anything you want
from within vi (i.e. ":set shell=/bin/sh"). So much for my secure login.
Paul Chamberlain
Computer Product Engineering, Tandy Corp.
{convex,killer}!ninja!cpe!tif
More information about the Comp.unix.xenix
mailing list