How to prevent VI from getting a shell?

Dominic Dunlop domo at tsa.co.uk
Wed Sep 19 02:42:30 AEST 1990


In article <501 at trux.UUCP> car at trux.UUCP (Chris Rende) writes:
>If I want to give someone access to VI and yet deny them access to a shell,
>how do I prevent the user from using VI's "<ESC>:!" command?

And several people have said:

1.  Set SHELL=/bin/true in the environment (no good -- can :set shell
    from within vi)

2.  Get public domain vi (like elvis) and hack out the :sh and :! code.

3.  As 2, but hack out code for :r to read and :w to write arbitrary
    files.

This begins to be usefully restrictive (if such a concept can be
entertained), but I'll add the following further points:

4.  Disable :r !command, to run an arbitrary command and
    capture its output in the edit buffer; and :w !command to write all
    or part of edit buffer through an arbitrary command.

5.  Also disable :e and :n (edit arbitrary files), :fi
    (change name of file to which vi will write), and :cd command (where
    it gets written if its name is not a full pathname).

6.  Disable !<multi-line motion>command which passes the lines selected
    by <multi-line motion> through an arbitrary command, and replaces
    them with the output of the command.

While you can't get interactive shells with some of these, you can
easily hand off scripts to shells and do arbitrary things to arbitrary
files.

Bottom line?  You'll have to break vi exceptionally comprehensively to
block all the loopholes.  And, talking of breaking things (did I say
that?):

Incidentally, the IEEE 1003.2 working group, in its User Portability
Extension, is standardizing vi.  The current draft of the proposed
standard specifies a new option, -n, to ``disable or restrict editor
features, so that the vi utility can be used in a more secure manner.
The features affected are the sh and ! commands, which shall be
disabled completely, and all commands taking a pathname as an argument,
for which absolute pathnames and relative pathnames containing a
dot-dot ("..") element shall be disallowed.''

The standardized vi incorporates colon escapes into ex in the
time-honoured manner.  Both vi and ex implement shell-spawning actions
introduced by exclamation points.  The description of ex also calls out
a -n option, with a description identical to that for vi.  In both
cases it appears that the security holes introduced by actions
involving exclamation points have been overlooked.  Damn.  Maybe I
should tell someone.
-- 
Dominic Dunlop
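
Added example, not part of the original post and not code from any vi implementation: a small Python check that applies a literal reading of the draft -n wording quoted above to a list of ex commands and reports which command-spawning forms it would still let through. The command table, the parsing rules and the sample commands are assumptions constructed for illustration.

```python
import re

# Abbreviation -> full name, built from the commands named in the post (assumed table).
COMMANDS = {"sh": "shell", "r": "read", "w": "write", "e": "edit",
            "n": "next", "fi": "file", "cd": "cd"}
PATH_COMMANDS = {"read", "write", "edit", "next", "file", "cd"}

def parse(line):
    """Split an ex command line into (name, argument), skipping any address."""
    m = re.match(r"[\d,.$%]*\s*(!|[a-z]+)\s*(.*)", line.strip().lstrip(":"))
    return (m.group(1), m.group(2).strip()) if m else ("", "")

def canonical(name):
    """Resolve an abbreviation such as 'r' or 'rea' to its full command name."""
    for abbrev, full in COMMANDS.items():
        if name.startswith(abbrev) and full.startswith(name):
            return full
    return name

def draft_n_blocks(line):
    """Literal reading of the quoted -n text: sh and ! are disabled; pathname
    arguments that are absolute or contain a '..' element are disallowed."""
    name, arg = parse(line)
    cmd = canonical(name)
    if name == "!" or cmd == "shell":
        return True
    if cmd in PATH_COMMANDS:
        return arg.startswith("/") or ".." in arg.split("/")
    return False

def spawns_command(line):
    """True for the forms the post lists as running a command via a shell."""
    name, arg = parse(line)
    cmd = canonical(name)
    return name == "!" or cmd == "shell" or (
        cmd in ("read", "write") and arg.startswith("!"))

def gaps(lines):
    """Commands that run a shell command yet pass the literal -n rule."""
    return [l for l in lines if spawns_command(l) and not draft_n_blocks(l)]

# Constructed sample input.
SAMPLE = [":sh", ":!ls", ":r !date", ":w !sort",
          ":e /etc/motd", ":e ../notes", ":e notes.txt"]

if __name__ == "__main__":
    for line in SAMPLE:
        print(f"{line:14} blocked={draft_n_blocks(line)} spawns={spawns_command(line)}")
    print("not covered by -n as worded:", gaps(SAMPLE))
```
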


