How to prevent VI from getting a shell?

[John Macdonald]

In article <570 at DIALix.UUCP> bernie at DIALix.oz.au (Bernd Felsche) writes:
|In article <501 at trux.UUCP> car at trux.UUCP (Chris Rende) writes:
|>If I want to give someone access to VI and yet deny them access to a shell,
|>how do I prevent the user from using VI's "<ESC>:!" command?
|>
|>I have an application program which launches VI. I don't want the user to
|>be able to get to a shell from VI. (I also don't want the user to be able
|>to launch other commands from VI. I.e., No :!pwd, or !!sort, etc...).
|
|set SHELL in the environment to something which doest nothing, say
|/bin/true.  vi forks-execs whatever SHELL is defined to be, or the
|shell if undefined.

Sorry, that is insufficient.  A user can just use the vi command
":set SHELL=/bin/sh" to change it to something usable.  The only
way to prevent shell access is to patch vi to prevent it.  A
copy of vi should be used, call it rvi or some such so that it
doesn't get used by trusted users by mistake.  Figuring out what
has to be patched to disable all possible shell invokations is
still a significant effort - and is specific to the particular
machine you are running on - and will be a lot of work to figure
out [easy to do afterward] - and you may still wonder whether you
missed any variants [e.g. read and write have variants to run a
program instead of using a file].  Perhaps a better solution
would be to provide a more limited editor that is easier to check
for any external command capability, if you can find one.
-- 
Algol 60 was an improvment on most           | John Macdonald
of its successors - C.A.R. Hoare             |   jmm at eci386