"special" shells a security hole?

decot at hpisod2.UUCP
Tue Feb 3 09:40:58 AEST 1987


> I've just been trying to decide whether to password some accounts on our
> system that run special programs instead of a normal shell.  If a program,
> e.g. a bulletin-board system, does not allow shell escapes, is it relatively
> secure even if it doesn't run in a chroot'd environment?

As long as it doesn't run such programs as more(1) or ex(1), either, since
they can be used to get someplace where a shell escape is available.  A
bulletin board system is rather clumsy without a text editor, but it is
currently impossible to tell more(1) or vi(1) to disallow shell escapes.

In general, the fewer outside programs the application permits the user
to use, the more secure such applications are.

Dave Decot
hpda!decot
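
An added example, not part of the original post: a small audit that lists accounts whose login program is not a normal shell, shows whether each has a password, and flags login programs the post names as offering a shell escape (more, ex, vi). The passwd entries, the list of normal shells and the status labels are all constructed for illustration, and the classic layout with the password hash in field 2 is assumed.

```shell
#!/bin/sh
# Constructed sample in passwd format: name:password:uid:gid:gecos:home:shell
# (every entry and hash below is made up for this example).
sample_passwd() {
cat <<'EOF'
root:Xq1aBcDeFgHiJ:0:0:Super User:/:/bin/sh
dave:Yz2kLmNoPqRsT:101:20:Dave:/users/dave:/bin/csh
bbs::200:50:Bulletin board:/usr/bbs:/usr/bbs/bin/bbs
news::201:50:Read the news:/usr/news:/usr/bin/more
help:Ab3uVwXyZaBcD:202:50:Help viewer:/usr/help:/usr/bin/vi
EOF
}

# audit_captive_accounts NORMAL_SHELLS
# Reads passwd-format lines on stdin and prints one line per account whose
# login program is not in the space-separated NORMAL_SHELLS list:
#   name  program  password-status  escape-status
# An empty shell field means the default shell, so it is not reported.
audit_captive_accounts() {
    awk -F: -v shells="$1" '
    BEGIN {
        n = split(shells, s, " ")
        for (i = 1; i <= n; i++) normal[s[i]] = 1
        # Programs named in the post as a route to a shell escape.
        risky["more"] = risky["ex"] = risky["vi"] = 1
    }
    NF >= 7 && $7 != "" && !($7 in normal) {
        m = split($7, parts, "/")
        base = parts[m]
        pw  = ($2 == "") ? "no-password" : "password-set"
        # "review-helpers": not itself on the list, but the outside
        # programs it lets the user run still need checking by hand.
        esc = (base in risky) ? "shell-escape-capable" : "review-helpers"
        printf "%s %s %s %s\n", $1, $7, pw, esc
    }'
}

sample_passwd | audit_captive_accounts "/bin/sh /bin/csh"
```

An account reported as `review-helpers` is only as safe as the programs the application itself launches, which this check cannot see.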


