Security

Jean-Pierre Radley jpr at dasys1.UUCP
Sat Sep 24 05:47:00 AEST 1988


In article <6800030 at cpe> tif at cpe.UUCP writes:
>Written 10:24 am  Aug 14, 1988 by raider.UUCP!root in cpe:comp.unix.xenix
>>I have ... set up a 'restricted' bin directory containing just a few     
>>commands ... I set all restricted users PATH to this directory only.
>>Here's the rub:
>>
>>They can use shell commands from within either vnews or vi...
>
>Experiment with the environment variable, SHELL.  I have a limited
>login which sets SHELL="".  It effectively prevents shell escapes from
>most programs.  You might be satisfied with setting SHELL=rsh.
>
>			Paul Chamberlain

The rub in that last answer is the "most". The desire would seem to be
to prevent shell escapes from ALL programs, and 'vi' is a particularly
nasty culprit properly in that regard: Whatever you set SHELL to, vi
has its own "sh" parameter, and you can't just tell the users to
type :set sh=/bin/rsh.

A solution for a restricted vi was devised by Fred Buck, and can be
found in the LIBraries of the TANGENT Forum on Compuserve. If there is
a feeling that it should be posted here, I will ask Fred for permission
to do so.
-- 

Time is nature's way of				Jean-Pierre Radley
making sure that everything			..!cmcl2!phri!dasys1!jpr
doesn't happen all at once.			CIS: 76120,1341
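
A restricted bin directory is only as tight as the programs placed in it. The audit below is an added example, not part of the original post and not Fred Buck's restricted vi: it flags entries in such a directory that are named like, or byte-identical to, a program with a shell escape. The list holds only the two programs named in the thread; the function name `audit_rbin` and the reference directories passed to it are assumptions of this example.

```shell
#!/bin/sh
# Programs known to offer a shell escape. Only the two named in the
# thread are listed; extend the list for your own site.
ESCAPERS="vi vnews"

# audit_rbin RBIN [REFDIR...]
#   RBIN    the restricted bin directory that the users' PATH points at
#   REFDIR  directories holding the system's real copies (e.g. /bin /usr/bin)
# Prints one line per suspicious entry. Comparing contents as well as names
# catches a copy or link of vi installed under another name such as "edit".
audit_rbin() {
    rbin=$1
    shift
    for f in "$rbin"/*; do
        [ -f "$f" ] || continue
        name=${f##*/}
        for prog in $ESCAPERS; do
            if [ "$name" = "$prog" ]; then
                echo "$name: named $prog"
                continue 2          # next entry in RBIN
            fi
            for ref in "$@"; do
                if [ -f "$ref/$prog" ] && cmp -s "$f" "$ref/$prog"; then
                    echo "$name: same contents as $ref/$prog"
                    continue 3      # next entry in RBIN
                fi
            done
        done
    done
}

# Stand-alone use: sh audit.sh /usr/rbin /bin /usr/bin
if [ $# -gt 0 ]; then
    audit_rbin "$@"
fi
```

An empty result only means nothing matched the list; any other program left in the directory still has to be checked for its own escape mechanism.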


