Security

Theo A. DeRaadt deraadt at xenlink.UUCP
Sat Sep 10 20:02:47 AEST 1988


In article <288 at hawkmoon.MN.ORG>, det at hawkmoon.MN.ORG (Derek E. Terveer) writes:
> In article <4 at raider.UUCP>, root at raider.UUCP (Bob Reineri) writes:
> > They can use shell commands from within either vnews or vi and do anything
> > their heart desires (within normal system security, of course). Well, this
> > just won't work ! I know there is a 'red' editor, but I hate to confine them
> > to that. 
...
> I can't help with vnews or vi (I wish there was an "rvi" ! (for those of us w/o
> the source code that is!)), but if you happen to let them use less, the public
> domain version (4.0, I believe) has a compile time option that allows/disallows
> shell escapes.  Simply turn this off. (0)


What you want to do is write a wrapper for each program they use that does
approximately the following:

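/* this program is called "umacs", in some other directory that rsh has
 * access to. It is really actually "umacs_wrapper"
 */
#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>

#define REAL_PROGRAM "/usr/bin/umacs"
#define NEWENV 2
char *table[NEWENV] = {		/* whatever you want */
    "SHELL=/bin/echo",
    "USERNAME=idiot"
};

int main(int argc, char *argv[], char *envp[])
{
    int i, j;
    char **newenv;

    for(i=0; envp[i]; i++) ;	/* count the existing entries */

    /* room for our entries, the old ones, and the terminating NULL */
    newenv = (char **)malloc( (i+NEWENV+1) * sizeof(char *));
    if (newenv == NULL)
	return 1;

    for(j=0; j<NEWENV; j++)		/* ours first, sequential search */
	newenv[j] = table[j];
    for(i=0; envp[i]; i++)
	newenv[i+NEWENV] = envp[i];
    newenv[i+NEWENV] = NULL;		/* execve needs a terminated list */

    argv[0] = REAL_PROGRAM;

    execve(REAL_PROGRAM, argv, newenv);
    perror(REAL_PROGRAM);		/* only reached if the exec failed */
    return 1;
}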


Basically........, this is what it does:

It copies the old process environment after a new one that we have set up,
which makes the user have a restricted environment. Look at the table and
see what I make his 'shell' - this means that if from umacs he does a
'pause-emacs' he will get almost nowhere!

One thing for you to deal with - I have been up for 24 hours now, and I am
going to sleep now - but this should give you the basics and maybe you can
do it yourself or reach someone else who can read the manuals and figure it
out. The basics are there........ ZZZZzzzz....
---
_____                 _                   -------------------------------------
  / /            /   / \ _   _      /_/_  Theo de Raadt:         (403) 289-4620
 / /_ _  ___  __/_  /__/ _\  _\  __/ /    Xenix386 login:        (403) 295-2541
/ / /</_(_)  (_/</_/  \_(_/\(_/\(_/_(_/   ihnp4!alberta!calgary!xenlink!deraadt
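
A variant of the environment-building step in the wrapper above, added here as an example and not part of the original post: instead of relying on the overrides being found first, it drops every inherited entry whose name an override already sets, so the new environment never holds two SHELL entries. The helper name build_env and the name-matching functions are hypothetical; the table values are the ones from the post.

```c
#include <stdlib.h>
#include <string.h>

/* Constructed override table, same values as the post's example. */
static const char *const overrides[] = { "SHELL=/bin/echo", "USERNAME=idiot" };
#define NOVERRIDES (sizeof overrides / sizeof overrides[0])

/* Length of the NAME part of a "NAME=value" entry. */
static size_t name_len(const char *entry)
{
    const char *eq = strchr(entry, '=');
    return eq ? (size_t)(eq - entry) : strlen(entry);
}

/* True if the inherited entry names a variable that an override sets. */
static int is_overridden(const char *entry)
{
    size_t i, n = name_len(entry);
    for (i = 0; i < NOVERRIDES; i++)
        if (name_len(overrides[i]) == n && strncmp(overrides[i], entry, n) == 0)
            return 1;
    return 0;
}

/* Hypothetical helper: returns a NULL-terminated environment holding the
 * overrides followed by every inherited entry that does not collide with
 * one, or NULL if malloc fails. The caller passes the result to execve(). */
char **build_env(char *const envp[])
{
    size_t i, n = 0, out = 0;
    char **env;

    while (envp[n])
        n++;
    env = malloc((n + NOVERRIDES + 1) * sizeof *env);
    if (env == NULL)
        return NULL;
    for (i = 0; i < NOVERRIDES; i++)
        env[out++] = (char *)overrides[i];
    for (i = 0; i < n; i++)
        if (!is_overridden(envp[i]))	/* exact name match only */
            env[out++] = envp[i];
    env[out] = NULL;
    return env;
}
```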



More information about the Comp.unix.xenix mailing list