Path: utzoo!utgpu!news-server.csri.toronto.edu!cs.utexas.edu!wuarchive!zaphod.mps.ohio-state.edu!uakari.primate.wisc.edu!aplcen!uunet!mcsun!ukc!axion!tsa!domo
From: domo@tsa.co.uk (Dominic Dunlop)
Newsgroups: comp.unix.questions
Subject: Re: How to prevent VI from getting a shell?
Summary: !sh: Yet more ways to get a shell from vi
Message-ID: <1990Sep18.164230.3380@tsa.co.uk>
Date: 18 Sep 90 16:42:30 GMT
References: <501@trux.UUCP>
Reply-To: domo@tsa.co.uk (Dominic Dunlop)
Organization: The Standard Answer Ltd.
Lines: 55

In article <501@trux.UUCP> car@trux.UUCP (Chris Rende) writes:
>If I want to give someone access to VI and yet deny them access to a shell,
>how do I prevent the user from using VI's ":!" command?

And several people have said:

1. Set SHELL=/bin/true in the environment (no good -- can :set shell
   from within vi)

2. Get public domain vi (like elvis) and hack out the :sh and :! code.

3. As 2, but hack out code for :r to read and :w to write arbitrary
   files.

This begins to be usefully restrictive (if such a concept can be
entertained), but I'll add the following further points:

4. Disable :r !command, to run an arbitrary command and capture its
   output in the edit buffer; and w !command to write all or part of
   edit buffer through an arbitrary command.

5. Also disable :e and :n (edit arbitrary files), :fi (change name of
   file to which vi will write), and :cd command (where it gets written
   if its name is not a full pathname).

6. Disable !command which passes the lines selected by through an
   arbitrary command, and replaces them with the output of the command.

While you can't get interactive shells with some of these, you can
easily hand off scripts to shells and do arbitrary things to arbitrary
files.

Bottom line? You'll have to break vi exceptionally comprehensively to
block all the loopholes.

And, talking of breaking things (did I say that?):

Incidentally, the IEEE 1003.2 working group, in its User Portability
Extension, is standardizing vi. The current draft of the proposed
standard specifies a new option, -n, to ``disable or restrict editor
features, so that the vi utility can be used in a more secure manner.
The features affected are the sh and ! commands, which shall be disabled
completely, and all commands taking a pathname as an argument, for which
absolute pathnames and relative pathnames containing a dot-dot ("..")
element shall be disallowed.''

The standardized vi incorporates colon escapes into ex in the
time-honoured manner. Both vi and ex implement shell-spawning actions
introduced by exclamation points. The description of ex also calls out
a -n option, with a description identical to that for vi. In both cases
it appears that the security holes introduced by actions involving
exclamation points have been overlooked. Damn. Maybe I should tell
someone.

--
Dominic Dunlop
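
An added example, not part of the original post and not code from any vi implementation: a simplified model of the quoted -n rule applied to colon commands, compared with a stricter rule that also rejects the exclamation-point arguments from point 4. The function names, the sample commands and the minimal parser (no addresses or ranges, colon commands only, so the vi-mode filter in point 6 is out of scope) are assumptions made for illustration.

```python
import re

# Colon commands the post names as taking a pathname, abbreviated as in the post.
PATH_CMDS = {"r", "w", "e", "n", "fi", "cd"}
SHELL_CMDS = {"sh", "!"}

def parse(cmdline):
    """Split a colon command into (name, argument). Simplified: no addresses."""
    s = cmdline.lstrip(":").strip()
    if s.startswith("!"):
        return "!", s[1:].strip()
    m = re.match(r"([a-z]+)\s*(.*)", s)
    return (m.group(1), m.group(2).strip()) if m else (s, "")

def draft_n_allows(cmdline):
    """The -n rule read literally: sh and ! are disabled; pathname
    arguments may not be absolute or contain a '..' element."""
    name, arg = parse(cmdline)
    if name in SHELL_CMDS:
        return False
    if name in PATH_CMDS and arg:
        if arg.startswith("/") or ".." in arg.split("/"):
            return False
    return True

def strict_allows(cmdline):
    """Same rule, plus reject a '!' argument to r or w (point 4 of the post)."""
    name, arg = parse(cmdline)
    if name in {"r", "w"} and arg.startswith("!"):
        return False
    return draft_n_allows(cmdline)

# Constructed sample commands, not taken from the post or the draft.
SAMPLES = [":sh", ":!ls", ":r /etc/passwd", ":e ../notes",
           ":w out.txt", ":r !date", ":w !cat"]

def gaps(samples=SAMPLES):
    """Commands the literal rule lets through but the stricter rule rejects."""
    return [c for c in samples if draft_n_allows(c) and not strict_allows(c)]

if __name__ == "__main__":
    for c in SAMPLES:
        print(f"{c:16} draft={draft_n_allows(c)!s:5} strict={strict_allows(c)}")
    print("gaps:", gaps())
```
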