Path: utzoo!attcan!uunet!zephyr.ens.tek.com!tektronix!percy!nosun!tessi!onion!jeff
From: jeff@onion.pdx.com (Jeff Beadles)
Newsgroups: comp.unix.questions
Subject: Re: How to prevent VI from getting a shell?
Keywords: vi
Message-ID: <1990Sep20.000246.20234@onion.pdx.com>
Date: 20 Sep 90 00:02:46 GMT
References: <501@trux.UUCP> <570@DIALix.UUCP>
Organization: Little to none.
Lines: 23

In article <570@DIALix.UUCP> bernie@DIALix.oz.au (Bernd Felsche) writes:
>set SHELL in the environment to something which does nothing, say
>/bin/true. vi forks-execs whatever SHELL is defined to be, or the
>shell if undefined.

>Many applications allow SHELL escapes, and cause security holes
>because they don't set the real user id before they shell-off. Some
>time ago I wrote a shell-wrapper which did the right thing before
>allowing the user a real shell. The application program also
>required a wrapper to set SHELL to the shell-wrapper.

Bleep. Wrong answer.

Take vi, for example... You can set "SHELL" to be whatever you desire.
However, from within vi, you can use ":set shell=/bin/sh" and be on your
merry way.

There's no easy way to prevent shell escapes like this without The Source.

	-Jeff
--
Jeff Beadles	jeff@onion.pdx.com
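Added example, not code from either poster: a C shell wrapper of the kind the quoted article describes, which drops set-uid/set-gid privileges to the real IDs and confirms the drop cannot be undone before exec'ing a real shell. The name `drop_to_real_ids` and the `/bin/sh` path are assumptions; as the reply points out, it only takes effect when the application actually runs the wrapper, since vi's ":set shell=" ignores $SHELL.

```c
#include <stdio.h>
#include <unistd.h>
#include <sys/types.h>

/* Drop set-uid/set-gid privileges to the real IDs (hypothetical helper).
 * Returns 0 on success, -1 if the drop failed or could be reversed. */
int drop_to_real_ids(void)
{
    uid_t ruid = getuid(), euid = geteuid();
    gid_t rgid = getgid(), egid = getegid();

    /* Group first: after the uid is dropped we may no longer be
     * allowed to change the gid. */
    if (setgid(rgid) != 0)
        return -1;
    /* For a set-uid-root caller this resets real, effective and saved
     * uid. For a non-root set-uid caller the saved uid survives, and
     * the check below then fails closed. */
    if (setuid(ruid) != 0)
        return -1;

    /* Regaining the old effective IDs must now be impossible. */
    if (euid != ruid && setuid(euid) == 0)
        return -1;
    if (egid != rgid && setgid(egid) == 0)
        return -1;
    if (geteuid() != ruid || getegid() != rgid)
        return -1;
    return 0;
}

int main(int argc, char *argv[])
{
    (void)argc;
    if (drop_to_real_ids() != 0) {
        fprintf(stderr, "shell-wrapper: cannot drop privileges\n");
        return 1;               /* never fall through to a privileged shell */
    }
    /* Assumed shell path; the caller's arguments (e.g. -c cmd) pass through. */
    argv[0] = "sh";
    execv("/bin/sh", argv);
    perror("shell-wrapper: execv");
    return 1;
}
```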