Xref: utzoo alt.security:1634 comp.unix.sysv386:806
Path: utzoo!utgpu!cs.utexas.edu!sun-barr!apple!julius.cs.uiuc.edu!rpi!zaphod.mps.ohio-state.edu!uakari.primate.wisc.edu!aplcen!uunet!mcsun!ukc!stl!robobar!ronald
From: ronald@robobar.co.uk (Ronald S H Khoo)
Newsgroups: alt.security,comp.unix.sysv386
Subject: Re: Here's how to stop shell escapes from vi
Message-ID: <1990Sep28.224754.19581@robobar.co.uk>
Date: 28 Sep 90 22:47:54 GMT
References: <PA06YE4@xds13.ferranti.com> <WAYNE.90Sep27073633@dsndata.uucp> <1990Sep28.072202.1184@brolga.cc.uq.oz.au>
Organization: Robobar Ltd., Perivale, Middx., ENGLAND.
Lines: 17

ant@brolga.cc.uq.oz.au (Anthony Murdoch) writes:

> If you change SHELL to something and then make vi unreadable then surely that
> makes it secure enough for you (unless of course you don't want to allow root
> to have a shell ;-)

NO!  Security through obscurity doesn't work.  Just leave the normal copy
of vi alone, and put the hacked copy of vi into your secure chrooted area.
Oh, and *don't* call the copy "vi" -- sysadmins might get confused and
link the original one back into the was-secure area, and anyway you
don't want to accidentally invoke it -- it gets VERY annoying when *you*
can't shell escape.

-- 
   ronald@robobar.co.uk | +44 81 991 1142 (O) | +44 71 229 7741 (H) | YELL!
   "Nothing sucks like a VAX"   --   confirmed after recent radiator burst!
Hit 'R' <RETURN> to continue .....