Xref: utzoo alt.security:1650 comp.unix.sysv386:877
Path: utzoo!attcan!uunet!wuarchive!julius.cs.uiuc.edu!apple!snorkelwacker!bloom-beacon!athena.mit.edu!jik
From: jik@athena.mit.edu (Jonathan I. Kamens)
Newsgroups: alt.security,comp.unix.sysv386
Subject: Re: Here's how to stop shell escapes from vi
Message-ID: <1990Oct1.190141.29659@athena.mit.edu>
Date: 1 Oct 90 19:01:41 GMT
References: <PA06YE4@xds13.ferranti.com> <WAYNE.90Sep27073633@dsndata.uucp> <1990Sep28.072202.1184@brolga.cc.uq.oz.au> <1990Sep30.174404.6132@gorgon.uucp>
Sender: daemon@athena.mit.edu (Mr Background)
Reply-To: jik@athena.mit.edu (Jonathan I. Kamens)
Organization: Massachusetts Institute of Technology
Lines: 21

In article <1990Sep30.174404.6132@gorgon.uucp>, dag@gorgon.uucp (Daniel A. Glasser) writes:
|> My suggestion is to write a wrapping routine which checks the users gid or
|> uid (or whatever) and based on that either leaves the users PATH and SHELL
|> alone (for those who should be allowed to shell out of vi) or changes both
|> PATH and SHELL environment variables to something safe, (SHELL will point
|> to something like 'main(){write(0,"No shell for you!\n");exit(1);}'
|> and PATH to something which just has what vi might legitimately have to
|> get at.  This program will then exec the real vi.

  As someone else has already pointed out, it is possible to set the SHELL
environment variable from inside vi, using a vi command.

\begin{soapbox}
  Read the net before you post.  RTFM before you post.
\end{soapbox}

-- 
Jonathan Kamens			              USnail:
MIT Project Athena				11 Ashford Terrace
jik@Athena.MIT.EDU				Allston, MA  02134
Office: 617-253-8495			      Home: 617-782-0710