Xref: utzoo alt.security:1669 comp.unix.sysv386:1085 Path: utzoo!attcan!uunet!snorkelwacker!bloom-beacon!athena.mit.edu!jik From: jik@athena.mit.edu (Jonathan I. Kamens) Newsgroups: alt.security,comp.unix.sysv386 Subject: Re: Here's how to stop shell escapes from vi Message-ID: <1990Oct9.182650.6250@athena.mit.edu> Date: 9 Oct 90 18:26:50 GMT References: <1990Sep28.072202.1184@brolga.cc.uq.oz.au> <1990Sep30.174404.6132@gorgon.uucp> <1990Oct1.190141.29659@athena.mit.edu> <1990Oct09.010323.22960@gorgon.uucp> Sender: daemon@athena.mit.edu (Mr Background) Reply-To: jik@athena.mit.edu (Jonathan I. Kamens) Organization: Massachusetts Institute of Technology Lines: 94 In article <1990Oct09.010323.22960@gorgon.uucp>, dag@gorgon.uucp (Daniel A. Glasser) writes: |> Okay, I just finished reading TFM. The only version of vi docs that I have |> on hand are from a SYS-III implementation. It is not my fault if your documentation is out-of-date. In the rest of this posting I will quote from the document "Vi Command & Function Reference", dated April, 1986, from the standard 4.3 BSD USD documents (taken from /usr/doc/usd/15.vi/vi.apwh.ms on my system). |> They make no mention of how |> to set an environment variable from within vi. You can't set ANY environment variable, you can set the SHELL environment variable, which is what I said in my posting. Or, at least, you can set the shell option in a way that will make vi use that shell in the future, no matter what SHELL is set to when vi is started (I don't know whether or not vi actually goes ahead and changes the environment variable, or only stores the shell to use in variable somewhere, but that's an irrelevant distinction, since the end result is pretty much the same). |> I've checked the man page |> under the version of SYS-V that I am using (ISC V2.2), and that also gives |> no clue of how to go about changing an environment variable from within vi. The command you want is ":set shell=foo", e.g. ":set shell=/bin/sh". You probably couldn't find it because you weren't looking for what I said you could do. I said you could change SHELL, you tried to find out how to change an arbitrary environment variable. From the document I mentioned above: Vi has a number of internal variables and switches which can be set to achieve special affects. These options come in three forms, those that are switches, which toggle from off to on and back, those that require a numeric value, and those that require an alphanumeric string value. ... Commands requiring a value are set with a command of the form: :set option=value ... Most of the options have a long form and an abbrevia- tion. Both are listed in the following table as well as the normal default value. ... shell sh Default: sh=from environment SHELL or /bin/sh Type: string This is the name of the sh to be used for "escaped" commands. |> I'll admit that I've hated vi from the day I first set eyes on it oh so many |> years ago, thus have never learned the backdoors, etc., that lurk within |> vi. I had read the entire thread up to that point as it had arrived at |> my site. I've read much of the thread that has followed. I still have |> not seen this. |> |> DO NOT ASSUME THAT ALL MESSAGES FROM ALL PLACES GET TO A SITE IN THE SAME |> ORDER AS THEY DO TO YOUR SITE. OR EVEN THAT THEY GET THERE AT ALL. There has been an entire thread about nuking the string "shell" in the vi binary so that people cannot use ":set shell" to change it. There are currently five messages from that thread in my spool area before the message of mine to which you responded, and that's not including the message that started the thread and at least one other message in the thread that I can recall (which is the one I was thinking above when I wrote that it had already been mentioned). The earliest one in my spool area is dated September 26, and as I said, there were earlier ones than that. My message is dated October 1. That's seven messages which *I* got before I got the one I posted to which you are responding. They were posted several days before the message of mine to which you are responding. I doubt very much that you didn't see any of them. |> In all likelyhood, I've been posting to the net longer than you've had |> access to any kind of unix system, possibly computer. I've been a Unix |> user from very early 7th edition days. I have written several programs |> like the one I've described under RSTS/E, VMS, Unix v7, SysIII, and |> System V. I've never had any problems with any of them. It may be |> that vi has a back door that I don't know about. That is no reason |> to assume that tone. Give me a break. "I'm older [or more experienced] than you, so you have to respect me and talk nice to me." Hogwash. If you do something brain-damaged, you still did something brain-damaged, whether you've been using Unix for a month or fifteen years. -- Jonathan Kamens USnail: MIT Project Athena 11 Ashford Terrace jik@Athena.MIT.EDU Allston, MA 02134 Office: 617-253-8495 Home: 617-782-0710