Relay-Version: version B 2.10 5/3/83; site utzoo.UUCP
Posting-Version: version B 2.10.2 9/18/84; site brl-tgr.ARPA
Path: utzoo!watmath!clyde!bonnie!akgua!sdcsvax!dcdwest!ittvax!decvax!genrad!panda!talcott!harvard!seismo!brl-tgr!tgr!cottrell@nbs-vms.ARPA
From: cottrell@nbs-vms.ARPA
Newsgroups: net.unix-wizards
Subject: disallowing subshell in More
Message-ID: <8258@brl-tgr.ARPA>
Date: Mon, 11-Feb-85 19:32:38 EST
Article-I.D.: brl-tgr.8258
Posted: Mon Feb 11 19:32:38 1985
Date-Received: Fri, 15-Feb-85 04:15:10 EST
Sender: news@brl-tgr.ARPA
Organization: Ballistic Research Lab
Lines: 24

/*
> Does anyone know of a way to pipe a file to more and disallow a user from
> invoking a subshell while More is running?
>
> Here's the scenario, I have a menu that allows certain users to have root access
> to several functions (unjamming the print queue, archiving & restoring files,
> etc). One of the options is to allow the user to get a listing of a tape
> archive to the screen (piped through More) which of course allows the user to
> type a '!sh' and voila! a root shell.

One way is to pipe it to a program that:

	1) calls setuid to remove root permission
	2) exec's more

Another thing to do is to set up a dummy user such as `print' which
owns the resources such as the line printer spool queues. Even if the
user manages to break out of your scripts, he only has access to
limited resources. You might also investigate using the group feature,
as once a user has group privileges he is more restricted than with
owner privilege. Too many people resort to root owning setuid
progs/scripts. It doesn't have to be this way.
*/
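
The wrapper the reply describes (call setuid to give up root, then exec more), as an added example that is not part of the original post. The pager path and the fallback id 65534 are assumptions; the menu would pipe the archive listing into this program instead of into more directly.

```c
#define _DEFAULT_SOURCE          /* exposes setgroups() on glibc */
#include <grp.h>
#include <stdio.h>
#include <sys/types.h>
#include <unistd.h>

#define FALLBACK_ID 65534        /* assumption: an unprivileged "nobody" id */
#define PAGER "/usr/bin/more"    /* assumption: path to more on this system */

/* Permanently switch to uid/gid. Returns 0 on success, -1 on any failure. */
int drop_privileges(uid_t uid, gid_t gid)
{
    /* Only root may change the supplementary group list; clear it first. */
    if (geteuid() == 0 && setgroups(1, &gid) != 0)
        return -1;
    /* Group before user: once root's uid is gone the gid cannot be changed. */
    if (setgid(gid) != 0 || setuid(uid) != 0)
        return -1;
    /* The drop must be irreversible: regaining root has to fail. */
    if (uid != 0 && setuid(0) == 0)
        return -1;
    if (getuid() != uid || geteuid() != uid ||
        getgid() != gid || getegid() != gid)
        return -1;
    return 0;
}

int main(void)
{
    /* Under a setuid-root menu the real ids are the invoking user's. */
    uid_t uid = getuid() ? getuid() : FALLBACK_ID;
    gid_t gid = getgid() ? getgid() : FALLBACK_ID;

    if (drop_privileges(uid, gid) != 0) {
        perror("drop_privileges");
        return 1;                /* fail closed: never page as root */
    }
    /* stdin is still the pipe from the archive listing; a "!sh" typed in
       more now starts a shell with the unprivileged ids only. */
    execl(PAGER, "more", (char *)NULL);
    perror(PAGER);
    return 1;
}
```

The archive reader itself still runs with whatever privilege the menu gives it; only the pager and anything started from it lose root.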