Relay-Version: version B 2.10 5/3/83; site utzoo.UUCP
Path: utzoo!watmath!clyde!rutgers!sri-spam!sri-unix!hplabs!hpcea!hpda!hppcgo!hpdsd!hpisod2!decot
From: decot@hpisod2.UUCP
Newsgroups: comp.unix.wizards
Subject: Re: "special" shells a security hole?
Message-ID: <2590002@hpisod2.HP>
Date: Mon, 2-Feb-87 18:40:58 EST
Article-I.D.: hpisod2.2590002
Posted: Mon Feb 2 18:40:58 1987
Date-Received: Sat, 7-Feb-87 07:24:41 EST
References: <3953@brl-adm.ARPA>
Lines: 15

> i've just been trying to decide whether to password some accounts on our
> system that run special programs instead of a normal shell. If a program,
> e.g. a bulletin-board system, does not allow shell escapes is it relatively
> secure even if it doesn't run in a chroot'd environment?

As long as it doesn't run such programs as more(1) or ex(1), either, since
they can be used to get someplace where a shell escape is available.

A bulletin board system is rather clumsy without a text editor, but it
is currently impossible to tell more(1) or vi(1) to disallow shell escapes.

In general, the fewer outside programs the application permits the user to
use, the more secure such applications are.

Dave Decot
hpda!decot
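
An added example, not part of the original post: a small audit that lists the accounts the question is about, those whose login program is something other than a regular shell, together with the state of their password field, so each listed program can be reviewed for the outside programs it lets the user reach. The account names, program paths and the list of regular shells are constructed for illustration.

```shell
#!/bin/sh
# Added example: list "captive" accounts from passwd(5)-format input.
# A captive account is one whose login program (field 7) is not one of the
# regular shells passed in $1. These are the programs to review for pagers,
# editors and other outside programs they let the user run.

audit_captive_accounts() {
    # $1: space-separated list of regular shells; passwd lines on stdin
    awk -F: -v shells="$1" '
        BEGIN { n = split(shells, s, " "); for (i = 1; i <= n; i++) ok[s[i]] = 1 }
        /^#/ || NF < 7 { next }                  # skip comments, malformed lines
        {
            prog = ($7 == "") ? "/bin/sh" : $7   # empty field 7 means /bin/sh
            if (prog in ok) next                 # regular shell: not captive
            if ($2 == "")            state = "NO-PASSWORD"
            else if ($2 == "x")      state = "shadowed"      # hash kept elsewhere
            else if ($2 ~ /^[*!]/)   state = "locked"
            else                     state = "password-set"
            printf "%s\t%s\t%s\n", $1, prog, state
        }'
}

# Constructed sample input (hypothetical accounts and paths).
SAMPLE_PASSWD='root:CONSTRUCTEDHASH:0:0:Operator:/:/bin/csh
bbs::200:20:Bulletin board:/usr/bbs:/usr/local/bin/bbs
news:*:6:6:News reader:/usr/spool/news:/usr/local/bin/readnews-only
games:x:12:100:Games menu:/usr/games:/usr/games/menu
guest::300:20:Guest:/usr/guest:'

# Prints one line per captive account: name, login program, password state.
printf '%s\n' "$SAMPLE_PASSWD" | audit_captive_accounts "/bin/sh /bin/csh"
```

On a live system, pipe the real passwd file into `audit_captive_accounts` and pass the site's own list of regular shells as the argument.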