Relay-Version: version B 2.10 5/3/83; site utzoo.UUCP Path: utzoo!watmath!clyde!cbatt!gatech!gitpyr!robert From: robert@gitpyr.UUCP Newsgroups: comp.unix.wizards Subject: Re: \"special\" shells a security hole? Message-ID: <3037@gitpyr.gatech.EDU> Date: Thu, 5-Feb-87 13:24:01 EST Article-I.D.: gitpyr.3037 Posted: Thu Feb 5 13:24:01 1987 Date-Received: Sat, 7-Feb-87 13:33:57 EST References: <3953@brl-adm.ARPA> <2590002@hpisod2.HP> Reply-To: robert@gitpyr.UUCP (Robert Viduya) Organization: Office of Computing Services, Georgia Tech Lines: 30 >decot@hpisod2.HP (Dave Decot) (decot@hpisod2.HP, <2590002@hpisod2.HP>): > > i've just been trying to decide whether to password some accounts on our > > system that run special programs instead of a normal shell. If a program, > > e.g. a bulletin-board system, does not allow shell escapes is it relatively > > secure even if it doesn't run in a chroot'd environment? > > As long as it doesn't run such programs as more(1) or ex(1), either, since > they can be used to get someplace where a shell escape is available. A > bulletin board system is rather clumsy without a text editor, but it is > currently impossible to tell more(1) or vi(1) to disallow shell escapes. Actually, you can "disable" shell escapes from more(1) or ex(1) or any other program that follows conventions by simply setting the SHELL environment variable to a null program before executing the program. I'd recommend /bin/true, but vi(1) on our system doesn't seem to like shell scripts as shells; an alternate could be /bin/sync, which is another command that ignores arguments, returns a "good" status and doesn't do anything apparent to the user. This is a kludge, true, but it works and can be quite valuable if you are a binary-only site. Watch out for programs that allow shell escapes but ignore SHELL, though. I don't know of any that do, but that doesn't mean they don't exists. They're anti-social anyway. robert -- Robert Viduya robert@pyr.ocs.gatech.edu Office of Computing Services (404) 894-4660 Georgia Institute of Technology Atlanta, Georgia 30332