Path: utzoo!utgpu!water!watmath!clyde!att!osu-cis!tut.cis.ohio-state.edu!rutgers!bellcore!tness7!ninja!cpe!tif
From: tif@cpe.UUCP
Newsgroups: comp.unix.xenix
Subject: Re: Security
Message-ID: <6800040@cpe>
Date: 26 Sep 88 19:36:00 GMT
References: <6609@dasys1.UUCP>
Lines: 27
Nf-ID: #R:dasys1.UUCP:6609:cpe:6800040:000:1104
Nf-From: cpe.UUCP!tif Sep 26 14:36:00 1988

Written 2:47 pm Sep 23, 1988 by dasys1.UUCP!jpr in cpe:comp.unix.xenix
>In article <6800030@cpe> tif@cpe.UUCP writes:
>>Experiment with the environment variable, SHELL. I have a limited
>>login which sets SHELL="". It effectively prevents shell escapes from
>>most programs. You might be satisfied with setting SHELL=rsh.
>
>The rub in that last answer is the "most". The desire would seem to be
>to prevent shell escapes from ALL programs, and 'vi' is a particularly
>nasty culprit properly in that regard: Whatever you set SHELL to, vi
>has its own "sh" parameter, and you can't just tell the users to
>type :set sh=/bin/rsh.

That is not the case on my system. I just tried it to make sure. I did

    SHELL=""
    export SHELL
    vi

Then from vi, ":sh" didn't work, ":!ls" didn't work, and even "!!ls"
didn't work. I also did ":set all" which said "shell=".

Oops. Come to think of it, you could set shell to anything you want
from within vi (i.e. ":set shell=/bin/sh"). So much for my secure login.

Paul Chamberlain
Computer Product Engineering, Tandy Corp.
{convex,killer}!ninja!cpe!tif