Xref: utzoo comp.unix.wizards:13442 news.sysadmin:1941 Path: utzoo!attcan!uunet!lll-winken!lll-tis!ames!mailrus!cwjcc!hal!ncoast!allbery From: allbery@ncoast.UUCP (Brandon S. Allbery) Newsgroups: comp.unix.wizards,news.sysadmin Subject: Re: Trojan horse FIX for Rnmail and Pnews Message-ID: <13253@ncoast.UUCP> Date: 13 Dec 88 23:17:20 GMT References: <6798@rosevax.Rosemount.COM> <591@auspex.UUCP> <6811@rosevax.Rosemount.COM> Reply-To: allbery@ncoast.UUCP (Brandon S. Allbery) Followup-To: comp.unix.wizards Organization: Cleveland Public Access UN*X, Cleveland, Oh Lines: 40 As quoted from <6811@rosevax.Rosemount.COM> by news@rosevax.Rosemount.COM (News administrator): +--------------- | > = Guy Harris | >If you insist on sticking "+set nomodeline" here, rather than in the | >user's ".exrc" where it belongs... | | No, it belongs in any code that puts uncontrolled text into a file | and executes a "vi"-like editor. A number of vi's have "modeline" | on by default, and many people don't know about it. If Pnews can be | made more robust, it should be. +--------------- And just how does this protect the superuser who edits /etc/passwd when someone's username ends with "ex", etc.? Pnews is not the only culprit, and you can't catch *all* programs that might do it. (And if you propose blocking "ex[colon]" sequences in the password file, you'll be in for a lot of hate mail....) The proper place to put it is $HOME/.exrc; it should be in the .exrc that is copied in for new users (assuming that everyone uses a program/shell script/whatever to install new users; a shell script, at least, is trivial). +--------------- | Now for a different question... any other common editors (emacs, etc) with | a similar hook? Any way to disable it? +--------------- Emacs (FULL emacs, NOT Jove/Microemacs/mg/etc.) has a feature for modifying the editor's settings from a loaded file; but invoking it is non-trivial (you need a VERY fancy sequence in the file) and it won't execute generalized commands (s-expressions) (at least, I *think* it won't...) so it's nowhere near as dangerous. ++Brandon (P.S. And just how does your Pnews fix change what /usr/bin/postnews does?) -- Brandon S. Allbery, comp.sources.misc moderator and one admin of ncoast PA UN*X uunet!hal.cwru.edu!ncoast!allbery ncoast!allbery@hal.cwru.edu allberyb@skybridge.sdi.cwru.edu allbery@uunet.uu.net comp.sources.misc is moving off ncoast -- please do NOT send submissions direct Send comp.sources.misc submissions to comp-sources-misc@.