Path: utzoo!attcan!uunet!dasys1!jpr
From: jpr@dasys1.UUCP (Jean-Pierre Radley)
Newsgroups: comp.unix.xenix
Subject: Re: Security
Message-ID: <6609@dasys1.UUCP>
Date: 23 Sep 88 19:47:00 GMT
References: <4@raider.UUCP> <6800030@cpe>
Reply-To: jpr@dasys1.UUCP (Jean-Pierre Radley)
Organization: TANGENT
Lines: 29

In article <6800030@cpe> tif@cpe.UUCP writes:
>Written 10:24 am Aug 14, 1988 by raider.UUCP!root in cpe:comp.unix.xenix
>>I have ... set up a 'restricted' bin directory containing just a few
>>commands ... I set all restricted users PATH to this directory only.
>>Here's the rub:
>>
>>They can use shell commands from within either vnews or vi...
>
>Experiment with the environment variable, SHELL. I have a limited
>login which sets SHELL="". It effectively prevents shell escapes from
>most programs. You might be satisfied with setting SHELL=rsh.
>
> Paul Chamberlain

The rub in that last answer is the "most". The desire would seem to be to
prevent shell escapes from ALL programs, and 'vi' is a particularly nasty
culprit properly in that regard: Whatever you set SHELL to, vi has its own
"sh" parameter, and you can't just tell the users to type :set sh=/bin/rsh.

A solution for a restricted vi was devised by Fred Buck, and can be found in
the LIBraries of the TANGENT Forum on Compuserve. If there is a feeling that
it should be posted here, I will ask Fred for permission to do so.

--
Time is nature's way of        Jean-Pierre Radley
making sure that everything    ..!cmcl2!phri!dasys1!jpr
doesn't happen all at once.    CIS: 76120,1341
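
Added example, not part of the original post and not Fred Buck's restricted vi: an administrator's audit of a restricted bin directory that lists the programs which can start a shell by themselves, and marks separately the vi family, whose own "sh" option means that setting SHELL in the login is not enough. Only vi and vnews come from the thread; the other program names, the function names and the output labels are assumptions of this example.

```shell
#!/bin/sh
# Audit a restricted-login bin directory for programs that can start a
# shell by themselves, whatever PATH and SHELL are set to.

# Editors whose shell is settable from inside the program (":set sh=...").
# vi is named in the thread; view and ex are assumed here to share the option.
VI_FAMILY="vi view ex"
# Other programs with a shell escape. vnews is named in the thread; the
# rest are an assumed, non-exhaustive list of classic Unix tools.
OTHER_ESCAPES="vnews ed more pg mail mailx"

# in_list WORD ITEM... : succeeds when WORD equals one of the ITEMs.
in_list() {
    word=$1
    shift
    for item in "$@"; do
        if [ "$item" = "$word" ]; then return 0; fi
    done
    return 1
}

# audit_restricted_bin DIR
# Prints "SETTABLE <name>" for vi-family entries (SHELL in the login does
# not confine them) and "ESCAPE <name>" for the other escape-capable ones.
# Returns 0 when nothing is flagged, 1 when something is, 2 on a bad DIR.
audit_restricted_bin() {
    dir=$1
    [ -d "$dir" ] || { echo "not a directory: $dir" >&2; return 2; }
    found=0
    for path in "$dir"/*; do
        [ -e "$path" ] || continue          # empty directory: glob unmatched
        name=${path##*/}
        # The lists are split on whitespace on purpose (no quotes).
        if in_list "$name" $VI_FAMILY; then
            echo "SETTABLE $name"
            found=1
        elif in_list "$name" $OTHER_ESCAPES; then
            echo "ESCAPE $name"
            found=1
        fi
    done
    return $found
}

# Stand-alone use: sh audit.sh /path/to/restricted/bin
[ $# -eq 0 ] || audit_restricted_bin "$1"
```

The check is by file name only, so a copy or link of vi installed under another name is not flagged.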