Path: utzoo!attcan!uunet!dasys1!jpr
From: jpr@dasys1.UUCP (Jean-Pierre Radley)
Newsgroups: comp.unix.xenix
Subject: Re: Security
Message-ID: <6609@dasys1.UUCP>
Date: 23 Sep 88 19:47:00 GMT
References: <4@raider.UUCP> <6800030@cpe>
Reply-To: jpr@dasys1.UUCP (Jean-Pierre Radley)
Organization: TANGENT
Lines: 29

In article <6800030@cpe> tif@cpe.UUCP writes:
>Written 10:24 am  Aug 14, 1988 by raider.UUCP!root in cpe:comp.unix.xenix
>>I have ... set up a 'restricted' bin directory containing just a few     
>>commands ... I set all restricted users PATH to this directory only.
>>Here's the rub:
>>
>>They can use shell commands from within either vnews or vi...
>
>Experiment with the environment variable, SHELL.  I have a limited
>login which sets SHELL="".  It effectively prevents shell escapes from
>most programs.  You might be satisfied with setting SHELL=rsh.
>
>			Paul Chamberlain

The rub in that last answer is the "most". The desire would seem to be
to prevent shell escapes from ALL programs, and 'vi' is a particularly
nasty culprit properly in that regard: Whatever you set SHELL to, vi
has its own "sh" parameter, and you can't just tell the users to
type :set sh=/bin/rsh.

A solution for a restricted vi was devised by Fred Buck, and can be
found in the LIBraries of the TANGENT Forum on Compuserve. If there is
a feeling that it should be posted here, I will ask Fred for permission
to do so.
-- 

Time is nature's way of				Jean-Pierre Radley
making sure that everything			..!cmcl2!phri!dasys1!jpr
doesn't happen all at once.			CIS: 76120,1341