[comp.unix.wizards] Putting trojan horse fixes where they belong

merlyn@ernie.Rosemount.COM (Brian Westley) (12/15/88)

>>>If you insist on sticking "+set nomodeline" here, rather than in the
>>>user's ".exrc" where it belongs...
>> 
>>No, it belongs in any code that puts uncontrolled text into a file
>>and executes a "vi"-like editor.  A number of vi's have "modeline"
>>on by default, and many people don't know about it.  If Pnews can be
>>made more robust, it should be.
>
>And just how does this protect the superuser who edits /etc/passwd when
>someone's username ends with "ex", etc.?

It doesn't.  What does making Pnews more Trojan-proof have to do
with editing /etc/passwd with embedded vi commands??  Nothing.

Besides, your example doesn't fit my description of the basic flaw.
(any code that puts uncontrolled text into a file and executes a
"vi"-like [can execute external commands] editor; /etc/passwd is
not uncontrolled text - I can't write to it.  I *can* write news
articles with trojan horses in them, which Pnews will run for me.)

>Pnews is not the only culprit, and you can't catch *all* programs that might
>do it.  The proper place to put it is $HOME/.exrc...

This does not fix the problem.  This can never fix the problem.

There are many sites that CANNOT put ANYTHING into $HOME/.exrc to turn
  this trojan-horse mechanism off.

There are probably some people who use 'set modeline[s]' in their .exrc because
  they actually USE this feature, and requiring them to change this, instead
  of fixing dangerously naive software, is shortsighted.

New sites come on-line all the time.  Some of these will undoubtedly
  be vulnerable from day one.

Instead of requiring thousands of sites to "fix" their .exrcs so Pnews
can't be used as a vehicle for destructive code, fix Pnews, dammit!
Requiring this hole to be patched by everyone will only guarantee its
existence for as long as this "solution" exists.

>(P.S.  And just how does your Pnews fix change what /usr/bin/postnews does?)

It doesn't.  Feel free to post corrections to postnews, too.
Just how does *your* Pnews fix, fix Pnews?

Merlyn LeRoy

guy@auspex.UUCP (Guy Harris) (12/17/88)

>There are many sites that CANNOT put ANYTHING into $HOME/.exrc to turn
>  this trojan-horse mechanism off.

Those sites don't support "+set nomodelines" on the command line,
either, so the "fix" to Pnews doesn't help.

>There are probably some people who use 'set modeline[s]' in their .exrc because
>  they actually USE this feature, and requiring them to change this, instead
>  of fixing dangerously naive software, is shortsighted.

Err, umm, requiring them to change this prevents them from getting
screwed when running *other* utilities; care to track down *every single
utility* that runs "vi" - including the Bourne, C, and Korn shells - and
fix them?

Furthermore, if Arthur Olson's analysis is correct, the "+set modeline"
gets interpreted after the file's been read and checked for mode lines,
so it doesn't help anyway....

merlyn@ernie.Rosemount.COM (Brian Westley) (12/19/88)

>>There are many sites that CANNOT put ANYTHING into $HOME/.exrc to turn
>>  this trojan-horse mechanism off.
>Those sites don't support "+set nomodelines" on the command line,
>either, so the "fix" to Pnews doesn't help.

Yes, I found out about such vi's after I posted my fix.  For these, either
the files have to be munged to remove trojan horses before giving them to vi,
or use rvi.  Your "fix" doesn't do anything to fix this, either.

>>[some people might USE modelines]
>Err, umm, requiring them to change this prevents them from getting
>screwed when running *other* utilities; care to track down *every single
>utility* that runs "vi" - including the Bourne, C, and Korn shells - and
>fix them?

No, if people actually USE modelines, they presumably know the danger;
telling them they can't use modelines because Pnews is too stupid to
not run trojan horses is.. well, stupid.  Pnews and Rnmail are much
more vulnerable since they routinely edit files written by total
strangers thousands of miles away.

>Furthermore, if Arthur Olson's analysis is correct, the "+set modeline"
>gets interpreted after the file's been read and checked for mode lines,
>so it doesn't help anyway....

It works on at least some machines.  This is why it's a configuration
issue, since no single method is both simple and guaranteed to work.
(the file munging method will work all the time, but it adds overhead).

To reiterate: there are many editors where trojan horses are impossible
to turn off (some vi's), or on by default (many vi's, GNU emacs).
Given this, Pnews (& Rnmail, etc) has to be fixed.

For example, to test vi, the config program should:
1) Try to get vi to run a trojan horse, using .exrc and EXINIT with
   'set modeline' or 'set modelines', whichever works.
2) Try to invoke vi with '+set nomodeline[s]' to see if this
   stops the trojan horse.
3) Use the '+set nomodeline[s]' if it works, otherwise munge the 
   file with e.g. "sed 's/\([ev][xi]\):\([^:]*\):/\1;\2;/g'"
4) The configuror must inform the config file about oddly-named
   versions of vi, so they can be included in the case statement.

It would probably be easiest if this were incorporated into a self
contained editor-invoking script, so it could be called by scripts 
or C programs as needed, and not patched in place.

Merlyn LeRoy
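The file-munging fallback from step 3 of the post above, as an added example that is not part of the original thread: a small POSIX sh wrapper around the post's sed expression, with a check that confirms no colon-terminated "ex:" / "vi:" modeline survives. The function names and the sample article are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example: neutralise vi/ex modelines in text received from
# strangers before handing it to an editor that may honour them.
# The sed expression is the one quoted in the post; everything else
# (function names, sample text) is constructed here.

# Rewrite "ex:...:" / "vi:...:" into "ex;...;" / "vi;...;" so a
# modeline-honouring vi no longer recognises it.  stdin -> stdout.
munge_modelines() {
    sed 's/\([ev][xi]\):\([^:]*\):/\1;\2;/g'
}

# Succeed (exit 0) if stdin still contains a colon-terminated modeline,
# fail (exit 1) otherwise.  Used to verify that the munge did its job.
has_modeline() {
    grep -q '[ev][xi]:[^:]*:'
}

# Constructed sample article: ordinary text plus a harmless modeline.
sample_article() {
    printf '%s\n' \
        'Subject: test posting' \
        '' \
        'Harmless body text.' \
        'ex:set ts=4 sw=4:' \
        'Done.'
}

# Sanitise a file in place: munge into a temporary copy, then replace
# the original, so the editor only ever sees the cleaned text.
munge_file() {
    f=$1
    tmp=$(mktemp) || return 1
    munge_modelines < "$f" > "$tmp" && mv "$tmp" "$f"
}
```

The expression only rewrites modelines that carry a closing colon, which is the form the post targets; an editor that also accepts a modeline without the trailing colon needs its own pattern.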