[news.sysadmin] Trojan horse newsreader FIX

news@rosevax.Rosemount.COM (News administrator) (12/06/88)

Here is a fix for the newsreader trojan horse I posted last week.
Change your newsreader to do:

/full/path/vi '+set nomodeline' filename

...whenever it will invoke vi (or ex)

The '+set nomodeline' happens after the .exrc and EXINIT stuff,
and will prevent vi commands from executing.  However, a strange
side-effect seems to lock up vi iff:

1) modeline is normally on (default or in .exrc or EXINIT)
2) '+set nomodeline' overrides it, and
3) there are commands that would've been interpreted

An interrupt (^C or whatever) at this point will kick vi and go
into edit mode, without executing the commands.

This fix should go into any newsreaders that include text and enter vi.

I report 'em AND fix 'em.

------
Merlyn LeRoy
If you have the bug, you won't be able to (R)eply ex:q:

ado@elsie.UUCP (Arthur David Olson) (12/10/88)

> Here is a fix for the newsreader trojan horse I posted last week.
> Change your newsreader to do:
> 
> /full/path/vi '+set nomodeline' filename
> 
> ...whenever it will invoke vi (or ex)
> 
> The '+set nomodeline' happens after the .exrc and EXINIT stuff,
> and will prevent vi commands from executing.  However, a strange
> side-effect seems to lock up vi iff:

At least on our MORE/bsd 4.3 system, the order of operations in vi is to
	1)  do the commands in the environment variable EXINIT if EXINIT is
	    set and non-empty (it's "empty" if you've used a command such as
		EXINIT=""
	    to set the EXINIT environment variable);
	2)  do the commands in the file "~/.exrc" if EXINIT is not set
	    (or is empty), and if "~/.exrc" is present;
	3)  do the commands in ".exrc" if ".exrc" is present;
	4)  do the "modeline" commands in the file being edited (if the
	    editor "modeline" variable is set);
	5)  do the commands given by the "+..." command line argument.
So, at least on our system, the fix suggested above fails to cure the problem
since "modeline" is only turned off after the commands in the file being edited
have been performed.

On *any* system, handling things in the news reading software seems less
than best since it addresses the symptom rather than the underlying problem.
To do the latter, and to have "modeline" set when you run "vi":
	1)  take the "set modeline" command out of your "~.exrc" file; and
	2)  establish a "vi" alias along these lines (ksh form is given here):
		alias vi='EXINIT="so ~/.exrc|set modeline" vi'
This way, when you yourself explicitly run vi under the auspices of your shell,
"modeline" will be turned on; when a program starts vi for you, "modeline"
will be turned off* (since the program will be executing vi directly, rather
than using the alias).  And you can avoid putting vi-specific code in news
readers (and other software) that might not work for folks using other editors.
-- 
*Modulo a ".exrc" file in the current directory that sets "modeline".
-- 
Vi is a trademark of Patrick McGoohan.
-- 
	Arthur David Olson    ado@ncifcrf.gov    ADO is a trademark of Ampex.