brnstnd@kramden.acf.nyu.edu (Dan Bernstein) (09/21/90)
In article <1990Sep20.153105.28394@naitc.naitc.com> karl@bbs.naitc.com (Karl Denninger) writes:
> Without source code to "vi" there is NO WAY to prevent this. Believe me.

How fatalistic.

It's easy to prevent shell escapes from vi. All you have to do is make sure that the : and ! characters aren't accessible from command mode. This takes one command:

    % pty -0 tr \:\! \?\? | pty vi

Of course, you should have keyboard signal characters turned off. And you need to pick up a copy of pty, which hasn't yet been ported to System V. Under BSD, though, you don't need to do any coding work.

A more polite solution is to convert : into <esc>a:, and convert ! into <esc>a!. In any case you should provide macros to exercise a limited subset of the functions of : and !---to let the user :set nu or nonu, for example.

Can we stop discussing this problem now? It's solved.

---Dan
brad@looking.on.ca (Brad Templeton) (09/21/90)
Pretty drastic to forbid certain characters like :! in vi.

I once set up my system with a special subdirectory that had a mini root filesystem on it. I then created a login shell that chroot'd the users into that directory and started up their shell there.

They can play there all they want, and it is safe. As long as you keep permissions clean on the main subdirectories (i.e. don't leave /etc and /dev and its important files unprotected) you are fine. You link in the files and binaries you want to give them.

There are a few problems, of course:

a) Unless you have symlinks, you can't link in files that are on a different filesystem. In general, you either want to create this mini system on the root FS (so you can link in stuff from /bin and /usr) or you have to waste a lot of disk space copying those binaries.

b) Users can't change their passwords, unless you make some special program that looks at their fake password file and copies up passwords, which is risky.

c) Unless the news spool happens to be inside the protected subtree, as well as the news library, users can't read news. *but*, you can run NNTP on the machine, the server running in the real world and the client in the protected world.

Chroot plus symlinks would create the perfect secure mini-environment. You are fully protected unless the pesky users can figure out how to become root. Most tricks for doing this involve greek horses or fiddling with files used by suid programs. But this rarely works if all you have access to is the subdir.

--
Brad Templeton, ClariNet Communications Corp. -- Waterloo, Ontario 519/884-7473
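Added example, not part of the thread: a shell sketch of the mini-root setup described in the post above, hard-linking files into the protected tree with a copy fallback for the cross-filesystem case (problem a) and then auditing the tree for unclean permissions and set-uid files. The function names jail_add and jail_audit and the temporary paths are hypothetical.

```shell
#!/bin/sh
# Added example; jail_add and jail_audit are hypothetical names.

# jail_add JAIL FILE...: install each absolute FILE at the same path under JAIL.
jail_add() {
    jail=$1; shift
    for src in "$@"; do
        dest=$jail$src
        mkdir -p "$(dirname "$dest")" || return 1
        # A hard link costs no disk space but fails across filesystems;
        # fall back to a copy in that case.
        if ln "$src" "$dest" 2>/dev/null; then
            echo "linked $src"
        else
            cp -p "$src" "$dest" || return 1
            echo "copied $src"
        fi
    done
}

# jail_audit JAIL: print world-writable directories that lack the sticky bit
# and any set-uid/set-gid files; return 1 if anything is found.
jail_audit() {
    bad=$(find "$1" \( -type d -perm -0002 ! -perm -1000 \) -o \
                    \( -type f \( -perm -4000 -o -perm -2000 \) \))
    [ -z "$bad" ] && return 0
    printf '%s\n' "$bad"
    return 1
}

# Demo on a constructed tree under a temporary directory.
demo() {
    umask 022
    top=$(mktemp -d) || return 1
    mkdir -p "$top/real/bin" && echo 'tool' > "$top/real/bin/tool"
    jail_add "$top/jail" "$top/real/bin/tool"
    mkdir "$top/jail/scratch" && chmod 777 "$top/jail/scratch"
    jail_audit "$top/jail" || echo "fix the paths listed above"
    rm -rf "$top"
}
demo
```

A hard-linked file shares its inode with the original, so its own mode bits must already deny write access to the confined users.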
vtcqa@shamash.cdc.com (Jeff Comstock) (09/23/90)
In article <11285:Sep2022:15:2090@kramden.acf.nyu.edu> brnstnd@kramden.acf.nyu.edu (Dan Bernstein) writes:
>X-Original-Subject: Protecting against downloads
>
>In article <1990Sep20.153105.28394@naitc.naitc.com> karl@bbs.naitc.com (Karl Denninger) writes:
>> Without source code to "vi" there is NO WAY to prevent this. Believe me.
>
>How fatalistic.
>
>It's easy to prevent shell escapes from vi. All you have to do is make
>sure that the : and ! characters aren't accessible from command mode.

You gotta be kidding . What good is vi without : ? Might as well not even use it. It's like giving your son your car, but not letting him put gas in it. Whoop de doo.
brnstnd@kramden.acf.nyu.edu (Dan Bernstein) (09/24/90)
In article <26116@shamash.cdc.com> jrc%brainiac.uucp@shamash.cdc.com writes:
> You gotta be kidding . What good is vi without : ? Might as well not
> even use it. It's like giving your son your car, but not letting
> him put gas in it. Whoop de doo.

I said in another article that you should provide macros (not using the disabled characters) to give the user whatever functions he really needs. The only fundamental problem is that vi doesn't let you remap the colon---and pty tr \: \? | pty vi takes care of that.

A more appropriate answer might be: ``You gotta be kidding . What good is UNIX without sh ? Might as well not even use it. It's like giving your son your car, but not letting him put gas in it. Whoop de doo.''

---Dan
brnstnd@kramden.acf.nyu.edu (Dan Bernstein) (09/24/90)
In article <1990Sep24.040745.10454@chinet.chi.il.us> les@chinet.chi.il.us (Leslie Mikesell) writes:
> In article <27387:Sep2320:07:3890@kramden.acf.nyu.edu> brnstnd@kramden.acf.nyu.edu (Dan Bernstein) writes:
> > [ trash the colon with pty -0 tr \: \? | pty vi ]
> >I did mention that you have to set up appropriate macros as well, and
> >turn off keyboard interrupts. The only thing that you can't completely
> >control from within vi is the mapping of the colon---and my solution
> >handles that.
> Umm... Well, there's 'Q' to go to ex mode and stay there while you
> type sh, [ blah blah blah ]

Read my lips: ``The only thing that you can't completely control from within vi is the mapping of the colon---and my solution handles that.'' You can map Q. You can map @. You can even map !---I didn't realize this at first. You can map every single f-ing character the user can type. Except the colon.

> Leaves something to
> be desired as a form of security....

RTFABYFU.

---Dan