\"special\" shells a security hole?
neil at sunybcs.UUCP
neil at sunybcs.UUCP
Sun Feb 8 16:21:18 AEST 1987
In article <3037 at gitpyr.gatech.EDU> robert at gitpyr.UUCP (Robert Viduya) writes:
->Actually, you can "disable" shell escapes from more(1) or ex(1) or any
->other program that follows conventions by simply setting the SHELL
->environment variable to a null program before executing the program.
-> ......
->Watch out for programs that allow shell escapes but ignore SHELL, though.
->I don't know of any that do, but that doesn't mean they don't exists.
->They're anti-social anyway.
You also have to worry about the EDITOR envariable as well.
Restricting someones shell but allowing them to choose their editor is
just as dangerous as allowing them to run the shell of their choice.
I don't know, but perhaps some programs use the VISUAL envariable for
a visual editor as well.
Neil
Neil Smithline
csnet: neil at buffalo.CSNET
uucp: ..!{allegra,ames,decvax,watmath}!sunybcs!neil
bitnet: neil at sunybcs.BITNET
More information about the Comp.unix.wizards
mailing list