Operating System - HP-UX

Re: How can I restrict the use of the shell from vi

SOLVED
sebastien_7
Occasional Advisor

How can I restrict the use of the shell from vi

Hello all,

We have a security issue. We have allowed certain users to execute /usr/bin/vi through sudo, therefore they have the right to edit/modify any files on the system.

For security reasons we have to prevent the possibility to start a shell within vi. Is there any way to do that?

Or

How can I substitute /usr/bin/vi for certain users with /usr/bin/rvi (restricted vi), without the user noticing it and while still allowing the user to type "vi" to execute rvi?

cat /usr/bin/rvi:
#!/bin/sh
# save the caller's shell before blanking it, then blank SHELL, intended to
# leave vi's :sh and :! escapes with no shell to start
OLDSHELL=${SHELL}
export SHELL=
/bin/vi "$@"
# this restore only affects the script's own environment, not the caller's
SHELL=${OLDSHELL}
exit 0
#.end

Thanks
Torsten.
Acclaimed Contributor
Solution

Re: How can I restrict the use of the shell from vi

Please have a look at this:

http://forums1.itrc.hp.com/service/forums/questionanswer.do?threadId=951675

This will help!

T.

Hope this helps!
Regards
Torsten.

__________________________________________________
There are only 10 types of people in the world -
those who understand binary, and those who don't.

__________________________________________________
No support by private messages. Please ask the forum!

Raj D.
Honored Contributor

Re: How can I restrict the use of the shell from vi

Hi Sebastien ,

Though you have given vi permission through sudo, it still needs Unix permissions to open any file, even if it is through vi.

If the user does not have read permission, he cannot read the file from the vi window; it will give a "Permission denied" error.

So it depends on unix permissions too.

Cheers,
Raj.
" If u think u can , If u think u cannot , - You are always Right . "
Mel Burslan
Honored Contributor

Re: How can I restrict the use of the shell from vi

I don't think setting the SHELL variable to nothing will work as expected, but help is not too far: set the variable to /usr/bin/false and make sure this is listed as a valid shell in /etc/shells.

Then examine the search paths of the users, find all references to the vi executable and rename it to something obscure like MySecretFile, or anything your heart desires, preferably in a directory in nobody's direct search path, like /var/adm.

Then put your script above in the place of the original vi with execute-only permissions for everyone but not read, i.e. permissions should be 111. Although I must admit there might be some fallouts due to this permission mode.

The other way to implement this is:

in /etc/profile, which all users can and must read and cannot modify, at login time:

export EXINIT='set shell=/usr/bin/false'

this will prevent them from running a shell command out of vi.

If you are only concerned about the root user doing this, as you mentioned vi through sudo, you can put the same statement into root's .profile for the same effect.

or in root's home directory, you can create a file called .exrc or edit one if it exists and put this line in it:

shell=/usr/bin/false

hope one of these help.
________________________________
UNIX because I majored in cryptology...
Rodney Hills
Honored Contributor

Re: How can I restrict the use of the shell from vi

You could download "nvi" from the software porting and archive center.

http://hpux.cs.utah.edu/hppd/hpux/Editors/nvi-1.79/

You call "nvi -s" and it will not allow access to external programs while editing.

HTH

-- Rod Hills
There be dragons...
Micky_1
Advisor

Re: How can I restrict the use of the shell from vi

hi sebastien,

first: the oldshell/shell thing is not useful. When rvi exits, SHELL is set to the value it had before. In fact, SHELL is only changed in the context of rvi, but *NOT* in the context of the calling program (sudo in this case).

second: what kind of security is this? If a user can modify *ANY* file, the shell is the last thing you have to worry about. Imagine that someone edits /etc/passwd, /etc/shadow, /etc/profile, .... This will not grant him root privileges at once, but surely in the second step....

third: think about a script, that does the following:
1. let the user choose the file to edit from a list, that your script controls.
2. copy the file to /tmp or the users HOME, using sudo
3. change the owner of the file to the calling user, using sudo
4. let the user edit the file with his own permissions, not using sudo/root!
5. when the user exits vi, copy the file back to its original location using sudo and root permission
6. don't forget to do a backup of the file between steps 4 and 5
7. for security reasons, don't let the user edit scripts that will be executed in root context afterwards. For example, editing root's crontab lets the user execute a script in root context which deletes all your files. Changing /etc/profile gives the user a chance to delete all your files if root logs in... etc....

last: think about using ACLs
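
A wrapper script implementing the copy/edit/copy-back procedure from this reply, added here as an example (it is not code from the original thread). The allowlist contents, the SUDO and EDITOR_CMD variables and the backup naming are assumptions of the example, and the EXINIT setting from Mel's reply is folded in as defence in depth:

```sh
#!/bin/sh
# Assumptions (not from the original post): ALLOWED_FILES is a constructed
# allowlist, SUDO and EDITOR_CMD exist so the example can run without root
# and without an interactive editor, and backups are named TARGET.bak.TIMESTAMP.
ALLOWED_FILES="${ALLOWED_FILES:-/etc/motd
/etc/issue}"
SUDO="${SUDO-sudo}"               # set SUDO="" to run the example unprivileged
EDITOR_CMD="${EDITOR_CMD:-vi}"

# is_allowed FILE -> exit 0 only if FILE is exactly one allowlisted path.
# Exact, fixed-string, whole-line match: no wildcards, no prefix tricks.
is_allowed() {
    printf '%s\n' "$ALLOWED_FILES" | grep -qxF -e "$1"
}

# edit_as_user FILE: step 1 (allowlist check), steps 2-3 (copy the file out and
# hand the copy to the caller), step 4 (edit without root), step 6 (backup),
# step 5 (copy back with root permission).
edit_as_user() {
    target=$1
    is_allowed "$target" || { echo "refused: $target is not in the allowlist" >&2; return 1; }
    work=$(mktemp -d "${TMPDIR:-/tmp}/edit.XXXXXX") || return 1
    copy="$work/$(basename "$target")"
    $SUDO cp "$target" "$copy" || { rm -rf "$work"; return 1; }
    $SUDO chown "$(id -u)" "$copy" || { rm -rf "$work"; return 1; }
    # The editor runs with the caller's own privileges, so a shell escape here
    # gains nothing. EXINIT is only a belt-and-braces setting: a user can undo it
    # with :set inside vi, so never rely on it alone.
    EXINIT='set shell=/usr/bin/false' "$EDITOR_CMD" "$copy" || { rm -rf "$work"; return 1; }
    $SUDO cp -p "$target" "$target.bak.$(date +%Y%m%d%H%M%S)" || { rm -rf "$work"; return 1; }
    $SUDO cp "$copy" "$target" || { rm -rf "$work"; return 1; }
    rm -rf "$work"
}
```

sudo's own sudoedit (sudo -e) implements this same copy-out, edit-as-user, copy-back flow, so on a system with a sudoers entry for it the wrapper is unnecessary.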

sebastien_7
Occasional Advisor

Re: How can I restrict the use of the shell from vi

Micky: to your second point: I know it is a serious breach in security, and believe me, we're still investigating if we paid a price! It has left us in a difficult position. The sad thing is, I should have seen that one coming!

So far I have looked at many different suggestions from you all, and thanks a lot for them.

We have decided to prevent the use of /usr/bin/vi as well as /usr/bin/more, which has the same security risk when executed with sudo.

i.e.: while in more, do bang sh (!sh); this will give you a prompt as well.

Our new approach will be to grant modification to specific files or groups of files at a time.

i.e.:
Cmnd_Alias VI = /usr/bin/vi /oracle/bla/bla.conf

Any other suggestions would be appreciated.

Best regards
TwoProc
Honored Contributor

Re: How can I restrict the use of the shell from vi

I know this may sound like a lot of work (because it might be, but it might not), but you could download the source code version of "vim" from the HPUX Porting archive and edit the code to disallow the shell escapes. Just a thought, if it gets to more desperate measures.
We are the people our parents warned us about --Jimmy Buffett