Re: .exrc file security risks

From: Benjamin A. Okopnik (ben_at_callahans.org)
Date: 05/01/03

  • Next message: Darren J Moffat: "Re: .exrc file security risks"
    Date: Thu, 1 May 2003 11:58:53 -0400
    To: focus-sun@securityfocus.com
    
    

    On Wed, Apr 30, 2003 at 08:09:49AM -0400, Reg Quinton wrote:
    > > external commands. So you have the situation where if a .exrc file is
    > > compromised, a key could be mapped to perform any command as the user
    > > running vi...
    >
    > By the same token. If .login, .cshrc, .profile, etc. are compromised then
    > you have similar issues -- you've lost control of your environment.
    >
    > Does anyone recommend one not use these files?

    There's a cautionary note in the Vim help files that has to do with
    ".exrc" files in directories other than $HOME; those get read as default
    behavior unless "secure" is set in EXINIT or "~/.exrc" (note that this
    is standard for "vim"; I _believe_ it's also standard for "vi" but have
    no way to test at the moment.) A user opening up an untrusted tarball is
    all it would take.

    Ben Okopnik
    -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
    Linux: The OS people choose without $200,000,000 of persuasion.
     -- Mike Coleman
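
Added example, not part of the original message: a check for the scenario raised above, listing editor startup files inside a tarball before it is unpacked and opened in vi. The names `audit_tarball`, `RC_NAMES` and `RISKY`, the line heuristic, and the sample archive are all constructed for this illustration.

```python
import io
import re
import tarfile

# Startup files that vi/ex or Vim may read from the working directory.
RC_NAMES = {".exrc", ".nexrc", ".vimrc", ".gvimrc"}

# Heuristic (an assumption of this example): ex commands that bind keys,
# run on events, pull in other files, or shell out with "!".
RISKY = re.compile(r"^\s*:?\s*(map!?|autocmd|au|source|so)\b|!")

def audit_tarball(data: bytes):
    """Return {member_name: [suspicious lines]} for editor rc files found
    anywhere in the archive, read in memory without extracting to disk."""
    findings = {}
    with tarfile.open(fileobj=io.BytesIO(data), mode="r:*") as tar:
        for member in tar:
            base = member.name.rstrip("/").rsplit("/", 1)[-1]
            if base not in RC_NAMES:
                continue
            if not member.isfile():
                # A link or device named like an rc file is worth a look too.
                findings[member.name] = ["<not a regular file>"]
                continue
            text = tar.extractfile(member).read().decode("latin-1")
            hits = [ln.strip() for ln in text.splitlines()
                    if ln.strip() and not ln.lstrip().startswith('"')
                    and RISKY.search(ln)]
            findings[member.name] = hits
    return findings

def _sample_tarball() -> bytes:
    """Constructed sample: a source tree with a .exrc in a subdirectory."""
    files = {
        "proj-1.0/README": b"build instructions\n",
        "proj-1.0/src/.exrc": b'" local settings\nset ts=4\nmap q :!echo demo\n',
    }
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tar:
        for name, body in files.items():
            info = tarfile.TarInfo(name)
            info.size = len(body)
            tar.addfile(info, io.BytesIO(body))
    return buf.getvalue()

if __name__ == "__main__":
    for name, lines in audit_tarball(_sample_tarball()).items():
        print(name, lines)
```

Any rc file the function reports, even with an empty list of flagged lines, deserves a read before an editor is started in that directory.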

