Re: .exrc file security risks

From: Darren J Moffat (Darren.Moffat_at_Sun.COM)
Date: 05/01/03

  • Next message: Benjamin A. Okopnik: "Re: .exrc file security risks"
    Date: Thu, 1 May 2003 10:46:59 -0700 (PDT)
    To: "Benjamin A. Okopnik" <ben@callahans.org>
    
    

    On Tue, 29 Apr 2003, Benjamin A. Okopnik wrote:

    > tar xvzf evil.tgz
    > fun_game/foo
    > fun_game/bar # This is a fun game - really!
    > fun_game/gzot
    > html/.exrc # WHOOPS...
    >
    > Now, whenever Joe runs "vi" in the "html" subdirectory, he will be
    > sourcing all the macros, etc. specified in "html/.exrc". I won't show
    > any specific examples, but macros in "vi" can execute shell commands -
    > and any keystroke can be tied to a macro.
    >
    > The autoloading of the per-directory .exrc files (and shell escape/write
    > commands in them) can be disabled by invoking the "secure" command in
    > "/etc/exrc". However, it can be cancelled with a "nosecure" line in a
    > user's "~/.exrc" or even per-invocation:

    There is no such option in in /usr/bin/vi on Solaris, and no support for
    such a file.

    The way to "lock this down" for the root user is to create a ~root/.exrc
    file with the line "set noexrc" in it. Also remember to do /bin/su -
    rather than just /bin/su (so that $EXINIT isn't passed alone).

    -- 
    Darren J Moffat
    

  • Next message: Benjamin A. Okopnik: "Re: .exrc file security risks"