Re: .exrc file security risks
From: Darren J Moffat (Darren.Moffat_at_Sun.COM)
Date: Thu, 1 May 2003 10:46:59 -0700 (PDT)
To: "Benjamin A. Okopnik" <firstname.lastname@example.org>
On Tue, 29 Apr 2003, Benjamin A. Okopnik wrote:
> tar xvzf evil.tgz
> fun_game/bar # This is a fun game - really!
> html/.exrc # WHOOPS...
> Now, whenever Joe runs "vi" in the "html" subdirectory, he will be
> sourcing all the macros, etc. specified in "html/.exrc". I won't show
> any specific examples, but macros in "vi" can execute shell commands -
> and any keystroke can be tied to a macro.
> The autoloading of the per-directory .exrc files (and shell escape/write
> commands in them) can be disabled by invoking the "secure" command in
> "/etc/exrc". However, it can be cancelled with a "nosecure" line in a
> user's "~/.exrc" or even per-invocation:
There is no such option in /usr/bin/vi on Solaris, and no support for
such a file.
The way to "lock this down" for the root user is to create a ~root/.exrc
file with the line "set noexrc" in it. Also remember to do /bin/su -
rather than just /bin/su (so that $EXINIT isn't passed along).
-- Darren J Moffat
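The following is an added example, not part of the thread above and not code from either poster. It is a small defender-side audit in POSIX sh: it lists per-directory .exrc files under a tree (the kind an unpacked archive could have left behind, as in the quoted tar listing) and checks whether a given ~/.exrc carries the "set noexrc" line Darren recommends. The directory layout it builds (fun_game/bar, html/.exrc, a root/.exrc) is a constructed sample that reuses the names from the quoted listing; the .exrc contents are made up for the demonstration.

```shell
#!/bin/sh
# Added example (not from the original post): audit a directory tree for
# per-directory .exrc files that classic vi would source automatically, and
# check whether a given ~/.exrc disables that behaviour with "set noexrc".

# find_exrc_files DIR
#   Print the path of every regular file named .exrc under DIR, sorted.
find_exrc_files() {
    find "$1" -type f -name .exrc 2>/dev/null | sort
}

# count_exrc_files DIR
#   Number of .exrc files under DIR (whitespace stripped for portability).
count_exrc_files() {
    find_exrc_files "$1" | wc -l | tr -d ' '
}

# exrc_disables_autoload FILE
#   Succeed (exit 0) if FILE contains an uncommented "set noexrc" line,
#   the mitigation described in the reply above; fail (exit 1) otherwise.
exrc_disables_autoload() {
    grep -Eq '^[[:space:]]*set[[:space:]]+noexrc([[:space:]]|$)' "$1"
}

# Constructed demo tree (assumption: a writable temp directory is available).
demo_dir=$(mktemp -d)
trap 'rm -rf "$demo_dir"' EXIT
mkdir -p "$demo_dir/home/fun_game" "$demo_dir/home/html" "$demo_dir/root"
echo "fun game" > "$demo_dir/home/fun_game/bar"
# Sample per-directory .exrc, as an archive might drop it (contents constructed).
printf 'map q :wq\n' > "$demo_dir/home/html/.exrc"
# Sample ~root/.exrc with the recommended lock-down line.
printf 'set noexrc\n' > "$demo_dir/root/.exrc"

# Report: stray .exrc files under the user's tree ...
echo "Per-directory .exrc files under $demo_dir/home:"
find_exrc_files "$demo_dir/home"
echo "Count: $(count_exrc_files "$demo_dir/home")"

# ... and whether the root profile disables autoloading.
if exrc_disables_autoload "$demo_dir/root/.exrc"; then
    echo "$demo_dir/root/.exrc: set noexrc present (autoload disabled)"
else
    echo "$demo_dir/root/.exrc: WARNING, no 'set noexrc' line"
fi
```

Run it as an ordinary user; to audit a real home directory, call `find_exrc_files "$HOME"` and `exrc_disables_autoload "$HOME/.exrc"` from a shell that has sourced the script. The grep pattern deliberately ignores lines where "set noexrc" is commented out or embedded in another word.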