Re: LYNX-DEV Securing lynx 2.6 for use as a shell
From: Drazen Kacar
Subject: Re: LYNX-DEV Securing lynx 2.6 for use as a shell
Date: Thu, 21 Nov 1996 23:07:28 +0100 (MET)

Sean Harp wrote:
> Can you point me to a document that describes how to secure lynx so that
> users absolutely CANNOT run /bin/sh from within lynx? We've secured our
> lynx 2.6 copy as best as we know how, but users are still able to fork a
> shell from within lynx and then arbitrarily telnet anywhere they want
> to. We've disabled the editor, jump, "!", and every other option that
> we feel could possibly let a user get out of lynx, but it still doesn't
> work.
>
> Now, this may be a stupid question and it could be possible that lynx
> simply cannot be secured.

I didn't look at the sources, but Lynx should fork off the program whose
name is in the SHELL environment variable (on Unix, at least).
If it doesn't do this, it's a bug. If it does, you can put there whatever
you want.

If the SHELL variable does not exist, it should then look up the passwd file
for a shell.

--
Life is a sexually transmitted disease.
address@hidden