Re: LYNX-DEV securing Lynx for boxed-in environments.


From: Foteos Macrides
Subject: Re: LYNX-DEV securing Lynx for boxed-in environments.
Date: Mon, 15 Sep 1997 19:28:16 -0500 (EST)

William Yang <address@hidden> wrote:
>Foteos Macrides wrote something like:
>
>>      I'm not sure I follow all the jargon in this thread, but
>> it sounds as though you want to allow certain programs/scripts
>> in captive/no-shell accounts via Lynx.  The intent in such cases
>> is to build it with EXEC_LINKS defined, but set TRUSTED_EXEC to
>> "none", and leave ALWAYS_TRUSTED_EXEC set to "none", so that
>> lynxexec and lynxprog URLs are permitted only in jumps files,
>> which you control via the global lynx.cfg.  The jump shortcuts
>> can have the security-related switches for those programs/scripts
>> set, and only programs/scripts you consider safe, or have made
>> safe via forced inclusion of switches, can be invoked.  Read the
>> extensive comments about this in lynx.cfg.
>
>If I'm understanding what you're recommending, your recommended
>solution will not allow me to set up an arrow-key-navigable menu which
>will directly invoke a mail client (or any other program).  
>
>That means that, for the end-user, the transition between the "menu
>system" (Lynx) and the various other client programs that might be
>used (PINE, telnet, what have you) will be visible and obvious (which
>is somewhat problematic).

        I'm recommending that you read and understand the "self
documentation" (comments) in userdefs.h and lynx.cfg, before going
much further on setting up a secure freenet.

        The jumps file scheme initially was developed by David Trueman
for the Chebucto freenet.  You can set up a number of jumps files,
mapped to different keystroke commands (beyond the 'j' default), which
allow you to access menus of shortcut names and definitions/links.
Once the user knows the shortcut names (e.g., "pine", if you've included
that as a shortcut name, for a lynxprog URL with appropriate switches
included) the user can simply enter that name, rather than navigating
via arrow and other navigation keys through the menu, or navigating
tediously through a local file system to arbitrary files with lynxprog
and/or lynxexec URLs.

>I'm not only after setting switches and flags on programs.  I'm after
>being sure that only those programs which are EXPLICITLY and
>CONSCIOUSLY specified can be run (which would include the programs
>which are run in unexpected places from Lynx, such as /bin/mv being
>part of the bookmark deletion process).  This dramatically reduces the
>risk of administrator error/laziness from threatening system security.

        If you want switches in your MV_PATH and/or other foo_PATH
definitions, add them in userdefs.h (or lynx_cfg.h for the devel code)
before actually compiling lynx.

                                Fote

=========================================================================
 Foteos Macrides            Worcester Foundation for Biomedical Research
 address@hidden         222 Maple Avenue, Shrewsbury, MA 01545
=========================================================================
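
An added example, not part of the original message or of Lynx itself: a small audit that checks a lynx.cfg for the TRUSTED_EXEC settings discussed above and compares every lynxexec/lynxprog shortcut in a jumps file against an explicit allowlist. It assumes lynx.cfg's KEY:value line syntax and a jumps file written as HTML anchors; the sample config, paths, switch name and allowlist are constructed.

```python
import re
import shlex

# Constructed sample inputs; paths and the switch name are placeholders.
SAMPLE_CFG = """\
TRUSTED_EXEC:none
ALWAYS_TRUSTED_EXEC:none
JUMPFILE:/usr/local/lib/lynx/jumps.html
"""
SAMPLE_JUMPS = """\
<dl>
<dt>pine<dd><a href="lynxprog:/usr/local/bin/pine --placeholder-switch">Mail</a>
<dt>sh<dd><a href="lynxexec:/bin/sh">Shell</a>
<dt>help<dd><a href="http://localhost/help.html">Help</a>
</dl>
"""
# Hypothetical allowlist: program path -> switches every shortcut must force.
ALLOWED = {"/usr/local/bin/pine": {"--placeholder-switch"}}
HREF = re.compile(r'href\s*=\s*"(lynxexec|lynxprog):([^"]*)"', re.I)

def cfg_values(cfg_text, key):
    # Collect every value set for `key`, skipping comments and blank lines.
    vals = []
    for line in cfg_text.splitlines():
        line = line.strip()
        if line and not line.startswith("#") and ":" in line:
            k, v = line.split(":", 1)
            if k.strip().upper() == key:
                vals.append(v.strip())
    return vals

def audit_cfg(cfg_text):
    # Any TRUSTED_EXEC/ALWAYS_TRUSTED_EXEC value other than "none" widens exec.
    return [f"{key} trusts {v!r}; expected 'none'"
            for key in ("TRUSTED_EXEC", "ALWAYS_TRUSTED_EXEC")
            for v in cfg_values(cfg_text, key) if v.lower() != "none"]

def audit_jumps(jumps_html, allowed):
    # Flag exec shortcuts whose program or forced switches are not approved.
    findings = []
    for scheme, cmd in HREF.findall(jumps_html):
        argv = shlex.split(cmd)
        prog, args = (argv[0], set(argv[1:])) if argv else ("", set())
        if prog not in allowed:
            findings.append(f"{scheme.lower()}: {prog or '(empty)'} not on allowlist")
        elif not allowed[prog] <= args:
            findings.append(f"{scheme.lower()}: {prog} missing {sorted(allowed[prog] - args)}")
    return findings
```

Run against the real lynx.cfg and each file named by a JUMPFILE entry; an empty result from both functions means every exec shortcut matches the allowlist.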