next message in archive
no next message in thread
previous message in archive
previous message in thread
Index of Subjects
Index of Subjects
A fix for lynx as distributed with the last few versions of csuite
follows immediately. Some other ocmments follow later in this message.
The following patch should be applied to
.../csuite/src/bin/lynx/src/LYGetfile.c
Having done that, in .../csuite/src/bin/lynx do "make sun4" or "make linux"
to build a fresh lynx and then "install -c lynx .../csuite/bin"
*** 1.1 1996/12/15 20:41:51
--- LYGetFile.c 1996/12/15 20:45:54
***************
*** 683,688 ****
--- 683,690 ----
} else {
tp = trusted_cgi;
}
+ if (LYstrstr(link, "../") != NULL)
+ return FALSE;
#ifndef VMS
/* security: reject on strange character */
for (cp = link; *cp != '\0'; cp++) {
On Sun, 15 Dec 1996, Neale Partington wrote:
> Yes, that is the same command I used to get into the shell. My original
> thought was that he didn't actually get into the shell but just used to
> same lynxexec commands to activate talk and other unix calls, but now
> with that link in his pages we are now sure he has been going into the shell.
>
> > In addition to making the restriction tha Michael suggests we should 1)
> > review our policies and 2) talk with this user. If the discussion with the
> > user develops well, then perhaps the interest, energy and knowledge of
> > this person could be channeled into more constructive avenues, Bob
>
> I'm sure speaking to this individual should be done soon. I do believe
> he is breaking a policy as it is, but I don't which one specifically as I
> don't have the policies on file.
I stongly advocate trying to get individuals like this on your side.
They can prove to be very useful -- I speak from experience.
> Another suggestion for now could be to not let csuite users see beyond
> their home directories. What I mean is when you go files, the first
> highlight is a ../ link on your page. Get the lynxdired to not have that
> link at all unless they are withing a subdirectory in their own
> directories. SFN used to have a ../, and one can then go back and view
> all the directories a system has, yesterday I went to my files and
> noticed that they no longer have a ../ (back directory) in my home files
> directory.
>
> Now, this won't be of much help to unix pros since they are pretty much
> aware of the dir structure (ie. /usr/bin). But for someone who doesn't
> know, not letting them know the directory structures of our system is a
> great help - afterall I did have to consult my unix shell account for
> some help when I tried "breaking the system".
I have modified an up-to-date lynx to not allow browsing on any directory
that is not writeable by the user. This preserves their ability to
browse their own files and IP areas for which they are responsible. They
can also browse /var/tmp, /tmp and on some systems, /var/spool/mail but I am
working on ensuring that no private files in those directories are readable
by others.
They can also still read /etc/passwd, but no one should be running Unix
without shadow passwords so that is a minor problem.
It is certainly possible to turn off much more access, but I have been
reluctant to do this since several of our good volunteers have learned by
looking around the system and have subsequently become interested in
helping out.
David Trueman,
Systems Manager, Dalhousie Math, Stats and Computing Science
Technical Chair, Chebucto Community Net
next message in archive
no next message in thread
previous message in archive
previous message in thread
Index of Subjects