vi secure
Frank Shute
frank at shute.org.uk
Thu May 22 14:39:18 UTC 2008
On Thu, May 22, 2008 at 07:26:20AM -0700, William O. Yates wrote:
>
> On 21/May/2008 19:26 Frank Shute wrote ..
> > On Wed, May 21, 2008 at 01:51:03PM -0700, William O. Yates wrote:
> > >
> > > [sent the below message thru the freebsd-security list with no
> > > answers, hope for more from freebsd-questions]
> > >
> > > Recently started using vi macros.
> >
> > Show us the macro.
> >
> > >
> > > When attempting to use one which accessed the external shell, got
> > > the following message:
> > >
> > > "The ! command is not supported when the secure edit option is set."
> >
> > What does:
> >
> > :set
> >
> > show you?
> >
> > External commands work for me. Sure your vi isn't aliased? When
> > doesn't it work? As root or ordinary user or both?
> >
> > What's your secure level?:
> >
> > $ sysctl -a | grep secure
> >
> > What does:
> >
> > $ whereis vi
> >
> > give you?
> >
> > and:
> >
> > $ uname -a
> >
> > >
> > > When attempting to ":set nosecure" got:
> > >
> > > "set: the secure option may not be turned off."
> > >
> > > When attempting to "set nosecure" in my .exrc file, got:
> > >
> > > set nonumber .exrc, 44: set: the secure option may not be turned off
> > > .exrc, 44: Ex command failed: pending commands discarded
> > >
> > > Looking through all the man pages, vi references, tutorials, and the
> > > O'Reilly vi "bible", can't find anything...
> > >
> > > Is "set secure" a compiled in setting?
> >
> > No.
> >
> > >
> > > From FreeBSD vi man page:
> > >
> > > -S      Run with the secure edit option set, disallowing all
> > >         access to external programs.
> > >
> > > and
> > >
> > > secure [off]
> > >         Turns off all access to external programs.
> > >
> > > ..william.o.yates...hackware.at.tru2life.net...tru2life.info...
> >
> > --
> >
> > Frank
> >
> >
> > Contact info: http://www.shute.org.uk/misc/contact.html
> ..william.o.yates...hackware.at.tru2life.net...tru2life.info...
>
> I usually run as root when updating systems (toor actually)...
>
> But symptoms are same for root and user level in vi, FreeBSD-[5.4,6.1,6.2,6.3].
>
> NO nfs mounts, aliases, or any other funny stuff I can think of.
>
> Virgin vi setup from FreeBSD install.
>
> "inside_vi :!" --> (ANY ! command, not just macro)
> The ! command is not supported when the secure edit option is set.
>
> "inside_vi :set all" --> (same as 4 other FreeBSD machines...)
> +=+=+=+=+=+=+=+
> noaltwerase noextended matchtime=7 report=5 term="xterm"
> autoindent filec="" nomesg ruler noterse
> autoprint flash nomodeline scroll=27 notildeop
> noautowrite nogtagsmode noprint="" nosearchincr timeout
> backup="" hardtabs=0 nonumber secure nottywerase
> nobeautify noiclower nooctal shiftwidth=8 noverbose
> cdpath=":" ignorecase open noshowmatch warn
> cedit="" keytime=6 optimize showmode window=29
> columns=80 noleftright path="" sidescroll=16 nowindowname
> nocomment lines=30 print="" noslowopen wraplen=0
> noedcompatible nolisp prompt nosourceany wrapmargin=0
> escapetime=6 nolist noreadonly tabstop=8 wrapscan
> noerrorbells lock noredraw taglength=0 nowriteany
> noexrc magic remap tags="tags"
> directory="/tmp/"
> msgcat="/usr/share/vi/catalog/"
> paragraphs="IPLPPPQPP LIpplpipbp"
> recdir="/var/tmp/vi.recover"
> sections="NHSHH HUnhsh"
> shell="/bin/sh"
> shellmeta="~{[*?$`'"^V"
> Press any key to continue [: to enter more ex commands]:
>
> "inside_vi :set nosecure" -->
> set: the secure option may not be turned off.
>
> ns1:/usr/local/www/info/docs> uname -a
> FreeBSD ns1.tru2life.net 6.2-RELEASE FreeBSD 6.2-RELEASE #0: Fri Jan 12 10:40:27 UTC 2007 root at dessler.cse.buffalo.edu:/usr/obj/usr/src/sys/GENERIC i386
>
> ns1:/usr/local/www/info/docs> sysctl -a | grep secure
> kern.securelevel: -1
> net.inet.tcp.insecure_rst: 0
>
> ns1:/usr/local/www/info/docs> whereis vi
> vi: /usr/bin/vi /usr/share/man/man1/vi.1.gz /usr/ports/editors/openoffice.org-2/work/OOE680_m6/helpcontent2/source/auxiliary/vi
>
> toor at lazy:/.../...> uname -a
> FreeBSD lazy.tru2life.net 5.4-RELEASE FreeBSD 5.4-RELEASE #0: Sun May 8 10:21:06 UTC 2005 root at harlow.cse.buffalo.edu:/usr/obj/usr/src/sys/GENERIC i386
>
> toor at lazy:/.../...> sysctl -a | grep secure
> kern.securelevel: -1
> net.inet.tcp.insecure_rst: 0
>
> ns3:/usr/home/master> uname -a
> FreeBSD ns3.tru2life.net 6.1-RELEASE FreeBSD 6.1-RELEASE #0: Sun May 7 04:32:43 UTC 2006 root at opus.cse.buffalo.edu:/usr/obj/usr/src/sys/GENERIC i386
>
> ns3:/home/master> sysctl -a | grep secure
> kern.securelevel: -1
> net.inet.tcp.insecure_rst: 0

I guess you've looked at the obvious: ~/.exrc & ~/.nexrc although :set
all does say noexrc.

Have you checked:

$ file /usr/bin/vi

& compared output with uname?

Compared /usr/bin/nvi with /usr/bin/vi? They should be the same.

E.g:

$ ls -l /usr/bin/vi
-r-xr-xr-x 6 root wheel 309336 Apr 28 14:15 /usr/bin/vi
$ ls -l /usr/bin/nvi
-r-xr-xr-x 6 root wheel 309336 Apr 28 14:15 /usr/bin/nvi

Failing that, I'm mystified :(

--
Frank
Contact info: http://www.shute.org.uk/misc/contact.html
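
Added example, not part of the message above: the two checks suggested in the reply (startup files that switch on "secure", and whether vi and nvi are the same file) written as a small sh script. The function names find_secure_sources and same_inode are hypothetical, and the demo files are constructed.

```shell
#!/bin/sh
# Added example: look for the places the thread says "secure" could come from.
# Paths are passed as arguments, e.g.
#   find_secure_sources ~/.exrc ~/.nexrc
#   same_inode /usr/bin/vi /usr/bin/nvi

# Print "file:line:text" for each startup-file line that turns secure on.
# "set nosecure" and lines commented out with a leading '"' do not match.
find_secure_sources() {
    for f in "$@"; do
        [ -r "$f" ] || continue
        # /dev/null as a second file makes grep prefix the file name.
        grep -nE '^[[:space:]]*:?set?[[:space:]]+([^"]*[[:space:]])?secure([[:space:]]|$)' \
            "$f" /dev/null || true
    done
    return 0
}

# Succeed when both paths have the same inode number, i.e. are hard links
# to one file (assumes both live on the same filesystem).
same_inode() {
    a=$(ls -di "$1" 2>/dev/null | awk '{print $1}')
    b=$(ls -di "$2" 2>/dev/null | awk '{print $1}')
    [ -n "$a" ] && [ "$a" = "$b" ]
}

# Constructed demo data (not taken from the thread).
demo() {
    d=$(mktemp -d) || return 1
    printf 'set nonumber\n" set secure (comment)\nset ai secure\n' > "$d/.exrc"
    printf 'set nosecure\n' > "$d/.nexrc"
    : > "$d/vi"
    ln "$d/vi" "$d/nvi"      # hard link, like the vi/nvi pair in the listing
    cp "$d/vi" "$d/copy"     # separate file with identical content
    find_secure_sources "$d/.exrc" "$d/.nexrc" "$d/missing"
    same_inode "$d/vi" "$d/nvi" && echo "vi and nvi: same file"
    same_inode "$d/vi" "$d/copy" || echo "vi and copy: different files"
    rm -rf "$d"
}
demo
```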