vi secure

Christian Zachariasen chrizach at gmail.com
Thu May 22 14:49:10 UTC 2008 

On Thu, May 22, 2008 at 4:39 PM, Frank Shute <frank at shute.org.uk> wrote:

> On Thu, May 22, 2008 at 07:26:20AM -0700, William O. Yates wrote:
> >
> > On 21/May/2008 19:26 Frank Shute wrote ..
> > > On Wed, May 21, 2008 at 01:51:03PM -0700, William O. Yates wrote:
> > > >
> > > > [sent the below message thru the freebsd-security list with no
> > > > answers, hope for more from freebsd-questions]
> > > >
> > > > Recently started using vi macros.
> > >
> > > Show us the macro.
> > >
> > > >
> > > > When attempting to use one which accessed the external shell, got
> > > > the following message:
> > > >
> > > > "The ! command is not supported when the secure edit option is set."
> > >
> > > What does:
> > >
> > > :set
> > >
> > > show you?
> > >
> > > External commands work for me. Sure your vi isn't aliased? When
> > > doesn't it work? As root or ordinary user or both?
> > >
> > > What's your secure level?:
> > >
> > > $ sysctl -a | grep secure
> > >
> > > What does:
> > >
> > > $ whereis vi
> > >
> > > give you?
> > >
> > > and:
> > >
> > > $ uname -a
> > >
> > > >
> > > > When attempting to ":set nosecure" got:
> > > >
> > > > "set: the secure option may not be turned off."
> > > >
> > > > When attempting to "set nosecure" in my .exrc file, got:
> > > >
> > > > set nonumber .exrc, 44: set: the secure option may not be turned off
> > > > .exrc, 44: Ex command failed: pending commands discarded
> > > >
> > > > Looking through all the man pages, vi references, tutorials, and the
> > > > the oreilly vi "bible", can't find anything...
> > > >
> > > > Is "set secure" a compiled in setting?
> > >
> > > No.
> > >
> > > >
> > > > >From FreeBSD vi man page:
> > > >
> > > >        -S     Run  with  the secure edit option set, disallowing all
> > > >        access to external programs.  and secure [off] Turns off all
> > > >        access to external programs.
> > > >
> > > > ..william.o.yates...hackware.at.tru2life.net...tru2life.info...
> > >
> > > --
> > >
> > >  Frank
> > >
> > >
> > >  Contact info: http://www.shute.org.uk/misc/contact.html
> > ..william.o.yates...hackware.at.tru2life.net...tru2life.info...
> >
> > I usually run as root when updating systems (toor actually)...
> >
> > But symptoms are same for root and user level in vi,
> FreeBSD-[5.4,6.1,6.2,6.3].
> >
> > NO nfs mounts, aliases, or any other funny stuff I can think of.
> >
> > Virgin vi setup from FreeBSD install.
> >
> > "inside_vi :!" --> (ANY ! command, not just macro)
> > The ! command is not supported when the secure edit option is set.
> >
> > "inside_vi :set all" --> (same as 4 other FreeBSD machines...)
> > +=+=+=+=+=+=+=+
> > noaltwerase     noextended      matchtime=7     report=5
>  term="xterm"
> > autoindent      filec=""        nomesg          ruler           noterse
> > autoprint       flash           nomodeline      scroll=27       notildeop
> > noautowrite     nogtagsmode     noprint=""      nosearchincr    timeout
> > backup=""       hardtabs=0      nonumber        secure
>  nottywerase
> > nobeautify      noiclower       nooctal         shiftwidth=8    noverbose
> > cdpath=":"      ignorecase      open            noshowmatch     warn
> > cedit=""        keytime=6       optimize        showmode        window=29
> > columns=80      noleftright     path=""         sidescroll=16
> nowindowname
> > nocomment       lines=30        print=""        noslowopen      wraplen=0
> > noedcompatible  nolisp          prompt          nosourceany
> wrapmargin=0
> > escapetime=6    nolist          noreadonly      tabstop=8       wrapscan
> > noerrorbells    lock            noredraw        taglength=0
> nowriteany
> > noexrc          magic           remap           tags="tags"
> > directory="/tmp/"
> > msgcat="/usr/share/vi/catalog/"
> > paragraphs="IPLPPPQPP LIpplpipbp"
> > recdir="/var/tmp/vi.recover"
> > sections="NHSHH HUnhsh"
> > shell="/bin/sh"
> > shellmeta="~{[*?$`'"^V"
> > Press any key to continue [: to enter more ex commands]:
> >
> > "inside_vi :set nosecure" -->
> > set: the secure option may not be turned off.
> >
> > ns1:/usr/local/www/info/docs> uname -a
> > FreeBSD ns1.tru2life.net 6.2-RELEASE FreeBSD 6.2-RELEASE #0: Fri Jan 12
> 10:40:27 UTC 2007     root at dessler.cse.buffalo.edu:/usr/obj/usr/src/sys/GENERIC
>  i386
> >
> > ns1:/usr/local/www/info/docs> sysctl -a | grep secure
> > kern.securelevel: -1
> > net.inet.tcp.insecure_rst: 0
> >
> > ns1:/usr/local/www/info/docs> whereis vi
> > vi: /usr/bin/vi /usr/share/man/man1/vi.1.gz
> /usr/ports/editors/openoffice.org-2/work/OOE680_m6/helpcontent2/source/auxiliary/vi
> >
> > toor at lazy:/.../...> uname -a
> > FreeBSD lazy.tru2life.net 5.4-RELEASE FreeBSD 5.4-RELEASE #0: Sun May  8
> 10:21:06 UTC 2005     root at harlow.cse.buffalo.edu:/usr/obj/usr/src/sys/GENERIC
>  i386
> >
> > toor at lazy:/.../...> sysctl -a | grep secure
> > kern.securelevel: -1
> > net.inet.tcp.insecure_rst: 0
> >
> > ns3:/usr/home/master> uname -a
> > FreeBSD ns3.tru2life.net 6.1-RELEASE FreeBSD 6.1-RELEASE #0: Sun May  7
> 04:32:43 UTC 2006     root at opus.cse.buffalo.edu:/usr/obj/usr/src/sys/GENERIC
>  i386
> >
> > ns3:/home/master> sysctl -a | grep secure
> > kern.securelevel: -1
> > net.inet.tcp.insecure_rst: 0
>
> I guess you've looked at the obvious: ~/.exrc & ~/.nexrc although :set
> all does say noexrc.
>
> Have you checked:
>
> $ file /usr/bin/vi
>
> & compared output with uname?
>
> Compared /usr/bin/nvi with /usr/bin/vi? They should be the same.
>
> E.g:
>
> $ ls -l /usr/bin/vi
> -r-xr-xr-x  6 root  wheel  309336 Apr 28 14:15 /usr/bin/vi
>
> $ ls -l /usr/bin/nvi
> -r-xr-xr-x  6 root  wheel  309336 Apr 28 14:15 /usr/bin/nvi
>
> Failing that, I'm mystified :(
>
> --
>
>  Frank
>
>
>  Contact info: http://www.shute.org.uk/misc/contact.html
>
> _______________________________________________
> freebsd-questions at freebsd.org mailing list
> http://lists.freebsd.org/mailman/listinfo/freebsd-questions
> To unsubscribe, send any mail to "
> freebsd-questions-unsubscribe at freebsd.org"
>

Your behaviour is reproducible when I run vi -S, but in normal vi I have
full access to external commands with !, both running as root and toor. I
googled your error message and couldn't find it anywhere except for
newsgroups where you've been posting, so it's a very rare issue indeed. I
don't have any suggestions as to how you'd fix it though, except look for
any aliases and the stuff people have said before.

Christian Zachariasen

More information about the freebsd-questions mailing list