From: Marten Terpstra <Marten.Terpstra@ripe.net> Date: Tue, 01 Sep 92 15:46:22 +0200 Mark Kosters from GSI notified us of the problem. Using swais you can pipe the output of a search into any command. You can do this by typing 'c' or '|' on the output of a search. We've known about this. The solution is to run swais under a chroot, with a very limited bin directory. This is how swais is run on Quake, and we've had no evidence of any tampering. Since we are running swais as a public service for people without their own wais client this can be quite harmful. Mark demonstrated that he could start a shell, list /etc/passwd and so on. We are running swais under userID nobody, so too much harm cannot be done, but still, we decided to disable the 'c' and '|' keys as commands. We are running the thing without a chroot though. The offending parts can be found in screen_ui.c. This is however with wais-8-b4, don't know about b5. Commenting out: case '|' : ; case 'c' : pipe_command(question); state=UNKNOWN; return(SHOWRESULTS); in screen_ui.c does the trick, as far as we can see. It would be nice if there was a compile time option to switch to swais in "safe" mode, like some pagers have. I believe Jim Fulton's version allows this, but I'll check to make sure. Also if you are offering this as a public service, make sure that the pipe commands and shell escapes in the pager swais uses are disabled ... I've done this by using a special .cshrc, but I just thought of a way that could be defeated. Hmmm, I want users to be able to use a limited set of commands. Perhaps swais needs a "secure" command list. - Jonny G