Jump to content


Photo
- - - - -

How to prevent users from shelling out using '!'


9 replies to this topic

#1 Joseph Bryan

Joseph Bryan

    Newbie

  • Members
  • Pip
  • 4 posts
  • Gender:Male
  • Location:Girraween, Australia

Posted 12 December 2002 - 05:25 AM

Hi everyone

I just entered this question as a reply to a post, but I realise that could get missed, so I hope you don't mind me entering it again in its 'own right'.

Is there a way of (preferably selectively) preventing users from shelling out to Unix using '!' ?

Thanks
JB

#2 Richard Bassett

Richard Bassett

    ProIV Guru

  • Members
  • PipPipPipPipPip
  • 696 posts
  • Location:Rural France

Posted 12 December 2002 - 10:29 AM

Prevent them getting to the '?' prompt by preventing interrupts (ie. Ctrl+C).

Or set a default function in @DFUNCT - it gets executed instead of the '?' prompt.

Or both.

I don't know a way to allow use of the '?' prompt but not the '!' escape to the shell.
Nothing's as simple as you think

#3 Dan Shannon

Dan Shannon

    ProIV Guru

  • Members
  • PipPipPipPipPip
  • 374 posts
  • Gender:Male
  • Location:Australia

Posted 13 December 2002 - 09:54 AM

Richard is of course right

Use DISABLE(&#@INTERRUPT) to stop them using Ctrl-C / Ctrl-Break

Set @DFUNCT to some trap function which logs the users off (and logs the problem - usually it's a function exiting to an undefined function)

That should stop the blighters!

Cheers

Dan Shannon

#4 Chris Pepper

Chris Pepper

    ProIV Guru

  • Members
  • PipPipPipPipPip
  • 369 posts
  • Gender:Male
  • Location:United Kingdom

Posted 13 December 2002 - 11:47 AM

Now if you wanted them to run functions from the ? prompt but not to shell out you could link @DFUNCT to a Function that lets them select a function to run. You could even make this diplay ? on the first line.

You'd need to make sure that you check the No Command Call on the function being called too.

#5 Joseph Bryan

Joseph Bryan

    Newbie

  • Members
  • Pip
  • 4 posts
  • Gender:Male
  • Location:Girraween, Australia

Posted 16 December 2002 - 12:55 AM

Thank you all very much for trying to help. Unfortunately, I suspect that my (early) version of PRO-IV doesn't have a @DFUNCT (it's not mentioned in the manual). More importantly, it's not the '?' prompt that I want to disable.
I should have mentioned that we are running ChESS, or at least that users have access to menus.
From the 'Enter Selection:' prompt on a menu, they can type '!sh' etc.

Can THIS be prevented?

Thanks again
Jo

#6 Richard Bassett

Richard Bassett

    ProIV Guru

  • Members
  • PipPipPipPipPip
  • 696 posts
  • Location:Rural France

Posted 16 December 2002 - 10:20 AM

Joseph,

I think that must be a CHESS-specific feature - so you'll need somebody who knows CHESS to help you... which isn't me I'm afraid.
Nothing's as simple as you think

#7 Larry Siemer

Larry Siemer

    Member

  • Members
  • PipPip
  • 17 posts
  • Gender:Male
  • Location:Cincinnati, United States

Posted 16 December 2002 - 01:42 PM

Joseph,

You can set @DFUNCT (Default Function) using the function SLOPRS. This is as of Chess v3.20, I seem to remember this field was also available in v1.10.

#8 Clarence Owens

Clarence Owens

    Member

  • Members
  • PipPip
  • 10 posts
  • Gender:Male
  • Location:Apex, NC USA

Posted 16 December 2002 - 05:42 PM

I see that your version of Pro-IV is pretty old, but in our Glovia 5.4 system, Pro-IV v4.6 there is a function called 'OP_SYS Execute Operating System Command' that controls the shelling out. In our system its source is there. If your version uses it it'd be easy to restrict access to OP_SYS by setting its security category or by adding coding to it to qualify the operator.

#9 Joseph Bryan

Joseph Bryan

    Newbie

  • Members
  • Pip
  • 4 posts
  • Gender:Male
  • Location:Girraween, Australia

Posted 18 December 2002 - 05:31 AM

That's exactly what I was looking for!

Thank you so much. You've made everyone in this IT department very happy!

And thank you all for your contributions.

Till next time
Best regards,
JB

#10 Tim Leach

Tim Leach

    Newbie

  • Members
  • Pip
  • 4 posts
  • Gender:Male
  • Location:United States

Posted 20 December 2002 - 09:21 PM

Within Chess/Glovia, you can go the main SuperLayer Menu, select the option for Installation & Standards, then go to the Maintain System Standards screen. Open the Other Options window. At the OS Command Accepted field, blank out the Y. This will globally disable the capability to use ! at a command prompt to shell out.

However, the function EIFSHELL can still be run to get out to a shell. Properly set the security on it, and this should give you the selective functionality that you are looking for.

Tim



Reply to this topic



  


0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users