Hi everyone
I just entered this question as a reply to a post, but I realise that could get missed, so I hope you don't mind me entering it again in its 'own right'.
Is there a way of (preferably selectively) preventing users from shelling out to Unix using '!' ?
Thanks
JB
How to prevent users from shelling out using '!'
Started by Joseph Bryan, Dec 12 2002 05:25 AM
9 replies to this topic
#2
Posted 12 December 2002 - 10:29 AM
Prevent them getting to the '?' prompt by preventing interrupts (ie. Ctrl+C).
Or set a default function in @DFUNCT - it gets executed instead of the '?' prompt.
Or both.
I don't know a way to allow use of the '?' prompt but not the '!' escape to the shell.
Or set a default function in @DFUNCT - it gets executed instead of the '?' prompt.
Or both.
I don't know a way to allow use of the '?' prompt but not the '!' escape to the shell.
Nothing's as simple as you think
#3
Posted 13 December 2002 - 09:54 AM
Richard is of course right
Use DISABLE(@INTERRUPT) to stop them using Ctrl-C / Ctrl-Break
Set @DFUNCT to some trap function which logs the users off (and logs the problem - usually it's a function exiting to an undefined function)
That should stop the blighters!
Cheers
Dan Shannon
Use DISABLE(@INTERRUPT) to stop them using Ctrl-C / Ctrl-Break
Set @DFUNCT to some trap function which logs the users off (and logs the problem - usually it's a function exiting to an undefined function)
That should stop the blighters!
Cheers
Dan Shannon
#4
Posted 13 December 2002 - 11:47 AM
Now if you wanted them to run functions from the ? prompt but not to shell out you could link @DFUNCT to a Function that lets them select a function to run. You could even make this diplay ? on the first line.
You'd need to make sure that you check the No Command Call on the function being called too.
You'd need to make sure that you check the No Command Call on the function being called too.
#5
Posted 16 December 2002 - 12:55 AM
Thank you all very much for trying to help. Unfortunately, I suspect that my (early) version of PRO-IV doesn't have a @DFUNCT (it's not mentioned in the manual). More importantly, it's not the '?' prompt that I want to disable.
I should have mentioned that we are running ChESS, or at least that users have access to menus.
From the 'Enter Selection:' prompt on a menu, they can type '!sh' etc.
Can THIS be prevented?
Thanks again
Jo
I should have mentioned that we are running ChESS, or at least that users have access to menus.
From the 'Enter Selection:' prompt on a menu, they can type '!sh' etc.
Can THIS be prevented?
Thanks again
Jo
#8
Posted 16 December 2002 - 05:42 PM
I see that your version of Pro-IV is pretty old, but in our Glovia 5.4 system, Pro-IV v4.6 there is a function called 'OP_SYS Execute Operating System Command' that controls the shelling out. In our system its source is there. If your version uses it it'd be easy to restrict access to OP_SYS by setting its security category or by adding coding to it to qualify the operator.
#10
Posted 20 December 2002 - 09:21 PM
Within Chess/Glovia, you can go the main SuperLayer Menu, select the option for Installation & Standards, then go to the Maintain System Standards screen. Open the Other Options window. At the OS Command Accepted field, blank out the Y. This will globally disable the capability to use ! at a command prompt to shell out.
However, the function EIFSHELL can still be run to get out to a shell. Properly set the security on it, and this should give you the selective functionality that you are looking for.
Tim
However, the function EIFSHELL can still be run to get out to a shell. Properly set the security on it, and this should give you the selective functionality that you are looking for.
Tim
Reply to this topic
0 user(s) are reading this topic
0 members, 0 guests, 0 anonymous users