Disable shell escapes? #13

Open
Wastrel-zz opened this issue Aug 1, 2020 · 6 comments

Wastrel-zz commented Aug 1, 2020

I am adding this to my ssh server, but I don't want players to be able to execute arbitrary commands. I've got it mostly solved by a script that sets a very limited path and sets the shell to /bin/false, EXCEPT the !echo command can still be executed. It is possible to echo text to either of the .dat files, or create new files. I don't like that. I doubt if echo can be used to create an executable virus file etc. but I still don't like it. Do you have any ideas? I don't understand the code well enough to look for this feature and change it.


LydiaMarieWilliamson commented Oct 10, 2021

"I don't understand the code well enough to look for this feature and change it."

I do. The function protct() - which is mostly disabled in this repository's version of fork (as well as in the C code of the other "zork" repositories on GitHub, including mine), as well as in the "PROTCT" function contained in the Fortran versions of Zork in the various "zork-fortran" archives on GitHub (including mine) - is the function meant for use in this way. The comments adjoining the function definition say so.

To check for protection levels, it could be turned into a system-dependent function to obtain or check against the current user / protection level, which could then be used at various points where you wish to limit accessibility. In both the Fortran version and the 1991 C translation (as well as in the version 3.2 Fortran version), it is only used once in the initialization routine as a stub, with the original programmers' recommendation having been to use it as an "office hours" check. The issue of accessibility to your SSH is essentially equivalent to the issue of accessibility to business systems on business time, so it should be treated in an analogous way.
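An added example, not part of the thread and not the project's own code: a protct()-style check made system-dependent and applied to input lines that begin with `!`, so the escape is denied unless the real user id matches one operator account. The names `protct_uid`, `classify_line`, `handle_line` and the `OPERATOR_UID` value are hypothetical.

```c
/* Added example; names below are hypothetical, not the project's own code. */
#include <stdbool.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/types.h>
#include <unistd.h>

/* Assumption: one operator account may keep '!' escapes; value is constructed. */
#define OPERATOR_UID ((uid_t)1001)

enum line_action { GAME_COMMAND, ESCAPE_ALLOWED, ESCAPE_DENIED };

/* protct()-style protection check, made system-dependent: deny by default. */
bool protct_uid(uid_t uid)
{
    return uid == OPERATOR_UID;
}

/* Decide what to do with one raw input line before the parser sees it. */
enum line_action classify_line(const char *line, uid_t uid)
{
    if (line == NULL || line[0] != '!')
        return GAME_COMMAND;
    return protct_uid(uid) ? ESCAPE_ALLOWED : ESCAPE_DENIED;
}

/* Act on the decision; only an allowed escape ever reaches system(). */
enum line_action handle_line(const char *line)
{
    /* Real uid, not effective uid, so a setuid wrapper does not widen access. */
    enum line_action act = classify_line(line, getuid());
    if (act == ESCAPE_ALLOWED)
        (void)system(line + 1);
    else if (act == ESCAPE_DENIED)
        puts("Shell escapes are disabled on this server.");
    return act;
}

int main(void)
{
    char buf[256];
    while (fgets(buf, sizeof buf, stdin) != NULL)
        if (handle_line(buf) == GAME_COMMAND)
            fputs(buf, stdout); /* stand-in for the game's parser */
    return 0;
}
```

For a public SSH game with no operator account, the same structure works with `protct_uid` returning `false` unconditionally, which removes the escape for everyone.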

Wastrel-zz commented Oct 10, 2021 via email

Wastrel-zz commented Oct 10, 2021 via email

Wastrel-zz commented Oct 10, 2021 via email

LydiaMarieWilliamson commented Dec 24, 2021 via email

Wastrel-zz commented Dec 24, 2021 via email
