Preventing users from using shell escapes

Certain programs, especially text editors and pagers, have a handy shell escape feature. This allows a user to run a shell command without having to exit the program first. For example, from the command mode of the Vi and Vim editors, someone could run the ls command by running :!ls. Executing the command would look like this:

# useradd defaults fileGROUP=100HOME=/homeINACTIVE=-1EXPIRE=SHELL=/bin/bashSKEL=/etc/skelCREATE_MAIL_SPOOL=yes~~:!ls

The output would look like this:

[donnie@localhost default]$ sudo vim useradd [sudo] password for donnie: grub nss useradd Press ENTER or type command to continue grub nss useradd Press ENTER or type command to continue

Now, imagine that you want Frank to be able ...

Get Mastering Linux Security and Hardening - Second Edition now with O’Reilly online learning.

O’Reilly members experience live online training, plus books, videos, and digital content from 200+ publishers.