From: "Christian Zachariasen"
To: "Frank Shute", "William O. Yates", freebsd-questions@freebsd.org
Date: Thu, 22 May 2008 16:49:08 +0200
Subject: Re: vi secure
Message-ID: <4a89d1190805220749rb7702e1m9ddf3b15f3de8cd1@mail.gmail.com>
In-Reply-To: <20080522143907.GA6487@melon.esperance-linux.co.uk>
References: <20080522022653.GB3334@melon.esperance-linux.co.uk> <1211466380.47050@ns3.tru2life.net> <20080522143907.GA6487@melon.esperance-linux.co.uk>

On Thu, May 22, 2008 at 4:39 PM, Frank Shute wrote:

> On Thu, May 22, 2008 at 07:26:20AM -0700, William O. Yates wrote:
> >
> > On 21/May/2008 19:26 Frank Shute wrote ..
> > > On Wed, May 21, 2008 at 01:51:03PM -0700, William O. Yates wrote:
> > > >
> > > > [sent the below message thru the freebsd-security list with no
> > > > answers, hope for more from freebsd-questions]
> > > >
> > > > Recently started using vi macros.
> > >
> > > Show us the macro.
> > >
> > > >
> > > > When attempting to use one which accessed the external shell, got
> > > > the following message:
> > > >
> > > > "The ! command is not supported when the secure edit option is set."
> > >
> > > What does:
> > >
> > > :set
> > >
> > > show you?
> > >
> > > External commands work for me. Sure your vi isn't aliased? When
> > > doesn't it work? As root or ordinary user or both?
> > >
> > > What's your secure level?:
> > >
> > > $ sysctl -a | grep secure
> > >
> > > What does:
> > >
> > > $ whereis vi
> > >
> > > give you?
> > >
> > > and:
> > >
> > > $ uname -a
> > >
> > > >
> > > > When attempting to ":set nosecure" got:
> > > >
> > > > "set: the secure option may not be turned off."
> > > >
> > > > When attempting to "set nosecure" in my .exrc file, got:
> > > >
> > > > set nonumber .exrc, 44: set: the secure option may not be turned off
> > > > .exrc, 44: Ex command failed: pending commands discarded
> > > >
> > > > Looking through all the man pages, vi references, tutorials, and the
> > > > the oreilly vi "bible", can't find anything...
> > > >
> > > > Is "set secure" a compiled in setting?
> > >
> > > No.
> > >
> > > >
> > > > From FreeBSD vi man page:
> > > >
> > > > -S Run with the secure edit option set, disallowing all
> > > > access to external programs. and secure [off] Turns off all
> > > > access to external programs.
> > > >
> > > > ..william.o.yates...hackware.at.tru2life.net...tru2life.info...
> > >
> > > --
> > >
> > > Frank
> > >
> > >
> > > Contact info: http://www.shute.org.uk/misc/contact.html
> > ..william.o.yates...hackware.at.tru2life.net...tru2life.info...
> >
> > I usually run as root when updating systems (toor actually)...
> >
> > But symptoms are same for root and user level in vi, FreeBSD-[5.4,6.1,6.2,6.3].
> >
> > NO nfs mounts, aliases, or any other funny stuff I can think of.
> >
> > Virgin vi setup from FreeBSD install.
> >
> > "inside_vi :!" --> (ANY ! command, not just macro)
> > The ! command is not supported when the secure edit option is set.
> >
> > "inside_vi :set all" --> (same as 4 other FreeBSD machines...)
> > +=+=+=+=+=+=+=+
> > noaltwerase     noextended   matchtime=7  report=5       term="xterm"
> > autoindent      filec=""     nomesg       ruler          noterse
> > autoprint       flash        nomodeline   scroll=27      notildeop
> > noautowrite     nogtagsmode  noprint=""   nosearchincr   timeout
> > backup=""       hardtabs=0   nonumber     secure         nottywerase
> > nobeautify      noiclower    nooctal      shiftwidth=8   noverbose
> > cdpath=":"      ignorecase   open         noshowmatch    warn
> > cedit=""        keytime=6    optimize     showmode       window=29
> > columns=80      noleftright  path=""      sidescroll=16  nowindowname
> > nocomment       lines=30     print=""     noslowopen     wraplen=0
> > noedcompatible  nolisp       prompt       nosourceany    wrapmargin=0
> > escapetime=6    nolist       noreadonly   tabstop=8      wrapscan
> > noerrorbells    lock         noredraw     taglength=0    nowriteany
> > noexrc          magic        remap        tags="tags"
> > directory="/tmp/"
> > msgcat="/usr/share/vi/catalog/"
> > paragraphs="IPLPPPQPP LIpplpipbp"
> > recdir="/var/tmp/vi.recover"
> > sections="NHSHH HUnhsh"
> > shell="/bin/sh"
> > shellmeta="~{[*?$`'"^V"
> > Press any key to continue [: to enter more ex commands]:
> >
> > "inside_vi :set nosecure" -->
> > set: the secure option may not be turned off.
> >
> > ns1:/usr/local/www/info/docs> uname -a
> > FreeBSD ns1.tru2life.net 6.2-RELEASE FreeBSD 6.2-RELEASE #0: Fri Jan 12 10:40:27 UTC 2007 root@dessler.cse.buffalo.edu:/usr/obj/usr/src/sys/GENERIC i386
> >
> > ns1:/usr/local/www/info/docs> sysctl -a | grep secure
> > kern.securelevel: -1
> > net.inet.tcp.insecure_rst: 0
> >
> > ns1:/usr/local/www/info/docs> whereis vi
> > vi: /usr/bin/vi /usr/share/man/man1/vi.1.gz /usr/ports/editors/openoffice.org-2/work/OOE680_m6/helpcontent2/source/auxiliary/vi
> >
> > toor@lazy:/.../...> uname -a
> > FreeBSD lazy.tru2life.net 5.4-RELEASE FreeBSD 5.4-RELEASE #0: Sun May 8 10:21:06 UTC 2005 root@harlow.cse.buffalo.edu:/usr/obj/usr/src/sys/GENERIC i386
> >
> > toor@lazy:/.../...> sysctl -a | grep secure
> > kern.securelevel: -1
> > net.inet.tcp.insecure_rst: 0
> >
> > ns3:/usr/home/master> uname -a
> > FreeBSD ns3.tru2life.net 6.1-RELEASE FreeBSD 6.1-RELEASE #0: Sun May 7 04:32:43 UTC 2006 root@opus.cse.buffalo.edu:/usr/obj/usr/src/sys/GENERIC i386
> >
> > ns3:/home/master> sysctl -a | grep secure
> > kern.securelevel: -1
> > net.inet.tcp.insecure_rst: 0
>
> I guess you've looked at the obvious: ~/.exrc & ~/.nexrc although :set
> all does say noexrc.
>
> Have you checked:
>
> $ file /usr/bin/vi
>
> & compared output with uname?
>
> Compared /usr/bin/nvi with /usr/bin/vi? They should be the same.
>
> E.g:
>
> $ ls -l /usr/bin/vi
> -r-xr-xr-x 6 root wheel 309336 Apr 28 14:15 /usr/bin/vi
>
> $ ls -l /usr/bin/nvi
> -r-xr-xr-x 6 root wheel 309336 Apr 28 14:15 /usr/bin/nvi
>
> Failing that, I'm mystified :(
>
> --
>
> Frank
>
>
> Contact info: http://www.shute.org.uk/misc/contact.html

Your behaviour is reproducible when I run vi -S, but in normal vi I have full access to external commands with !, both running as root and toor. I googled your error message and couldn't find it anywhere except for newsgroups where you've been posting, so it's a very rare issue indeed. I don't have any suggestions as to how you'd fix it though, except look for any aliases and the stuff people have said before.

Christian Zachariasen
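
The checks suggested in this thread (aliases, ~/.exrc and ~/.nexrc, `vi -S`) can be scripted. The following is an added example, not part of the original message; it also looks at /etc/vi.exrc and the EXINIT/NEXINIT variables, which nvi's manual lists as startup sources, and the function names are hypothetical.

```shell
#!/bin/sh
# Added example: find what could be forcing nvi's "secure" option on.
# Startup sources per nvi's manual: /etc/vi.exrc, $NEXINIT or $EXINIT,
# ~/.nexrc or ~/.exrc; the -S flag sets the option from the command line.

# Matches "set secure" / "se secure", also after other options on the
# line, but not "nosecure" and not comment lines (which start with ").
SECURE_RE='^[[:space:]]*:?set?[[:space:]]+([^"]*[[:space:]])?secure([[:space:]]|$)'

# Print "file:line:text" for every line in the given files that sets secure.
scan_exrc_files() {
    for f in "$@"; do
        [ -r "$f" ] || continue          # skip files that do not exist
        grep -nE "$SECURE_RE" "$f" | sed "s|^|$f:|"
    done
    return 0
}

# Print "NAME: command" for each |-separated ex command in an
# environment value (EXINIT/NEXINIT syntax) that sets secure.
scan_env_value() {
    printf '%s\n' "$2" | tr '|' '\n' | grep -E "$SECURE_RE" | sed "s|^|$1: |"
    return 0
}

# Read alias or wrapper-script text on stdin; print the lines that start
# vi, nvi, ex or view with a flag group containing -S.
scan_invocations() {
    grep -E '(^|[^[:alnum:]_])n?(vi|ex|view)([[:space:]]+[^[:space:]]+)*[[:space:]]+-[[:alnum:]]*S' || true
}

# Scan the current account: startup files first, then the environment.
report() {
    scan_exrc_files /etc/vi.exrc "$HOME/.nexrc" "$HOME/.exrc" ./.nexrc ./.exrc
    scan_env_value NEXINIT "${NEXINIT:-}"
    scan_env_value EXINIT "${EXINIT:-}"
    return 0
}

report
```

Aliases exist only in the interactive shell, so after sourcing the file there, pipe them in with `alias | scan_invocations`.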