From d2fce960f9cac7407efdf0b08224effdaf0da78f Mon Sep 17 00:00:00 2001 From: Christian Goeschel Ndjomouo Date: Thu, 3 Apr 2025 00:38:29 -0400 Subject: [PATCH] more: Add MORESECURE and PAGERSECURE environment variables #3503 Add MORESECURE and PAGERSECURE environment variables to run 'more' in secure mode, which will effectively disable the _!_ and _v_ commands. This helps to prevent unprivileged users from running arbitrary shell commands or file manipulations. Addresses: #3503 Signed-off-by: Christian Goeschel Ndjomouo --- text-utils/more.1.adoc | 18 ++++++++++++++++++ text-utils/more.c | 21 ++++++++++++++++++--- 2 files changed, 36 insertions(+), 3 deletions(-) diff --git a/text-utils/more.1.adoc b/text-utils/more.1.adoc index b2f68427d2..aad95e0087 100644 --- a/text-utils/more.1.adoc +++ b/text-utils/more.1.adoc @@ -161,6 +161,16 @@ Display current file name and line number. *.*:: Repeat previous command. +== SECURITY + +When either MORESECURE or PAGERSECURE is set, *more* will run in "secure" mode and effectively disable the following commands: + +*!command* or *:!command*:: +Execute _command_ in a subshell. + +*v*:: +Start up an editor. + == ENVIRONMENT The *more* command respects the following environment variables, if they exist: @@ -183,6 +193,12 @@ The editor of choice when *VISUAL* is not specified. *POSIXLY_CORRECT*:: Disable exit-on-eof (see option *-e* for more details). +*MORESECURE*:: +Run *more* in "secure" mode. See SECURITY for details. + +*PAGERSECURE*:: +Equivalent to MORESECURE. + == HISTORY The *more* command appeared in 3.0BSD. This man page documents *more* version 5.19 (Berkeley 6/29/88), which is currently in use in the Linux community. Documentation was produced using several other versions of the man page, and extensive inspection of the source code. @@ -195,6 +211,8 @@ Modified by Geoff Peck, UCB to add underlining, single spacing. Modified by John Foderaro, UCB to add -c and MORE environment variable. +Modified by Christian Goeschel Ndjomouo to add MORESECURE and PAGERSECURE environment variables, and a SECURITY section + == SEE ALSO *less*(1), diff --git a/text-utils/more.c b/text-utils/more.c index 92b257046b..54c5672247 100644 --- a/text-utils/more.c +++ b/text-utils/more.c @@ -41,6 +41,8 @@ * present curses can still be used. * 2010-10-21 Davidlohr Bueso * modified mem allocation handling for util-linux + * 2025-04-03 Christian Goeschel Ndjomouo + * modified to add MORESECURE and PAGERSECURE environment variables */ #include @@ -218,6 +220,7 @@ struct more_control { leading_colon, /* key command has leading ':' character */ is_eof, /* EOF detected */ is_paused, /* is output paused */ + is_secure, /* is running in secure mode */ no_quit_dialog, /* suppress quit dialog */ no_scroll, /* do not scroll, clear the screen and then display text */ no_tty_in, /* is input in interactive mode */ @@ -1801,8 +1804,13 @@ static int more_key_command(struct more_control *ctl, char *filename) done = 1; break; case more_kc_run_shell: - run_shell(ctl, filename); - break; + if (ctl->is_secure == 1) { + more_error(ctl, _("Command not available in secure mode")); + break; + } else { + run_shell(ctl, filename); + break; + } case more_kc_help: if (ctl->no_scroll) more_clear_screen(ctl); @@ -1833,7 +1841,11 @@ static int more_key_command(struct more_control *ctl, char *filename) done = 1; break; case more_kc_run_editor: /* This case should go right before default */ - if (!ctl->no_tty_in) { + if (ctl->is_secure == 1) { + more_error(ctl, _("Command not available in secure mode")); + break; + } + if (!ctl->no_tty_in) { execute_editor(ctl, cmdbuf, sizeof(cmdbuf), filename); break; } @@ -2105,6 +2117,9 @@ int main(int argc, char **argv) ctl.exit_on_eof = getenv("POSIXLY_CORRECT") ? 0 : 1; + if (getenv("MORESECURE") || getenv("PAGERSECURE")) + ctl.is_secure = 1; + if ((s = getenv("MORE")) != NULL) env_argscan(&ctl, s); -- 2.47.2