Re: LYNX-DEV Alleged Lynx security emergency

[H E Nelson]

>       In other words a user who was supposed to be "restricted"
>       to lynx only access might trick lynx into running a shell

This was not my exact interpretation of the so-called bug so I'd
like some clarification from others on the list.

I assumed that the bug if there is one is in the cp program.
All Lynx was doing was letting people exploit the bug in cp,
i.e., when cp crashed, the user was left with a shell (sh).

What I'd like to know, is why this happens.  Why and how is a
shell created in the first place?  On the anonymous account I
was (yes, still past tense) running, a script is executed by
csh, but that shell is killed when lynx is executed.  What I'm
saying is, a shell is not created out of the blue.  So in my
eyes, granted those of a novice, the creation of the shell is
the real problem.  The reason I haven't started the captive
Lynx here yet, is that to me, granted again who am I, Fote's
mods to LYDownload.c seem stopgap if it is Lynx that is
creating the shell which keeps the captive session alive.
(This is not criticism.  It is my own ignorance, and lack of
time to educate myself.  I highly admire Fote's swift and
decisive response.) 

I would like to keep the download option to at least view the
file with Most.  I also would like to keep a few printing
options available, too.  Can I be assured that if someone finds
an exploitable bug in one of the helper applications, that upon
crashing that application they are not left with a shell called
by Lynx?  If it can't be done, that's no problem.  I'd just
like to know.

Something else which was never really clear to me was that some
people alleged that they were getting a root privileged shell.
I didn't see how this could be done unless the owner of the
lynx process was root.  Is that all they were saying, or was
there some way to get a shell running by root?  No root shell
was created from a captive Lynx (non-root user) by either of
the two methods of getting out of the captive account mentioned
in the advisory (on Solaris 2.5).  You were only left with a shell
owned by the user of the Lynx process.  Is this confirmed on other
systems, too?

>       may want to simply configure it to run in a chroot "jail" 
[...]
>       their copy of Lynx I might be willing to do it 'gratis'
>       -- if it's for a "good cause."

It's for a good cause.  Could you write up a short Howto/Tips
doc on how to set up a chroot jail (inclusive of download URLs)
for a captive Lynx account and post it to the list?  Slowly we're
putting together a step-by-step guide for setting one up.  It would
make a nice addition.  Thanks either way.

__Henry
;
; To UNSUBSCRIBE:  Send a mail message to address@hidden
;                  with "unsubscribe lynx-dev" (without the
;                  quotation marks) on a line by itself.
;