security hole in swais, FYI

Mark Kosters from GSI notified us of the problem. Using swais you can pipe
   the output of a search into any command. You can do this by typing 'c' or '|'
   on the output of a search.

We've known about this. The solution is to run swais under a chroot, with a
very limited bin directory. This is how swais is run on Quake, and we've
had no evidence of any tampering.

   Since we are running swais as a public service for people without their own
   wais client this can be quite harmful. Mark demonstrated that he could start
   a shell, list /etc/passwd and so on.

   We are running swais under userID nobody, so too much harm cannot be done,
   but still, we decided to disable the 'c' and '|' keys as commands.
   We are running the thing without a chroot though.

   The offending parts can be found in screen_ui.c. This is however with
   wais-8-b4, don't know about b5.

   Commenting out:

         case '|' : ;
         case 'c' : pipe_command(question);

   in screen_ui.c does the trick, as far as we can see.
   It would be nice if there was a compile time option to switch to swais in
   "safe" mode, like some pagers have.

I believe Jim Fulton's version allows this, but I'll check to make sure.

   Also if you are offering this as a public service, make sure that the pipe
   commands and shell escapes in the pager swais uses are disabled ...

I've done this by using a special .cshrc, but I just thought of a way that
could be defeated. Hmmm, I want users to be able to use a limited set of
commands. Perhaps swais needs a "secure" command list.

- Jonny G