On Fri, May 09, 2014 at 03:14:03PM -0700, Shawn Zaidermann wrote:
> Is there a way to completely disable the shell-escape feature?

In short, no.  If you're trying to prevent mutt users from gaining any
access to the shell, you also have to concern yourself with things
like:

  my_var=`run arbitrary shell command here` 

in the user's .muttrc.  The bottom line is Mutt was not designed for
restricted access... but then neither was any other e-mail client
AFAIK.

But also, as the author of rssh, I can tell you that this turns out to
be an extremely hard problem (though exactly how hard is somewhat OS
dependent), and is probably not worth your time.  The best you can
hope for is to restrict unsophisticated users; if you have savvy users
on your system and they REALLY want to get shell access, they probably
will.  

You have to trust your users, and if you can't you've basically
already lost the battle.  If you do, then there's no point in
confining them to your idea of what's safe.

-- 
Derek D. Martin    http://www.pizzashack.org/   GPG Key ID: 0xDFBEAD02
-=-=-=-=-
This message is posted from an invalid address.  Replying to it will result in
undeliverable mail due to spam prevention.  Sorry for the inconvenience.

Attachment: pgprPL0o4JFw8.pgp
Description: PGP signature

Reply via email to