On Fri, May 09, 2014 at 03:14:03PM -0700, Shawn Zaidermann wrote: > Is there a way to completely disable the shell-escape feature?
In short, no. If you're trying to prevent mutt users from gaining any access to the shell, you also have to concern yourself with things like: my_var=`run arbitrary shell command here` in the user's .muttrc. The bottom line is Mutt was not designed for restricted access... but then neither was any other e-mail client AFAIK. But also, as the author of rssh, I can tell you that this turns out to be an extremely hard problem (though exactly how hard is somewhat OS dependent), and is probably not worth your time. The best you can hope for is to restrict unsophisticated users; if you have savvy users on your system and they REALLY want to get shell access, they probably will. You have to trust your users, and if you can't you've basically already lost the battle. If you do, then there's no point in confining them to your idea of what's safe. -- Derek D. Martin http://www.pizzashack.org/ GPG Key ID: 0xDFBEAD02 -=-=-=-=- This message is posted from an invalid address. Replying to it will result in undeliverable mail due to spam prevention. Sorry for the inconvenience.
pgprPL0o4JFw8.pgp
Description: PGP signature