The hazards of "e" 6

[RodKnowlton]

I wrote this up for work, and thought it might be helpful to post it here as well.

- ​

Problem
Entering "e" at the AIX command line can lead to destructive renaming of files and directories.

Root Cause
The bos.INed (INed Editor) package contains a file manager that is easily launched accidentally and can rename files without confirmation.

Description
The INTERACTIVE TEN/PLUS File Manager (IT/PFM), part of the INed Editor package, is launched by the command "e". Because of this overly simplistic name, it can easily be launched, either by an accidental return or space after an initial "e" on the command line or by an excess "e<return>" input to an exiting program, which is then buffered until the shell executes it.

Once launched, the IT/PFM presents a two paned text window, with the narrower pane on the left containing a listing of the current directory (by default). The cursor is positioned at the beginning of the first filename in the listing. At this point, any typing followed by a carriage return will result in the immediate renaming of the file at the cursor and advancement of the cursor to the next filename in the list. IT/PFM does not ask for confirmation before renaming the file, nor does it provide any feedback that the renaming has occurred.

A user typing ahead in anticipation of the prompts of the program they intended to launch will, instead, rename a file for each input they had typed. Users suddenly finding themselves in the IT/PFM could also cause damage while trying to find a way to exit the program.

Risk
High, especially if working as root.

Solutions
[ul]
[li]Remove the execute permission from the IT/PFM binary ([tt]chmod -x /usr/bin/e[/tt]). This is recommended, as the execute permission can be restored any time the file manager is required.[/li]
[li]Remove the bos.INed package (this is probably not practical, as there is no way of knowing what applications may depend on its presence).[/li]
[/ul]

Mitigations
If it is determined that the IT/PFM binary must remain executable, the following precautions can help reduce the risk of accidental damage.

[ul]
[li]Only work as root when absolutely necessary[/li]
[li]Never "type blind" when working as root. Wait to see all prompts before answering them.[/li]
[li]Install sudo, and restrict root execution privileges to the minimum necessary for job function. (Highly Recommended, regardless of this issue)[/li]
[/ul]

- ​

Rod Knowlton
IBM Certified Advanced Technical Expert pSeries and AIX 5L
CompTIA Linux+
CompTIA Security+

 

[KenCunningham]

Ouch. Nice one Rod.

 

[p5wizard]

Well, then just uninstall the package. I've never installed it on RS6K. On PCRT (AIX V2) it was the "preferred" editor (was always installed with the system, and so-called more user-friendly than vi).

The fileset is called bos.INed btw. And it's a pain to maintain, because it has (or perhaps used to have?) its own terminal type database.

You can rename the executable /usr/bin/e to /usr/bin/ined or sth. or hide it with an alias e=pwd to prevent accidental launching - need /usr/bin/e to start it then - if you really want to keep it installed.

But text editor in CDE is just as user-friendly and less dangerous imho.



HTH,

p5wizard

 

[RodKnowlton]

p5wizard,

I listed removing the bos.INed package in the "Solutions" list. My concern with this is that a non-lpp application may have a dependence on some part of it. This concern is heightened hearing from you that it hasn't been a default install since V2. The machines in my environment have never been at a level lower than V3, yet INed is installed and has been migrated forward with each upgrade. This means that at some point in the past it was installed manually, which I can't imagine anyone doing unless something required it.

As far as an alias, this only provides partial protection. There are plenty of ways to get a command line without aliases defined, "M-x shell" in emacs is one.


Rod Knowlton
IBM Certified Advanced Technical Expert pSeries and AIX 5L
CompTIA Linux+
CompTIA Security+

 

[fjw999]

Good post Rob - I got caught out with this a few years ago and corrupted one of our application files. Definitely one to watch out for, I always do a `chmod -x /usr/bin/e` on any new installs

 

[p5wizard]

Rod,

perhaps one of your predecessors liked the INed editor better than vi and decided to install it. I've never come across any application that is dependent on INed being there, but that doesn't mean such one doesn't exist...

Sorry for not reading your post through (and over) before jumping in with my reply...

Anyway, here's a quick exit out of e/file manager: just hit your quit-character (ctrl-\) before entering anything else.

Quitting without saving on a dtterm/vt/... is:

ctrl-A
enter /* a pop-up box appears */
q
ctrl-A
d

How's that for user friendliness huh... ;-) actually on an hft screen, it was a bit easier:

action-key /* pop-up box */
q
alt-d

But it doesn't undo any renames/deletes in file manager I believe...



HTH,

p5wizard

 

[RodKnowlton]

perhaps one of your predecessors liked the INed editor better than vi and decided to install it.

<Shudder> Could such a person exist? I prefer "cat > myfile" to INed.

You're right about it not undoing any deletes or renames. All changes are immediate, unconfirmed, and can only be manually undone.

Nasty piece of work, that INed.

Not since running into a platinum dragon in a Nethack clone have I found such a fearsome lower case letter.

"What's in this room?"
"It's a 'p'! Run away! Run away!"

Rod Knowlton
IBM Certified Advanced Technical Expert pSeries and AIX 5L
CompTIA Linux+
CompTIA Security+

 

[p5wizard]

Rod,

INed remembers where it was last (position in textfile or .index file if dir). This may also help in limiting the amount of damage you can do involuntarily...

I.e.

mkdir /tmp/use-quit-to-get-out-of-this
e /tmp/use-quit-to-get-out-of-this
ctrl-\
rmdir /tmp/use-quit-to-get-out-of-this

whenever you get into INed with just e<enter>, e will prompt you on creation of this pathname and you get the hint on how to escape out of it.

Of course it is not 100% safe - "e /" might still get you in a lot of trouble...



HTH,

p5wizard