[sudo-users] Re: [sudo-workers] NOEXEC: /usr/bin/vi using ldap
Aaron Spangler
as at insight.rr.com
Wed Jul 7 19:59:49 EDT 2004
Jacob,
Try
# First entry
sudoUser: ......
sudoHost: .....
description: Allow all commands except vi
sudoCommand: ALL
sudoCommand: !/usr/bin/vi
# entry two
sudoUser: <same as above>
sudoHost: <same as above>
description: Allow vi to modify most files but no subshells
sudoOption: noexec
sudoCommand: /usr/bin/vi
sudoCommand: !/usr/bin/vi /etc/passwd
or better yet, this combines all into one role
# better example
sudoUser: <same as above>
sudoHost: <same as above>
description: allow most commands except vi, allow safe editing except /etc/passwd
sudoCommand: ALL
sudoCommand: !/usr/bin/vi
sudoCommand: sudoedit
sudoCommand: !sudoedit /etc/passwd
Since the above prevents vi and requires the user to use 'sudoedit' instead
to modify files, vi runs as the normal user, so even if they
subshelled, they would not gain additional privileges.
The only trick is that since you have taught your users to use sudo
before commands, ask them to use 'sudoedit' to modify files.
On a different matter, make sure you notify your users they are not
supposed to modify /etc/passwd because they could always do the
following because the ! statements really do not protect the clever
person. Example:
ln -s /etc/passwd /tmp/myfile
ln -s /usr/bin/vi /tmp/myedit
sudo /tmp/myedit /tmp/myfile
As a side note, for some reason the example above does not currently
allow sudoedit. I will find out why and get back to you.
-Aaron
Jacob Pszonowsky wrote:
> Question: Does the NOEXEC: /usr/bin/vi syntax work with ldap? Also, is
> it possible to use this in conjunction with:
>
> sudoCommand: !/usr/bin/vi /etc/passwd
> sudoCommand: NOEXEC: /usr/bin/vi
> sudoCommand: ALL
>
> such that
> "/usr/bin/vi /etc/passwd" is NOT allowed,
> executing a shell from vi is NOT allowed,
> all other commands are allowed
>
> It doesn't seem to work, but I could have the syntax wrong.
>
> Thanks,
> Jake
>
> Jacob Pszonowsky
>
> jdp16 at mac.com
> (c) 415.225.2647
> (f) 415.358.5918
>
> ____________________________________________________________
> sudo-workers mailing list <sudo-workers at gratisoft.us>
> For list information, options, or to unsubscribe, visit:
> http://www.gratisoft.us/mailman/listinfo/sudo-workers
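The thread above makes two defensive points: a role of the form `sudoCommand: ALL` plus `!` exceptions is a deny-list that a renamed copy or symlink of the excluded binary walks around, and an editor allowed as root without `noexec` (or, better, `sudoedit`) gives a subshell. The following audit script is an added example for this list post, not code from sudo or from either poster. It reads sudoRole entries exported as LDIF (the three roles from the reply, with constructed `dn`, `cn`, user and host values) and flags those patterns so an administrator can review them before they reach the directory. The LDIF parser is minimal and the `EDITORS` set is an assumption about which allowed programs offer a shell escape.

```python
"""Audit sudoRole LDIF entries for deny-list patterns that do not hold up.

Flags: 'ALL' combined with '!' exceptions, exceptions that only exclude a
specific argument (a path reachable under another name is not covered), and
editors granted as root without the noexec option.
"""
from collections import defaultdict

# Constructed sample: the three roles from the reply with placeholder dn/cn/user/host.
SAMPLE_LDIF = """\
dn: cn=allbutvi,ou=SUDOers,dc=example,dc=com
objectClass: sudoRole
cn: allbutvi
sudoUser: jake
sudoHost: ALL
description: Allow all commands except vi
sudoCommand: ALL
sudoCommand: !/usr/bin/vi

dn: cn=visafe,ou=SUDOers,dc=example,dc=com
objectClass: sudoRole
cn: visafe
sudoUser: jake
sudoHost: ALL
description: Allow vi to modify most files but no subshells
sudoOption: noexec
sudoCommand: /usr/bin/vi
sudoCommand: !/usr/bin/vi /etc/passwd

dn: cn=sudoedit,ou=SUDOers,dc=example,dc=com
objectClass: sudoRole
cn: sudoedit
sudoUser: jake
sudoHost: ALL
description: allow most commands except vi, allow safe editing except /etc/passwd
sudoCommand: ALL
sudoCommand: !/usr/bin/vi
sudoCommand: sudoedit
sudoCommand: !sudoedit /etc/passwd
"""

# Assumption: programs that can spawn a subshell (vi's ':!') when run under sudo.
EDITORS = {"vi", "vim", "view", "ex"}


def parse_ldif(text):
    """Minimal LDIF reader: a blank line separates entries, '#' starts a comment,
    a leading space continues the previous value. Returns a list of {attr: [values]}."""
    entries, current, last_attr = [], None, None
    for raw in text.splitlines():
        if raw.startswith("#"):
            continue
        if not raw.strip():
            if current:
                entries.append(current)
            current, last_attr = None, None
            continue
        if raw.startswith(" ") and current is not None and last_attr:
            current[last_attr][-1] += raw[1:]  # folded continuation line
            continue
        attr, _, value = raw.partition(":")
        if current is None:
            current = defaultdict(list)
        last_attr = attr.strip()
        current[last_attr].append(value.strip())
    if current:
        entries.append(current)
    return entries


def audit_role(role):
    """Return a list of human-readable findings for one sudoRole entry."""
    findings = []
    cmds = role.get("sudoCommand", [])
    opts = role.get("sudoOption", [])
    negated = [c[1:].strip() for c in cmds if c.startswith("!")]
    allowed = [c for c in cmds if not c.startswith("!")]

    # Deny-list on top of ALL: a copy or symlink of the excluded binary has a different path.
    if "ALL" in allowed and negated:
        findings.append("ALL with '!' exceptions is a deny-list; a renamed copy or symlink of the excluded command evades it")

    # Excluding one argument only excludes that spelling of the path.
    for n in negated:
        if " " in n:
            prog, args = n.split(None, 1)
            findings.append(f"'!{n}': excluding argument '{args}' covers only that name; the same file under another name is still reachable via {prog}")

    # An editor run as root without noexec can drop to a root shell.
    for a in allowed:
        prog = a.split()[0].rsplit("/", 1)[-1]
        if prog in EDITORS and "noexec" not in opts:
            findings.append(f"'{a}' runs an editor as root without noexec; prefer sudoedit so the editor runs as the user")
    return findings


def audit_ldif(text):
    """Map each role's cn to its findings."""
    return {role["cn"][0]: audit_role(role) for role in parse_ldif(text)}


if __name__ == "__main__":
    for cn, findings in audit_ldif(SAMPLE_LDIF).items():
        print(cn)
        for f in findings:
            print("  -", f)
```

Run it against an `ldapsearch -LLL` export of the `ou=SUDOers` subtree and review every role that gets a finding; the roles in the sample come out as: `allbutvi` (ALL plus exception), `visafe` (argument-only exception, but the editor itself is fine because `noexec` is set) and `sudoedit` (ALL plus exception, and an argument-only exception on `sudoedit /etc/passwd`).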