Fwd: Access to vi a file?

Matthew.Hannigan at nl.abnamro.com Matthew.Hannigan at nl.abnamro.com
Thu Apr 6 09:07:43 EDT 2000




You should NEVER enable access to vi with sudo in ANY way,
because you can easily start a shell from within vi, which will be
a root shell!  (:!sh --- colon, bang, sh).

This should be in some sort of guide or FAQ for sudo.  Unfortunately
the list of "don'ts" with sudo would be large enough to fill a book.
(hmm maybe I can do one for O'Reilly :-)

Here's an alternative.  Have them edit an ordinary file.  Allow them
via sudo to copy this file to the destination (and that destination only).

The safe implementation of this idea is left up to the reader.  It is
wrought with difficulties associated with preventing race attacks
and subterfuge with symlinks.  (hint .. the source must be a real file
not a symlink, the destination directory must not be writable by the
user.  but even that is not enough)

-Matt
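Matt's alternative above (the user edits an ordinary file, and sudo is only allowed to copy it to one fixed destination), written out as an added example that is not from this thread or from the sudo project. It applies the hints in his message: the source is checked on the opened descriptor rather than by name, and the destination is replaced by rename(). The helper name, the sudoers line in the docstring, and /etc/motd as the destination are assumptions.

```python
"""Hypothetical helper, assumed installed as /usr/local/sbin/install-edited-file and allowed
by a constructed sudoers entry:  alice ALL = (root) /usr/local/sbin/install-edited-file /home/alice/motd.new
The user edits the source file unprivileged; sudo runs only this fixed copy into DEST."""
import os, stat, tempfile

DEST = "/etc/motd"    # assumed fixed destination; never taken from the command line
MAX_SIZE = 64 * 1024  # refuse to install anything larger

def open_checked_source(path, uid, max_size=MAX_SIZE):
    # Validate the opened inode, not the path: O_NOFOLLOW rejects a symlink as the final
    # component, and fstat() on the descriptor ties the checks to the inode we later read.
    fd = os.open(path, os.O_RDONLY | os.O_NOFOLLOW | os.O_NOCTTY)
    try:
        st = os.fstat(fd)
        if not stat.S_ISREG(st.st_mode):
            raise ValueError("source is not a regular file")
        if st.st_uid != uid:
            raise ValueError("source is not owned by the invoking user")
        if st.st_size > max_size:
            raise ValueError("source is too large")
    except Exception:
        os.close(fd)
        raise
    return fd

def dest_dir_is_safe(dest):
    # Root-owned and not group/world writable, or the user could replace the
    # directory entry we are about to rename over.
    st = os.stat(os.path.dirname(dest) or ".")
    return st.st_uid == 0 and not st.st_mode & (stat.S_IWGRP | stat.S_IWOTH)

def install_file(src, dest, uid):
    # Write to a temp file beside dest, then rename() over it: the replacement is
    # atomic, and a symlink planted at dest is replaced rather than followed.
    with os.fdopen(open_checked_source(src, uid), "rb") as f:
        data = f.read(MAX_SIZE + 1)  # re-check: the owner may append after fstat()
    if len(data) > MAX_SIZE:
        raise ValueError("source grew past the size limit")
    tmp_fd, tmp_path = tempfile.mkstemp(dir=os.path.dirname(dest) or ".")
    try:
        with os.fdopen(tmp_fd, "wb") as out:
            out.write(data)
            out.flush()
            os.fsync(out.fileno())
        os.chmod(tmp_path, 0o644)
        os.rename(tmp_path, dest)
    except Exception:
        os.unlink(tmp_path)
        raise
    return len(data)
```

Wired up as a command, the script would take the invoking user from the SUDO_UID environment variable, refuse to run when dest_dir_is_safe(DEST) is false, and then call install_file(sys.argv[1], DEST, uid); it still does not protect against a user who can control a directory on the source path, which is the "even that is not enough" caveat.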


gmeharry at yahoo.com on 06/04/2000 14:33:22

Please respond to gmeharry at yahoo.com

To:   sudo-users at courtesan.com
cc:    (bcc: Matthew Hannigan/NL/ABNAMRO/NL)
Subject:  Fwd: Access to vi a file?



Hey there Ryan ...

Assuming that you want to give access to a specific
file, there are a couple of ways to go about this ...

one is a straight command:
/usr/bin/vi path_to_file/file_name

Another is a variation:
/usr/bin/vi path_to_file/?*

This one will let the user edit any file located in a
specific directory ...

Another version could look like:
/usr/bin/vi path_to_subdirectory_tree/*/?*

This last version could be "dangerous" since it would
allow a user to edit any file in a specific
subdirectory tree.

On the down side to all three examples, the user must
provide the full path to the file.

As a final thought, you could simply allow the user
to:
/usr/bin/vi file_name

This could be an acceptable version since the user
wouldn't need to provide the path to the file. YOU
SHOULD KEEP IN MIND that "file name" shouldn't be a
special UNIX file (ex. passwd, shadow, system,
defaults, .rhosts, sudoers :-], etc.). You wouldn't
even want to think what could happen :-)

Best,
George

Note: forwarded message attached.



From: Ryan Washington <RWashington at nas-corp.com>
To: "'sudo-users at courtesan.com'" <sudo-users at courtesan.com>
Subject: Access to vi a file?
Date: Wed, 5 Apr 2000 09:02:20 -0400


Anyone know how to annotate this in the sudoers file? I need to give someone
access only to vi a file....


Ryan R. Washington
UNIX Systems Administrator
Network Access Solutions
Phone: 703-481-7587
Cell: 703-969-7997
rwashington at nas-corp.com
