stopping shell execution from within vi editor as root

Thomas Robinson tom.robinson at ehbas.com
Tue Apr 23 04:44:17 EDT 2002


> 
> I see two approaches to this.
> 
> One is to have the files belong to a limited group, with write access
> granted to the group, and with the specific users belonging to the group.
> If you include some sort of source control, such as SCCS or RCS, or
> something more modern, this makes things pretty clean.  Oh, the containing
> directory should have the group sticky bit set and belong to the group
> so the files continue to be owned by that group.
> 
> An alternative is to grant the users the ability to copy on top of the
> files in question, perhaps through the use of an appropriate script to
> control access.  They edit a private copy and then replace the public
> copy with the private copy.
> 
> Rich

Sounds ok but we found another way. Linux has a /bin/rvi and /bin/rview
which restrict the use of the shell from within editing sessions.

Thanks

Tom

> 
> At 12:49 PM 04/12/2002 +0100, Thomas Robinson wrote:
> >Hi,
> >
> >I'd like to give permissions to some users so that they can edit
> >specific files as root. Unfortunately in my simple set up they can also
> >execute the :! command and gain root shell access. Is there any way to
> >defeat this or should I implement a different method to enable users to
> >edit files as root?
> >
> >My config looks roughly like the following:
> >
> >Cmnd_Alias         ICANEDIT            = /bin/vi /etc/some.conf
> >
> >auser               myhost             = (root) ICANEDIT
> >
> >Regards
> >
> >Tom
> >
> >Thomas Robinson
> >Ehbas Ltd
> >T: 01273 234 665
> >F: 01273 704 499
> >
> >
> >This e-mail message is meant solely for the person or organisation to
> >whom it is addressed. The message may contain personal or confidential
> >information, or information that is not public in nature. Ehbas Ltd
> >accepts no responsibility for message content and possible attachments
> >that are unlawful or of questionable decency. Further dissemination,
> >publication or duplication of this message is strictly prohibited if the
> >person or organisation receiving this message is not the intended
> >recipient. In the event that you are not the intended recipient, we
> >request you to refrain from using the content and to immediately inform
> >the sender of the error by returning the message. Thank you for your
> >co-operation.
> >____________________________________________________________ 
> >sudo-users mailing list <sudo-users at sudo.ws>
> >For list information, options, or to unsubscribe, visit:
> >http://www.sudo.ws/mailman/listinfo/sudo-users
> 
> --
> 
> Richard C. Dempsey              email: dempsey at kodak.com
> Kodak.com                       pager: 585-975-3539
> 3rd Floor, Bldg 16, KO          phone: 585-781-5232
> Eastman Kodak Company
> Rochester, NY 14650-0706
> 
> 
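Added example, not part of the original thread and not sudo's own code: a small Python audit for the situation discussed above, which flags sudoers entries that run an editor or pager with a shell escape and leaves the restricted `rvi`/`rview` named in the reply unflagged. The `ESCAPING` list, the constructed sample policy and the simplified sudoers grammar are assumptions of this example.

```python
import os
import re

# Assumption: a short, non-exhaustive list of programs with a shell escape.
# rvi and rview (the restricted variants named in the thread) are not on it.
ESCAPING = {"vi", "vim", "view", "ex", "ed", "less", "more"}

# Constructed sample policy, modelled on the config quoted in the thread.
SAMPLE = r"""
# constructed sample sudoers
Cmnd_Alias ICANEDIT = /bin/vi /etc/some.conf
Cmnd_Alias SAFEEDIT = /bin/rvi /etc/some.conf, \
                      /bin/rview /etc/other.conf
auser   myhost = (root) ICANEDIT
buser   myhost = (root) SAFEEDIT, /usr/bin/less /var/log/messages
"""

def parse(text):
    """Return ({alias: [commands]}, [(user, [commands or alias names])])."""
    aliases, specs = {}, []
    text = re.sub(r"\\\n\s*", " ", text)          # join continuation lines
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()      # simplification: '#' is a comment
        if not line:
            continue
        m = re.match(r"Cmnd_Alias\s+(\w+)\s*=\s*(.+)", line)
        if m:
            aliases[m.group(1)] = [c.strip() for c in m.group(2).split(",")]
            continue
        if re.match(r"(Defaults|\w+_Alias)\b", line):
            continue                              # not a user specification
        m = re.match(r"(\S+)\s+(\S+)\s*=\s*(?:\([^)]*\)\s*)?(.+)", line)
        if m:
            specs.append((m.group(1), [c.strip() for c in m.group(3).split(",")]))
    return aliases, specs

def audit(text):
    """List (user, command) pairs whose program is in ESCAPING."""
    aliases, specs = parse(text)
    findings = []
    for user, cmds in specs:
        for cmd in cmds:
            for real in aliases.get(cmd, [cmd]):  # expand alias, else literal command
                if os.path.basename(real.split()[0]) in ESCAPING:
                    findings.append((user, real))
    return findings

if __name__ == "__main__":
    for user, cmd in audit(SAMPLE):
        print(f"{user}: '{cmd}' can spawn a shell as the target user")
```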




