rvim

Yocom, Ray ryocom at ci.yakima.wa.us
Tue Jun 25 12:28:46 EDT 2002


I just can't resist throwing in my two cents.  If rvim will allow a user to
open, edit and write a file as root, they can eventually gain full root
access.  The wrapper is a good idea, but I assume that once they are in rvim
they can open another file.  If that is the case all they would need to do
is edit any script file that runs as root and they could do anything from
setting up a new user to moving in a home grown login file.  If what you are
after is the ability to edit /etc/hosts and the like, I would recommend you
script the various edit functions (add, delete, change) and run those
scripts via sudo.  

Ray

-----Original Message-----
From: Jeff Kennedy [mailto:jlkennedy at amcc.com]
Sent: Tuesday, June 25, 2002 6:34 AM
To: sudo-users at sudo.ws
Subject: Re: rvim


Overwriting a file is less of a concern (I have backups and they would
be fired).  The real issue is getting a root shell, with all the
privilege it provides.  As long as they can *only* edit files and not
break out into an open root environment then I'm ok with that.

Thanks for the idea though.  I think I might write a wrapper that they
use for rvim; something like 'jumpstart_edit' where jumpstart_edit is
just a script where they can choose which file to edit with rvim.  They
run the script as themselves and once a file is chosen it runs 'sudo
rvim <file>'.  Think that would work?

~JK

"King, Daniel" wrote:
> 
> rvim, and even rview will allow writing out files - any file on the system
> if they are executed as root.  Are you more concerned about malice or
> stupidity?
> 
> malice == :w!/dev/dsk/xxxx
> 
> A. Daniel King, System Analyst
> Fiserv - Atlanta Center
> 1475 Peachtree Street, NE - Suite 700
> Atlanta, GA 30309
> 404-873-2851 x2034
> 
> -----
> Date: Mon, 24 Jun 2002 07:41:22 -0700
> From: "Jeff Kennedy" <jlkennedy at amcc.com>
> Organization: AMCC
> To: Sudo List <sudo-users at courtesan.com>
> Subject: rvim
> 
> I wanted to get some confirmation that I'm not missing anything.  We
> want interns to be able to edit certain files like hosts and ethers but
> obviously do not want them to have any root capability.  With 'sudo vi'
> they have the ability to execute shell commands as root or simply break
> out into a root shell.
> 
> Using rvim I was unable to do the above-mentioned things but wanted to
> make sure I'm not missing a gotcha.  No ':!' commands were allowed nor
> was a shell escape.
> 
> Anything else I might be missing?  Not counting root shell scripts that
> -----
> 
> ____________________________________________________________
> sudo-users mailing list <sudo-users at sudo.ws>
> For list information, options, or to unsubscribe, visit:
> http://www.sudo.ws/mailman/listinfo/sudo-users

-- 
=====================
Jeff Kennedy
Unix Administrator
AMCC
jlkennedy at amcc.com
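
The approach Ray recommends at the top of this thread (script the add, delete and change operations and run those scripts via sudo), as an added example that is not part of the original messages. The script name, the sudoers path and group, and the HOSTS_FILE override are assumptions made for illustration.

```shell
#!/bin/sh
# hosts_edit: constructed example of a fixed-function hosts editor for sudo.
# Assumed sudoers entry (path and group are placeholders):
#   %interns ALL = (root) /usr/local/sbin/hosts_edit
# HOSTS_FILE is overridable only so the example can be tried on a scratch
# file; a deployed copy would hard-code /etc/hosts.
LC_ALL=C; export LC_ALL
HOSTS_FILE="${HOSTS_FILE:-/etc/hosts}"

valid_ip() {    # IPv4 dotted quad, each octet 0-255
    case "$1" in ''|*[!0-9.]*|.*|*.|*..*) return 1 ;; esac
    old=$IFS; IFS=.; set -- $1; IFS=$old
    [ $# -eq 4 ] || return 1
    for o in "$@"; do [ "${#o}" -le 3 ] && [ "$o" -le 255 ] || return 1; done
}
valid_name() {  # whole-string match, so embedded newlines or spaces are rejected
    case "$1" in ''|*[!A-Za-z0-9.-]*|-*|.*) return 1 ;; esac
}
rewrite() {     # $1 = name, $2 = new IP (empty means delete the line)
    tmp=$(mktemp "$HOSTS_FILE.XXXXXX") || return 1
    # Only lines of the exact form "<ip> <name>" are touched; comments and
    # multi-alias lines pass through unchanged.
    awk -v n="$1" -v ip="$2" '
        NF == 2 && $1 !~ /^#/ && $2 == n { hit = 1; if (ip != "") print ip "\t" n; next }
        { print }
        END { exit !hit }' "$HOSTS_FILE" > "$tmp" \
        && chmod 644 "$tmp" && mv "$tmp" "$HOSTS_FILE" && return 0
    rm -f "$tmp"; return 1
}
hosts_add() {
    valid_ip "$1" && valid_name "$2" || { echo "bad address or name" >&2; return 2; }
    # Refuse a name that already appears as any hostname field.
    if awk -v n="$2" '$1 !~ /^#/ { for (i = 2; i <= NF; i++) if ($i == n) f = 1 }
                      END { exit !f }' "$HOSTS_FILE"; then
        echo "$2 already present" >&2; return 1
    fi
    printf '%s\t%s\n' "$1" "$2" >> "$HOSTS_FILE"
}
hosts_delete() { valid_name "$1" || return 2; rewrite "$1" ""; }
hosts_change() { valid_name "$1" && valid_ip "$2" || return 2; rewrite "$1" "$2"; }
hosts_edit() {
    case "$1" in
        add)    hosts_add "$2" "$3" ;;
        delete) hosts_delete "$2" ;;
        change) hosts_change "$2" "$3" ;;
        *)      echo "usage: hosts_edit add IP NAME | delete NAME | change NAME IP" >&2; return 2 ;;
    esac
}
[ $# -eq 0 ] || hosts_edit "$@"   # dispatch only when arguments are given
```

Because the caller never gets an editor, the only data that reaches root-owned files is an address and a name that have each passed a whole-string check.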


