[sudo-users] Re: [sudo-workers] NOEXEC: /usr/bin/vi using ldap

Aaron Spangler as at insight.rr.com
Wed Jul 7 19:59:49 EDT 2004



# First entry
sudoUser: ......
sudoHost: .....
description: Allow all commands except vi
sudoCommand: ALL
sudoCommand: !/usr/bin/vi

# entry two
sudoUser: <same as above>
sudoHost: <same as above>
description: Allow vi to modify most files but no subshells
sudoOption: noexec
sudoCommand: /usr/bin/vi
sudoCommand: !/usr/bin/vi /etc/passwd

or better yet, this combines all into one role

# better example
sudoUser: <same as above>
sudoHost: <same as above>
description: allow most commands except vi, allow safe editing except 
sudoCommand: ALL
sudoCommand: !/usr/bin/vi
sudoCommand: sudoedit
sudoCommand: !sudoedit /etc/passwd

Since the above prevents vi and requires the user to use 'sudoedit' instead 
to modify files, vi runs as the normal user, so even if they 
subshelled, they would not gain additional privileges.
The only trick is that, since you have taught your users to put sudo 
before commands, you have to ask them to use 'sudoedit' to modify files.

On a different matter, make sure you notify your users that they are not 
supposed to modify /etc/passwd, because they could always do the 
following; the ! statements really do not protect against the clever 
person.  Example:

ln -s /etc/passwd /tmp/myfile
ln -s /usr/bin/vi /tmp/myedit
sudo /tmp/myedit /tmp/myfile

As a side note, for some reason the example above does not currently 
allow sudoedit.  I will find out why and get back to you.


Jacob Pszonowsky wrote:

> Question: Does the NOEXEC: /usr/bin/vi syntax work with ldap? Also, is 
> it possible to use this in conjunction with:
> sudoCommand: !/usr/bin/vi /etc/passwd
> sudoCommand: NOEXEC: /usr/bin/vi
> sudoCommand: ALL
> such that
> "/usr/bin/vi /etc/passwd" is NOT allowed,
> executing a shell from vi is NOT allowed,
> all other commands are allowed
> It doesn't seem to work, but I could have the syntax wrong.
> Thanks,
> Jake
> Jacob Pszonowsky
> jdp16 at mac.com
> (c) 415.225.2647
> (f) 415.358.5918
> ____________________________________________________________ 
> sudo-workers mailing list <sudo-workers at gratisoft.us>
> For list information, options, or to unsubscribe, visit:
> http://www.gratisoft.us/mailman/listinfo/sudo-workers
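The following is an added example, not part of Aaron's or Jacob's posts and not sudo's own code. It is a small Python model of how a sudoers file matches command rules, written to make the two points in the thread concrete: a "!" entry only blocks the exact argument string it names, so a symlink to the protected file walks straight past it, and rule order matters because in a sudoers file the last matching rule wins. The model reproduces two things sudo really does, comparing the rule's binary against the requested one by device and inode (here via os.path.samefile) and comparing arguments as literal strings, and it simplifies tags so that NOEXEC: applies only to the rule it is written on. The LDAP back end is different: the sudoers.ldap documentation notes that attribute order within an entry is not guaranteed and that a negative sudoCommand takes precedence in an entry, so the ordering lesson below is about the file format. All paths are stand-ins created in a temporary directory; nothing touches /usr/bin/vi or /etc/passwd.

```python
"""Toy model of sudoers command matching (added example, not sudo's code).

Models three real sudo behaviours:
  * the rule's binary is compared by device/inode, so a symlink to the
    editor still matches a rule written for the editor;
  * arguments are compared as literal strings and never canonicalised,
    so a symlink to the protected file is just "a different argument";
  * in a sudoers file the last matching rule wins.
Simplification: the NOEXEC: tag applies only to the rule it prefixes.
"""
from __future__ import annotations

import os
import shutil
import tempfile
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Rule:
    cmnd: str                  # absolute path of the binary, or "ALL"
    args: Optional[tuple]      # None: any arguments; otherwise exact match
    negate: bool               # leading "!" (deny)
    noexec: bool               # leading "NOEXEC:" tag


def parse_rule(spec: str) -> Rule:
    """Parse one sudoers / sudoCommand-style rule, e.g. 'ALL',
    '!/usr/bin/vi', '!/usr/bin/vi /etc/passwd', 'NOEXEC: /usr/bin/vi'."""
    spec = spec.strip()
    noexec = spec.startswith("NOEXEC:")
    if noexec:
        spec = spec[len("NOEXEC:"):].strip()
    negate = spec.startswith("!")
    if negate:
        spec = spec[1:].strip()
    parts = spec.split()
    args = tuple(parts[1:]) if len(parts) > 1 else None
    return Rule(parts[0], args, negate, noexec)


def binary_matches(rule: Rule, argv0: str) -> bool:
    """sudo compares st_dev/st_ino of the rule's path and the requested
    binary; os.path.samefile does exactly that (following symlinks)."""
    if rule.cmnd == "ALL":
        return True
    try:
        return os.path.samefile(rule.cmnd, argv0)
    except OSError:
        return False


def rule_matches(rule: Rule, argv: list[str]) -> bool:
    if not binary_matches(rule, argv[0]):
        return False
    # Arguments are plain string comparisons: no realpath, no inode check.
    return rule.args is None or rule.args == tuple(argv[1:])


def evaluate(rules: list[str], argv: list[str]) -> tuple[bool, bool]:
    """Return (allowed, noexec) for argv under a sudoers-file policy:
    the last matching rule decides."""
    allowed, noexec = False, False
    for rule in map(parse_rule, rules):
        if rule_matches(rule, argv):
            allowed = not rule.negate
            noexec = rule.noexec if allowed else False
    return allowed, noexec


def demo() -> dict[str, tuple[bool, bool]]:
    """Constructed sandbox: temp-dir stand-ins for /usr/bin/vi, /etc/passwd
    and the two symlinks from the post (ln -s ... /tmp/myfile, /tmp/myedit)."""
    root = tempfile.mkdtemp(prefix="sudo-model-")
    try:
        vi = os.path.join(root, "vi")
        passwd = os.path.join(root, "passwd")
        myfile = os.path.join(root, "myfile")   # symlink -> passwd
        myedit = os.path.join(root, "myedit")   # symlink -> vi
        for path in (vi, passwd):
            open(path, "w").close()
        os.symlink(passwd, myfile)
        os.symlink(vi, myedit)

        # Order the sudoers manual recommends: ALL first, denials after it.
        all_first = ["ALL", f"NOEXEC: {vi}", f"!{vi} {passwd}"]
        # Order from the question in the thread: ALL last.
        all_last = [f"!{vi} {passwd}", f"NOEXEC: {vi}", "ALL"]
        return {
            "vi passwd":            evaluate(all_first, [vi, passwd]),
            "vi myfile (symlink)":  evaluate(all_first, [vi, myfile]),
            "myedit passwd":        evaluate(all_first, [myedit, passwd]),
            "vi motd":              evaluate(all_first, [vi, f"{root}/motd"]),
            "vi passwd, ALL last":  evaluate(all_last, [vi, passwd]),
        }
    finally:
        shutil.rmtree(root, ignore_errors=True)


if __name__ == "__main__":
    for case, (allowed, noexec) in demo().items():
        print(f"{case:24} allowed={allowed} noexec={noexec}")
```

Reading the results: the literal "vi passwd" is denied, but "vi myfile" is allowed (with noexec) because the deny rule's argument is compared as a string and never sees through the symlink; that is the bypass in the post, and it is the file symlink, not the editor symlink, that does the work, since the inode comparison still recognises myedit as vi. With ALL placed last, even the literal "vi passwd" comes back allowed and without noexec, which is why the sudoers manual puts ALL first and the negations after it.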
