[sudo-users] regarding shell escape

Ran Li Ran.Li at rti.rogers.com
Thu Dec 29 11:49:36 EST 2005

Hello all,

I m using ldap for sudoer entries, yet I cannot prevent shell escape
properly, my platforms are SunOS5.9, 5.10, HPUX11.11, Linux 2.6.9-11,
sudo version 1.6.8p12

after compiling, do `sudo -V | grep "dummy exec"` I got
# ./sudo -V | grep "dummy exec"
File containing dummy exec functions: /opt/sudo/libexec/sudo_noexec.so

and sudo_noexec.so is on place.

I tried to create a role called noexec ... does not forbid the vi shell

LDAP Role: Noexec

I also tried to add noexec as a prefix of a sudocommand, does not work
either ..

LDAP Role: Admin
    NOEXEC: /usr/bin/less
    NOEXEC: /bin/vi
    NOEXEC: /usr/bin/vi

other than completely block the vi command, anybody has the experience
to prevent shell escape properly using ldap sudoer entries? Thanks.



More information about the sudo-users mailing list