[sudo-users] execute blocked command from a script

Ran Li Ran.Li at rci.rogers.com
Thu May 25 09:15:53 EDT 2006

Shell escape can be blocked by NOEXEC option, so I would not worry about
that, unless there are other ways ... what I meant was even you can
block vi, user still can insert a line using any other editor, so the
question is ... if there is another way to block the command from being
executed which already been blocked by "!/command" entry.

Thanks and regards,


-----Original Message-----
From: Matthew Stier [mailto:Matthew.Stier at us.fujitsu.com] 
Sent: Thursday, May 25, 2006 8:56 AM
To: Ran Li
Subject: Re: [sudo-users] execute blocked command from a script

Worse than that.

You can use the stock 'vi' to spawn an interactive subshell, with the 
same priviledges as the user running 'vi'.

So if you give someone permissions to run 'vi' (and any command that 
permits opening an interactive subshell) as root, you've given them full

root access.

Ran Li wrote:
> hello all,
> I m using ldap based sudo, basically it allows users to do anything 
> except some commands like "shutdown" (sudoCommand 
> !/usr/sbin/shutdown).
> As I did a test, when user execute "shutdown" command directly it will

> give the proper output and will prevent user from doing so, "Sorry, 
> user is not allowed to execute '/usr/sbin/shutdown' as root on host"
> however, if user uses vi to edit a file/script, insert line "shutdown"

> and grant the execute permission to that script then it will be out of

> control.
> My question is, other than grant the user specific commands they need,

> is there a way to resolve this kind of issue?  Thanks.
> Regards,
> Ran
> ____________________________________________________________
> sudo-users mailing list <sudo-users at sudo.ws>
> For list information, options, or to unsubscribe, visit:
> http://www.sudo.ws/mailman/listinfo/sudo-users

More information about the sudo-users mailing list