[sudo-users] sudo and friends

Huibert.Kivits at mail.ing.nl Huibert.Kivits at mail.ing.nl
Thu Jan 18 11:01:21 EST 2007


Hi Jan,

This is extremely dangerous. Never ever authorize "vi" via sudo. "vi" offers the possibility of shell escapes. So from within "vi", users can issue any command they want. And since "vi" would run under root, you would give people unlimited root access!

Why not authorize these users for sudoedit?

The only thing you may want to prevent, when authorizing the use of sudoedit, is the possibility of editing files outside the /etc/samba directory. Consider the following line:
user ALL=/usr/bin/sudoedit /etc/samba/*
This would not prevent your colleagues from issuing the following command:
sudoedit /etc/samba/something /etc/passwd

We're exclusively authorizing sudo via LDAP over here (something I highly recommend), so I'm not very familiar with local sudo syntax, and I'm not really sure the following works. But you may try something like the following:
user ALL=/usr/bin/sudoedit /etc/samba/*
user ALL=!/usr/bin/sudoedit /etc/samba/* *

The sudoedit command may be located in a different directory than /usr/bin and you may have to change this directory in your local /etc/sudoers file. Always mention the full path to the binary, otherwise users could place a copy of "vi" (or any other command) in their home directory, rename this copy to sudoedit, and abuse their sudo rights.

Met vriendelijke groeten / With kind regards / Mit freundlichen Grüßen / Med vänliga hälsningar / Nuosirdziausi linkejimai,

Huibert Kivits
ING

-----Original message-----
From: sudo-users-bounces at courtesan.com [mailto:sudo-users-bounces at courtesan.com] On behalf of jan kalcic
Sent: Thursday 18 January 2007 15:50
To: sudo-users at sudo.ws
Subject: [sudo-users] sudo and friends


Hi people,

I need to give access to all files under /etc/samba/* to a user using sudo. I want him to be able to modify all those files using vi, and I also want him to use the scripts /etc/init.d/smbd and nmbd with the "status" option only.

user ALL=/usr/bin/vi /etc/samba/*
user ALL=/etc/init.d/smbd status
user ALL=/etc/init.d/nmbd status

Is this configuration right, or have I not understood anything about sudo?

Regards,
Jan
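The three pitfalls raised in the reply above (vi run as root gives a shell escape, a wildcard argument is matched against the whole argument string, and the command needs an absolute path) can be checked mechanically. The following audit script is an added example, not code from the list or from the sudo project; its rule parser handles only simple "user host=command args" specs, and it uses Python's fnmatch as an approximation of sudoers argument globbing rather than sudo's own matcher.

```python
"""Audit simple sudoers command specs for the pitfalls discussed in the thread.

Assumptions (not from the page): rules have the shape "user hosts=command args",
no Runas spec, no Cmnd_Alias, and fnmatch approximates sudo's argument match.
"""
import fnmatch
import shlex

# Editors named in the thread as allowing shell escapes when run as root.
SHELL_ESCAPE_EDITORS = {"vi"}


def parse_cmnd_spec(line):
    """Split 'user ALL=/usr/bin/vi /etc/samba/*' into (user, hosts, command, args)."""
    user, _, rest = line.strip().partition(" ")
    hosts, _, cmnd = rest.partition("=")
    parts = shlex.split(cmnd)          # shlex keeps '*' literal; no globbing here
    return user, hosts, parts[0], " ".join(parts[1:])


def args_match(arg_pattern, supplied_args):
    """sudo compares the rule's argument pattern against the whole
    space-separated argument string, so '*' can also swallow a second
    file name such as '/etc/samba/something /etc/passwd'."""
    return fnmatch.fnmatchcase(supplied_args, arg_pattern)


def audit_rule(line):
    """Return a list of findings for one sudoers rule (empty list = no finding)."""
    _user, _hosts, command, arg_pattern = parse_cmnd_spec(line)
    findings = []
    if not command.startswith("/"):
        findings.append("command is not an absolute path")
    if command.rsplit("/", 1)[-1] in SHELL_ESCAPE_EDITORS:
        findings.append("editor with shell escapes run as root; use sudoedit")
    if "*" in arg_pattern:
        findings.append("wildcard argument also matches extra arguments")
    return findings


if __name__ == "__main__":
    # Constructed sample: the rules from the original post plus a relative path.
    for rule in ("user ALL=/usr/bin/vi /etc/samba/*",
                 "user ALL=/etc/init.d/smbd status",
                 "user ALL=sudoedit /etc/samba/*"):
        print(rule, "->", audit_rule(rule) or "ok")
    print(args_match("/etc/samba/*", "/etc/samba/something /etc/passwd"))
```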
