[sudo-users] sudo and friends

jan kalcic jandot at googlemail.com
Thu Jan 18 14:40:08 EST 2007


Huibert.Kivits at mail.ing.nl wrote:
> Hi Jan,
>
> This is extremely dangerous. Never ever authorize "vi" via sudo. "vi" offers the possibility of shell escapes. So from within "vi", users can issue any command they want. And since "vi" would run under root, you would give people unlimited root access!
>
> Why not authorize these users for sudoedit?
>
> The only thing you may want to prevent, when authorizing the use of sudoedit, is the possibility of editing files outside the /etc/samba directory. Consider the following line:
> user ALL=/usr/bin/sudoedit /etc/samba/*
> This would not prevent your colleagues from issuing the following command:
> sudoedit /etc/samba/something /etc/passwd
>
> We're exclusively authorizing sudo via LDAP over here (something I highly recommend), so I'm not very familiar with local sudo syntax, and I'm not really sure the following works. But you may try something like the following:
> user ALL=/usr/bin/sudoedit /etc/samba/*
> user ALL=!/usr/bin/sudoedit /etc/samba/* *
>
> The sudoedit command may be located in a different directory than /usr/bin and you may have to change this directory in your local /etc/sudoers file. Always mention the full path to the binary, otherwise users could place a copy of "vi" (or any other command) in their homedirectory, rename this copy into sudoedit, and abuse their sudo rights.
>
> Met vriendelijke groeten / With kind regards / Mit freundlichen Grüßen / Med vänliga hälsningar / Nuosirdziausi linkejimai,
>
> Huibert Kivits
> ING
Thanks for your detailed explanation. Actually it seems much better to use sudoedit instead of vi. But a question: sudoedit uses the editor set in the variable; if this is vi, I'd have the same problem in the end, right?

Unfortunately the command you posted didn't work for me. I've already written the error I get in the previous message. 


You could add Italian regards as well. "Gentili Saluti" :)