[sudo-users] sudo and friends

Michael Potter pottmi at gmail.com
Fri Jan 19 00:31:37 EST 2007


Jan,

sudoedit does not have the same problem as vi because it makes a temporary
copy of the file with the privilege of the user and then runs vi as the user
to edit the file. Then it restores the privilege of the file as it copies
it back to the original location.

Simple and secure.

-- 
potter


On 1/18/07, jan kalcic <jandot at googlemail.com> wrote:
>
> Huibert.Kivits at mail.ing.nl wrote:
> > Hi Jan,
> >
> > This is extremely dangerous. Never ever authorize "vi" via sudo. "vi"
> > offers the possibility of shell escapes. So from within "vi", users can
> > issue any command they want. And since "vi" would run under root, you would
> > give people unlimited root access!
> >
> > Why not authorize these users for sudoedit?
> >
> > The only thing you may want to prevent, when authorizing the use of
> > sudoedit, is the possibility of editing files outside the /etc/samba
> > directory. Consider the following line:
> > user ALL=/usr/bin/sudoedit /etc/samba/*
> > This would not prevent your colleagues from issuing the following
> > command:
> > sudoedit /etc/samba/something /etc/passwd
> >
> > We're exclusively authorizing sudo via LDAP over here (something I
> > highly recommend), so I'm not very familiar with local sudo syntax, and I'm
> > not really sure the following works. But you may try something like the
> > following:
> > user ALL=/usr/bin/sudoedit /etc/samba/*
> > user ALL=!/usr/bin/sudoedit /etc/samba/* *
> >
> > The sudoedit command may be located in a different directory than
> > /usr/bin and you may have to change this directory in your local
> > /etc/sudoers file. Always mention the full path to the binary, otherwise
> > users could place a copy of "vi" (or any other command) in their
> > home directory, rename this copy to sudoedit, and abuse their sudo rights.
> >
> > Met vriendelijke groeten / With kind regards / Mit freundlichen Grüßen /
> > Med vänliga hälsningar / Nuosirdziausi linkejimai,
> >
> > Huibert Kivits
> > ING
> Thanks for your detailed explanation. Actually, it seems much better to use
> sudoedit instead of vi. But a question: sudoedit uses the editor set in the
> variable; if this is vi, I'd have the same problem in the end, right?
>
> Unfortunately the command you posted didn't work for me. I've already
> written the error I get in the previous message.
>
>
> You could add italian regards as well. "Gentili Saluti" :)
>
> ____________________________________________________________
> sudo-users mailing list <sudo-users at sudo.ws>
> For list information, options, or to unsubscribe, visit:
> http://www.sudo.ws/mailman/listinfo/sudo-users
>
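
The following is an added illustration for this thread, not code from the
sudo project or from anyone on the list. It models the one sudoers property
that makes Huibert's first rule leak: sudo joins the arguments the user typed
into a single space-separated string and matches that string against the
rule's argument pattern with shell-style globbing, so "/etc/samba/*" also
matches "/etc/samba/something /etc/passwd". The negated second entry from the
thread closes that hole, because sudoers consults every matching entry and
lets the last match win. Two things the thread leaves open are stated here as
assumptions about sudo rather than as things the thread says: in sudoers the
sudoedit keyword is a built-in pseudo-command and is written without a leading
path (which is also the reason the rule below does not say /usr/bin/sudoedit),
and the editor that sudoedit picks from SUDO_EDITOR, VISUAL or EDITOR runs
with the invoking user's own privileges, as Michael's reply describes, so a
shell escape from vi there gains nothing. The sample invocations are
constructed for the demonstration.

```python
"""Toy model of sudoers argument matching for sudoedit rules.

Added illustration for the sudo-users thread above; not sudo's own code.
Reproduces the documented sudoers behaviour that a user's arguments are
joined with spaces into one string and glob-matched, with '!' entries
evaluated last-match-wins.
"""
from __future__ import annotations

import fnmatch
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Rule:
    command: str                 # command keyword, e.g. "sudoedit"
    arg_pattern: Optional[str]   # glob for the joined args; None = any args
    negated: bool                # True for a "!" (deny) entry


def parse_rule(spec: str) -> Rule:
    """Parse the command part of a sudoers entry, e.g. '!sudoedit /etc/samba/* *'."""
    spec = spec.strip()
    negated = spec.startswith("!")
    if negated:
        spec = spec[1:].lstrip()
    command, _, args = spec.partition(" ")
    args = args.strip()
    if args == "":
        pattern = None   # no arguments listed: sudoers allows any arguments
    elif args == '""':
        pattern = ""     # a quoted "" in sudoers: the bare command only
    else:
        pattern = args
    return Rule(command, pattern, negated)


def is_permitted(rules: list[Rule], argv: list[str]) -> bool:
    """Evaluate argv (command followed by its arguments) against rules.

    Every rule is consulted and the last one that matches decides: a negated
    match denies, a plain match allows, and no match at all denies.  The
    arguments are matched as ONE space-joined string, so '*' can span words.
    """
    command, joined_args = argv[0], " ".join(argv[1:])
    decision = False
    for rule in rules:
        if rule.command != command:
            continue
        if rule.arg_pattern is None or fnmatch.fnmatchcase(joined_args, rule.arg_pattern):
            decision = not rule.negated
    return decision


# The two sudoers variants discussed in the thread.  Assumption: sudoedit is
# written without a leading path, as sudoers treats it as a built-in keyword.
NAIVE_POLICY = [parse_rule("sudoedit /etc/samba/*")]
HARDENED_POLICY = NAIVE_POLICY + [parse_rule("!sudoedit /etc/samba/* *")]


def demo() -> dict[str, bool]:
    """Constructed sample invocations, as a user would type them."""
    one_file = ["sudoedit", "/etc/samba/smb.conf"]
    two_files = ["sudoedit", "/etc/samba/smb.conf", "/etc/passwd"]
    outside = ["sudoedit", "/etc/passwd"]
    return {
        "naive/one_file": is_permitted(NAIVE_POLICY, one_file),        # True
        "naive/two_files": is_permitted(NAIVE_POLICY, two_files),      # True: the hole
        "hardened/one_file": is_permitted(HARDENED_POLICY, one_file),  # True
        "hardened/two_files": is_permitted(HARDENED_POLICY, two_files),  # False
        "hardened/outside": is_permitted(HARDENED_POLICY, outside),    # False
    }


if __name__ == "__main__":
    for case, allowed in demo().items():
        print(f"{case:22s} -> {'allowed' if allowed else 'denied'}")
```

The negated entry denies any argument string that still contains a space
after the /etc/samba/ prefix, which is exactly the shape of the two-file
invocation; a single file under /etc/samba/ has no space and so is still
allowed. Because sudoers cannot tell a second argument from a single argument
that happens to contain a space, the deny entry catches both, which is the
conservative outcome. The same space-joined matching applies to any sudoers
rule with wildcard arguments, not only to sudoedit, so the pattern of an
allow entry followed by a "!... *" deny entry generalizes beyond this thread.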


