[sudo-users] --with-noexec option

Todd C. Miller Todd.Miller at courtesan.com
Tue Feb 19 15:24:10 EST 2008


In message <E93353F53D5DD84896EA16EAD053FE2F014CE461 at CGIEXCMSG01.lacaisse.com>
	so spake "Boulerice, Nancy" (Nancy.Boulerice):

> We want to prevent sudo users from being able to escape to a shell when
> they are in programs like vi.  We compiled the code using the
> --with-noexec option.  Is there something that needs to be added
> to the sudoers file in order for this to work properly, or will just using
> the compile option prevent such occurrences?

Commands that should have noexec applied to them need to be prefixed
with the NOEXEC tag.  E.g.

bob	ALL = /bin/ls, NOEXEC:/usr/bin/vi

Alternately, you can enable noexec more broadly using a Defaults
line, but be aware that lots of programs need to execute others to
work.

If editors are what you are worried about, you may want to look
into using sudoedit, which runs the actual editor as the invoking
user instead of the privileged user.

 - todd
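As an added example (not part of Todd's reply or the sudo project's own documentation), here is a sudoers fragment that spells out the three approaches named above. The user bob, the command paths and the edited file are assumptions chosen for illustration; the three blocks are shown together so they can be compared, but in practice you would pick one per command.

```sudoers
# Added example, not from the original post. The user "bob" and the
# paths below are assumptions chosen for illustration.

# 1. Per-command NOEXEC tag: vi still runs as root, but the exec()
#    family is blocked inside it, so :!sh and :shell get nothing.
#    ls is unaffected and runs normally.
bob ALL = /bin/ls, NOEXEC: /usr/bin/vi

# 2. Broad noexec via a Defaults line scoped to one user. Every
#    command bob runs gets noexec unless it carries an explicit
#    EXEC tag; here "service" legitimately spawns child processes.
Defaults:bob noexec
bob ALL = EXEC: /usr/sbin/service, /usr/bin/less

# 3. Editor case: sudoedit copies the target file to a temporary
#    location, runs the editor as bob, then writes the result back
#    as root. The editor itself never runs privileged, so a shell
#    escape only yields bob's own shell.
bob ALL = sudoedit /etc/hosts
```

Check the fragment with `visudo -c -f <file>` before installing it, and confirm what bob actually gets with `sudo -l -U bob`. Two caveats worth keeping in mind: noexec is implemented by preloading a shared library that intercepts the exec functions, so it does not cover statically linked programs or anything that bypasses the dynamic loader, and with the Defaults form any command that must launch another program (su, sudo -i style wrappers, most build tools) will fail until it is tagged EXEC. sudoedit sidesteps both problems for the editor case because nothing privileged runs in the first place.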
