[sudo-users] Disabling root to execute vi
dave.parson at daimler.com
Mon Nov 24 18:45:59 EST 2008
Replace your line with this:
Cmnd_Alias ADMCMD = (ALL) ALL, !/usr/bin/vi,!/usr/xpg4/bin/vi,!/usr/ucb/vi,!/bin/vi
or
Cmnd_Alias ADMCMD = (someuser or aliases) ALL, !/usr/bin/vi,!/usr/xpg4/bin/vi,!/usr/ucb/vi,!/bin/vi
Or what I like to do is list the common "can't do the following" into a
CMD alias and do xxx = ALL, !NOROOTSUFF
mlh at zip.com.au
Sent by: sudo-users-bounces at courtesan.com
11/24/2008 03:36 PM
To: valdemirs at gmail.com
cc: sudo-users at sudo.ws
Subject: Re: [sudo-users] Disabling root to execute vi
On Mon, Nov 24, 2008 at 09:01:58AM -0200, Valdemir Santos wrote:
> Hi:
> Can you tell me how disable root to execute vi ?
> I put this line with no success...
>
>
> Cmnd_Alias ADMCMD = !/usr/bin/vi,!/usr/xpg4/bin/vi,!/usr/ucb/vi,!/bin/vi, ALL
Two points.
1. There should be a big sign on the front of sudo saying:
DO NOT USE THE EXCLUDE FEATURE (ie. !)
It's just too hairy and prone to misconfiguration and
misunderstanding.
Relatedly:
2. sudo is for ALLOWING extra access not restricting.
Just don't give access to vi in the first place,
i.e. DO NOT USE 'ALL' unless you mean ALL
Apart from that, what do you mean 'disable root'?
Do you mean disable normal users to run vi as root?
Or do you really mean disable root?
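An added example, not part of either message above or of sudo itself: a small Python check that flags sudoers rules and command aliases combining ALL with "!" exclusions, the pattern the quoted reply warns against. The sample input is constructed; ADMCMD is the line from the original question, the other names (NOVI, WEBOPS, alice, bob) are assumptions, and only simple single-host rules are handled.

```python
import re

# Constructed sample. ADMCMD is the line from the original question; the
# other aliases, users and commands are assumptions made for this example.
SAMPLE = r"""
# constructed sudoers fragment
Cmnd_Alias ADMCMD = !/usr/bin/vi,!/usr/xpg4/bin/vi,!/usr/ucb/vi,!/bin/vi, ALL
Cmnd_Alias NOVI = /usr/bin/vi, /bin/vi
Cmnd_Alias WEBOPS = /usr/sbin/apachectl graceful, /usr/sbin/apachectl configtest
alice ALL = (root) NOPASSWD: ALL, \
      !NOVI
bob   ALL = (root) WEBOPS
"""

SKIP = ("Defaults", "User_Alias", "Host_Alias", "Runas_Alias")

def logical_lines(text):
    """Join backslash continuations; drop blank lines and whole-line comments."""
    for line in re.sub(r"\\\n", " ", text).splitlines():
        line = line.strip()
        if line and not line.startswith("#"):
            yield line

def commands(spec):
    """Split a command list, dropping Runas specs like (root) and tags like NOPASSWD:."""
    spec = re.sub(r"\([^)]*\)", "", spec)
    items = (re.sub(r"^\s*(?:[A-Z_]+:\s*)*", "", i).strip() for i in spec.split(","))
    return [re.sub(r"^!\s*", "!", i) for i in items if i]

def audit(text):
    """Return one finding per rule or alias that combines ALL with '!' exclusions."""
    findings = []
    for line in logical_lines(text):
        left, sep, right = line.partition("=")
        if not sep or line.startswith(SKIP):
            continue
        cmds = commands(right)
        negated = [c for c in cmds if c.startswith("!")]
        if "ALL" in cmds and negated:
            words = left.split()
            owner = words[1] if words[0] == "Cmnd_Alias" else words[0]
            # True when ALL follows the exclusions, as in the original question
            all_last = cmds.index("ALL") > cmds.index(negated[-1])
            findings.append({"owner": owner, "negated": negated, "all_last": all_last})
    return findings

if __name__ == "__main__":
    for finding in audit(SAMPLE):
        print(finding)
```

Rules that name their commands explicitly, such as bob's, produce no finding.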