[sudo-workers] Possible to assign NOEXEC for all users for certain commands ...

Todd C. Miller Todd.Miller at courtesan.com
Sat Sep 25 17:26:17 EDT 2004


In message <200409221724.LAA00653 at hulk.ast.lmco.com>
	so spake "Alek O. Komarnitsky (N-CSC)" (alek):

> The issue is more over-zealous admins that have sudo=ALL already;
> would like them to issue commands on the CLI rather than in vi.
> Yes, I know there are other ways for them to workaround it,
> but it would be a nice tidy way to close this up.

Actually, it is possible to do this.  The following will allow
"poweruser" access to all commands but disable shell escapes in vi.

    poweruser	ALL = ALL, NOEXEC:/usr/bin/vi

This works because sudo will use the last match, which has the
NOEXEC tag.

The next version of sudo will support tracing of sub-commands on
certain OSes (currently OpenBSD and NetBSD or Linux with a kernel
patch) which allows you to enforce sudoers policy (and logging)
even with shell escapes enabled.  Unfortunately, this kind of thing
is inherently OS-dependent but I have working code in the cvs tree
that uses systrace, see http://www.systrace.org/ (I use the kernel
interface, not the userland program since sudo does its own policy
stuff).

 - todd
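A worked sudoers fragment, added here as an illustration and not part of Todd's message, showing how the last-match rule interacts with tag inheritance (a tag set on one command carries to the commands after it in the same list unless the opposite tag overrides it); "poweruser" and /usr/bin/vi are taken from the message, everything else is assumed:

```sudoers
# Added example, not from the original message. sudo evaluates every
# matching entry and the LAST match wins; a tag (NOEXEC/EXEC, etc.) set on
# one command is inherited by the commands that follow it in the same
# Cmnd_Spec list unless the opposite tag overrides it.

# Intended policy: everything allowed, but vi runs under noexec so that
# :! and :sh inside the editor cannot spawn a shell.
poweruser   ALL = ALL, NOEXEC:/usr/bin/vi

# Reversed order: for /usr/bin/vi the last match is "ALL", and ALL has
# inherited NOEXEC from the entry before it, so noexec now applies to
# EVERY command (make, scripts, anything that forks a helper), not just vi.
#poweruser  ALL = NOEXEC:/usr/bin/vi, ALL

# Reversed order with an explicit EXEC on ALL: the last match for
# /usr/bin/vi is now "EXEC:ALL", so the NOEXEC on vi is silently lost.
#poweruser  ALL = NOEXEC:/usr/bin/vi, EXEC:ALL

# Verify the effective policy rather than trusting the reading (as root):
#   visudo -c              # syntax-check the sudoers file
#   sudo -l -U poweruser   # list what poweruser may run, with the tags applied
```

sudo's noexec works by preloading a library that wraps the exec family, so it only constrains dynamically linked programs; that limitation is why the message points to kernel-level tracing (systrace) for enforcing policy on sub-commands in general.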
