[sudo-workers] Possible to assign NOEXEC for all users for certain commands ...

Alek O. Komarnitsky (N-CSC) alek at ast.lmco.com
Sat Sep 25 17:30:59 EDT 2004


> From Todd.Miller at courtesan.com Sat Sep 25 15:28 MDT 2004
> 
> > The issue is more over-zealous admins that have sudo=ALL already;
> > would like them to issue commands on the CLI rather than in vi.
> > Yes, I know there are other ways for them to workaround it,
> > but it would be a nice tidy way to close this up.
> 
> Actually, it is possible to do this.  The following will allow
> "poweruser" access to all commands but disable shell escapes in vi.
> 
>     poweruser	ALL = ALL, NOEXEC:/usr/bin/vi
> 
> This works because sudo will use the last match, which has the
> NOEXEC tag.
> 
> The next version of sudo will support tracing of sub-commands on
> certain OSes (currently OpenBSD and NetBSD or Linux with a kernel
> patch) which allows you to enforce sudoers policy (and logging)
> even with shell escapes enabled.  Unfortunately, this kind of thing
> is inherently OS-dependent but I have working code in the cvs tree
> that uses systrace, see http://www.systrace.org/ (I use the kernel
> interface, not the userland program since sudo does its own policy
> stuff).
> 
>  - todd

Yea, but we have a couple of dozen admins listed in our sudoers file;
so I was hoping to just do a one-line change and NOEXEC vi not only
for them, but for everyone.

Hope I'm not sounding too picky,
alek
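The "last match wins" rule Todd describes, and the way a tag such as NOEXEC carries forward to the commands that follow it in the same list, decide whether a one-line sudoers change actually does what you expect. The following is an added toy model (not code from the thread or from the sudo project) that parses a few constructed sudoers-style rules and reports which flags the last matching entry leaves in force for a given user and command. The rules and user names are made up; the model ignores hosts and Runas specs, and a real change should still be checked with visudo.

```python
"""Toy model of sudoers last-match semantics for NOEXEC/EXEC and (NO)PASSWD tags.

Added example, not part of the thread or the sudo project. It models two
documented sudoers behaviours: the last matching entry wins, and a tag on a
command applies to every later command in the same list until another tag
overrides it. Hosts and Runas specs are ignored (assumption of this toy).
"""

# Tag name -> (flag it sets, value it sets)
TAGS = {
    "NOEXEC": ("noexec", True),
    "EXEC": ("noexec", False),
    "NOPASSWD": ("passwd", False),
    "PASSWD": ("passwd", True),
}


def parse_rule(line):
    """Parse 'user host = [TAG:]cmd, [TAG:]cmd, ...' into (user, [(cmd, flags)])."""
    lhs, rhs = line.split("=", 1)
    user, _host = lhs.split()            # host is ignored in this model
    flags = {"noexec": False, "passwd": True}   # sudoers defaults
    entries = []
    for spec in rhs.split(","):
        spec = spec.strip()
        # Strip leading TAG: prefixes; each one sticks for the following commands.
        while ":" in spec and spec.split(":", 1)[0].strip() in TAGS:
            tag, spec = spec.split(":", 1)
            field, value = TAGS[tag.strip()]
            flags[field] = value
            spec = spec.strip()
        entries.append((spec, dict(flags)))
    return user, entries


def resolve(rules, user, command):
    """Return the flags of the LAST entry matching user and command, or None.

    'ALL' matches any user or any command; otherwise the match is exact.
    """
    result = None
    for line in rules:
        rule_user, entries = parse_rule(line)
        if rule_user not in (user, "ALL"):
            continue
        for cmd, flags in entries:
            if cmd == "ALL" or cmd == command:
                result = flags           # later matches override earlier ones
    return result


def noexec_for(rules, user, command):
    """Convenience: True if the effective entry carries NOEXEC, False if not,
    None if sudo would not allow the command at all."""
    flags = resolve(rules, user, command)
    return None if flags is None else flags["noexec"]


if __name__ == "__main__":
    # Constructed rule sets for illustration.
    todd_rule = ["poweruser ALL = ALL, NOEXEC:/usr/bin/vi"]
    wrong_order = ["poweruser ALL = NOEXEC:/usr/bin/vi, ALL"]
    # A catch-all appended after the per-admin lines (hypothetical users):
    site = ["alice ALL = ALL", "bob ALL = ALL", "ALL ALL = NOEXEC:/usr/bin/vi"]

    for name, rules in [("todd_rule", todd_rule), ("wrong_order", wrong_order)]:
        for cmd in ("/usr/bin/vi", "/bin/ls"):
            print(f"{name:12s} poweruser {cmd:12s} noexec={noexec_for(rules, 'poweruser', cmd)}")
    for who in ("alice", "bob"):
        print(f"site         {who:9s} /usr/bin/vi  noexec={noexec_for(site, who, '/usr/bin/vi')}")
```

The second rule set shows the trap: putting the NOEXEC entry first makes the tag carry forward onto ALL, so every command runs noexec, and even `NOEXEC:/usr/bin/vi, EXEC:ALL` ends up with vi allowed to exec because ALL is the last match. The third set is what the model gives for a single catch-all line placed after the existing admin entries; whether that is acceptable for your file is a question for visudo and a test account, not for this toy.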


