[sudo-workers] Possible to assign NOEXEC for all users for certain commands ...

Alek O. Komarnitsky (N-CSC) alek at ast.lmco.com
Sat Sep 25 17:30:59 EDT 2004

> From Todd.Miller at courtesan.com Sat Sep 25 15:28 MDT 2004
> > The issue is more over-zealous admins that have sudo=ALL allready;
> > would like them to issue commands on the CLI rather than in vi.
> > Yes, I know there are other ways for them to workaround it,
> > but it would be a nice tidy way to close this up.
> Actually, it is possible to do this.  The following will allow
> "poweruser" access to all commands but disable shell escapes in vi.
>     poweruser	ALL = ALL, NOEXEC:/usr/bin/vi
> This works because sudo will use the last match, which has the
> NOEXEC tag.
> The next version of sudo will support tracing of sub-commands on
> certain OSes (currently OpenBSD and NetBSD or Linux with a kernel
> patch) which allows you to enforce sudoers policy (and logging)
> even with shell escapes enabled.  Unfortunately, this kind of thing
> is inherantly OS-dependent but I have working code in the cvs tree
> that uses systrace, see http://www.systrace.org/ (I use the kernel
> interface, not the userland program since sudo does its own policy
> stuff).
>  - todd

Yea, but we have a couple of dozen admins listed in our sudoers file;
so I was hoping to just do a one-line change and NOEXEC vi not only
for them, but for everyone.

Hope I'm not sounding too picky,

More information about the sudo-workers mailing list