help with sudoers
Hi,
I am configuring sudoers so that some users can do "vi" and "nano" against any file except the shadow and sudoers files. I have the following contents in the /etc/sudoers file.
Do NOT give sudo access to vi!!!
vi has an escape to shell (:!/bin/bash). When the user does that, they are root and can issue any command they want from the shell they just opened. (I don't use nano, but my guess is that it has similar capabilities.)
Code:
aaron shanty = NOEXEC: /usr/bin/more, /usr/bin/vi

I'm not saying I condone the 'sudo vi'; however, I felt the OP deserved a little bit more information than just "don't do it."
nomb
My prohibition was based on the fact that I used to work at a place where they blindly gave "sudo vi" without thinking of the consequences. Trying to undo that once given was like trying to get Congress to pass a law.
I really like the idea behind sudoedit.
Also, keep in mind, even if they can't escape to a shell in vi:
Code:
:edit /etc/shadow
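To make the points from nomb's NOEXEC line and the :edit /etc/shadow post concrete, here is a small POSIX shell audit script. It is an added example, not code from this thread or from the sudo project: it scans sudoers-style lines for grants of editors and pagers with shell escapes that lack the NOEXEC tag, and prints a sudoedit form as the suggested replacement. The sample sudoers text is constructed for the example (the "aaron shanty" line is the one nomb posted; "alice", "bob" and "carol" are hypothetical users, and /path/to/allowed/file is a placeholder the administrator fills in).

```shell
#!/bin/sh
# Added example, not from the thread: audit sudoers-style text for editor
# grants that are missing NOEXEC, and suggest the sudoedit form instead.

# Constructed sample sudoers text. Only the "aaron shanty" line comes from
# the thread; the other users and hosts are hypothetical.
SAMPLE_SUDOERS='
# weak: vi/nano run as root, so a :!/bin/sh escape is a root shell
alice ALL = /usr/bin/vi, /usr/bin/nano
# better: NOEXEC stops the program from executing other programs,
# but :edit /etc/shadow still opens that file inside the editor
aaron shanty = NOEXEC: /usr/bin/more, /usr/bin/vi
# best: sudoedit copies the named file to a temporary file, runs the
# editor as the invoking user, then writes the result back as root
bob ALL = sudoedit /etc/hosts, sudoedit /etc/motd
# unrelated grant, must not be flagged
carol ALL = /usr/bin/systemctl restart nginx
'

# Editors and pagers with well-known shell escapes.
EDITOR_RE='/usr/bin/(vi|vim|nano|more|less)'

# Print every non-comment line that grants one of those programs
# without a NOEXEC: tag.  $1 is the sudoers text.
weak_grants() {
    printf '%s\n' "$1" \
      | grep -v '^[[:space:]]*#' \
      | grep -E "$EDITOR_RE" \
      | grep -Ev '(^|[[:space:],])NOEXEC:'
}

# Print the number of such lines (0 when the policy is clean).
count_weak_grants() {
    printf '%s\n' "$1" \
      | grep -v '^[[:space:]]*#' \
      | grep -E "$EDITOR_RE" \
      | grep -Evc '(^|[[:space:],])NOEXEC:'
}

# Rewrite one flagged grant into the sudoedit form.  The file path is a
# placeholder; the administrator lists the specific files to allow.
suggest_fix() {
    printf '%s\n' "$1" | sed -E 's#=.*#= sudoedit /path/to/allowed/file#'
}

# Stand-alone run: show each weak grant with its suggested replacement.
weak_grants "$SAMPLE_SUDOERS" | while IFS= read -r line; do
    printf 'WEAK: %s\n' "$line"
    printf 'FIX:  %s\n' "$(suggest_fix "$line")"
done
```

Two caveats when applying this to a real file: `visudo -c` checks sudoers syntax only, not whether a grant is sensible, so a policy audit like this one is separate work; and NOEXEC relies on intercepting the program's own exec calls, so it is no help against opening other files from inside the editor, which is exactly why sudoedit, with an explicit file list, is the form to prefer.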
Isn't this the perfect scenario to use rvim? Or would that not work well either?
Just out of curiosity, is there nothing permissions-wise you could do to grant your users the access they need?

What *NIX distribution does this pertain to? Maybe filesystem-based Access Control Logs are the way to go. Another angle to consider: are your users "appending" to the files in question? Maybe you could just have them pound out things into a file, then run a script that appends the text to a given file?

P.S.: I wonder why we haven't heard back from the Original Poster in almost 5 days...
Funny, that. At the same place where they were doing the "sudo vi", a developer once reported to our management that there were several security holes in our UNIX setup. They sent me to discuss it with him. After discussing everything he'd found with him, I went back and told my management that they needed to either:
A) Force him to transfer to our department so he'd be with us, or
B) Fire him so he didn't have access to the servers on our LAN, as we'd never be able to block anyone as smart as him. :jawa: