Linux - Server: This forum is for the discussion of Linux software used in a server related context.
I need to configure on S2 the user jsmith as a sudoer to use vi to edit files in /etc/apache2; jsmith should require no password to edit files.
Also, on S1 I need to configure the lsmith user as a sudoer to shut down the computer; lsmith requires a password to shut down.
You never let a user run vi or similar text editors as root, even if you try to limit it to a few files only. Once vi runs as root it can launch as many shells as root as the user wants, in fact becoming root on the system without limitations.
As mentioned below (2 issues):
Your Cmnd_Alias should have the filename specified, or *
e.g.:
/usr/sbin/vi /etc/apache2/httpd.conf
or
/usr/sbin/vi /etc/apache2/*
HOWEVER (as mentioned as well), giving people access to vi via sudo is giving away a root shell.
You need to use
rvim or rvi instead, which will prevent users from exiting into a shell.
Here the point is not to give root access to a user, but to allow the user to edit a specific file. Using file permissions for this is a much better approach here. Create a new group, change the group ownership of the files the user has to edit to that group, allow write access for that group, then add the user to that group.
Ok, so I guess I can just edit my Cmnd alias to be: Cmnd_Alias VI2APACHE = /usr/bin/rvim /etc/apache2/*? I will test it tomorrow, but a question, is it not going to cause any security breach just by changing vi to rvim?
Regardless of what editor is used (and whether it allows shell escape or writing files other than the one originally opened) you've probably got a security problem arising from potential changes to apache config.
Thanks for your help.
You are welcome. I cannot comment on the security of the apache config file and what the user configures, but at least you can be sure that your user will not be able to break out into a shell.
In addition to rvim, there is also the NOEXEC option in sudoers. With NOEXEC, it is possible to prevent vi from running shells. The sudoers(5) manual page has a whole section on preventing shell escapes. So use both NOEXEC and rvim.
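The replies above raise two distinct problems with a sudoers entry for an editor: a Cmnd_Alias with no file argument lets the user open any file as root, and an editor that allows shell escapes hands out a root shell unless NOEXEC or rvim/rvi is used. The following script is an added example, not code from the thread or from the sudo project: it parses a small sudoers fragment and flags both problems, so the weak entry and the hardened entry for jsmith and lsmith can be compared side by side. The two sudoers fragments, the alias names and the path /usr/bin/vi are constructed for this example; the parser handles only Cmnd_Alias lines and plain user specifications, not the full sudoers grammar.

```python
"""Audit sudoers Cmnd_Alias and user-spec lines for editor entries that
either restrict no file argument or permit shell escapes without NOEXEC.
Constructed example; parses a subset of sudoers syntax only."""
import re
from dataclasses import dataclass

# Editors that can spawn a shell from inside (e.g. :!sh in vi)
SHELL_ESCAPE_EDITORS = {"vi", "vim", "view", "nano", "emacs"}
# Restricted editors that refuse shell escapes
RESTRICTED_EDITORS = {"rvi", "rvim"}
TAG_RE = re.compile(r"(NOPASSWD|PASSWD|NOEXEC|EXEC|SETENV|NOSETENV):\s*")

# Constructed sample: the kind of entry the thread warns against
WEAK = """\
Cmnd_Alias VI2APACHE = /usr/bin/vi
jsmith ALL = NOPASSWD: VI2APACHE
"""

# Constructed sample: file argument given, restricted editor, NOEXEC tag,
# and lsmith still prompted for a password before shutdown
HARDENED = """\
Cmnd_Alias VI2APACHE = /usr/bin/rvim /etc/apache2/*
Cmnd_Alias SHUTDOWN = /sbin/shutdown
jsmith ALL = NOPASSWD: NOEXEC: VI2APACHE
lsmith ALL = PASSWD: SHUTDOWN
"""


@dataclass
class Command:
    path: str
    args: str  # "" when the entry names the program without any argument


def _command(spec):
    """Split 'path [args]' into a Command."""
    parts = spec.strip().split(None, 1)
    return Command(parts[0], parts[1] if len(parts) > 1 else "")


def parse_sudoers(text):
    """Return (aliases, specs): aliases maps a Cmnd_Alias name to its
    commands; specs lists (user, tags, entries) for each user specification."""
    aliases, specs = {}, []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and blanks
        if not line or "=" not in line:
            continue
        if line.startswith("Cmnd_Alias"):
            name, rhs = line[len("Cmnd_Alias"):].split("=", 1)
            aliases[name.strip()] = [_command(c) for c in rhs.split(",")]
            continue
        if line.startswith(("Defaults", "User_Alias", "Host_Alias", "Runas_Alias")):
            continue  # not needed for this audit
        lhs, rhs = line.split("=", 1)
        user = lhs.split()[0]
        rhs = re.sub(r"^\s*\([^)]*\)", "", rhs).strip()  # optional (runas)
        tags = set()
        while (m := TAG_RE.match(rhs)):
            tags.add(m.group(1))
            rhs = rhs[m.end():]
        specs.append((user, tags, [c.strip() for c in rhs.split(",")]))
    return aliases, specs


def audit(text):
    """Return a list of findings (empty when no editor entry is risky)."""
    aliases, specs = parse_sudoers(text)
    findings = []
    for user, tags, entries in specs:
        for entry in entries:
            # An entry is either an alias name or a literal command
            for cmd in aliases.get(entry, [_command(entry)]):
                prog = cmd.path.rsplit("/", 1)[-1]
                if prog not in SHELL_ESCAPE_EDITORS | RESTRICTED_EDITORS:
                    continue
                if not cmd.args:
                    findings.append(
                        f"{user}: {cmd.path} has no file argument, "
                        "so any file on the system can be edited as root")
                if prog in SHELL_ESCAPE_EDITORS and "NOEXEC" not in tags:
                    findings.append(
                        f"{user}: {cmd.path} allows shell escapes; "
                        "add the NOEXEC: tag and/or switch to rvim")
    return findings


if __name__ == "__main__":
    for label, fragment in (("weak", WEAK), ("hardened", HARDENED)):
        print(f"[{label}] findings: {audit(fragment) or 'none'}")
```

Running the script reports two findings for the weak fragment and none for the hardened one. One caveat from sudoers(5) worth keeping in mind: NOEXEC works by preloading a library into the command, so it only restrains dynamically linked programs; a statically linked editor is not covered, which is why the reply above recommends combining NOEXEC with rvim rather than relying on either alone.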