Hi,

I need to configure on S2 the user jsmith as a sudoer to use vi to edit files in /etc/apache2, jsmith should require no password to edit files.
Also, on S1 i need to configure the lsmith user as a sudoer to shutdown the computer, lsmith requires a password shutdown.

What I did:

-- visudo
-- added the following lines:
User_Alias VIAPACHE = jsmith
Cmnd_Alias VI2APACHE = /usr/bin/vi /etc/apache2/
Host_Alias S2 = S2
VIAPACHE S2 = (root) NOPASSWD: VI2APACHE

I then save and close visudo, su jsmith, and try the command:

sudo vi /etc/apache2/httpd.conf

But after entering jsmith's password (which should not be asked) I get the error:

"Sorry, user jsmith is not allowed to execute '/usr/sbin/vi /etc/apache2/httpd.conf' as a root on S2"


Of course I am doing something wrong, could you please tell me what it is?

Thanks in advance,

Diego

Your Cmnd_Alias doesn't match the command you're running

Your Cmnd_Alias doesn't match the command you're running

You never let a user run Vi or similar texteditors as root, even if you try to limit it to a few files only. Once Vi runs as root it can launch as many shells as root as the user want, in fact becoming root on the system without limitations.

2 members found this post helpful.

Thank you guys,

But, in this case, how would I allow jsmith to edit any config file in the /etc/apache2/ directory? What would you recommend?

As mentioned below: (2 issues)
your Cmnd_Alias should have the filename specified, or *
eg:
/usr/sbin/vi /etc/apache2/httpd.conf
or
/usr/sbin/vi /etc/apache2/*

HOWEVER, (as mentioned as well) giving people access to vi via sudo is giving away a root shell.
you need to use
rvim or rvi instead, which will prevent users from exiting into a shell.

Here the point is not to give root access to an user, but to allow the user to edit a specific file. Using file-permissions for this is a much better approach here. Create a new group, change the group ownership of the files the user has to edit to that group, allow write-access for that group, than add the user to that group.

2 members found this post helpful.

Ok, so I guess I can just edit my Cmnd alias to be: Cmnd_Alias VI2APACHE = /usr/bin/rvim /etc/apache2/*? I will test it tomorrow, but a question, is it not going to cause any security breach just by changing vi to rvim?

Thanks for your help.

Regardless of what editor is used (and whether it allows shell escape or writing files other than the one originally opened) you've probably got a security problem arising from potential changes to apache config.

http://httpd.apache.org/docs/2.4/mis...tml#serverroot

That can be avoided if the service is _started_ by the non-root account apache is to run as (a relatively uncommon configuration).

You are welcome. I cannot comment on the security of the apache config file and what the user configures, but at least you can be sure that your user will not be able to break out into a shell.

You might want to try ACLs instead ...

What OS are you running?

--C

Im running SUSE Linux Enterprise Server 11

Run this command and the output

where /path/to/disk is the volume where /etc/apache2/httpd.conf lives

--C

In addition to rvim, there is also the NOEXEC option in sudoers. With NOEXEC, it is possible to prevent vi from running shells. The sudoers(5) manual page has a whole section on preventing shell escapes. So use both NOEXEC and rvim.