On Sat, Apr 28, 2012 at 08:04:31PM +0200, Kurt Jaeger wrote:
> Hi!
>
> > > > Please do study sudo real power :-)
> > > > It can give selective privileges per-command,
> [...]
> > > Just make sure none of the permitted commands has got the
> > > feature of starting a shell ;-))
> >
> > Right, think of vi(1), less(1), et al.
>
> Even this aspect is taken care of with sudo (at least to a certain limit):
>
> NOEXEC and EXEC
>
> If sudo has been compiled with noexec support and the underlying
> operating system supports it, the NOEXEC tag can be used to prevent a
> dynamically-linked executable from running further commands itself.
>
> In the following example, user aaron may run /usr/bin/more and
> /usr/bin/vi but shell escapes will be disabled.
>
> aaron shanty = NOEXEC: /usr/bin/more, /usr/bin/vi
>
> See the "PREVENTING SHELL ESCAPES" section below for more details on
> how NOEXEC works and whether or not it will work on your system.
>
cp /usr/bin/vi ~/
or upload your own...
sudo $HOME/vi

You need to be very careful with this NOEXEC thinking as it will not always
get you what you originally intended.

--
- (2^(N-1))
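
An added example, not part of the thread and not sudo's own code: a small Python lint for simple sudoers user specs that tracks how NOEXEC/EXEC tags carry across a command list and flags command paths a user may control. The set of escape-capable programs, the writable path prefixes, and every sample rule except aaron's are assumptions constructed for illustration; aliases, Defaults and escaped commas are not handled.

```python
import re

# Assumptions for this sketch (not from the thread): which basenames offer
# shell escapes, and which path prefixes an unprivileged user can write to.
ESCAPE_CAPABLE = {"vi", "vim", "more", "less"}
USER_WRITABLE = ("/home/", "/tmp/", "/var/tmp/")
TAG_RE = re.compile(r"^([A-Z_]+):\s*")

def audit(line):
    """Return a list of (command, finding) for one simple sudoers user spec."""
    findings = []
    _, _, cmnd_list = line.partition("=")
    # Drop an optional Runas spec such as "(root)".
    cmnd_list = re.sub(r"^\s*\([^)]*\)\s*", "", cmnd_list)
    noexec = False  # a tag stays in effect for later commands in the list
    for item in cmnd_list.split(","):
        item = item.strip()
        while (m := TAG_RE.match(item)):
            if m.group(1) == "NOEXEC":
                noexec = True
            elif m.group(1) == "EXEC":
                noexec = False
            item = item[m.end():]  # other tags (e.g. NOPASSWD) are just skipped
        if not item:
            continue
        path = item.split()[0]
        base = path.rsplit("/", 1)[-1]
        if base in ESCAPE_CAPABLE and not noexec:
            findings.append((path, "shell-escape-capable command without NOEXEC"))
        if path.startswith(USER_WRITABLE) or "*" in path:
            findings.append((path, "command path is user-writable or wildcarded"))
    return findings

SAMPLE = [  # constructed rules; only the first is the man-page example quoted above
    "aaron shanty = NOEXEC: /usr/bin/more, /usr/bin/vi",
    "bob shanty = /usr/bin/less, NOEXEC: /usr/bin/vi",
    "carol shanty = (root) NOEXEC: /home/carol/bin/*",
    "dave shanty = NOEXEC: /usr/bin/vi, EXEC: /usr/bin/more",
]

if __name__ == "__main__":
    for rule in SAMPLE:
        for path, finding in audit(rule) or [("-", "no findings")]:
            print(f"{rule!r}: {path}: {finding}")
```

The second check matters because the quoted man page text limits NOEXEC to dynamically-linked executables, so a rule that permits a binary the user can supply is not constrained by the tag.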