On Mon, Sep 17, 2007 at 10:49:04AM -0400, Woodchuck wrote:
> On Mon, 17 Sep 2007, Chris wrote:
> 
> > On 9/17/07, Darrin Chandler <[EMAIL PROTECTED]> wrote:
> > > problem is. This is why people keep asking you to explain the problem
> > > more.
> > 
> > Sorry for being vague. Ok, I have these in /etc/sudoers for joeuser.
> > joeuser is also in the wheel group.
> > 
> > joeuser server = NOPASSWD: /sbin/mount, /usr/libexec/locate.updatedb
> 
> mount can be leveraged to full root.
> 
> > joeuser server = NOPASSWD: /usr/local/bin/vim /var/www/conf/httpd.conf
> > joeuser server = NOPASSWD: /usr/local/bin/vim /etc/rc.local
> 
> Both of these commands, if done with vi, probably allow joe to
> launch a root shell, ex command :!sh  I don't think vim has any
> better protections.
>
I just want to remind that for editing files you can use 'sudoedit' entries.
That way you can run any editor, and it runs on a temporary copy of the target
file, and the result is copied to the target with the right permissions
afterwards. Executing shells from e.g. vim is no longer a security hole.

It is all in the man pages sudo(8) and sudoers(5).

<snip>

-- 
/ Raimo Niskanen, Erlang/OTP, Ericsson AB
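As an added illustration of the sudoedit suggestion above (this is editor-added example configuration, not a snippet posted by anyone in the thread), here are Chris's two vim entries next to their sudoedit equivalents. The user name, host name `server` and file paths are taken from the quoted sudoers lines; nothing else about his system is assumed.

```sudoers
# Entries as quoted in the thread: vim itself runs as root, so anything
# the editor can spawn (for example an ex ":!" command) runs as root too.
# joeuser server = NOPASSWD: /usr/local/bin/vim /var/www/conf/httpd.conf
# joeuser server = NOPASSWD: /usr/local/bin/vim /etc/rc.local

# sudoedit form: sudo copies the target to a temporary file, runs the
# user's editor (SUDO_EDITOR, VISUAL or EDITOR) on that copy as joeuser,
# and writes the result back to the target as root when the editor exits.
# A shell started from inside the editor therefore runs as joeuser.
joeuser server = NOPASSWD: sudoedit /var/www/conf/httpd.conf
joeuser server = NOPASSWD: sudoedit /etc/rc.local
```

With these entries joeuser runs `sudoedit /etc/rc.local` (or `sudo -e /etc/rc.local`) instead of `sudo vim /etc/rc.local`. Edit the file with `visudo`, which runs `visudo -c`-style syntax checking before saving, so a typo does not lock everyone out of sudo; the details of the `sudoedit` pseudo-command are in sudoers(5) as the post says.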

