Re: What bad things could happen if we don't use sudoedit?

2015-04-27 Thread whynot sudo
"In the bad thing category, you could break your sudo config."


What do you mean by that? 


 Original Message 
From: ludovic coues 
To: whynot sudo 
Subject: Re: What bad things could happen if we don't use sudoedit?
Date: Mon, 27 Apr 2015 18:52:56 +0200

> 2015-04-27 18:46 GMT+02:00 whynot sudo:
> > Hello list,
> >
> > We know it's safer* to use sudoedit, but what bad things can happen if we 
> > have the following in sudoers?
> >
> > Cmnd_Alias FOO = /bin/ed, /usr/bin/ed, /usr/bin/vi
> > foouser LOCALHOST = NOPASSWD: NOEXEC: FOO
> >
> > Can the "foouser" escape to a root prompt? - of course, besides that he could 
> > now edit the /etc/shadow file to put a custom pwd hash to the root user to 
> > become root in about 3 seconds..
> >
> > Maybe some magic in .vimrc?
> >
> > *=sudo vi would run as root, but sudoedit would run as the given user; the 
> > edited file will be copied before/after editing it.
> >
> > Thanks.
> >
> 
> 
> 
> In the bad thing category, you could break your sudo config.



What bad things could happen if we don't use sudoedit?

2015-04-27 Thread whynot sudo
Hello list, 

We know it's safer* to use sudoedit, but what bad things can happen if we have 
the following in sudoers?

Cmnd_Alias FOO = /bin/ed, /usr/bin/ed, /usr/bin/vi
foouser LOCALHOST = NOPASSWD: NOEXEC: FOO

Can the "foouser" escape to a root prompt? - of course, besides that he could now 
edit the /etc/shadow file to put a custom pwd hash to the root user to become 
root in about 3 seconds..

Maybe some magic in .vimrc?

*=sudo vi would run as root, but sudoedit would run as the given user; the 
edited file will be copied before/after editing it.

Thanks.
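
Added example, not part of the thread or of any poster's message: a simplified Python audit that flags sudoers rules like the one quoted above, where an editor binary is granted directly instead of through sudoedit. The EDITORS list, the baruser line and the function names are assumptions made for this illustration, and the parser ignores line continuations and include files.

```python
import re

# Assumed editor list for this example; extend it for your environment.
EDITORS = {"ed", "ex", "vi", "view", "vim", "nano", "emacs"}

# Constructed input: the two sudoers lines from the thread, plus a
# hypothetical sudoedit rule (baruser) for contrast.
SAMPLE = """\
Cmnd_Alias FOO = /bin/ed, /usr/bin/ed, /usr/bin/vi
foouser LOCALHOST = NOPASSWD: NOEXEC: FOO
baruser LOCALHOST = sudoedit /etc/motd
"""

RUNAS = re.compile(r"^\([^)]*\)\s*")      # optional (runas) prefix
TAGS = re.compile(r"^(?:[A-Z_]+:\s*)+")   # tags such as NOPASSWD: NOEXEC:


def parse_cmnd_aliases(text):
    """Map each Cmnd_Alias name to its list of commands."""
    aliases = {}
    for line in text.splitlines():
        m = re.match(r"\s*Cmnd_Alias\s+(\w+)\s*=\s*(.+)", line)
        if m:
            aliases[m.group(1)] = [c.strip() for c in m.group(2).split(",")]
    return aliases


def editor_grants(text):
    """Return (user, command) pairs where an editor runs directly under sudo."""
    aliases = parse_cmnd_aliases(text)
    findings = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or re.match(r"\w+_Alias\b|Defaults", line):
            continue
        m = re.match(r"(\S+)\s+\S+\s*=\s*(.+)", line)
        if not m:
            continue
        user, spec = m.groups()
        for item in spec.split(","):
            item = TAGS.sub("", RUNAS.sub("", item.strip()))
            for cmd in aliases.get(item, [item]):   # expand alias, else literal
                binary = (cmd.split() or [""])[0]
                if binary != "sudoedit" and binary.rsplit("/", 1)[-1] in EDITORS:
                    findings.append((user, binary))
    return findings


if __name__ == "__main__":
    for user, binary in editor_grants(SAMPLE):
        print(f"{user}: {binary} runs as root; grant 'sudoedit <file>' instead")
```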