Saturday, August 22, 2009

Do not grant sudo to execute vi as root

If you grant sudo for a user to execute vi as root, it simply means you give that user a root shell. This is because user can use vi to invoke a shell by using ":!" vi command. Moreover, user can also use vi to open any abritary file as vi does not restrict the files to be read/written to its file list parameters upon invokation.

The best ways to grant sudo to user to edit a file are:

#1 find a text editor that cannot invoke a shell and can open files that are provided as command line arguments upon invokation only

Or #2 chgrp that file to be group editable and add that user into that group


Jeremy Tan said...

If you're using vim instead of vi (and I assume you are since you're using something silly like sudo), you can give it the -Z argument to make it restricted.

Post a Comment