Beginner Question: Allowing sudo to vi hosts file
Posted by underh20.scubadiving@gmail.com on July 13th, 2006


Hello,

We've been asked to allow a user to update (add/modify/delete) lines in the /etc/inet/hosts file. That file currently has permission 644. Could we use sudo to only allow that user to "vi" and modify that file? If yes, how do we set that up in the /etc/sudoers file?

Thanks,

Humphrey

Posted by Dave Hinz on July 13th, 2006


On 13 Jul 2006 14:40:57 -0700, underh20.scubadiving@gmail.com <underh20.scubadiving@gmail.com> wrote:
It depends on what your sudoers file looks like already - do you have
user aliases, and cmnd aliases set up or is it just user can do thing in
its configuration?

If you can send a few lines of it showing the format you're using (it's
very flexible and therefore unpredictable) that'd help us help you.

Dave Hinz

Posted by John Hill on July 14th, 2006
Dave Hinz wrote:
You should be careful with this. Unless you block it somehow the user
could use :sh to escape to a shell from vi and have root access to the
system. I believe there are versions of vi or vim that can be
recompiled to prevent this.

John


Posted by Michael Heiming on July 14th, 2006


In comp.unix.admin Dave Hinz <DaveHinz@gmail.com>:
Very, very dangerous! PLEASE DON'T! You can shell escape from vi,
so you have made the person root.

Simply change permissions to 664, assign some group to the file
and make the user a member of this group. Check for cron jobs or
the like running regularly, checking and possibly resetting permissions.


--
Michael Heiming (X-PGP-Sig > GPG-Key ID: EDD27B94)
mail: echo zvpunry@urvzvat.qr | perl -pe 'y/a-z/n-za-m/'
#bofh excuse 39: terrorist activities

Posted by implicate_order on July 19th, 2006


Couldn't someone configure the sudoers file to implement the NOEXEC
directive? This is specifically provided to prevent shell escapes from
editors such as vi. This might call for a recompile of sudo binaries.

http://sudo.rtin.bz/sudo/man/sudoers...oexec_and_exec
http://sudo.rtin.bz/sudo/man/sudoers..._shell_escapes


Posted by Michael Heiming on July 19th, 2006


In comp.unix.admin implicate_order <dwai.lahiri@gmail.com>:
And how exactly would that prevent someone from just opening
/etc/sudoers from vi which is running as root?

It seems highly questionable why to use sudo at all when standard
unix permissions will allow you to do that easily?

Extra points for writing a 5-10 line shell script you can run
from sudo deleting or adding one entry to /etc/hosts.

--
Michael Heiming (X-PGP-Sig > GPG-Key ID: EDD27B94)
mail: echo zvpunry@urvzvat.qr | perl -pe 'y/a-z/n-za-m/'
#bofh excuse 380: Operators killed when huge stack of backup
tapes fell over.
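Michael's "extra points" suggestion, worked out as an added example (this is not code posted by anyone in the thread): a short POSIX shell script that adds or deletes exactly one hosts entry and is the only command the user is granted through sudoers. The install path /usr/local/sbin/hosts-entry, the sudoers line in the header comment and the function names are assumptions; the fixed file path follows Michael's post (/etc/hosts) and would be /etc/inet/hosts on a Solaris box like Humphrey's. The point of the design is the one the thread circles around: no editor is ever started, so there is no :sh escape and no way to open /etc/sudoers, because the user only ever gets to supply two validated arguments.

```shell
#!/bin/sh
# hosts-entry: add or delete exactly one line of the hosts file.
# Added example for this thread; not code posted by any participant.
# Assumed deployment: install root-owned, mode 0755, as /usr/local/sbin/hosts-entry
# and grant only that command in sudoers, e.g.
#     humphrey ALL=(root) /usr/local/sbin/hosts-entry
# The user then runs:   sudo /usr/local/sbin/hosts-entry add 10.0.0.5 db01
# No editor is ever started, so there is no :sh escape and no way to reach
# /etc/sudoers: the script only accepts validated arguments and a fixed file.
set -eu

# IPv4 dotted quad, each octet 0-255 (IPv6 deliberately out of scope here).
valid_ip() {
    printf '%s\n' "$1" | awk -F. '
        NF != 4 { exit 1 }
        { for (i = 1; i <= 4; i++)
              if ($i !~ /^[0-9][0-9]?[0-9]?$/ || $i > 255) exit 1 }'
}

# Hostname: labels of letters, digits and '-', joined by '.', at most 253 chars.
# This is what keeps spaces, '#' and shell metacharacters out of the file.
valid_name() {
    [ ${#1} -le 253 ] &&
    printf '%s\n' "$1" | grep -Eq \
        '^[A-Za-z0-9]([A-Za-z0-9-]*[A-Za-z0-9])?(\.[A-Za-z0-9]([A-Za-z0-9-]*[A-Za-z0-9])?)*$'
}

# True if NAME appears as a hostname or alias on any non-comment part of FILE.
hosts_has() {
    awk -v n="$2" '
        { sub(/#.*/, "") }
        { for (i = 2; i <= NF; i++) if ($i == n) found = 1 }
        END { exit !found }' "$1"
}

# Replace FILE with stdin via a temp file in the same directory, then rename,
# so a reader never sees a half-written hosts file.
replace_file() {
    tmp=$(mktemp "$(dirname "$1")/.hosts.XXXXXX")
    cat > "$tmp"
    chmod 644 "$tmp"
    mv "$tmp" "$1"
}

# hosts_add FILE ADDRESS NAME: append one "ADDRESS<TAB>NAME" line.
hosts_add() {
    valid_ip "$2"   || { echo "invalid address: $2" >&2; return 1; }
    valid_name "$3" || { echo "invalid hostname: $3" >&2; return 1; }
    if hosts_has "$1" "$3"; then
        echo "$3 is already present in $1" >&2; return 1
    fi
    # awk terminates every record with a newline, so a file lacking a final
    # newline cannot have the new entry glued onto its last line.
    awk -v ip="$2" -v n="$3" '{ print } END { printf "%s\t%s\n", ip, n }' "$1" \
        | replace_file "$1"
}

# hosts_del FILE NAME: remove the line(s) carrying NAME; comment lines are kept.
hosts_del() {
    valid_name "$2" || { echo "invalid hostname: $2" >&2; return 1; }
    [ "$2" != localhost ] || { echo "refusing to remove localhost" >&2; return 1; }
    hosts_has "$1" "$2" || { echo "no entry for $2 in $1" >&2; return 1; }
    awk -v n="$2" '
        { line = $0; sub(/#.*/, "") }
        { for (i = 2; i <= NF; i++) if ($i == n) next }
        { print line }' "$1" | replace_file "$1"
}

usage() {
    echo "usage: $0 add ADDRESS HOSTNAME | del HOSTNAME" >&2
    exit "${1-0}"
}

main() {
    hosts=/etc/hosts    # fixed: the caller must never be able to choose the file
    case ${1-} in
        add) [ $# -eq 3 ] || usage 2; hosts_add "$hosts" "$2" "$3" ;;
        del) [ $# -eq 2 ] || usage 2; hosts_del "$hosts" "$2" ;;
        *)   usage 2 ;;
    esac
}

# With no arguments only the functions are defined (handy for testing).
if [ $# -gt 0 ]; then
    main "$@"
fi
```

Two things matter for this to stay safe: the script itself must be root-owned and not writable by the user (otherwise they edit the script instead of the hosts file), and the sudoers entry must name this script alone rather than vi, which is why NOEXEC never enters the picture. The validation also serves Michael's second point: with the file's group permissions the user could write anything into it, whereas here only well-formed address/name pairs get through.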

Posted by implicate_order on July 21st, 2006
That is true -- one could easily open the sudoers file and change it.
Unless of course you didn't allow "shell escapes" through sudo vi and
prevented "vi /etc/sudoers" in the sudoers file.

While that may be true, it was an "academic" exercise to see whether
sudo can be used to prevent shell escapes (which is what someone had
said cannot be done).


imho if sudo can be locked down properly it's a very decent tool to
enforce limited/restricted privileged functionality.


Posted by Michael Heiming on July 21st, 2006


In comp.unix.admin implicate_order <dwai.lahiri@gmail.com>:


This is AFAIK not a shell escape in vi but a regular feature of
most editors to open another file for editing.

I'm not here for academic questions, but to help people get
their stuff running.

You confuse shell escapes with opening a file for editing.

But not for editing files; you can use standard *nix permissions
or even ACLs, there's zero need to use sudo for something like
this. You just don't seem to want to get it? Or perhaps need to
learn more about how unix works, this ain't no doze!

Good luck

--
Michael Heiming (X-PGP-Sig > GPG-Key ID: EDD27B94)
mail: echo zvpunry@urvzvat.qr | perl -pe 'y/a-z/n-za-m/'
#bofh excuse 103: operators on strike due to broken coffee
machine

Posted by implicate_order on July 25th, 2006
[[[But not for editing files, you can use standard *nix permissions
or even ACL, there's zero need to use sudo for something like
this. You just don't seem to want to get? Or perhaps need to
learn more how unix works, this ain't no doze! ]]]

I do see what you mean by 'vi edits' and you make a valid point. I
take back what I posted earlier about "shell escapes and sudo
permissions". I'll ignore that "barb" about learning *nix -- I've been
doing nix for well over 12 years now.

Also you might want to double-check your ability to put a point across
in an amicable manner...