Bug 267

Summary: Shell Execution
Product: Sudo
Reporter: Debasisha Padhi <debasisha>
Component: Sudo
Assignee: Todd C. Miller <Todd.Miller>
Status: RESOLVED INVALID
Severity: security
CC: debasisha
Priority: high
Version: 1.6.5
Hardware: IBM
OS: AIX

Description Debasisha Padhi 2007-10-30 14:56:55 MDT
Hello Sir,

We have created a standard sudoers file for all our servers (AIX, HP, SUN & Linux). We have created User_Alias, Host_Alias & Cmnd_Alias. In the User Alias Specification we have given "ID --- Server --- Command" (for e.g., AIX   ALL  = /usr/bin/more). We found a problem in that. The problem is that when the user is logged in as AIX and does sudo more on the /etc/passwd file and then presses "V", he is in the vi editor, and he is then able to edit the /etc/passwd file, save the file and come out of it. Please let us know how to prevent that on IBM AIX, as we have faced a couple of problems regarding the same. If you can provide the solution then I will be really grateful to you.

Similarly, the other problem is with the /usr/bin/chmod & /usr/bin/chown commands.

I kindly request you to provide the solution at the earliest possible so that we can implement the same in our environment.

With Kind Regards,

Debasisha
Comment 1 Todd C. Miller 2007-10-30 16:39:15 MDT
You can use the NOEXEC tag for this purpose.  See the section on NOEXEC in the sudoers man page.  In short, if you do things like:

junioradm   ALL = NOEXEC:/usr/bin/more

The user junioradm will be able to run the more command on any file but more will not be able to execute shell escapes or run the editor.
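The fix from Comment 1 written out as a sudoers fragment, with the reported rule beside the NOEXEC-tagged form; this is an added example, not part of the bug report or of sudo's own documentation. The alias names AIXADMIN and AIXHOSTS and the host names are assumptions; whether noexec is enforced on a given system depends on the platform's dynamic-loader preload support, so the result must be verified on the AIX hosts themselves.

```sudoers
# Added example (not from the bug report): reported rule vs. NOEXEC rule.
# User_Alias/Host_Alias names and host names are constructed for illustration.

User_Alias  AIXADMIN = AIX
Host_Alias  AIXHOSTS = aix01, aix02

# Before (as reported): more(1) runs with root privilege, and its "v"
# keystroke starts an editor that inherits that privilege.
# AIXADMIN    AIXHOSTS = /usr/bin/more

# After (Comment 1): NOEXEC lets more(1) run but prevents it from executing
# any other program, so the editor and shell escapes fail to start.
AIXADMIN    AIXHOSTS = NOEXEC: /usr/bin/more

# Optional: make noexec the default for every rule and re-enable exec only
# for commands that legitimately need to spawn children.
Defaults    noexec
Cmnd_Alias  NEEDS_EXEC = /usr/bin/crontab
AIXADMIN    AIXHOSTS = EXEC: NEEDS_EXEC
```

Validate the edited file with `visudo -c` and confirm the effective rules for the account with `sudo -l -U AIX` before relying on it; from the restricted account, `sudo more /etc/passwd` followed by "v" should now fail to open the editor.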