Bug 33 – Possible Bug on sudo + vi

Bug 33 - Possible Bug on sudo + vi


Summary:	Possible Bug on sudo + vi

Status:	RESOLVED FIXED

Product:	Sudo
Classification:	Unclassified
Component:	Sudo
Version:	1.6.3
Hardware:	PC Linux

Importance:	normal normal
Assigned To:	Todd C. Miller

URL:

Depends on:
Blocks:
	Show dependency tree / graph

Reported:	2001-04-11 15:03 MDT by fabio
Modified:	2001-04-11 19:16 MDT (History)
CC List:	0 users

See Also:

Attachments
Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.

Description fabio 2001-04-11 15:03:33 MDT

When I make sudo vi, then you type :sh to go to shell you gain root access.

Comment 1 Todd C. Miller 2001-04-11 15:16:59 MDT

This is not a bug in sudo, it is a problem with giving a user access to programs
that allow shell escapes (vi is just one of many).  If you need to give access
to an editor you should use one that has a "secure" mode that disallows running
external commands.  Both nvi and vim have ways to do this.  To quote from the
sudo(8) man page "There is no easy way to prevent a user from gaining a root
shell if that user has access to commands allowing shell escapes."