0

I have the following problem:

I configured sudo with permissions for everything except for a few commands, remove, reboot, shutdown, block from sudo to shell, preventing a user from elevating the privileges with the sudo -i command or change the password for example.

If someone runs the command sudo vim and opens a shell from within the editor, it manages to elevate the privilege to root.

Does anyone know of any way to block this command, from within the editor?

Improve this question
6
  • 2
    Well, you have rvim (restricted vim) which doesn't allow shell commands; but using sudo with permissions to everything is the same as giving everybody root. (and using sudo at all is a horrible idea in the 1st place no matter how, where or when). Commented Jan 30, 2019 at 20:15
  • Yes I agree. But their service involves oracle database with specific commands that require elevation and that would have to put them in the whitelist one by one. The big problem is that passing this way rvim does not work. I've tried this. Commented Jan 30, 2019 at 20:20
  • @AnthonyGeoghegan No worries, it happens. Commented Jan 30, 2019 at 20:57
  • Related unix.stackexchange.com/q/429374/117549 Commented Jan 30, 2019 at 21:11
  • I haven't used Oracle for a few years, but nothing needed root access except a couple shell scripts during installation that had to write in /etc and /usr/local/bin. What commands must run a root vim? Maybe we can give you an alternative that doesn't need root but can use groups or ACLs. Commented Jan 31, 2019 at 0:41

1 Answer 1

Reset to default
2

Blacklisting commands from sudo and allowing everything else is a bad idea. One could simply copy /bin/bash to another location and start it using sudo. Use whitelisting for commands that are really needed for users.

Improve this answer
2
  • This server is used by third party company. And was granted sudo access. Here's an example: User_Alias PARTNER = %partner Cmnd_Alias SHELL = /bin/sh,/bin/bash... Cmnd_Alias DENIED = /bin/su, /usr/sbin/visudo, /usr/bin/passwd root, /usr/bin PARTNER ALL=(ALL) NOPASSWD: ALL, !DENIED, !SHELL Commented Jan 30, 2019 at 20:13
  • @GiulianoDomingues You should edit your question to include all relevant details, including what you've already tried. Questions should be self-contained as many potential answerers won't have time to read all the comments. See How to Ask for more useful tips. Commented Jan 30, 2019 at 20:27

You must log in to answer this question.

Start asking to get answers

Find the answer to your question by asking.

Ask question

Explore related questions

See similar questions with these tags.