
security on vi

 
SOLVED
dongming
Frequent Advisor

security on vi

Hello everyone:
A simple question: I set up sudo on all servers to let users run sudo to get some of root's permissions. However, I find that if I run
# sudo vi
and then escape to the command line with !sh, it goes into a root prompt, and all operations can then be hidden there. In syslog.log you can't trace them; you just find sudo vi.
Is there any configuration to deny users escaping to the command line from vi?

thanks.
11 REPLIES
Simon Hargrave
Honored Contributor

Re: security on vi

I don't think it really matters.

If you are granting your users access to run vi via sudo, then they can use that to edit the sudoers file and do what they like!

Don't let your users do this!
RAC_1
Honored Contributor

Re: security on vi

What version of sudo?
In the sudoers file, update the vi command to run it as follows.

root (root) command1, command2, !SHELL
There is no substitute to HARDWORK
Raj D.
Honored Contributor

Re: security on vi

Hi Dongming,

You have to specify in the sudoers file that the users may use vi for their files only.

You can do the following:
1. # visudo

2. And put entries like this in the user alias:

Cmnd_Alias BACKUP_C = /opt/omni/*, \
/opt/omni/utilns/*, \
/var/opt/omni/*, \
/usr/bin/vi /etc/opt/omni/datalists/*

-------------------------------------------

To trace who is using sudo, you can check the /var/log/sudo.log file.

Hope this will help,

Cheers ,
Raj.
" If u think u can , If u think u cannot , - You are always Right . "
dongming
Frequent Advisor

Re: security on vi

Hi, thanks for the response.
My sudo version is
what /usr/bin/sudo
$Sudo A.03.00-1.6.7p5 $

Do you mean disabling sudo from running vi? But maybe some users need to edit some files other than their own.
I have seen this before: letting users run sudo vi but denying escape to a shell. I don't remember how to configure it.
RAC_1
Honored Contributor
Solution

Re: security on vi

You can do one more thing.
For root, prepare the following wrapper.

#!/usr/bin/ksh
# Make vi's shell escapes (!cmd, :sh) run /usr/bin/false instead of a real shell
export SHELL=/usr/bin/false
/usr/bin/vi "$1"

Call this vi1. Now the root entry will look as follows.

root root, command1, vi1

This should help.

OR

In root's .profile file, put the following.
export EXINIT='set shell=/usr/bin/false'
You can put set shell=/usr/bin/false in the .exrc file in root's home directory.
There is no substitute to HARDWORK
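
Since sudo 1.6.8 (newer than the 1.6.7p5 reported in this thread), sudoers can address the original question directly with the NOEXEC: tag or with sudoedit. The following shell script is an added example, not code from any poster in this thread: it scans sudoers-style lines for editor or pager grants that lack NOEXEC:, generalizing beyond vi. The user names, paths and program list are assumptions.

```shell
#!/bin/sh
# Added example. Heuristic only: does not resolve Cmnd_Alias names, Defaults,
# line continuations or escaped commas (\,) inside command arguments.

# Constructed sample entries; user names and paths are assumptions.
sample_sudoers() {
cat <<'EOF'
# constructed sample, not taken from the thread
alice ALL = /usr/bin/vi
bob   ALL = (root) NOEXEC: /usr/bin/vi /etc/opt/omni/datalists/*
carol ALL = sudoedit /etc/opt/omni/datalists/*
dave  ALL = NOPASSWD: /usr/sbin/swlist, /usr/bin/view
EOF
}

# Read sudoers text on stdin; print "<line number> <program>" for every
# grant of an editor or pager that is not covered by a NOEXEC: tag.
audit_sudoers() {
  awk '
    /^[ \t]*#/ || /^[ \t]*$/ { next }                  # comments, blank lines
    /^[ \t]*(Defaults|[A-Za-z]+_Alias)/ { next }       # not user specifications
    {
      rhs = $0
      if (!sub(/^[^=]*=/, "", rhs)) next               # keep only the command list
      n = split(rhs, cmd, ",")
      noexec = 0                                       # tags carry along the list
      for (i = 1; i <= n; i++) {
        c = cmd[i]
        sub(/^[ \t]*(\([^)]*\))?[ \t]*/, "", c)        # drop Runas spec, e.g. (root)
        while (match(c, /^[A-Z_]+:[ \t]*/)) {          # consume NOPASSWD:, NOEXEC:, ...
          tag = substr(c, 1, RLENGTH)
          if (tag ~ /^NOEXEC:/) noexec = 1
          if (tag ~ /^EXEC:/)   noexec = 0
          c = substr(c, RLENGTH + 1)
        }
        split(c, w, /[ \t]+/)
        prog = w[1]
        sub(/^.*\//, "", prog)                         # basename of the command
        if (!noexec && prog ~ /^(vi|vim|view|ex|ed|less|more)$/)
          printf "%d %s\n", NR, prog
      }
    }
  '
}

sample_sudoers | audit_sudoers    # prints two lines: "2 vi" and "5 view"
```

The bob and carol lines show the two hardened forms: NOEXEC: keeps vi from executing further programs, and sudoedit runs the editor as the invoking user on a temporary copy of the file.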
dongming
Frequent Advisor

Re: security on vi

Hi RAC:
I tested the configuration you told me.
1. .profile: the normal user doesn't run this script when they run sudo vi, so SHELL was not set.
2. Add vi1 to sudoers.
I configured root ALL=(ALL) ALL, so root can run anything.

I tested the wrapped vi1 and it works. So I think the better way is to rename vi and link vi to vi1 on all servers. Is that OK?
RAC_1
Honored Contributor

Re: security on vi

In root's .profile file, put the following.
export EXINIT='set shell=/usr/bin/false'

You can also put set shell=/usr/bin/false in .exrc file in root's home directory.
There is no substitute to HARDWORK
dongming
Frequent Advisor

Re: security on vi

Hi RAC:
I tested it; it doesn't work.
Rick Garland
Honored Contributor

Re: security on vi

As you are allowing the use of vi, a wrapper around the vi executable can do the trick.

Here is an attachment that will allow you to specify which files are governed by RCS. When users vi a file (a special file as dictated by the wrapper), RCS will be invoked for the file.

Modify to your needs.