Restricting users from certain privileges
Jason Hellenthal
jhellenthal at dataix.net
Sat Apr 28 23:02:25 UTC 2012
On Sat, Apr 28, 2012 at 08:04:31PM +0200, Kurt Jaeger wrote:
> Hi!
>
> > > > Please do study sudo real power :-)
> > > > It can give selective privileges per-command,
> [...]
> > > Just make sure none of the permitted commands has got the
> > > feature of starting a shell ;-))
> >
> > Right, think of vi(1), less(1), et al.
>
> Even this aspect is taken care of with sudo (at least to a certain limit):
>
> NOEXEC and EXEC
>
> If sudo has been compiled with noexec support and the underlying
> operating system supports it, the NOEXEC tag can be used to prevent a
> dynamically-linked executable from running further commands itself.
>
> In the following example, user aaron may run /usr/bin/more and
> /usr/bin/vi but shell escapes will be disabled.
>
> aaron shanty = NOEXEC: /usr/bin/more, /usr/bin/vi
>
> See the "PREVENTING SHELL ESCAPES" section below for more details on
> how NOEXEC works and whether or not it will work on your system.
>
cp /usr/bin/vi ~/
or upload your own...
sudo $HOME/vi
You need to be very careful with this NOEXEC thinking as it will not
always get you what you originally intended.
--
- (2^(N-1))
More information about the freebsd-stable
mailing list