In message <[EMAIL PROTECTED]>, Wichert Akkerman writes:
>Previously Ted Cabeen wrote:
>> However, thinking about it, this doesn't work. If you're editing as root,
>> you can use :e to switch to editing a SUID root file (any one you can write
>> to will work), delete the entire contents, and then use :r to bring in the
>> /bin/sh executable.
>
>But you can restrict the file to edit in your sudoers file anyway so
>that trick won't work.

You can restrict the command line arguments with sudo, but you can't actually
restrict vi to only allow one specific file to be edited. Even basic vi allows
you to use the :e command to change which file you're editing. When it comes
down to it, allowing someone to edit a file as root allows them to edit any
file as root.

I think the edit as the user and then copy into place strategy is the only one
that really works, and even it is restricted to files in directories the user
doesn't have write access to.

--
Ted Cabeen http://www.pobox.com/~secabeen [EMAIL PROTECTED]
Check Website or Keyserver for PGP/GPG Key BA0349D2 [EMAIL PROTECTED]
"I have taken all knowledge to be my province." -F. Bacon [EMAIL PROTECTED]
"Human kind cannot bear very much reality."-T.S.Eliot [EMAIL PROTECTED]
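
An added example, not part of the original message: a small Python audit that flags sudoers rules granting an interactive editor as root, since the file argument in such a rule does not confine the editor. The editor list, the simplified rule grammar (no aliases, line continuations or escaped commas) and the sample entries are assumptions of this example; sudoedit entries are not flagged because sudoedit runs the editor as the invoking user on a temporary copy and then copies the result into place.

```python
import os
import re

# Editors that can open or read in other files from inside the session (assumed list).
EDITORS = {"vi", "vim", "view", "nvi", "ex", "emacs", "nano", "pico", "joe"}

# user  host = (runas) [TAG:] command [, command ...]
RULE = re.compile(r"^(\S+)\s+(\S+)\s*=\s*(?:\(([^)]*)\)\s*)?(.+)$")
TAGS = re.compile(r"^(?:[A-Z_]+:\s*)+")  # NOPASSWD:, NOEXEC:, ...
NON_RULES = ("Defaults", "User_Alias", "Cmnd_Alias", "Host_Alias", "Runas_Alias")


def runs_as_root(runas):
    """No runas list means root; otherwise look for root or ALL in the user part."""
    if runas is None:
        return True
    users = [u.strip() for u in runas.split(":")[0].split(",")]
    return "root" in users or "ALL" in users


def audit_sudoers(text):
    """Return (line_no, who, command) for rules that run an editor as root."""
    findings = []
    for no, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()  # drop comments
        if not line or line.startswith(NON_RULES):
            continue
        m = RULE.match(line)
        if not m or not runs_as_root(m.group(3)):
            continue
        for cmd in m.group(4).split(","):
            cmd = TAGS.sub("", cmd.strip())
            # Negated (!) entries deny a command, so they are not grants.
            if cmd and not cmd.startswith("!") and os.path.basename(cmd.split()[0]) in EDITORS:
                findings.append((no, m.group(1), cmd))
    return findings


# Constructed sample; user names and paths are made up for the example.
SAMPLE = """\
# web team
alice  ALL = (root) /usr/bin/vi /etc/hosts
bob    ALL = NOPASSWD: /usr/bin/vim /etc/motd, /bin/ls
carol  ALL = (root) sudoedit /etc/hosts
dave   ALL = (www) /usr/bin/vi /var/www/index.html
"""

if __name__ == "__main__":
    for no, who, cmd in audit_sudoers(SAMPLE):
        print(f"line {no}: {who} runs '{cmd}' as root; the file argument does not confine it")
```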