"In the bad thing category, you could break your sudo config."
What do you mean by that?

-------- Original Message --------
From: ludovic coues <cou...@gmail.com>
To: whynot sudo <whynots...@safe-mail.net>
Subject: Re: What bad things could happen if we don't use sudoedit?
Date: Mon, 27 Apr 2015 18:52:56 +0200

> 2015-04-27 18:46 GMT+02:00 whynot sudo <whynots...@safe-mail.net>:
> > Hello list,
> >
> > We know it's safer* to use sudoedit, but what bad things can happen if we
> > have the following in sudoers?
> >
> > Cmnd_Alias FOO = /bin/ed, /usr/bin/ed, /usr/bin/vi
> > foouser LOCALHOST = NOPASSWD: NOEXEC: FOO
> >
> > Can the "foouser" escape to root prompt? - of course besides that he could
> > now edit the /etc/shadow file to put a custom pwd hash to the root user to
> > become root in about 3 seconds..
> >
> > Maybe some magic in .vimrc?
> >
> > *=sudo vi would run as root. but sudoedit would run as the given user, the
> > edited file will be copied before/after editing it.
> >
> > Thanks.
> >
> >
>
> In the bad thing category, you could break your sudo config.
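An added example, not part of the original thread: a small Python audit that flags sudoers rules granting an editor as a root command, as the FOO alias quoted above does, rather than through sudoedit. The editor list, the `baruser` line and `/etc/example.conf` are assumptions made for illustration; line continuations and escaped commas are not handled.

```python
import re

# Editors that can write arbitrary files when run as root (assumed list; extend as needed).
EDITORS = {"ed", "vi", "vim", "nano", "emacs"}
TAGS = re.compile(r"^(?:[A-Z_]+:\s*)+")  # leading tags such as NOPASSWD: or NOEXEC:

# Constructed sample: the rule from the thread plus a hypothetical sudoedit rule.
SAMPLE = """\
Cmnd_Alias FOO = /bin/ed, /usr/bin/ed, /usr/bin/vi
foouser LOCALHOST = NOPASSWD: NOEXEC: FOO
baruser LOCALHOST = sudoedit /etc/example.conf
"""

def split_cmnds(text):
    return [c.strip() for c in text.split(",") if c.strip()]

def audit_sudoers(text):
    """Return (user, command) pairs where an editor binary is granted directly."""
    lines = [l.strip() for l in text.splitlines()]
    lines = [l for l in lines if l and not l.startswith("#")]
    aliases, findings = {}, []
    # Pass 1: collect Cmnd_Alias definitions so user specs can be expanded.
    for line in lines:
        m = re.match(r"Cmnd_Alias\s+(\w+)\s*=\s*(.+)", line)
        if m:
            aliases[m.group(1)] = split_cmnds(m.group(2))
    # Pass 2: walk user specifications of the form "user host = [(runas)] cmnds".
    for line in lines:
        if re.match(r"(Cmnd|Host|User|Runas)_Alias\b|Defaults", line):
            continue
        m = re.match(r"(\S+)\s+\S+\s*=\s*(?:\([^)]*\)\s*)?(.+)", line)
        if not m:
            continue
        user, spec = m.groups()
        for item in split_cmnds(spec):
            item = TAGS.sub("", item)
            for cmd in aliases.get(item, [item]):
                prog = cmd.split()[0]
                if prog == "sudoedit":
                    continue  # editor runs as the invoking user on a temporary copy
                if prog.rsplit("/", 1)[-1] in EDITORS:
                    findings.append((user, prog))
    return findings

if __name__ == "__main__":
    for user, prog in audit_sudoers(SAMPLE):
        print(f"{user}: {prog} runs as root; grant 'sudoedit <file>' instead")
```

NOEXEC does not change the result: the editor process itself still opens and writes files as root.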