sudoedit
My flunky sbaxter needs to edit the named configuration file, /etc/named.conf. Consider this sudo configuration:
sbaxter dns1=/etc/rc.d/named,/sbin/mount_nfs,/usr/bin/vi /etc/named.conf
Looks good, right?
Uh, no.
The first problem is that I’m requiring sbaxter to use a specific editor. Minimal competence in vi is required for system administrators, but I don’t want to force him to use a specific editor to do his day-to-day job. Also, many editors offer shell escapes. While most people are aware of escaping to a shell in vi, emacs has a shell escape as well. If my flunky can escape to a shell while running an editor as root, he gains root access. This is exactly what I want to avoid.
The sudoedit feature lets users edit specific files ...
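To find rules like the one above in an existing sudoers file, a small check can flag any command that runs an editor as root and propose the sudoedit form. This is an added example, not code from the book; the function names are hypothetical, the editor list is an assumption (vi and emacs come from the text, vim is added as a vi variant), and it handles only simple "user host=commands" rules without aliases, tags, or wildcards.

```python
import os

# Editors with a shell escape. vi and emacs are named in the text;
# vim is an assumption of this example. Extend the set for your site.
SHELL_ESCAPE_EDITORS = {"vi", "vim", "emacs"}


def parse_rule(line):
    """Split a simple 'user host=cmd1,cmd2 args' rule (no aliases, tags, runas)."""
    left, _, cmds = line.partition("=")
    user, host = left.split()
    return user, host, [c.strip() for c in cmds.split(",") if c.strip()]


def audit_rule(line):
    """Return (findings, suggested_rule) for one sudoers user specification."""
    user, host, cmds = parse_rule(line)
    findings, fixed = [], []
    for cmd in cmds:
        argv = cmd.split()
        name = os.path.basename(argv[0])
        if name not in SHELL_ESCAPE_EDITORS:
            fixed.append(cmd)  # not an editor: keep the command unchanged
        elif len(argv) == 1:
            # Editor with no file restriction: no safe rewrite, needs review.
            findings.append(f"{cmd}: editor as root with no file restriction")
            fixed.append(cmd)
        else:
            findings.append(f"{cmd}: {name} runs as root and can escape to a root shell")
            # 'sudoedit' is built into sudo and is written without a leading path.
            fixed.append("sudoedit " + " ".join(argv[1:]))
    return findings, f"{user} {host}={','.join(fixed)}"


# The rule from the text above.
RULE = "sbaxter dns1=/etc/rc.d/named,/sbin/mount_nfs,/usr/bin/vi /etc/named.conf"

if __name__ == "__main__":
    findings, suggestion = audit_rule(RULE)
    for finding in findings:
        print("FINDING:", finding)
    print("SUGGEST:", suggestion)
```

Check any suggested rule with visudo before it goes into production.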