Sudoedit will allow the user to escape to a root shell


Hi all,
I'm new to this forum. I'm running RedHat 6.6 (Santiago), kernel 2.6.32-504.8.1.el6.x86_64, SELinux disabled, and I have always used sudo to delegate privileged commands to ordinary users. I'm now running sudo (sudo-1.8.6p3-15.el6.x86_64) and this is my sudoers file:

Host_Alias SVILUPPO = abbey,wildfire
Defaults requiretty
Defaults !visiblepw
Defaults always_set_home
Defaults env_reset
Defaults env_keep = "COLORS DISPLAY HOSTNAME HISTSIZE INPUTRC KDEDIR LS_COLORS"
Defaults env_keep += "MAIL PS1 PS2 QTDIR USERNAME LANG LC_ADDRESS LC_CTYPE"
Defaults env_keep += "LC_COLLATE LC_IDENTIFICATION LC_MEASUREMENT LC_MESSAGES"
Defaults env_keep += "LC_MONETARY LC_NAME LC_NUMERIC LC_PAPER LC_TELEPHONE"
Defaults env_keep += "LC_TIME LC_ALL LANGUAGE LINGUAS _XKB_CHARSET XAUTHORITY"
Defaults secure_path = /sbin:/bin:/usr/sbin:/usr/bin
root ALL=(ALL) ALL
%wheel ALL=(ALL) ALL
%linuxusers SVILUPPO=(root) PASSWD: /bin/su - rpmbuild, /usr/bin/sudoedit -e /etc/yum.repos.d/Kion.repo

This is what happens when an unprivileged user logs into the box and executes sudoedit:

%%%
[loris@wildfire ~]$ id
uid=10501(loris) gid=10501(linuxusers) groups=10501(linuxusers),10510(MGT-Sviluppo),10516(svn_didanet)
[loris@wildfire ~]$ sudo -l
[sudo] password for loris:
Matching Defaults entries for loris on this host:
requiretty, !visiblepw, always_set_home, env_reset, env_keep="COLORS DISPLAY HOSTNAME HISTSIZE INPUTRC KDEDIR LS_COLORS", env_keep+="MAIL PS1 PS2 QTDIR USERNAME LANG LC_ADDRESS LC_CTYPE", env_keep+="LC_COLLATE LC_IDENTIFICATION
LC_MEASUREMENT LC_MESSAGES", env_keep+="LC_MONETARY LC_NAME LC_NUMERIC LC_PAPER LC_TELEPHONE", env_keep+="LC_TIME LC_ALL LANGUAGE LINGUAS _XKB_CHARSET XAUTHORITY", secure_path=/sbin\:/bin\:/usr/sbin\:/usr/bin

User loris may run the following commands on this host:

(root) PASSWD: /bin/su - rpmbuild, (root) /usr/bin/sudoedit -e /etc/yum.repos.d/Kion.repo

[loris@wildfire ~]$ sudo /usr/bin/sudoedit -e /etc/yum.repos.d/Kion.repo

(Vi environment appear)
~
[...]
~
~
"/var/tmp/KionXXBL2CxL.repo" 44L, 1621C

(the user presses "Esc", then ":sh" ... and it drops a root shell!)

[root@wildfire loris]#
%%%

What's wrong? I'm sure that one year ago sudoedit was working well and did not drop the user into a root shell.
(cf. https://access.redhat.com/solutions/57331).

Googling this issue leads me to the same solution: use sudoedit.
Have I missed something? Can you help me solve this very strange issue?
This is beyond my experience and RTFM doesn't work.
Thank you in advance. Loris
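As an added example (not code from the original post or from the sudo project): sudoers(5) treats only the bare word `sudoedit` as the built-in editing mode, which copies the file to a temporary location and runs the editor as the invoking user; a path such as `/usr/bin/sudoedit` is an ordinary command that sudo runs as root, so the editor itself is root and a vi `:sh` escape is a root shell. The script below audits a sudoers-style file for that pattern and prints the built-in form of each offending rule; the file contents are a constructed sample modelled on the post, not the real `/etc/sudoers`.

```shell
#!/bin/sh
# Audit helper (added example): flag sudoers rules that grant sudoedit by path.

# Print "lineno:rule" for every non-comment line that names sudoedit with a
# leading path (e.g. /usr/bin/sudoedit). Comment lines are skipped.
audit_sudoedit_paths() {
    grep -n -E '^[^#]*/sudoedit([[:space:]]|,|$)' "$1" || true
}

# Number of offending rules in a file; 0 means nothing to fix.
count_sudoedit_paths() {
    audit_sudoedit_paths "$1" | wc -l | tr -d ' '
}

# Rewrite one rule into the built-in form: strip the path and a following
# "-e" flag, which the built-in would otherwise treat as a file to edit.
suggest_fix() {
    printf '%s\n' "$1" |
        sed -E 's#(^|[[:space:],])/[^[:space:],]*/sudoedit([[:space:]]+-e)?#\1sudoedit#g'
}

# Constructed sample in the style of the post's sudoers (not the real file).
write_sample_sudoers() {
    f=$(mktemp) || return 1
    cat > "$f" <<'EOF'
Defaults requiretty
root ALL=(ALL) ALL
# a comment mentioning /usr/bin/sudoedit must not be flagged
%linuxusers SVILUPPO=(root) PASSWD: /bin/su - rpmbuild, /usr/bin/sudoedit -e /etc/yum.repos.d/Kion.repo
%ops ALL=(root) sudoedit /etc/hosts
EOF
    printf '%s\n' "$f"
}

# Stand-alone run: report offending rules and the suggested built-in form.
sample=$(write_sample_sudoers)
audit_sudoedit_paths "$sample"
audit_sudoedit_paths "$sample" | cut -d: -f2- | while IFS= read -r rule; do
    printf 'suggested: %s\n' "$(suggest_fix "$rule")"
done
rm -f "$sample"
```

With the corrected rule in place the user invokes `sudoedit /etc/yum.repos.d/Kion.repo` (or `sudo -e`) directly rather than `sudo /usr/bin/sudoedit`, and the editor no longer runs with root privileges.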
