Why is sudo not able to run the "vi" command when NOEXEC is used to prevent escaping to a shell?

Solution Verified - Updated -

Issue

sudo can be used with the NOEXEC parameter to prevent shell escapes, especially for commands such as the vi and vim editors, which can spawn a shell session.

Cmnd_Alias VIM = /usr/bin/vim,/bin/vi,/usr/libexec/vi,/usr/bin/vi
admin   ALL = NOPASSWD:NOEXEC:VIM

With the above configuration, the admin user can see that they are allowed to run the following vi binaries:

User admin may run the following commands on rhel9.test.local:
    (root) NOEXEC: NOPASSWD: /usr/bin/vim, /bin/vi, /usr/libexec/vi, /usr/bin/vi

However, using this configuration on RHEL 9 produces the following error:

[admin@rhel9 / ]$ sudo vi /tmp/test
/usr/bin/vi: line 23: /usr/libexec/vi: Permission denied
/usr/bin/vi: line 23: /usr/libexec/vi: Success

How can vi be linked to /usr/libexec/vi in a persistent way (one that survives an rpm update) so that NOEXEC can be configured for vi in the sudo configuration file?
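
The error above arises because /usr/bin/vi is itself a shell script (the message names "line 23") that execs /usr/libexec/vi, and NOEXEC stops the allowed command from running any further program, so the wrapper dies at its own exec. The following POSIX shell audit, an added example that is not part of the Red Hat article, walks a Cmnd_Alias line and flags entries that are #! wrapper scripts rather than ELF binaries; the temporary directory, sample wrapper and fake ELF file it creates are constructed stand-ins for the RHEL 9 layout.

```sh
#!/bin/sh
# Audit the targets of a sudoers NOEXEC Cmnd_Alias. A "#!" wrapper script
# (like vim-minimal's /usr/bin/vi, which execs /usr/libexec/vi) fails under
# NOEXEC with "Permission denied"; a real ELF binary runs normally.

# Print "binary", "script", "unknown" or "missing" for one command path.
classify_cmd() {
    [ -r "$1" ] || { echo missing; return 0; }
    magic=$(head -c 4 "$1" | od -An -tx1 | tr -d ' \n')
    case "$magic" in
        7f454c46) echo binary ;;      # ELF header
        2321*)    echo script ;;      # "#!" shebang
        *)        echo unknown ;;
    esac
}

# For a wrapper script, print the path of its first "exec <path>" line.
exec_target() {
    sed -n 's/^[[:space:]]*exec[[:space:]]\{1,\}\([^[:space:]]*\).*/\1/p' "$1" | head -n 1
}

# Walk one "Cmnd_Alias NAME = /a,/b,..." line: print one report line per
# path and return 1 if any entry is a wrapper script that NOEXEC will break.
audit_cmnd_alias() {
    rc=0
    for p in $(echo "$1" | sed 's/^.*=[[:space:]]*//' | tr ',' ' '); do
        kind=$(classify_cmd "$p")
        if [ "$kind" = script ]; then
            echo "$p script -> $(exec_target "$p") (fails under NOEXEC)"
            rc=1
        else
            echo "$p $kind"
        fi
    done
    return $rc
}

# Constructed stand-in for the RHEL 9 layout: a wrapper like /usr/bin/vi
# and a fake ELF "real" editor like /usr/libexec/vi. Prints the temp dir.
demo_setup() {
    d=$(mktemp -d); mkdir -p "$d/bin" "$d/libexec"
    printf '#!/bin/sh\nexec %s/libexec/vi "$@"\n' "$d" > "$d/bin/vi"
    printf '\177ELF fake binary\n' > "$d/libexec/vi"
    echo "$d"
}

# On a real host, run it against the article's alias line, for example:
#   audit_cmnd_alias "Cmnd_Alias VIM = /usr/bin/vim,/bin/vi,/usr/libexec/vi,/usr/bin/vi"
```

A non-zero exit from audit_cmnd_alias means at least one allowed command is a wrapper whose exec NOEXEC will deny, so the sudoers entry should point at the real binary instead.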

Environment

  • Red Hat Enterprise Linux 9
  • vim-minimal
  • sudo
