Why is sudo not able to spawn the "vi" command when NOEXEC is used to prevent escaping to a shell?
Issue
sudo can be used with the NOEXEC tag to prevent shell escapes, especially for commands such as vi and vim, editors which can spawn a shell session.
Cmnd_Alias VIM = /usr/bin/vim,/bin/vi,/usr/libexec/vi,/usr/bin/vi
admin ALL = NOPASSWD:NOEXEC:VIM
With the above configuration the user admin can see (with sudo -l) that they may run the following vi binaries:
User admin may run the following commands on rhel9.test.local:
(root) NOEXEC: NOPASSWD: /usr/bin/vim, /bin/vi, /usr/libexec/vi, /usr/bin/vi
However, using this configuration on RHEL 9 produces the following error:
[admin@rhel9 / ]$ sudo vi /tmp/test
/usr/bin/vi: line 23: /usr/libexec/vi: Permission denied
/usr/bin/vi: line 23: /usr/libexec/vi: Success
The message format ("line 23") indicates that /usr/bin/vi shipped by vim-minimal is a shell script wrapper which in turn executes /usr/libexec/vi; because NOEXEC prevents the allowed command from executing any further program, that exec is denied. How can vi be linked to /usr/libexec/vi in a persistent way (surviving rpm updates) so that NOEXEC can be configured for vi in the sudo configuration file?
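As an added check (this script is not part of the Red Hat article), the following POSIX sh snippet classifies the paths listed in a NOEXEC Cmnd_Alias. sudo's NOEXEC denies any further program execution by the allowed command, so an interpreter ("#!") wrapper script cannot start the real binary it fronts and fails exactly like /usr/bin/vi above; only the final native binary is usable under NOEXEC. It assumes it is run on the target host as a user who can read the listed files; the sample paths are those from the article's VIM alias.

```shell
#!/bin/sh
# Added example, not from the Red Hat article: classify the paths of a NOEXEC
# Cmnd_Alias. A "#!" wrapper script cannot exec its real program under NOEXEC,
# so such entries will fail with "Permission denied" as /usr/bin/vi does above.

# Returns 0 if the file begins with "#!" (an interpreter script), 1 otherwise.
# The first two bytes are read with dd so the check also works on binaries.
is_script_wrapper() {
    [ "$(dd if="$1" bs=2 count=1 2>/dev/null)" = '#!' ]
}

# Prints "<path><TAB><kind>" for each argument, where kind is one of
#   script      NOEXEC will break it (its exec of the real program is denied)
#   binary      a native executable, usable under NOEXEC
#   unreadable  exists but cannot be read by the current user
#   missing     not present on this host
classify_cmnds() {
    for c in "$@"; do
        if [ ! -e "$c" ]; then
            kind=missing
        elif [ ! -r "$c" ]; then
            kind=unreadable
        elif is_script_wrapper "$c"; then
            kind=script
        else
            kind=binary
        fi
        printf '%s\t%s\n' "$c" "$kind"
    done
}

# On RHEL 9 with vim-minimal, /usr/bin/vi is expected to report "script" and
# /usr/libexec/vi "binary"; a host without these packages reports "missing".
classify_cmnds /usr/bin/vim /bin/vi /usr/libexec/vi /usr/bin/vi
```

Any entry reported as "script" should not be given NOEXEC directly: either list the underlying binary the wrapper executes, or leave the wrapper without NOEXEC and accept that it can spawn processes.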
Environment
- Red Hat Enterprise Linux 9
- vim-minimal
- sudo