Prevent sudo users from getting shells from vi or less with NOEXEC
(kraftek.com blog, published 2012-05-01)

If you allow someone to "sudo vi" they could obtain a shell prompt as root if they type ":shell".
If you allow someone to "sudo less" they could also obtain a shell prompt as root if they type "!" followed by Enter.
To avoid that you can tag "less" and "vi" with the NOEXEC tag.
This is an example sudoers that tags "more", "less" and "vi" as noexec, and prevents the group "theusers" from doing "sudo bash" and "sudo su -". Note that sudoers requires the members of a Cmnd_Alias to be separated by commas (the list below uses backslash line continuation, which sudoers accepts, purely for readability):

Cmnd_Alias NOEXEC_CMDS = /usr/bin/less, /usr/bin/more, /bin/vi
Cmnd_Alias SHELLS = /usr/bin/amuFormat.sh, /usr/bin/avahi-publish, /usr/bin/avahi-publish-address, /usr/bin/avahi-publish-service, /usr/bin/banshee, /usr/bin/bashbug, /usr/bin/brushtopbm, /usr/bin/bsh, /usr/bin/btcflash, /usr/bin/chsh, /usr/bin/c_rehash, /usr/bin/csharp, /usr/bin/debconf-show, /usr/bin/dh_bash-completion, /usr/bin/dh_makeshlibs, /usr/bin/dh_shlibdeps, /usr/bin/dpkg-shlibdeps, /usr/bin/gdm-screenshot, /usr/bin/gettext.sh, /usr/bin/git-shell, /usr/bin/glib-genmarshal, /usr/bin/gnome-file-share-properties, /usr/bin/gnome-panel-screenshot, /usr/bin/gnome-screenshot, /usr/bin/groovysh, /usr/bin/gvfs-trash, /usr/bin/installdbgsymbols.sh, /usr/bin/instmodsh, /usr/bin/kcmshell4, /usr/bin/kdeinit4_shutdown, /usr/bin/ksh, /usr/bin/kshell4, \
    /usr/bin/ksplashsimple, /usr/bin/ksplashx, /usr/bin/ksplashx_scale, /usr/bin/ktrash, /usr/bin/lshal, /usr/bin/lshw, /usr/bin/mailshar, /usr/bin/mdns-publish-vnc, /usr/bin/mdns-publish-xendom, /usr/bin/motd+shell, /usr/bin/mshowfat, /usr/bin/muinshee, /usr/bin/mysqlshow, /usr/bin/omshell, /usr/bin/pax11publish, /usr/bin/pnmshear, /usr/bin/ppmflash, /usr/bin/ppmshadow, /usr/bin/ppmshift, /usr/bin/rawshark, /usr/bin/rsh, /usr/bin/sha1pass, /usr/bin/sha1sum, /usr/bin/sha224sum, /usr/bin/sha256sum, /usr/bin/sha384sum, /usr/bin/sha512sum, /usr/bin/shar, /usr/bin/shares-admin, /usr/bin/shasum, /usr/bin/shcomp, /usr/bin/shell, /usr/bin/shotwell, /usr/bin/showconsolefont, /usr/bin/showfont, /usr/bin/showkey, /usr/bin/showrgb, /usr/bin/shpadd, /usr/bin/shpcreate, /usr/bin/shpdump, /usr/bin/shprewind, /usr/bin/shptest, /usr/bin/shred, /usr/bin/shuf, \
    /usr/bin/ssh, /usr/bin/ssh-add, /usr/bin/ssh-agent, /usr/bin/ssh-argv0, /usr/bin/ssh-askpass, /usr/bin/ssh-copy-id, /usr/bin/sshfs, /usr/bin/ssh-import-id, /usr/bin/ssh-keygen, /usr/bin/ssh-keyscan, /usr/bin/ssh-vulnkey, /usr/bin/tclsh, /usr/bin/tclsh8.4, /usr/bin/tclsh8.5, /usr/bin/toshset, /usr/bin/trash4, /usr/bin/unshar, /usr/bin/unshare, /usr/bin/update-xbmc-dharma-pvr.sh, /usr/bin/ushare, /usr/bin/wireshark, /usr/bin/wish, /usr/bin/wish8.4, /usr/bin/wish8.5, /usr/bin/xbsh, /usr/bin/xpcshell-1.9.2, /usr/bin/xrefresh, \
    /sbin/capsh, /sbin/shadowconfig, /sbin/showmount, /sbin/shutdown, \
    /bin/bash, /bin/dash, /bin/ksh, /bin/ksh93, /bin/rbash, /bin/sh, /bin/sh.distrib, /bin/static-sh, \
    /bin/su
%theusers ALL=(ALL) NOPASSWD: ALL, !SHELLS, NOEXEC: NOEXEC_CMDS

The NOEXEC tag works by preloading a library into the command that blocks the exec family of system calls, so as sudoers(5) documents it only has an effect on dynamically linked programs; a statically linked editor or pager would not be covered.