restricting vi /etc/sudoers
| Steve Forman 2004-04-22, 2:37 pm |
| Is it possible to create a 2 word alias such that:
"vi /etc/sudo" would result in:
"visudo"
thereby making it impossible to edit the sudoers file directly...
I didn't think this would be that difficult to do, but it has turned
out to be quite a headache. Not sure if it's even possible...
Any suggestions would be greatly appreciated, as amateur admins have a
tendency to kill all sudo access by syntax errors in this file...
Thanks in advance.
| |
| Barry Margolin 2004-04-22, 2:38 pm |
| In article <b4af5927.0404220958.18b9ce52@posting.google.com>,
jaredsubman@yahoo.com (Steve Forman) wrote:
> Is it possible to create a 2 word alias such that:
> "vi /etc/sudo" would result in:
> "visudo"
>
> thereby making it impossible to edit the sudoers file directly...
>
> I didn't think this would be that difficult to do, but it has turned
> out to be quite a headache. Not sure if it's even possible...
> Any suggestions would be greatly appreciated, as amateur admins have a
> tendency to kill all sudo access by syntax errors in this file...
> Thanks in advance.
#!/bin/sh
if [ "$1" = "/etc/sudoers" ]
then exec visudo
else exec /bin/vi "$@"
fi
--
Barry Margolin, barmar@alum.mit.edu
Arlington, MA
*** PLEASE post questions in newsgroups, not directly to me ***
| |
| Chris Thompson 2004-04-24, 7:34 pm |
| In article <barmar-F66AD1.14130622042004@comcast.ash.giganews.com>,
Barry Margolin <barmar@alum.mit.edu> wrote:
>In article <b4af5927.0404220958.18b9ce52@posting.google.com>,
> jaredsubman@yahoo.com (Steve Forman) wrote:
>
>
>#!/bin/sh
>if [ "$1" = "/etc/sudoers" ]
>then exec visudo
>else exec /bin/vi "$@"
>fi
Of course, you also need to protect against "emacs /etc/sudoers",
"ex /etc/sudoers", "ed /etc/sudoers", ...
If you are giving away the right to modify /etc/sudoers to "amateur admin"
perhaps you aren't gaining much from trying to make them use sudo in the
first place.
Chris Thompson
Email: cet1 [at] cam.ac.uk
| |
| Stefan Monnier 2004-04-24, 7:34 pm |
| >> #!/bin/sh
> Of course, you also need to protect against "emacs /etc/sudoers",
> "ex /etc/sudoers", "ed /etc/sudoers", ...
I'd make the file read-only and wrap `visudo' so it temporarily makes
it writable. This might give you enough of a reminder.
Stefan
| |
| Barry Margolin 2004-04-24, 10:34 pm |
| In article <jwvvfjpaqut.fsf-monnier+comp.unix.shell@gnu.org>,
Stefan Monnier <monnier@iro.umontreal.ca> wrote:
>
>
> I'd make the file read-only and wrap `visudo' so it temporarily makes
> it writable. This might give you enough of a reminder.
It *is* read-only. I think sudo will refuse to work if the permissions
on /etc/sudoers are not set properly.
But once someone becomes root, they can write to read-only files.
--
Barry Margolin, barmar@alum.mit.edu
Arlington, MA
*** PLEASE post questions in newsgroups, not directly to me ***
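
An added example, not part of the original thread: because root can edit the file with any editor, the functions below check the result rather than the editor, testing a sudoers file for the read-only, root-owned permissions mentioned above and for syntax errors with visudo's check mode. The function names are hypothetical, and mode 0440 (sudo's default for the file) is assumed as the required mode.

```shell
#!/bin/sh
# Added example: checks for a sudoers candidate before it replaces the live file.
# check_sudoers_perms, check_sudoers_syntax and verify_sudoers are
# hypothetical helper names, not part of sudo.

# Succeed only if FILE is a regular, non-symlink file with mode 0440
# (r--r-----) owned by the expected uid (default 0, i.e. root).
check_sudoers_perms() {
    file=$1
    want_uid=${2:-0}
    if [ ! -f "$file" ] || [ -L "$file" ]; then
        echo "$file: not a regular file" >&2
        return 2
    fi
    # ls -ln prints numeric ids; keep only the 10 mode characters so a
    # trailing ACL/SELinux marker ("+" or ".") does not affect the compare.
    info=$(ls -ln "$file" | awk '{ print substr($1, 1, 10) " " $3 }')
    mode=${info% *}
    uid=${info#* }
    if [ "$mode" != "-r--r-----" ]; then
        echo "$file: mode is $mode, expected -r--r-----" >&2
        return 1
    fi
    if [ "$uid" != "$want_uid" ]; then
        echo "$file: owner uid is $uid, expected $want_uid" >&2
        return 1
    fi
    return 0
}

# Parse FILE with visudo in check-only mode (-c) on an explicit path (-f);
# nothing is opened for editing.
check_sudoers_syntax() {
    if ! command -v visudo >/dev/null 2>&1; then
        echo "visudo not found in PATH" >&2
        return 127
    fi
    visudo -c -f "$1"
}

# Both checks together; the second argument overrides the expected owner uid.
verify_sudoers() {
    check_sudoers_perms "$1" "${2:-0}" && check_sudoers_syntax "$1"
}

# When run as a script with a path argument, verify that file.
if [ "$#" -gt 0 ]; then
    verify_sudoers "$@"
fi
```

Run as root from cron or after any change, a non-zero exit from verify_sudoers /etc/sudoers flags a file that was edited or re-permissioned outside visudo.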