The dangers of sudoedit


Giving an unprivileged user on a Linux system access to execute vim or any other editor as root through sudo policies has been heavily frowned upon, because the user, if using vim, can simply execute “:!shell” and quickly gain a root shell.

For this reason, my coworkers have been using sudoedit, which ultimately limits the vim commands so that the user can’t do things like drop into a root shell.

But imagine their surprise when I told them that a user with access to something like sudo sudoedit /etc/apache2/apache.conf can then simply execute :e /etc/sudoers, alter the sudoers file, and give themselves more privileges.

In the end, we came to the conclusion that giving a user any kind of editor access under root permissions is not safe.
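As an added example (not part of the original post), the following Python script audits sudoers content for exactly the kind of rule discussed above: any grant of an editor, of sudoedit, or of ALL, with Cmnd_Alias definitions expanded. The sudoers sample, the rule names, and the list of editor binaries are constructed for the example.

```python
import re

# Editors whose root-level grant the post treats as a path to root, plus sudoedit itself.
EDITOR_BINARIES = {"vi", "vim", "vim.basic", "vim.tiny", "nvim", "nano", "emacs", "ed", "sudoedit"}

# One user specification: "who host = (runas) TAG: cmd, cmd ...". Defaults/aliases handled separately.
RULE_RE = re.compile(r"^(?P<who>\S+)\s+\S+\s*=\s*(?:\([^)]*\)\s*)?(?:[A-Z]+:\s*)*(?P<cmds>.+)$")
ALIAS_RE = re.compile(r"^Cmnd_Alias\s+(?P<name>\w+)\s*=\s*(?P<cmds>.+)$")

# Constructed sample for this example; not taken from any real host.
SAMPLE_SUDOERS = """\
Defaults        env_reset
Cmnd_Alias      WEBEDIT = sudoedit /etc/apache2/apache.conf
%admin  ALL=(ALL:ALL) ALL
alice   ALL=(root) NOPASSWD: /usr/bin/vim /etc/hosts
bob     ALL=sudoedit /etc/apache2/apache.conf
carol   ALL=(root) /usr/bin/systemctl restart apache2, \\
                   /usr/bin/nano /etc/motd
dave    ALL=WEBEDIT
"""

def _command_name(cmd):
    """Basename of the command with its arguments stripped."""
    return cmd.strip().split()[0].rsplit("/", 1)[-1]

def find_editor_grants(sudoers_text):
    """Return (who, command) pairs for rules granting an editor, sudoedit, or ALL."""
    aliases, findings = {}, []
    # Join backslash continuations, then walk the non-comment, non-blank lines.
    for line in sudoers_text.replace("\\\n", " ").splitlines():
        line = line.strip()
        if not line or line.startswith(("#", "Defaults", "User_Alias", "Host_Alias", "Runas_Alias")):
            continue
        m = ALIAS_RE.match(line)
        if m:
            aliases[m["name"]] = [c.strip() for c in m["cmds"].split(",")]
            continue
        m = RULE_RE.match(line)
        if not m:
            continue
        for cmd in (c.strip() for c in m["cmds"].split(",")):
            for real in aliases.get(cmd, [cmd]):  # expand a Cmnd_Alias, else literal command
                if real.startswith("!"):  # a negation denies rather than grants
                    continue
                if _command_name(real) == "ALL" or _command_name(real) in EDITOR_BINARIES:
                    findings.append((m["who"], real))
    return findings
```

Calling find_editor_grants(SAMPLE_SUDOERS) flags five rules, including dave's, whose editor access is only visible once the WEBEDIT alias is expanded.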


Written on February 23, 2017 by Madushan Nishantha.

Originally published on Medium