Short tip: sudo and vi(m)


System administrators know requirements like this: a dedicated server needs to be deployed for a new application. To maintain the application, its owners need permission to modify the relevant configuration files. In this scenario, sudo rules are often configured to permit file modifications as well as the utilities that reload the application configuration.

It is often overlooked that vi is also capable of executing commands or shells. If vi can be started under a different user context, it is also possible to take complete control over that account:

$ runuser -l su-application -c vi
ESC
:!whoami
su-application

Press ENTER or type command to continue
:!bash
$ ...

If vi needs to be permitted via sudo, it is a better idea to use restricted vi, which is not able to execute commands or shells. It is usually part of the vim-enhanced package and provides the commands /bin/rvi, /bin/rvim and /bin/rview:

$ rvim
ESC
:!bash
E145: Shell commands not allowed in rvim
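
An added example (not from the original post): a small Python check that scans sudoers rules for vi, vim or view and names the restricted counterpart to use instead. The sample rules, the user appowner and the alias APP_EDIT are constructed, and the parsing is a simplified assumption (one host spec per rule, no commas or parentheses in command arguments, no inline comments).

```python
import os
import re

# Unrestricted editor -> restricted counterpart (rvi, rvim, rview as named above).
RESTRICTED = {"vi": "rvi", "vim": "rvim", "view": "rview"}

# Constructed sample sudoers content, for illustration only.
SAMPLE = """\
# constructed sample rules
Cmnd_Alias APP_EDIT = /usr/bin/vim /etc/app/app.conf, \\
                      /usr/bin/systemctl reload app
appowner ALL=(su-application) NOPASSWD: /bin/vi /etc/app/app.conf
appowner ALL=(su-application) /bin/rvim /etc/app/app.conf
appowner ALL=(su-application) APP_EDIT
"""

def find_escapable_editors(sudoers_text):
    """Return (line_no, command, suggestion) for rules permitting vi/vim/view."""
    findings, logical, buf, start = [], [], "", 0
    # Join backslash continuations, keeping the number of the first line.
    for no, raw in enumerate(sudoers_text.splitlines(), 1):
        if not buf:
            start = no
        if raw.rstrip().endswith("\\"):
            buf += raw.rstrip()[:-1] + " "
            continue
        logical.append((start, buf + raw))
        buf = ""
    for no, line in logical:
        line = line.strip()
        if not line or line.startswith(("#", "@", "Defaults")) or "=" not in line:
            continue
        if line.split()[0].endswith("_Alias") and not line.startswith("Cmnd_Alias"):
            continue  # User_Alias / Host_Alias / Runas_Alias hold no commands
        rhs = re.sub(r"\([^)]*\)", " ", line.split("=", 1)[1])  # drop Runas spec
        for cmd in rhs.split(","):
            cmd = re.sub(r"^(\s*[A-Z_]+:)+", "", cmd.strip()).strip()  # drop tags
            if not cmd.startswith("/"):
                continue  # alias reference or ALL; aliases are checked where defined
            binary = os.path.basename(cmd.split()[0])
            if binary in RESTRICTED:
                findings.append((no, cmd, RESTRICTED[binary]))
    return findings

if __name__ == "__main__":
    for line_no, cmd, better in find_escapable_editors(SAMPLE):
        print(f"line {line_no}: '{cmd}' allows shell escapes; consider {better}")
```
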