Short tip: sudo and vi(m)

System administrators know requirements like this: a dedicated server needs to be deployed for a new application. To let the owners maintain their application, they need permission to modify the relevant configuration files. In this scenario, sudo rules are often configured to permit both file modifications and the utilities that reload the application configuration.

It is often overlooked that vi is also capable of executing commands or shells. If it is possible to start vi under a different user context, it is also possible to take complete control over that account:

$ runuser -l su-application -c vi
ESC
:!whoami
su-application

Press ENTER or type command to continue
:!bash
$ ...

If vi needs to be permitted via sudo, it is a better idea to use restricted vi. This tool is not able to execute commands or shells. It is usually part of the vim-enhanced package and is available as the commands /bin/rvi, /bin/rvim and /bin/rview:

$ rvim
ESC
:!bash
E145: Shell commands not allowed in rvim
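
To find existing rules that hand out the unrestricted editor, the sudoers content can be scanned for vi/vim grants. The following is an added example, not part of the original post: the sample sudoers text, user names, alias name and file paths are constructed, and the parser is a simplified reading of the sudoers syntax (it does not follow include files).

```python
import posixpath
import re

# Editors that can run commands or shells via ":!" (per the article: vi and vim).
# Assumption: extend this set with other editors you consider unsafe.
UNRESTRICTED = {"vi", "vim"}

# Constructed sample sudoers content; users, paths and aliases are illustrative.
SAMPLE_SUDOERS = r"""
# application owners may edit the config and reload the service
Cmnd_Alias APP_EDIT = /usr/bin/vim /etc/app/app.conf, \
                      /bin/systemctl reload app
appowner ALL=(su-application) APP_EDIT
appowner ALL=(su-application) /bin/rvim /etc/app/app.conf
%ops ALL=(root) NOPASSWD: /usr/bin/vi
"""

def logical_lines(text):
    """Yield (first_line_number, joined_line), honouring backslash continuations."""
    buf, start = "", None
    for no, raw in enumerate(text.splitlines(), 1):
        if start is None:
            start = no
        if raw.rstrip().endswith("\\"):
            buf += raw.rstrip()[:-1] + " "
            continue
        yield start, (buf + raw).strip()
        buf, start = "", None

def find_unrestricted_vi(text):
    """Return [(line_no, command_path)] for rules or aliases granting vi/vim."""
    findings = []
    for no, line in logical_lines(text):
        if not line or line.startswith(("#", "Defaults")) or "=" not in line:
            continue
        for piece in line.split("=", 1)[1].split(","):
            # First absolute path in the piece is the command; later ones are
            # arguments. Negated entries ("!/path") are denials and do not match.
            m = re.search(r"(?:^|[\s:)])(/\S+)", piece)
            if m and posixpath.basename(m.group(1)) in UNRESTRICTED:
                findings.append((no, m.group(1)))
    return findings

if __name__ == "__main__":
    for no, cmd in find_unrestricted_vi(SAMPLE_SUDOERS):
        print(f"line {no}: {cmd} permits shell escapes; consider rvim")
```

On the sample, the alias definition and the direct /usr/bin/vi grant are reported, while the /bin/rvim rule is not.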
