Preventing users from using shell escapes

Certain programs, especially text editors and pagers, have a handy shell escape feature. This allows a user to run a shell command without having to exit the program first. For example, from the command mode of the Vi and Vim editors, someone could run the ls command by doing :!ls. Executing the command would look like this:

# useradd defaults file
GROUP=100
HOME=/home
INACTIVE=-1
EXPIRE=
SHELL=/bin/bash
SKEL=/etc/skel
CREATE_MAIL_SPOOL=yes

~
~
:!ls

The output would look like this:

[donnie@localhost default]$ sudo vim useradd
[sudo] password for donnie:

grub nss useradd

Press ENTER or type command to continue
grub nss useradd

Press ENTER or type command to continue

Now, imagine that you want Frank to be able to edit the sshd_config file and only that file. You might be tempted to add a line to your sudo configuration that would look like this:

frank     ALL=(ALL)     /bin/vim /etc/ssh/sshd_config

This looks like it would work, right? Well, it doesn't because once Frank has opened the sshd_config file with his sudo privilege, he can then use Vim's shell escape feature to perform other root-level commands, which would include being able to edit other configuration files. You can fix this problem by having Frank use sudoedit instead of vim:

frank     ALL=(ALL)     sudoedit /etc/ssh/sshd_config

sudoedit has no shell escape feature, so you can safely allow Frank to use it.

Other programs that have a shell escape feature include the following:

  • emacs
  • less
  • view
  • more