How to disable running commands from vi?

cjames
New Contributor II

I want to stop standard users from being able to carry out a shell escape from vi, which gives them a root shell to do as they please. Please see the example below:

computer: user$ whoami
user
computer: user$ sudo vi
Password: (In VIM Editor, call ':bash')
sh-3.2# whoami
root
sh-3.2#

Best way to do this?

2 REPLIES

rtrouton
Release Candidate Programs Tester

If they have access to sudo, they're going to be able to access a root shell with or without vi. All they need to do is run sudo -s and now they're in a root shell.


If you want to prevent folks from running things with root privileges, you need to remove their sudo rights.

cjames
New Contributor II

Currently our users do not have the ability to run a large percentage of programs with sudo except for vi and a couple of others.

computername: user$ sudo -s
Password: Sorry, <username> is not allowed to execute '/bin/bash' as root on <computername>
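
An added example, not part of any post in this thread: a small Python audit that scans sudoers rules for editors and pagers allowed as root without the NOEXEC tag, the situation shown in the original question. The program list, the function name find_shell_escape_risks and the sample sudoers lines are constructed assumptions, and only simple one-line rules are parsed.

```python
import os
import re

# Illustrative, non-exhaustive set of programs that can start a shell or run
# commands from inside their own interface (assumption, not from the thread).
ESCAPE_CAPABLE = {"vi", "vim", "view", "ex", "ed", "emacs", "nano", "less", "more", "man"}

# Constructed sample sudoers content.
SAMPLE_SUDOERS = """\
# constructed example
Defaults env_reset
user     ALL=(root) /usr/bin/vi, /usr/bin/tail /var/log/system.log
editor   ALL=(root) NOEXEC: /usr/bin/vi
ops      ALL=(root) sudoedit /etc/hosts
%staff   ALL=(ALL) NOPASSWD: /usr/bin/less /var/log/*.log
"""

SPEC = re.compile(r"^(\S+)\s+\S+\s*=\s*(?:\([^)]*\)\s*)?(.*)$")  # who host=(runas) cmds
TAG = re.compile(r"^([A-Z_]+):\s*")                              # e.g. NOPASSWD:, NOEXEC:

def find_shell_escape_risks(sudoers_text):
    """Return (line_no, who, command) for every escape-capable program a rule
    allows without NOEXEC. Handles simple one-line user specs only: no
    aliases, line continuations or multiple host groups."""
    findings = []
    for line_no, raw in enumerate(sudoers_text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith(("#", "Defaults")):
            continue
        match = SPEC.match(line)
        if not match:
            continue
        who, cmds = match.groups()
        noexec = False  # a tag applies to the rest of the list until reversed
        for cmd in (c.strip() for c in cmds.split(",")):
            while (tag := TAG.match(cmd)):
                if tag.group(1) in ("NOEXEC", "EXEC"):
                    noexec = tag.group(1) == "NOEXEC"
                cmd = cmd[tag.end():]
            if not cmd:
                continue
            program = os.path.basename(cmd.split()[0])
            if program in ESCAPE_CAPABLE and not noexec:
                findings.append((line_no, who, cmd))
    return findings

if __name__ == "__main__":
    for line_no, who, cmd in find_shell_escape_risks(SAMPLE_SUDOERS):
        print(f"line {line_no}: {who} may run {cmd} without NOEXEC")
```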