Return
-
Title
NOEXEC isn't working in sudoers file -
Description
We have set up a sudoers policy that uses the NOEXEC tag, however users are still able to create a shell when executing the NOEXEC commands. Here is an example of the sudoers rule that isn't working:
%sudo_users ALL=(root) ALL, (root) NOEXEC: /usr/bin/vi, /usr/bin/vim -
Cause
On some operating systems /bin is symlinked /usr/bin, and so the path to commands in both entries needs to be specified. -
Resolution
To fix this, the entry was changed to the following:
%sudo_users ALL=(root) ALL, (root) NOEXEC: /bin/vi, /usr/bin/vi, /bin/vim, /usr/bin/vim