-SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4)
-
-
- binary emulation are not affected.
-
- To tell whether or not s\bsu\bud\bdo\bo supports _\bn_\bo_\be_\bx_\be_\bc, you
- can run the following as root:
-
- sudo -V | grep "dummy exec"
-
- If the resulting output contains a line that
- begins with:
-
- File containing dummy exec functions:
-
- then s\bsu\bud\bdo\bo may be able to replace the exec family
- of functions in the standard library with its
- own that simply return an error. Unfortunately,
- there is no foolproof way to know whether or not
- _\bn_\bo_\be_\bx_\be_\bc will work at compile-time. _\bn_\bo_\be_\bx_\be_\bc should
- work on SunOS, Solaris, *BSD, Linux, IRIX, Tru64
- UNIX, MacOS X, and HP-UX 11.x. It is known n\bno\bot\bt
- to work on AIX and UnixWare. _\bn_\bo_\be_\bx_\be_\bc is expected
- to work on most operating systems that support
- the LD_PRELOAD environment variable. Check your
- operating system's manual pages for the dynamic
- linker (usually ld.so, ld.so.1, dyld, dld.sl,
- rld, or loader) to see if LD_PRELOAD is sup
- ported.
-
- To enable _\bn_\bo_\be_\bx_\be_\bc for a command, use the NOEXEC
- tag as documented in the User Specification sec
- tion above. Here is that example again:
-
- aaron shanty = NOEXEC: /usr/bin/more, /usr/bin/vi
-
- This allows user a\baa\bar\bro\bon\bn to run _\b/_\bu_\bs_\br_\b/_\bb_\bi_\bn_\b/_\bm_\bo_\br_\be and
- _\b/_\bu_\bs_\br_\b/_\bb_\bi_\bn_\b/_\bv_\bi with _\bn_\bo_\be_\bx_\be_\bc enabled. This will pre
- vent those two commands from executing other
- commands (such as a shell). If you are unsure
- whether or not your system is capable of sup
- porting _\bn_\bo_\be_\bx_\be_\bc you can always just try it out
- and see if it works.
-
- Note that restricting shell escapes is not a panacea.
- Programs running as root are still capable of many poten
- tially hazardous operations (such as changing or overwrit
- ing files) that could lead to unintended privilege escala
- tion. In the specific case of an editor, a safer approach
- is to give the user permission to run s\bsu\bud\bdo\boe\bed\bdi\bit\bt.
-
-S\bSE\bEE\bE A\bAL\bLS\bSO\bO
- _\br_\bs_\bh(1), _\bs_\bu(1), _\bf_\bn_\bm_\ba_\bt_\bc_\bh(3), _\bs_\bu_\bd_\bo(1m), _\bv_\bi_\bs_\bu_\bd_\bo(8)
-
-C\bCA\bAV\bVE\bEA\bAT\bTS\bS
- The _\bs_\bu_\bd_\bo_\be_\br_\bs file should a\bal\blw\bwa\bay\bys\bs be edited by the v\bvi\bis\bsu\bud\bdo\bo
- command which locks the file and does grammatical
-