How to avoid giving users more access to the system than they need
Sudo allows admins to give users permission to perform actions as other users, primarily the root user. Normally, when you give a user sudo, you limit the commands they can run so as not to give any user full control over your system. If you use any of the default examples for sudo that can be found all over the internet and in the sample configs, you may be giving users more access to the system than you realize. This permission creep happens because some commands allow you to execute other commands or spawn shells, and those commands and shells are spawned in the context of the root user. Some common examples are text editors, more, less and find.
There are ways to prevent this kind of behavior, such as using the NOEXEC option in the /etc/sudoers file. The NOEXEC option prevents some binaries from executing other programs. Its limitation is that it doesn’t work on statically linked executables or executables that use binary emulation.
A cleaner way to let users edit files with sudo is the sudoedit command. The sudoedit command allows users to edit a file with their favorite text editor and the sudo permissions. A user sets the path to their text editor in the $SUDO_EDITOR variable. This allows admins to add only one new line to the sudoers file, instead of adding one line for each text editor on the system or allowing only a single text editor that users may not be able to use, which could cause accidental or unintended file modification.
Also of note: if you use the sudoedit command, the NOEXEC option is not needed, since commands run from the editor are run as the original user and not the elevated user, typically root.
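
One way to check an existing sudoers file for the entries described above, as an added example that is not part of the original article: the script flags editors, more, less and find that are granted without NOEXEC and treats sudoedit entries as safe. It assumes single-line user specifications with no aliases, line continuations or commas inside the runas list, and the editor names and sample entries are constructed for illustration.

```python
import re

# Programs the article names as able to run other commands or spawn shells.
# The specific editor names are an assumed sample, not a complete list.
EDITORS = {"vi", "vim", "nano", "emacs"}
RISKY = EDITORS | {"more", "less", "find"}
TAG = re.compile(r"^([A-Z_]+):\s*")
RUNAS = re.compile(r"^\([^)]*\)\s*")

def audit(sudoers_text):
    """Return (line_no, user, command, advice) for risky entries without NOEXEC."""
    findings = []
    for no, raw in enumerate(sudoers_text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()  # simplification: '#' starts a comment
        if "=" not in line or line.startswith("Defaults") or "_Alias" in line.split()[0]:
            continue
        left, right = line.split("=", 1)
        user, noexec = left.split()[0], False
        for spec in right.split(","):
            spec = RUNAS.sub("", spec.strip())
            # NOEXEC/EXEC tags carry over to later commands in the same list.
            while m := TAG.match(spec):
                if m.group(1) in ("NOEXEC", "EXEC"):
                    noexec = m.group(1) == "NOEXEC"
                spec = spec[m.end():]
            if not spec or spec.split()[0] == "sudoedit":
                continue  # sudoedit runs the editor as the invoking user
            cmd = spec.split()[0]
            name = cmd.rsplit("/", 1)[-1]
            if name in RISKY and not noexec:
                advice = ("replace with a sudoedit entry" if name in EDITORS
                          else "add NOEXEC: (no effect on statically linked binaries)")
                findings.append((no, user, cmd, advice))
    return findings

# Constructed sample sudoers entries (not from the article).
SAMPLE = """\
# constructed sample
alice ALL = (root) /usr/bin/vim /etc/motd
bob   ALL = (root) NOEXEC: /usr/bin/less /var/log/messages, /usr/bin/find /var/log
carol ALL = (root) sudoedit /etc/motd
dave  ALL = (root) NOEXEC: /usr/bin/more /etc/motd, EXEC: /usr/bin/find /srv
"""

if __name__ == "__main__":
    for finding in audit(SAMPLE):
        print(*finding, sep=" | ")
```

Always validate changes to the real file with visudo before relying on them.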
About The Author:
Stephen Hall is a Security Consultant at Security Compass. He has spoken at several conferences including DerbyCon, BSidesTO, and Hack3rcon. Stephen is co-author of the Yasuo tool and is @Logicalsec on Twitter.