The problem is not just that `vim` can run external commands. `vim` is an editor, so if it runs as root, you could directly modify system files like `/etc/passwd` and `/etc/shadow`, which would allow you to reset the password on any account you want, including the root account. More specifically, I could start `vim` with the command `/usr/bin/vim /etc/httpd/confs/httpd.conf`, and then immediately type `:e /etc/passwd`, and now I can write to your `/etc/passwd`.

If you are just trying to secure the one file `/etc/httpd/confs/httpd.conf`, you could use Access Control Lists and add the user to the ACL for that file. You could also make that file writeable by a non-root group with `chmod g+w`, and add the user to that group.
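As an added example (not part of this answer), a small POSIX shell script showing the two delegation routes described above, plus a check of the resulting mode so an auditor can confirm the file never became world-writable. The user and group names are placeholders, and the ACL route assumes `setfacl` from the acl package is installed.

```shell
#!/bin/sh
# Added example: give one admin write access to a single config file without
# handing them a root editor. Config path is the one from the answer; the
# user "webadmin" and group "webadmins" are constructed placeholders.
CONF=/etc/httpd/confs/httpd.conf

# Print a file's permission bits as octal (GNU stat, with a BSD fallback).
file_mode() {
    stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1"
}

# Route 1 (chmod g+w): owner stays root, a non-root group gets write access,
# everyone else keeps read-only. Run as root; then add the admin to the group
# with "usermod -aG webadmins webadmin".
delegate_by_group() {
    file=$1 group=$2
    chgrp "$group" "$file" && chmod u=rw,g=rw,o=r "$file"
}

# Route 2 (ACL): grant exactly one user rw on the file; owner, group and
# other bits are untouched, so nothing else on the system changes.
delegate_by_acl() {
    file=$1 user=$2
    setfacl -m "u:$user:rw" "$file"
}

# Audit helper: succeed only when the mode is one of the shapes the two
# routes produce (no world write, no setuid/setgid/sticky bits), fail loudly
# otherwise. Returns 0 on an acceptable mode, 1 on anything else.
check_config_perms() {
    mode=$(file_mode "$1")
    case "$mode" in
        644|664|640|660) return 0 ;;
        *) echo "unexpected mode $mode on $1" >&2; return 1 ;;
    esac
}

# Typical use (needs root for the delegation steps):
#   delegate_by_group "$CONF" webadmins   # or: delegate_by_acl "$CONF" webadmin
#   check_config_perms "$CONF" && getfacl "$CONF"
```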