Question

From my past knowledge, normally if you wanted to give a user sudo access for certain commands, you could edit the /etc/sudoers file and add the line

username ALL=(ALL) listofcommands

From my understanding, this gives the user sudo access to those commands and not anything else. However, in my computer security class, one of the questions was regarding whether it was safe to grant users sudo access in this way, to explain why it is or isn't and if there's another way to grant the user access. Specifically:

larry ALL=(ALL) /usr/bin/vim /etc/httpd/confs/httpd.conf 

So vim and website configuration. I've always assumed it was safe, but the question implies that it isn't and after doing some research, most everyone seems to do it this way. All of the insecurities seem to stem from the misuse of sudo itself. In this case, the only change is modifying /etc/sudoers. The user doesn't know the password and doesn't have sudo access to anything else (like for example, invoking a shell).

The only thing I could think of was that maybe giving him sudo access to vim is a bad idea, since as far as I know, vim has the power to run commands on the command line?

But the main problem is, if I want to give a specific user sudo access to only certain commands, aside from adding them to sudoers, I don't know of any other way (aside from forcing him to ask an admin every time for sudo access). And I couldn't find anything online, since I think almost everyone does it this way.


Solution

The problem is not just that vim can run external commands.

vim is an editor, so if it runs as root, you could directly modify system files like /etc/passwd and /etc/shadow, which would allow you to reset the password on any account you want, including the root account.

More specifically, I could start vim with the command /usr/bin/vim /etc/httpd/confs/httpd.conf, and then immediately type :e /etc/passwd and now I can write to your /etc/passwd.

If you are just trying to secure the one file /etc/httpd/confs/httpd.conf, you could use Access Control Lists and add the user to the ACL for that file.

You could also make that file writeable by a non-root group with chmod g+w, and add the user to that group.

Other tips

As Vim is indeed capable of running external commands (:! command and :call system()), having root access to Vim is as good as having full access to the system; the sudo protections won't help.

To grant a user editing access to a protected file, you instead need to write a script that lets the user itself edit a temporary copy (so any commands launched from Vim only have the user's privileges; another benefit is that the user's Vim settings are considered, too), and then only use an elevated copy command to move the temporary copy back to the original, protected location. sudo -e / sudoedit provide just that; check the man page for details.
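The edit-a-temporary-copy pattern from the tip above, reduced to a small POSIX sh function so the mechanism can be read step by step. This is an added illustration, not code from either answer or from the sudo project: everything here runs as one user, so the privilege boundary that sudoedit enforces (the copy-back step running as root, the editor running as the invoking user) is only marked in comments. The function names `safe_edit` and the sample file contents are assumptions made for the example. In a real deployment you would not write this script at all; you would grant `larry ALL=(root) sudoedit /etc/httpd/confs/httpd.conf` in sudoers, or, following the accepted answer, `setfacl -m u:larry:rw /etc/httpd/confs/httpd.conf` so no sudo entry is needed.

```shell
#!/bin/sh
# Added example (not from the original answers): a minimal model of what
# sudoedit does, to show why it is safer than "sudo vim <file>".
#
# Equivalent sudoers entry for the real thing:
#   larry ALL=(root) sudoedit /etc/httpd/confs/httpd.conf
# Alternative without sudo at all (accepted answer):
#   setfacl -m u:larry:rw /etc/httpd/confs/httpd.conf

# safe_edit TARGET
#   Let the caller edit a private copy of TARGET, then copy it back.
#   Returns 0 if the file was updated, 2 if the editor left it unchanged,
#   1 on error. The editor is whatever $EDITOR names (default: vi).
safe_edit() {
    target=$1
    tmp=$(mktemp) || return 1

    # Step 1: copy the protected file to a temp file owned by the user.
    # (In sudoedit this copy is created by root and chowned to the user.)
    cp "$target" "$tmp" || { rm -f "$tmp"; return 1; }

    # Step 2: run the editor on the COPY only, with the user's own
    # privileges. Any ":!cmd" or ":e /etc/passwd" from inside the editor
    # therefore runs as the user, not as root.
    ${EDITOR:-vi} "$tmp"

    # Step 3: if nothing changed, discard the copy and report it.
    if cmp -s "$tmp" "$target"; then
        rm -f "$tmp"
        return 2
    fi

    # Step 4: copy the edited content back over the protected file.
    # (In sudoedit this single copy is the only privileged operation,
    # and it only ever writes to the file named in the sudoers entry.)
    cp "$tmp" "$target" && rm -f "$tmp"
}
```

Because the privileged step is a plain copy into a fixed path, the user gains write access to exactly that one file and nothing else, which is what the original `sudo vim` entry was meant to grant but did not.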

Licensed under: CC-BY-SA with attribution
Not affiliated with StackOverflow