Short tip: sudo and vi(m)
System administrators know requirements like this: a dedicated server has to be deployed for a new application, and so that the owners can maintain their application they need permission to modify the relevant configuration files. In this scenario sudo rules are often configured to allow editing those files and running the utilities that reload the application configuration.
It is often overlooked that vi is also capable of executing commands and spawning shells. If vi can be started under a different user context, it is possible to take complete control of that account:
$ runuser -l su-application -c vi
ESC
:!whoami
su-application

Press ENTER or type command to continue
:!bash
$ ...
If vi has to be permitted via sudo, it is better to use restricted vi, which refuses to execute commands or shells. It is usually part of the vim-enhanced package and is started through the additional names /bin/rvi, /bin/rvim and /bin/rview (vim enters restricted mode when invoked under a name starting with "r", or with the -Z option). Note that restricted mode only disables the shell-related commands, so the sudo rule must name the restricted binary by its full path; where the owner only needs to edit a file, sudoedit (sudo -e) is the cleaner choice, because it runs the editor as the invoking user on a temporary copy and only the copy-back happens with elevated rights:
$ rvim
ESC
:!bash
E145: Shell commands not allowed in rvim
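As an added example that is not part of the original post, the following shell script shows the risky sudoers rule described above beside the safer alternatives (rvim, sudoedit and a NOEXEC-tagged reload helper), and a small awk-based check that flags rules handing out an unrestricted vi-family editor. The sudoers fragment, the user name appowner, the path /etc/myapp/app.conf and the helper /usr/local/bin/reload-myapp are constructed for this illustration.

```shell
#!/bin/sh
# Constructed sudoers fragment (not from the original post). The first rule is the
# dangerous pattern: full vim as the application user, so ":!bash" yields a shell
# as su-application. The following rules are safer ways to grant the same task.
SAMPLE_SUDOERS='
# risky: unrestricted vim, shell escapes run as su-application
appowner ALL=(su-application) NOPASSWD: /usr/bin/vim /etc/myapp/app.conf
# better: restricted vim refuses :! and :shell
appowner ALL=(su-application) NOPASSWD: /usr/bin/rvim /etc/myapp/app.conf
# better still: sudoedit runs the editor as appowner on a temporary copy
appowner ALL=(su-application) NOPASSWD: sudoedit /etc/myapp/app.conf
# reload helper tagged NOEXEC so it cannot spawn further commands via exec()
appowner ALL=(su-application) NOPASSWD: NOEXEC: /usr/local/bin/reload-myapp
'

# Read sudoers text on stdin and print every rule whose command is an
# unrestricted vi-family editor. Comments, Defaults and alias lines are skipped,
# NOEXEC-tagged Cmnd_Specs are ignored, and rvi/rvim/rview do not match.
flag_editor_rules() {
    awk '
    /^[[:space:]]*(#|$)/ { next }          # comments and blank lines
    /^[[:space:]]*(Defaults|Cmnd_Alias|User_Alias|Host_Alias|Runas_Alias)/ { next }
    {
        n = index($0, "=")                 # commands follow Host=(Runas)
        if (n == 0) next
        cmds = substr($0, n + 1)
        sub(/^[[:space:]]+/, "", cmds)
        sub(/^\([^)]*\)/, "", cmds)        # drop the (runas) specification
        k = split(cmds, specs, ",")        # one Cmnd_Spec per comma-separated part
        for (i = 1; i <= k; i++) {
            spec = specs[i]
            if (spec ~ /NOEXEC:/) continue # exec() of child processes is blocked
            gsub(/[A-Z]+:/, "", spec)      # strip NOPASSWD:, SETENV:, ...
            split(spec, w, " ")            # w[1] is the command, rest are args
            cmd = w[1]
            sub(/.*\//, "", cmd)           # basename of the command path
            if (cmd ~ /^(vi|vim|view|ex|vimdiff|vimx|gvim)$/) {
                print NR ": " $0
                break
            }
        }
    }'
}

# Number of risky rules in the constructed sample (expected: 1, the /usr/bin/vim rule).
risky_count() {
    printf '%s\n' "$SAMPLE_SUDOERS" | flag_editor_rules | wc -l | tr -d ' '
}

# Stand-alone run: list the offending rules of the sample.
printf '%s\n' "$SAMPLE_SUDOERS" | flag_editor_rules
```

The check is deliberately simple: it parses one rule per line, does not follow Cmnd_Alias definitions or backslash continuations, and only recognises the vi family. NOEXEC is implemented by sudo through a preloaded library, so it does not help against statically linked editors; sudoedit avoids the problem altogether because the editor never runs with the target user's privileges. To audit a real host, feed it `visudo -c -f /etc/sudoers` output or the files under /etc/sudoers.d.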