Emphasize that wildcards in command line arguments are dangerous.

Document the failings of the passwd example on GNU systems.
Bug #691

diff --git a/doc/sudoers.cat b/doc/sudoers.cat
index 1abbd9b5c8d74681792b75bfc8abdae411fe3f64..4f5dabad3ae4b60deb3bc00eaacf185f95ea9e9c 100644 (file)
--- a/doc/sudoers.cat
+++ b/doc/sudoers.cat
@@ -698,7 +698,7 @@ S\bSU\bUD\bDO\bOE\bER\bRS\bS F\bFI\bIL\bLE\bE F\bFO\bOR\bRM\bMA\bAT\bT
      Would match any file name beginning with a letter.
 
      Note that a forward slash (`/') will n\bno\bot\bt be matched by wildcards used in
-     the path name.  This is to make a path like:
+     the file name portion of the command.  This is to make a path like:
 
          /usr/bin/*
 
@@ -708,10 +708,10 @@ S\bSU\bUD\bDO\bOE\bER\bRS\bS F\bFI\bIL\bLE\bE F\bFO\bOR\bRM\bMA\bAT\bT
      matched by wildcards since command line arguments may contain arbitrary
      strings and not just path names.
 
-     Wildcards in command line arguments should be used with care.  Because
-     command line arguments are matched as a single, concatenated string, a
-     wildcard such as `?' or `*' can match multiple words.  For example, while
-     a sudoers entry like:
+     W\bWi\bil\bld\bdc\bca\bar\brd\bds\bs i\bin\bn c\bco\bom\bmm\bma\ban\bnd\bd l\bli\bin\bne\be a\bar\brg\bgu\bum\bme\ben\bnt\bts\bs s\bsh\bho\bou\bul\bld\bd b\bbe\be u\bus\bse\bed\bd w\bwi\bit\bth\bh c\bca\bar\bre\be.\b.
+     Command line arguments are matched as a single, concatenated string.
+     This mean a wildcard such as `?' or `*' will match _\bm_\bu_\bl_\bt_\bi_\bp_\bl_\be words.  For
+     example, while a sudoers entry like:
 
          %operator ALL = /bin/cat /var/log/messages*
 
@@ -2112,8 +2112,16 @@ E\bEX\bXA\bAM\bMP\bPL\bLE\bES\bS
      with any group in the _\bA_\bD_\bM_\bI_\bN_\bG_\bR_\bP Runas_Alias (the a\bad\bdm\bm and o\bop\bpe\ber\br groups).
 
      The user p\bpe\bet\bte\be is allowed to change anyone's password except for root on
-     the _\bH_\bP_\bP_\bA machines.  Note that this assumes passwd(1) does not take
-     multiple user names on the command line.
+     the _\bH_\bP_\bP_\bA machines.  Because command line arguments are matched as a
+     single, concatenated string, the `*' wildcard will match _\bm_\bu_\bl_\bt_\bi_\bp_\bl_\be words.
+     This example assumes that passwd(1) does not take multiple user names on
+     the command line.  Note that on GNU systems, options to passwd(1) may be
+     specified after the user argument.  As a result, this rule will also
+     allow:
+
+         passwd username --expire
+
+     which may not be desirable.
 
      bob             SPARC = (OP) ALL : SGI = (OP) ALL
 

diff --git a/doc/sudoers.man.in b/doc/sudoers.man.in
index 1da7ac75cc143c3e92c19c98d8ff7478d061d5ad..74531000666e5c4b14e05c2de846c44e1e0e90f8 100644 (file)
--- a/doc/sudoers.man.in
+++ b/doc/sudoers.man.in
@@ -1519,7 +1519,7 @@ Note that a forward slash
 will
 \fBnot\fR
 be matched by
-wildcards used in the path name.
+wildcards used in the file name portion of the command.
 This is to make a path like:
 .nf
 .sp
@@ -1538,13 +1538,16 @@ When matching the command line arguments, however, a slash
 get matched by wildcards since command line arguments may contain
 arbitrary strings and not just path names.
 .PP
-Wildcards in command line arguments should be used with care.
-Because command line arguments are matched as a single, concatenated
-string, a wildcard such as
+\fBWildcards in command line arguments should be used with care.\fR
+.br
+Command line arguments are matched as a single, concatenated string.
+This mean a wildcard such as
 \(oq\&?\(cq
 or
 \(oq*\(cq
-can match multiple words.
+will match
+\fImultiple\fR
+words.
 For example, while a sudoers entry like:
 .nf
 .sp
@@ -4304,9 +4307,27 @@ is allowed to change anyone's password except for
 root on the
 \fIHPPA\fR
 machines.
-Note that this assumes
+Because command line arguments are matched as a single,
+concatenated string, the
+\(oq*\(cq
+wildcard will match
+\fImultiple\fR
+words.
+This example assumes that
 passwd(1)
 does not take multiple user names on the command line.
+Note that on GNU systems, options to
+passwd(1)
+may be specified after the user argument.
+As a result, this rule will also allow:
+.nf
+.sp
+.RS 4n
+passwd username --expire
+.RE
+.fi
+.PP
+which may not be desirable.
 .nf
 .sp
 .RS 0n

diff --git a/doc/sudoers.mdoc.in b/doc/sudoers.mdoc.in
index 132959d80fe59f2da40115d708f3d85d9bbf0fa8..d1f1f9e342f69d0826785ba5b3a22c3ca4bedaa1 100644 (file)
--- a/doc/sudoers.mdoc.in
+++ b/doc/sudoers.mdoc.in
@@ -1418,7 +1418,7 @@ Note that a forward slash
 will
 .Sy not
 be matched by
-wildcards used in the path name.
+wildcards used in the file name portion of the command.
 This is to make a path like:
 .Bd -literal -offset 4n
 /usr/bin/*
@@ -1434,13 +1434,18 @@ When matching the command line arguments, however, a slash
 get matched by wildcards since command line arguments may contain
 arbitrary strings and not just path names.
 .Pp
+.Bf -symbolic
 Wildcards in command line arguments should be used with care.
-Because command line arguments are matched as a single, concatenated
-string, a wildcard such as
+.Ef
+.br
+Command line arguments are matched as a single, concatenated string.
+This mean a wildcard such as
 .Ql \&?
 or
 .Ql *
-can match multiple words.
+will match
+.Em multiple
+words.
 For example, while a sudoers entry like:
 .Bd -literal -offset 4n
 %operator ALL = /bin/cat /var/log/messages*
@@ -3981,9 +3986,24 @@ is allowed to change anyone's password except for
 root on the
 .Em HPPA
 machines.
-Note that this assumes
+Because command line arguments are matched as a single,
+concatenated string, the
+.Ql *
+wildcard will match
+.Em multiple
+words.
+This example assumes that
 .Xr passwd 1
 does not take multiple user names on the command line.
+Note that on GNU systems, options to
+.Xr passwd 1
+may be specified after the user argument.
+As a result, this rule will also allow:
+.Bd -literal -offset 4n
+passwd username --expire
+.Ed
+.Pp
+which may not be desirable.
 .Bd -literal
 bob            SPARC = (OP) ALL : SGI = (OP) ALL
 .Ed