Document the race condition between the digest check and command

execution.

diff --git a/doc/sudoers.cat b/doc/sudoers.cat
index 55d893ae0451802f448667b143794530b2977459..0faa7cb6cb6d9495e15c4365c19d86cbd540daa3 100644 (file)
--- a/doc/sudoers.cat
+++ b/doc/sudoers.cat
@@ -392,13 +392,11 @@ S\bSU\bUD\bDO\bOE\bER\bRS\bS F\bFI\bIL\bLE\bE F\bFO\bOR\bRM\bMA\bAT\bT
 
      If a command name is prefixed with a Digest_Spec, the command will only
      match successfully if it can be verified using the specified SHA-2
-     digest.  This may be useful in situations where the user invoking s\bsu\bud\bdo\bo
-     has write access to the command or its parent directory.  The following
-     digest formats are supported: sha224, sha256, sha384 and sha512.  The
-     string may be specified in either hex or base64 format (base64 is more
-     compact).  There are several utilities capable of generating SHA-2
-     digests in hex format such as openssl, shasum, sha224sum, sha256sum,
-     sha384sum, sha512sum.
+     digest.  The following digest formats are supported: sha224, sha256,
+     sha384 and sha512.  The string may be specified in either hex or base64
+     format (base64 is more compact).  There are several utilities capable of
+     generating SHA-2 digests in hex format such as openssl, shasum,
+     sha224sum, sha256sum, sha384sum, sha512sum.
 
      For example, using openssl:
 
@@ -410,6 +408,11 @@ S\bSU\bUD\bDO\bOE\bER\bRS\bS F\bFI\bIL\bLE\bE F\bFO\bOR\bRM\bMA\bAT\bT
      $ openssl dgst -binary -sha224 /bin/ls | openssl base64
      EYGH2oNk1JC0p9679IMATo8+BT7JVDCd4sQaJQ==
 
+     If the user has write access to either the command itself or the
+     directory in which the command is located (directly or via a s\bsu\bud\bdo\bo
+     command) it may be possible for the user to replace the command after the
+     digest check has been performed but before the command is executed.
+
      Command digests are only supported by version 1.8.7 or higher.
 
    D\bDe\bef\bfa\bau\bul\blt\bts\bs

diff --git a/doc/sudoers.man.in b/doc/sudoers.man.in
index 69bb1cc5fb3ca7047c773998ff1db3aa4fcd7740..a4aa8c09e116cc5c6317ca7a2f147a9e06ed484f 100644 (file)
--- a/doc/sudoers.man.in
+++ b/doc/sudoers.man.in
@@ -850,9 +850,6 @@ is prefixed with a
 \fRDigest_Spec\fR,
 the command will only match successfully if it can be verified
 using the specified SHA-2 digest.
-This may be useful in situations where the user invoking
-\fBsudo\fR
-has write access to the command or its parent directory.
 The following digest formats are supported: sha224, sha256, sha384 and sha512.
 The string may be specified in either hex or base64 format
 (base64 is more compact).
@@ -877,6 +874,13 @@ EYGH2oNk1JC0p9679IMATo8+BT7JVDCd4sQaJQ==
 .RE
 .fi
 .PP
+If the user has write access to either the command itself or the
+directory in which the command is located (directly or via a
+\fBsudo\fR
+command) it may be possible for the user to replace the command
+after the digest check has been performed but before the command
+is executed.
+.PP
 Command digests are only supported by version 1.8.7 or higher.
 .SS "Defaults"
 Certain configuration options may be changed from their default

diff --git a/doc/sudoers.mdoc.in b/doc/sudoers.mdoc.in
index 59d7cbed5f8773d44465248e18c3e1cbd6e35e49..a17e4b6f3f5b3e147db2f05e773c8b0676c7b784 100644 (file)
--- a/doc/sudoers.mdoc.in
+++ b/doc/sudoers.mdoc.in
@@ -813,9 +813,6 @@ is prefixed with a
 .Li Digest_Spec ,
 the command will only match successfully if it can be verified
 using the specified SHA-2 digest.
-This may be useful in situations where the user invoking
-.Nm sudo
-has write access to the command or its parent directory.
 The following digest formats are supported: sha224, sha256, sha384 and sha512.
 The string may be specified in either hex or base64 format
 (base64 is more compact).
@@ -834,6 +831,13 @@ $ openssl dgst -binary -sha224 /bin/ls | openssl base64
 EYGH2oNk1JC0p9679IMATo8+BT7JVDCd4sQaJQ==
 .Ed
 .Pp
+If the user has write access to either the command itself or the
+directory in which the command is located (directly or via a
+.Nm sudo
+command) it may be possible for the user to replace the command
+after the digest check has been performed but before the command
+is executed.
+.Pp
 Command digests are only supported by version 1.8.7 or higher.
 .Ss Defaults
 Certain configuration options may be changed from their default