copied back to their original location and the
temporary versions are removed.
- Unless explicitly allowed by the security policy, symbolic
- links will not be opened. This helps prevent the editing of
- unauthorized files when the file is located in a user-
- writable directory. Versions of s\bsu\bud\bdo\bo prior to 1.8.15 do not
- have this restriction. Users are never allowed to edit
- device special files.
+ To help prevent the editing of unauthorized files, the
+ following restrictions are enforced unless explicitly allowed
+ by the security policy:
+
+ +\b+\bo\bo Symbolic links may not be edited (version 1.8.15 and
+ higher).
+
+ +\b+\bo\bo Symbolic links along the path to be edited are not
+ followed when the parent directory is writable by the
+ invoking user unless that user is root (version 1.8.16
+ and higher).
+
+ +\b+\bo\bo Files located in a directory that is writable by the
+ invoking user may not be edited unless that user is root
+ (version 1.8.16 and higher).
+
+ Users are never allowed to edit device special files.
If the specified file does not exist, it will be created.
Note that unlike most commands run by _\bs_\bu_\bd_\bo, the editor is run
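Review bot: The new lead-in says the restrictions hold "unless explicitly allowed by the security policy", but none of the three bullets says which policy setting lifts it. The sudoers pages in this same patch name them (sudoedit_follow and the FOLLOW tag for the first bullet, sudoedit_checkdir for the second and third), so a pointer to sudoers(5) here would save the reader a search. The same wording recurs in the man and mdoc sources further down, so the change belongs in sudo.mdoc.in, which the generated-file header names as the master.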
Users should _\bn_\be_\bv_\be_\br be granted s\bsu\bud\bdo\bo privileges to execute files that are
writable by the user or that reside in a directory that is writable by
the user. If the user can modify or replace the command there is no way
- to limit what additional commands they can run. Likewise, users should
- _\bn_\be_\bv_\be_\br be granted s\bsu\bud\bdo\boe\bed\bdi\bit\bt permission to edit a file that resides in a
- directory the user has write access to. A user with directory write
- access could replace the legitimate file with a link to some other,
- arbitrary, file. Starting with version 1.8.15, s\bsu\bud\bdo\boe\bed\bdi\bit\bt will refuse to
- open a symbolic link unless the security policy explicitly permits it.
- However, it is still possible to create a hard link if the directory is
- writable and the link target resides on the same file system.
+ to limit what additional commands they can run.
Please note that s\bsu\bud\bdo\bo will normally only log the command it explicitly
runs. If a user runs a command such as sudo su or sudo sh, subsequent
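Review bot: Deleting the whole "Likewise, users should never be granted sudoedit permission ..." paragraph drops the administrator guidance along with the outdated hard-link caveat. The new restrictions apply only from 1.8.16 and only while the policy has not allowed otherwise, so a short sentence keeping the advice, or pointing to the sudoers security notes that still carry it, would be worth retaining after "to limit what additional commands they can run."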
file distributed with s\bsu\bud\bdo\bo or https://www.sudo.ws/license.html for
complete details.
-Sudo 1.8.16 November 20, 2015 Sudo 1.8.16
+Sudo 1.8.16 January 19, 2016 Sudo 1.8.16
.\" DO NOT EDIT THIS FILE, IT IS NOT THE MASTER!
.\" IT IS GENERATED AUTOMATICALLY FROM sudo.mdoc.in
.\"
-.\" Copyright (c) 1994-1996, 1998-2005, 2007-2015
+.\" Copyright (c) 1994-1996, 1998-2005, 2007-2016
.\" Todd C. Miller <Todd.Miller@courtesan.com>
.\"
.\" Permission to use, copy, modify, and distribute this software for any
.\" Agency (DARPA) and Air Force Research Laboratory, Air Force
.\" Materiel Command, USAF, under agreement number F39502-99-1-0512.
.\"
-.TH "SUDO" "8" "November 20, 2015" "Sudo @PACKAGE_VERSION@" "System Manager's Manual"
+.TH "SUDO" "8" "January 19, 2016" "Sudo @PACKAGE_VERSION@" "System Manager's Manual"
.nh
.if n .ad l
.SH "NAME"
.RE
.RS 12n
.sp
-Unless explicitly allowed by the security policy, symbolic links
-will not be opened.
-This helps prevent the editing of unauthorized files when the file
-is located in a user-writable directory.
-Versions of
-\fBsudo\fR
-prior to 1.8.15 do not have this restriction.
+To help prevent the editing of unauthorized files, the following
+restrictions are enforced unless explicitly allowed by the security policy:
+.RS 16n
+.TP 4n
+\fB\(bu\fR
+Symbolic links may not be edited (version 1.8.15 and higher).
+.TP 4n
+\fB\(bu\fR
+Symbolic links along the path to be edited are not followed when the
+parent directory is writable by the invoking user unless that user
+is root (version 1.8.16 and higher).
+.TP 4n
+\fB\(bu\fR
+Files located in a directory that is writable by the invoking user may
+not be edited unless that user is root (version 1.8.16 and higher).
+.RE
+.sp
Users are never allowed to edit device special files.
.sp
If the specified file does not exist, it will be created.
that reside in a directory that is writable by the user.
If the user can modify or replace the command there is no way
to limit what additional commands they can run.
-Likewise, users should
-\fInever\fR
-be granted
-\fBsudoedit\fR
-permission to edit a file that resides in a directory the user has
-write access to.
-A user with directory write access could replace the legitimate
-file with a link to some other, arbitrary, file.
-Starting with version 1.8.15,
-\fBsudoedit\fR
-will refuse to open a symbolic link unless the security policy
-explicitly permits it.
-However, it is still possible to create a hard link if the directory
-is writable and the link target resides on the same file system.
.PP
Please note that
\fBsudo\fR
.\"
-.\" Copyright (c) 1994-1996, 1998-2005, 2007-2015
+.\" Copyright (c) 1994-1996, 1998-2005, 2007-2016
.\" Todd C. Miller <Todd.Miller@courtesan.com>
.\"
.\" Permission to use, copy, modify, and distribute this software for any
.\" Agency (DARPA) and Air Force Research Laboratory, Air Force
.\" Materiel Command, USAF, under agreement number F39502-99-1-0512.
.\"
-.Dd November 20, 2015
+.Dd January 19, 2016
.Dt SUDO @mansectsu@
.Os Sudo @PACKAGE_VERSION@
.Sh NAME
their original location and the temporary versions are removed.
.El
.Pp
-Unless explicitly allowed by the security policy, symbolic links
-will not be opened.
-This helps prevent the editing of unauthorized files when the file
-is located in a user-writable directory.
-Versions of
-.Nm
-prior to 1.8.15 do not have this restriction.
+To help prevent the editing of unauthorized files, the following
+restrictions are enforced unless explicitly allowed by the security policy:
+.Bl -bullet -offset 4
+.It
+Symbolic links may not be edited (version 1.8.15 and higher).
+.It
+Symbolic links along the path to be edited are not followed when the
+parent directory is writable by the invoking user unless that user
+is root (version 1.8.16 and higher).
+.It
+Files located in a directory that is writable by the invoking user may
+not be edited unless that user is root (version 1.8.16 and higher).
+.El
+.Pp
Users are never allowed to edit device special files.
.Pp
If the specified file does not exist, it will be created.
that reside in a directory that is writable by the user.
If the user can modify or replace the command there is no way
to limit what additional commands they can run.
-Likewise, users should
-.Em never
-be granted
-.Nm sudoedit
-permission to edit a file that resides in a directory the user has
-write access to.
-A user with directory write access could replace the legitimate
-file with a link to some other, arbitrary, file.
-Starting with version 1.8.15,
-.Nm sudoedit
-will refuse to open a symbolic link unless the security policy
-explicitly permits it.
-However, it is still possible to create a hard link if the directory
-is writable and the link target resides on the same file system.
.Pp
Please note that
.Nm
See the _\bP_\br_\be_\bv_\be_\bn_\bt_\bi_\bn_\bg _\bs_\bh_\be_\bl_\bl _\be_\bs_\bc_\ba_\bp_\be_\bs section below for more details on how
NOEXEC works and whether or not it will work on your system.
- _\bF_\bO_\bL_\bL_\bO_\bW and _\bN_\bO_\bF_\bO_\bL_\bL_\bO_\bW Starting with version 1.8.15, s\bsu\bud\bdo\boe\bed\bdi\bit\bt will not
- follow symbolic links when opening files unless the _\bs_\bu_\bd_\bo_\be_\bd_\bi_\bt_\b__\bf_\bo_\bl_\bl_\bo_\bw
- option is enabled. The _\bF_\bO_\bL_\bL_\bO_\bW and _\bN_\bO_\bF_\bO_\bL_\bL_\bO_\bW tags override the value of
+ _\bF_\bO_\bL_\bL_\bO_\bW and _\bN_\bO_\bF_\bO_\bL_\bL_\bO_\bW Starting with version 1.8.15, s\bsu\bud\bdo\boe\bed\bdi\bit\bt will not open
+ a file that is a symbolic link unless the _\bs_\bu_\bd_\bo_\be_\bd_\bi_\bt_\b__\bf_\bo_\bl_\bl_\bo_\bw option is
+ enabled. The _\bF_\bO_\bL_\bL_\bO_\bW and _\bN_\bO_\bF_\bO_\bL_\bL_\bO_\bW tags override the value of
_\bs_\bu_\bd_\bo_\be_\bd_\bi_\bt_\b__\bf_\bo_\bl_\bl_\bo_\bw and can be used to permit (or deny) the editing of
symbolic links on a per-command basis. These tags are only effective
for the _\bs_\bu_\bd_\bo_\be_\bd_\bi_\bt command and are ignored for all other commands.
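Review bot: The reworded sentence now says sudoedit "will not open a file that is a symbolic link", but the sudoedit_follow entry later in this file still reads "By default, sudoedit will not follow symbolic links when opening files." With 1.8.16 adding a separate rule about links along the path, the two phrasings no longer mean the same thing; suggest bringing the sudoedit_follow entry in line with the new wording.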
system call. This flag is _\bo_\bf_\bf by default.
sudoedit_checkdir
- If set, s\bsu\bud\bdo\boe\bed\bdi\bit\bt will check directories in the path to
- be edited for writability by the invoking user.
- Symbolic links will not be followed in writable
- directories and s\bsu\bud\bdo\boe\bed\bdi\bit\bt will also refuse to edit a
- file located in a writable directory. Theses
- restrictions are not enforced when s\bsu\bud\bdo\boe\bed\bdi\bit\bt is invoked
- as root. On many systems, this option requires that
- all directories in the path to be edited be readable by
- the target user. This flag is _\bo_\bf_\bf by default.
+ If set, s\bsu\bud\bdo\boe\bed\bdi\bit\bt will check all directory components of
+ the path to be edited for writability by the invoking
+ user. Symbolic links will not be followed in writable
+ directories and s\bsu\bud\bdo\boe\bed\bdi\bit\bt will refuse to edit a file
+ located in a writable directory. These restrictions
+ are not enforced when s\bsu\bud\bdo\boe\bed\bdi\bit\bt is run by root. On some
+ systems, if all directory components of the path to be
+ edited are not readable by the target user, s\bsu\bud\bdo\boe\bed\bdi\bit\bt
+ will be unable to edit the file. This flag is _\bo_\bn by
+ default.
+
+ This setting was first introduced in version 1.8.15.
+ The check for symbolic links in writable intermediate
+ directories was added in version 1.8.16.
sudoedit_follow By default, s\bsu\bud\bdo\boe\bed\bdi\bit\bt will not follow symbolic links
when opening files. The _\bs_\bu_\bd_\bo_\be_\bd_\bi_\bt_\b__\bf_\bo_\bl_\bl_\bo_\bw option can be
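Review bot: The flag description changes from off to on by default, yet the added history paragraph records only when the setting and the intermediate-directory check were introduced. Suggest also stating the version in which the default changed, so an administrator whose sudoedit rule starts being refused for a file in a user-writable directory can tie it to the upgrade.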
resides in a directory the user has write access to, either directly or
via a wildcard. If the user has write access to the directory it is
possible to replace the legitimate file with a link to another file,
- allowing the editing of arbitrary files. Starting with version 1.8.15,
+ allowing the editing of arbitrary files. To prevent this, starting with
+ version 1.8.16, symbolic links will not be followed in writable
+ directories and s\bsu\bud\bdo\boe\bed\bdi\bit\bt will refuse to edit a file located in a writable
+ directory unless the _\bs_\bu_\bd_\bo_\be_\bd_\bi_\bt_\b__\bc_\bh_\be_\bc_\bk_\bd_\bi_\br option has been disabled or the
+ invoking user is root. Additionally, in version 1.8.15 and higher,
s\bsu\bud\bdo\boe\bed\bdi\bit\bt will refuse to open a symbolic link unless either the
- _\bs_\bu_\bd_\bo_\be_\bd_\bi_\bt_\b__\bf_\bo_\bl_\bl_\bo_\bw Defaults option is enabled or the _\bs_\bu_\bd_\bo_\be_\bd_\bi_\bt command is
- prefixed with the FOLLOW tag. However, it is still possible to create a
- hard link if the directory is writable and the link target resides on the
- same file system.
+ _\bs_\bu_\bd_\bo_\be_\bd_\bi_\bt_\b__\bf_\bo_\bl_\bl_\bo_\bw option is enabled or the _\bs_\bu_\bd_\bo_\be_\bd_\bi_\bt command is prefixed
+ with the FOLLOW tag in the _\bs_\bu_\bd_\bo_\be_\br_\bs file.
T\bTi\bim\bme\be s\bst\bta\bam\bmp\bp f\bfi\bil\ble\be c\bch\bhe\bec\bck\bks\bs
s\bsu\bud\bdo\boe\ber\brs\bs will check the ownership of its time stamp directory
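Review bot: The hard-link sentence is removed without the new text saying what now covers that case. If the refusal to edit files located in a writable directory is the intended protection, say so explicitly, and state whether disabling sudoedit_checkdir re-exposes the link replacement that the deleted lines described.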
file distributed with s\bsu\bud\bdo\bo or https://www.sudo.ws/license.html for
complete details.
-Sudo 1.8.16 January 16, 2016 Sudo 1.8.16
+Sudo 1.8.16 January 19, 2016 Sudo 1.8.16
.\" Agency (DARPA) and Air Force Research Laboratory, Air Force
.\" Materiel Command, USAF, under agreement number F39502-99-1-0512.
.\"
-.TH "SUDOERS" "5" "January 16, 2016" "Sudo @PACKAGE_VERSION@" "File Formats Manual"
+.TH "SUDOERS" "5" "January 19, 2016" "Sudo @PACKAGE_VERSION@" "File Formats Manual"
.nh
.if n .ad l
.SH "NAME"
\fIFOLLOW\fR and \fINOFOLLOW\fR
Starting with version 1.8.15,
\fBsudoedit\fR
-will not follow symbolic links when opening files unless the
+will not open a file that is a symbolic link unless the
\fIsudoedit_follow\fR
option is enabled.
The
.br
If set,
\fBsudoedit\fR
-will check directories in the path to be edited for writability
+will check all directory components of the path to be edited for writability
by the invoking user.
Symbolic links will not be followed in writable directories and
\fBsudoedit\fR
-will also refuse to edit a file located in a writable directory.
-Theses restrictions are not enforced when
+will refuse to edit a file located in a writable directory.
+These restrictions are not enforced when
\fBsudoedit\fR
-is invoked as root.
-On many systems, this option requires that all directories
-in the path to be edited be readable by the target user.
+is run by root.
+On some systems, if all directory components of the path to be edited
+are not readable by the target user,
+\fBsudoedit\fR
+will be unable to edit the file.
This flag is
-\fIoff\fR
+\fIon\fR
by default.
+.sp
+This setting was first introduced in version 1.8.15.
+The check for symbolic links in writable intermediate directories
+was added in version 1.8.16.
.TP 18n
sudoedit_follow
By default,
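Review bot: "if all directory components of the path to be edited are not readable by the target user" can be read as "none are readable", while the removed sentence ("requires that all directories in the path to be edited be readable") shows the intent is "unless every component is readable". Suggest "if any directory component of the path to be edited is not readable by the target user, sudoedit will be unable to edit the file."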
If the user has write access to the directory it is possible to
replace the legitimate file with a link to another file,
allowing the editing of arbitrary files.
-Starting with version 1.8.15,
+To prevent this, starting with version 1.8.16, symbolic links will
+not be followed in writable directories and
+\fBsudoedit\fR
+will refuse to edit a file located in a writable directory
+unless the
+\fIsudoedit_checkdir\fR
+option has been disabled or the invoking user is root.
+Additionally, in version 1.8.15 and higher,
\fBsudoedit\fR
will refuse to open a symbolic link unless either the
\fIsudoedit_follow\fR
-Defaults option is enabled or the
+option is enabled or the
\fIsudoedit\fR
command is prefixed with the
\fRFOLLOW\fR
-tag.
-However, it is still possible to create a hard link if the directory
-is writable and the link target resides on the same file system.
+tag in the
+\fIsudoers\fR
+file.
.SS "Time stamp file checks"
\fBsudoers\fR
will check the ownership of its time stamp directory
.\" Agency (DARPA) and Air Force Research Laboratory, Air Force
.\" Materiel Command, USAF, under agreement number F39502-99-1-0512.
.\"
-.Dd January 16, 2016
+.Dd January 19, 2016
.Dt SUDOERS @mansectform@
.Os Sudo @PACKAGE_VERSION@
.Sh NAME
.It Em FOLLOW No and Em NOFOLLOW
Starting with version 1.8.15,
.Nm sudoedit
-will not follow symbolic links when opening files unless the
+will not open a file that is a symbolic link unless the
.Em sudoedit_follow
option is enabled.
The
.It sudoedit_checkdir
If set,
.Nm sudoedit
-will check directories in the path to be edited for writability
+will check all directory components of the path to be edited for writability
by the invoking user.
Symbolic links will not be followed in writable directories and
.Nm sudoedit
-will also refuse to edit a file located in a writable directory.
-Theses restrictions are not enforced when
+will refuse to edit a file located in a writable directory.
+These restrictions are not enforced when
.Nm sudoedit
-is invoked as root.
-On many systems, this option requires that all directories
-in the path to be edited be readable by the target user.
+is run by root.
+On some systems, if all directory components of the path to be edited
+are not readable by the target user,
+.Nm sudoedit
+will be unable to edit the file.
This flag is
-.Em off
+.Em on
by default.
+.Pp
+This setting was first introduced in version 1.8.15.
+The check for symbolic links in writable intermediate directories
+was added in version 1.8.16.
.It sudoedit_follow
By default,
.Nm sudoedit
If the user has write access to the directory it is possible to
replace the legitimate file with a link to another file,
allowing the editing of arbitrary files.
-Starting with version 1.8.15,
+To prevent this, starting with version 1.8.16, symbolic links will
+not be followed in writable directories and
+.Nm sudoedit
+will refuse to edit a file located in a writable directory
+unless the
+.Em sudoedit_checkdir
+option has been disabled or the invoking user is root.
+Additionally, in version 1.8.15 and higher,
.Nm sudoedit
will refuse to open a symbolic link unless either the
.Em sudoedit_follow
-Defaults option is enabled or the
+option is enabled or the
.Em sudoedit
command is prefixed with the
.Li FOLLOW
-tag.
-However, it is still possible to create a hard link if the directory
-is writable and the link target resides on the same file system.
+tag in the
+.Em sudoers
+file.
.Ss Time stamp file checks
.Nm sudoers
will check the ownership of its time stamp directory
def_use_netgroups = true;
#endif
def_netgroup_tuple = false;
+ def_sudoedit_checkdir = true;
/* Syslog options need special care since they both strings and ints */
#if (LOGGING & SLOG_SYSLOG)
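Review bot: def_sudoedit_checkdir = true changes behaviour for every existing sudoers file that does not set the option, and nothing in the visible change announces that outside the manual pages. Suggest a NEWS or upgrade-notes entry, plus a regression test asserting that a sudoedit target in a directory writable by the invoking user is refused when the option is left unset.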
memset(details, 0, sizeof(*details));
details->closefrom = -1;
details->execfd = -1;
+ details->flags = CD_SUDOEDIT_CHECKDIR;
TAILQ_INIT(&details->preserved_fds);
#define SET_STRING(s, n) \
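Review bot: details->flags = CD_SUDOEDIT_CHECKDIR; is a plain assignment, which is only safe because it directly follows the memset. Suggest |= or a one-line comment stating that the check is on unless the policy turns it off, so a later change that sets another flag above this line is not silently overwritten. The code that clears the flag when the policy disables sudoedit_checkdir is not visible in this hunk; worth confirming that path exists and is exercised.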