HP-UX where libibmldap has a hidden dependency on libCsup.
* The sudoers plugin will now ignore invalid domain names when
- checking netgroup membership. Some Linux systems use the string
+ checking netgroup membership. Most Linux systems use the string
"(none)" for the NIS-style domain name instead of an empty string.
+ * New support for specifying a SHA-2 digest along with the command
+ in the sudoers file. Supported hash types are sha224, sha256,
+ sha384 and sha512. See the description of Digest_Spec in the
+ sudoers manual for details.
+
What's new in Sudo 1.8.6p8?
* Terminal detection now works properly on 64-bit AIX kernels.
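Review bot: the new NEWS bullet for command digests names the four hash types but not that the digest value may be given in either hex or base64 form, which the sudoers manual text in this same patch documents; adding "in hex or base64 format" keeps NEWS and the manual in step. Separately, changing "Some Linux systems" to "Most Linux systems" strengthens a factual claim about the "(none)" NIS domain name; unless that has been verified across distributions, "Some" was the safer wording.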
# Cmnd alias specification
##
Cmnd_Alias DUMPS = /usr/sbin/dump, /usr/sbin/rdump, /usr/sbin/restore, \
- /usr/sbin/rrestore, /usr/bin/mt
+ /usr/sbin/rrestore, /usr/bin/mt, \
+ sha224:0GomF8mNN3wlDt1HD9XldjJ3SNgpFdbjO1+NsQ== \
+ /home/operator/bin/start_backups
Cmnd_Alias KILL = /usr/bin/kill
Cmnd_Alias PRINTING = /usr/sbin/lpc, /usr/bin/lprm
Cmnd_Alias SHUTDOWN = /usr/sbin/shutdown
``localhost'' will only match if that is the actual host name, which is
usually only the case for non-networked systems.
+ digest ::= [A-Fa-f0-9]+ |
+ [[A-Za-z0-9+/=]+
+
+ Digest_Spec ::= "sha224" ':' digest |
+ "sha256" ':' digest |
+ "sha384" ':' digest |
+ "sha512" ':' digest
+
Cmnd_List ::= Cmnd |
Cmnd ',' Cmnd_List
file name args |
file name '""'
- Cmnd ::= '!'* command name |
+ Cmnd ::= Digest_Spec? '!'* command name |
'!'* directory |
'!'* "sudoedit" |
'!'* Cmnd_Alias
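Review bot: the base64 alternative of the new `digest` production has a doubled opening bracket: `[[A-Za-z0-9+/=]+` should read `[A-Za-z0-9+/=]+`, otherwise the character class as printed in the grammar is malformed. Also, `Cmnd ::= Digest_Spec? '!'* command name` places the digest ahead of any `!` negation; if a digest on a negated command is not meaningful, the grammar or the accompanying text should say how such an entry is treated.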
``sudoedit'' is a command built into s\bsu\bud\bdo\bo itself and must be specified in
_\bs_\bu_\bd_\bo_\be_\br_\bs without a leading path.
+ If a command name is prefixed with a Digest_Spec, the command will only
+ match successfully if it can be verified using the specified SHA-2
+ digest. This may be useful in situations where the user invoking s\bsu\bud\bdo\bo
+ has write access to the command or its parent directory. The digest
+ string may be specified in either hex or base64 format (base64 is more
+ compact). There are many utilities capable of generating SHA-2 digests
+ in hex format such as openssl, shasum, sha224sum, sha256sum, sha384sum,
+ sha512sum.
+
+ For example, using openssl:
+
+ $ openssl dgst -sha224 /bin/ls
+ SHA224(/bin/ls)= 118187da8364d490b4a7debbf483004e8f3e053ec954309de2c41a25
+
+ It is also possible to use openssl to generate base64 output:
+
+ $ openssl dgst -binary -sha224 /bin/ls | openssl base64
+ EYGH2oNk1JC0p9679IMATo8+BT7JVDCd4sQaJQ==
+
+ Command digests are only supported by version 1.8.7 or higher.
+
D\bDe\bef\bfa\bau\bul\blt\bts\bs
Certain configuration options may be changed from their default values at
run-time via one or more Default_Entry lines. These may affect all users
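Review bot: the new Digest_Spec paragraph says the command "will only match successfully if it can be verified", but never states the consequence of a mismatch in plain terms; one sentence such as "If the digest does not match, the entry does not apply and the command is denied" would make the failure mode explicit here rather than leaving it to the operator example later in the patch. Style nit: the tool list "openssl, shasum, sha224sum, sha256sum, sha384sum, sha512sum." needs "and" before the final item.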
# Cmnd alias specification
Cmnd_Alias DUMPS = /usr/bin/mt, /usr/sbin/dump, /usr/sbin/rdump,\
- /usr/sbin/restore, /usr/sbin/rrestore
+ /usr/sbin/restore, /usr/sbin/rrestore,\
+ sha224:0GomF8mNN3wlDt1HD9XldjJ3SNgpFdbjO1+NsQ== \
+ /home/operator/bin/start_backups
Cmnd_Alias KILL = /usr/bin/kill
Cmnd_Alias PRINTING = /usr/sbin/lpc, /usr/bin/lprm
Cmnd_Alias SHUTDOWN = /usr/sbin/shutdown
The o\bop\bpe\ber\bra\bat\bto\bor\br user may run commands limited to simple maintenance. Here,
those are commands related to backups, killing processes, the printing
system, shutting down the system, and any commands in the directory
- _\b/_\bu_\bs_\br_\b/_\bo_\bp_\be_\br_\b/_\bb_\bi_\bn_\b/.
+ _\b/_\bu_\bs_\br_\b/_\bo_\bp_\be_\br_\b/_\bb_\bi_\bn_\b/. Note that one command in the DUMPS Cmnd_Alias includes a
+ sha224 digest, _\b/_\bh_\bo_\bm_\be_\b/_\bo_\bp_\be_\br_\ba_\bt_\bo_\br_\b/_\bb_\bi_\bn_\b/_\bs_\bt_\ba_\br_\bt_\b__\bb_\ba_\bc_\bk_\bu_\bp_\bs. This is because the
+ directory containing the script is writable by the operator user. If the
+ script is modified (resulting in a digest mismatch) it will no longer be
+ possible to run it via s\bsu\bud\bdo\bo.
joe ALL = /usr/bin/su operator
file distributed with s\bsu\bud\bdo\bo or http://www.sudo.ws/sudo/license.html for
complete details.
-Sudo 1.8.7 March 5, 2013 Sudo 1.8.7
+Sudo 1.8.7 April 17, 2013 Sudo 1.8.7
with a `+'). The special value ALL will match any host.
s\bsu\bud\bdo\boC\bCo\bom\bmm\bma\ban\bnd\bd
- A Unix command with optional command line arguments, potentially
- including globbing characters (aka wild cards). The special value
- ALL will match any command. If a command is prefixed with an
- exclamation point `!', the user will be prohibited from running
- that command.
+ A fully-qualified Unix command name with optional command line
+ arguments, potentially including globbing characters (aka wild
+ cards). If a command name is preceded by an exclamation point,
+ `!', the user will be prohibited from running that command.
+
+ The built-in command ``sudoedit'' is used to permit a user to run
+ s\bsu\bud\bdo\bo with the -\b-e\be option (or as s\bsu\bud\bdo\boe\bed\bdi\bit\bt). It may take command line
+ arguments just as a normal command does. Note that ``sudoedit'' is
+ a command built into s\bsu\bud\bdo\bo itself and must be specified in without a
+ leading path.
+
+ The special value ALL will match any command.
+
+ If a command name is prefixed with a SHA-2 digest, it will only be
+ allowed if the digest matches. This may be useful in situations
+ where the user invoking s\bsu\bud\bdo\bo has write access to the command or its
+ parent directory. The following digest formats are supported:
+ sha224, sha256, sha384 and sha512. The digest name must be
+ followed by a colon (`:') and then the actual digest, in either hex
+ or base64 format. For example, given the following value for
+ sudoCommand:
+
+ sha224:0GomF8mNN3wlDt1HD9XldjJ3SNgpFdbjO1+NsQ /bin/ls
+
+ The user may only run _\b/_\bb_\bi_\bn_\b/_\bl_\bs if its sha224 digest matches the
+ specified value. Command digests are only supported by version
+ 1.8.7 or higher.
s\bsu\bud\bdo\boO\bOp\bpt\bti\bio\bon\bn
Identical in function to the global options described above, but
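Review bot: the example `sha224:0GomF8mNN3wlDt1HD9XldjJ3SNgpFdbjO1+NsQ /bin/ls` drops the trailing `==` padding that the same base64 string carries in the sample.sudoers hunk (`...O1+NsQ==`); a SHA-224 digest is 28 bytes, so its base64 encoding is 40 characters ending in `==`, and the two examples should agree. It is also confusing that this is the identical digest string the sudoers example attaches to /home/operator/bin/start_backups, while the openssl example computes a different value for /bin/ls; using a distinct value here avoids implying two files share a digest. Finally, "must be specified in without a leading path" is missing a word: in this LDAP context it should read "must be specified without a leading path".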
file distributed with s\bsu\bud\bdo\bo or http://www.sudo.ws/sudo/license.html for
complete details.
-Sudo 1.8.7 February 7, 2013 Sudo 1.8.7
+Sudo 1.8.7 April 17, 2013 Sudo 1.8.7
.\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
.\" ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
.\"
-.TH "SUDOERS.LDAP" "8" "February 7, 2013" "Sudo @PACKAGE_VERSION@" "OpenBSD System Manager's Manual"
+.TH "SUDOERS.LDAP" "8" "April 17, 2013" "Sudo @PACKAGE_VERSION@" "OpenBSD System Manager's Manual"
.nh
.if n .ad l
.SH "NAME"
will match any host.
.TP 6n
\fBsudoCommand\fR
-A Unix command with optional command line arguments, potentially
-including globbing characters (aka wild cards).
+A fully-qualified Unix command name with optional command line arguments,
+potentially including globbing characters (aka wild cards).
+If a command name is preceded by an exclamation point,
+`\&!',
+the user will be prohibited from running that command.
+.sp
+The built-in command
+``\fRsudoedit\fR''
+is used to permit a user to run
+\fBsudo\fR
+with the
+\fB\-e\fR
+option (or as
+\fBsudoedit\fR).
+It may take command line arguments just as a normal command does.
+Note that
+``\fRsudoedit\fR''
+is a command built into
+\fBsudo\fR
+itself and must be specified in without a leading path.
+.sp
The special value
\fRALL\fR
will match any command.
-If a command is prefixed with an exclamation point
-`\&!',
-the user will be prohibited from running that command.
+.sp
+If a command name is prefixed with a SHA-2 digest, it will
+only be allowed if the digest matches.
+This may be useful in situations where the user invoking
+\fBsudo\fR
+has write access to the command or its parent directory.
+The following digest formats are supported: sha224, sha256, sha384 and sha512.
+The digest name must be followed by a colon
+(`:\&')
+and then the actual digest, in either hex or base64 format.
+For example, given the following value for sudoCommand:
+.RS
+.nf
+.sp
+.RS 4n
+sha224:0GomF8mNN3wlDt1HD9XldjJ3SNgpFdbjO1+NsQ /bin/ls
+.RE
+.fi
+.sp
+The user may only run
+\fI/bin/ls\fR
+if its sha224 digest matches the specified value.
+Command digests are only supported by version 1.8.7 or higher.
+.PP
+.RE
+.PD 0
.TP 6n
\fBsudoOption\fR
Identical in function to the global options described above, but
specific to the
\fRsudoRole\fR
in which it resides.
+.PD
.TP 6n
\fBsudoRunAsUser\fR
A user name or uid (prefixed with
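Review bot: the same two text issues as in the catman version recur in the roff source: `sha224:...O1+NsQ /bin/ls` lacks the `==` padding used for this digest elsewhere in the patch, and "must be specified in without a leading path" is missing a word. On the markup side, the `.PP` followed by `.RE` and then `.PD 0` before the sudoOption `.TP`, with `.PD` restored after it, reads as a spacing workaround; if the trailing `.PP` inside the `.RS` block is dropped, the `.PD` pair may not be needed, and the rendered output should be checked with both groff and the nroff used to generate the .cat file.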
.\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
.\" ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
.\"
-.Dd February 7, 2013
+.Dd April 17, 2013
.Dt SUDOERS.LDAP @mansectsu@
.Os Sudo @PACKAGE_VERSION@
.Sh NAME
.Li ALL
will match any host.
.It Sy sudoCommand
-A Unix command with optional command line arguments, potentially
-including globbing characters (aka wild cards).
+A fully-qualified Unix command name with optional command line arguments,
+potentially including globbing characters (aka wild cards).
+If a command name is preceded by an exclamation point,
+.Ql \&! ,
+the user will be prohibited from running that command.
+.Pp
+The built-in command
+.Dq Li sudoedit
+is used to permit a user to run
+.Nm sudo
+with the
+.Fl e
+option (or as
+.Nm sudoedit ) .
+It may take command line arguments just as a normal command does.
+Note that
+.Dq Li sudoedit
+is a command built into
+.Nm sudo
+itself and must be specified in without a leading path.
+.Pp
The special value
.Li ALL
will match any command.
-If a command is prefixed with an exclamation point
-.Ql \&! ,
-the user will be prohibited from running that command.
+.Pp
+If a command name is prefixed with a SHA-2 digest, it will
+only be allowed if the digest matches.
+This may be useful in situations where the user invoking
+.Nm sudo
+has write access to the command or its parent directory.
+The following digest formats are supported: sha224, sha256, sha384 and sha512.
+The digest name must be followed by a colon
+.Pq Ql :\&
+and then the actual digest, in either hex or base64 format.
+For example, given the following value for sudoCommand:
+.Bd -literal -offset 4n
+sha224:0GomF8mNN3wlDt1HD9XldjJ3SNgpFdbjO1+NsQ /bin/ls
+.Ed
+.Pp
+The user may only run
+.Pa /bin/ls
+if its sha224 digest matches the specified value.
+Command digests are only supported by version 1.8.7 or higher.
.It Sy sudoOption
Identical in function to the global options described above, but
specific to the
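Review bot: in the mdoc source the example `sha224:0GomF8mNN3wlDt1HD9XldjJ3SNgpFdbjO1+NsQ /bin/ls` again omits the `==` padding present on the same digest in the sudoers examples, and "must be specified in without a leading path" still has the stray "in"; both should be fixed here as well so the three formats of the manual stay consistent.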
.\" Agency (DARPA) and Air Force Research Laboratory, Air Force
.\" Materiel Command, USAF, under agreement number F39502-99-1-0512.
.\"
-.TH "SUDOERS" "@mansectsu@" "March 5, 2013" "Sudo @PACKAGE_VERSION@" "Programmer's Manual"
+.TH "SUDOERS" "@mansectsu@" "April 17, 2013" "Sudo @PACKAGE_VERSION@" "Programmer's Manual"
.nh
.if n .ad l
.SH "NAME"
.nf
.sp
.RS 0n
+digest ::= [A-Fa-f0-9]+ |
+ [[A-Za-z0-9\+/=]+
+
+Digest_Spec ::= "sha224" ':' digest |
+ "sha256" ':' digest |
+ "sha384" ':' digest |
+ "sha512" ':' digest
+
Cmnd_List ::= Cmnd |
Cmnd ',' Cmnd_List
file name args |
file name '""'
-Cmnd ::= '!'* command name |
+Cmnd ::= Digest_Spec? '!'* command name |
'!'* directory |
'!'* "sudoedit" |
'!'* Cmnd_Alias
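Review bot: the `digest` production carries the same doubled bracket as the catman grammar: `[[A-Za-z0-9\+/=]+` should be `[A-Za-z0-9\+/=]+`.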
itself and must be specified in
\fIsudoers\fR
without a leading path.
+.PP
+If a
+\fRcommand name\fR
+is prefixed with a
+\fRDigest_Spec\fR,
+the command will only match successfully if it can be verified
+using the specified SHA-2 digest.
+This may be useful in situations where the user invoking
+\fBsudo\fR
+has write access to the command or its parent directory.
+The digest string may be specified in either hex or base64 format
+(base64 is more compact).
+There are many utilities capable of generating SHA-2 digests in hex
+format such as openssl, shasum, sha224sum, sha256sum, sha384sum, sha512sum.
+.PP
+For example, using openssl:
+.nf
+.sp
+.RS 0n
+$ openssl dgst -sha224 /bin/ls
+SHA224(/bin/ls)= 118187da8364d490b4a7debbf483004e8f3e053ec954309de2c41a25
+.RE
+.fi
+.PP
+It is also possible to use openssl to generate base64 output:
+.nf
+.sp
+.RS 0n
+$ openssl dgst -binary -sha224 /bin/ls | openssl base64
+EYGH2oNk1JC0p9679IMATo8+BT7JVDCd4sQaJQ==
+.RE
+.fi
+.PP
+Command digests are only supported by version 1.8.7 or higher.
.SS "Defaults"
Certain configuration options may be changed from their default
values at run-time via one or more
# Cmnd alias specification
Cmnd_Alias DUMPS = /usr/bin/mt, /usr/sbin/dump, /usr/sbin/rdump,\e
- /usr/sbin/restore, /usr/sbin/rrestore
+ /usr/sbin/restore, /usr/sbin/rrestore,\e
+ sha224:0GomF8mNN3wlDt1HD9XldjJ3SNgpFdbjO1+NsQ== \e
+ /home/operator/bin/start_backups
Cmnd_Alias KILL = /usr/bin/kill
Cmnd_Alias PRINTING = /usr/sbin/lpc, /usr/bin/lprm
Cmnd_Alias SHUTDOWN = /usr/sbin/shutdown
printing system, shutting down the system, and any commands in the
directory
\fI/usr/oper/bin/\fR.
+Note that one command in the
+\fRDUMPS\fR
+Cmnd_Alias includes a sha224 digest,
+\fI/home/operator/bin/start_backups\fR.
+This is because the directory containing the script is writable by the
+operator user.
+If the script is modified (resulting in a digest mismatch) it will no longer
+be possible to run it via
+\fBsudo\fR.
.nf
.sp
.RS 0n
.\" Agency (DARPA) and Air Force Research Laboratory, Air Force
.\" Materiel Command, USAF, under agreement number F39502-99-1-0512.
.\"
-.Dd March 5, 2013
+.Dd April 17, 2013
.Dt SUDOERS @mansectform@
.Os Sudo @PACKAGE_VERSION@
.Sh NAME
will only match if that is the actual host name, which is usually
only the case for non-networked systems.
.Bd -literal
+digest ::= [A-Fa-f0-9]+ |
+ [[A-Za-z0-9\+/=]+
+
+Digest_Spec ::= "sha224" ':' digest |
+ "sha256" ':' digest |
+ "sha384" ':' digest |
+ "sha512" ':' digest
+
Cmnd_List ::= Cmnd |
Cmnd ',' Cmnd_List
file name args |
file name '""'
-Cmnd ::= '!'* command name |
+Cmnd ::= Digest_Spec? '!'* command name |
'!'* directory |
'!'* "sudoedit" |
'!'* Cmnd_Alias
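Review bot: the mdoc grammar repeats the `[[A-Za-z0-9\+/=]+` typo; drop the extra `[` so the base64 character class matches the hex alternative's form.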
itself and must be specified in
.Em sudoers
without a leading path.
+.Pp
+If a
+.Li command name
+is prefixed with a
+.Li Digest_Spec ,
+the command will only match successfully if it can be verified
+using the specified SHA-2 digest.
+This may be useful in situations where the user invoking
+.Nm sudo
+has write access to the command or its parent directory.
+The digest string may be specified in either hex or base64 format
+(base64 is more compact).
+There are many utilities capable of generating SHA-2 digests in hex
+format such as openssl, shasum, sha224sum, sha256sum, sha384sum, sha512sum.
+.Pp
+For example, using openssl:
+.Bd -literal
+$ openssl dgst -sha224 /bin/ls
+SHA224(/bin/ls)= 118187da8364d490b4a7debbf483004e8f3e053ec954309de2c41a25
+.Ed
+.Pp
+It is also possible to use openssl to generate base64 output:
+.Bd -literal
+$ openssl dgst -binary -sha224 /bin/ls | openssl base64
+EYGH2oNk1JC0p9679IMATo8+BT7JVDCd4sQaJQ==
+.Ed
+.Pp
+Command digests are only supported by version 1.8.7 or higher.
.Ss Defaults
Certain configuration options may be changed from their default
values at run-time via one or more
# Cmnd alias specification
Cmnd_Alias DUMPS = /usr/bin/mt, /usr/sbin/dump, /usr/sbin/rdump,\e
- /usr/sbin/restore, /usr/sbin/rrestore
+ /usr/sbin/restore, /usr/sbin/rrestore,\e
+ sha224:0GomF8mNN3wlDt1HD9XldjJ3SNgpFdbjO1+NsQ== \e
+ /home/operator/bin/start_backups
Cmnd_Alias KILL = /usr/bin/kill
Cmnd_Alias PRINTING = /usr/sbin/lpc, /usr/bin/lprm
Cmnd_Alias SHUTDOWN = /usr/sbin/shutdown
printing system, shutting down the system, and any commands in the
directory
.Pa /usr/oper/bin/ .
+Note that one command in the
+.Li DUMPS
+Cmnd_Alias includes a sha224 digest,
+.Pa /home/operator/bin/start_backups .
+This is because the directory containing the script is writable by the
+operator user.
+If the script is modified (resulting in a digest mismatch) it will no longer
+be possible to run it via
+.Nm sudo .
.Bd -literal
joe ALL = /usr/bin/su operator
.Ed