From: Todd C. Miller Date: Fri, 18 Feb 2000 17:56:28 +0000 (+0000) Subject: Add rootpw, runaspw, and targetpw options. X-Git-Tag: SUDO_1_6_3~45 X-Git-Url: https://granicus.if.org/sourcecode?a=commitdiff_plain;h=09b23e7b41fb2e167b101a6f562698fd2cd0a7c9;p=sudo Add rootpw, runaspw, and targetpw options. --- diff --git a/CHANGES b/CHANGES index 6b5ea41d0..86ce39fa3 100644 --- a/CHANGES +++ b/CHANGES @@ -1253,3 +1253,10 @@ Sudo 1.6.2 released. 395) It is now possible to set the path to the editor for visudo as well as the flag that determines whether or not visudo will look at $EDITOR in the sudoers file. + +396) configure now pulls in the values of LIBS, LDFLAGS, CPPFLAGS, etc + as the documentation says it ought to. + +397) Added rootpw, runaspw, and targetpw to prompt for the root, runas_default + and target user's passwords respectively (instead of the invoking user's + password). diff --git a/defaults.c b/defaults.c index 77d93a916..82421f15c 100644 --- a/defaults.c +++ b/defaults.c @@ -184,6 +184,15 @@ struct sudo_defs_types sudo_defs_table[] = { }, { "env_editor", T_FLAG, "Visudo will honor the EDITOR environment variable" + }, { + "rootpw", T_FLAG, + "Prompt for root's password, not the users's" + }, { + "runaspw", T_FLAG, + "Prompt for the runas_default user's password, not the users's" + }, { + "targetpw", T_FLAG, + "Prompt for the target user's password, not the users's" }, { "loglinelen", T_INT|T_BOOL, "Length at which to wrap log file lines (0 for no wrap): %d" @@ -534,7 +543,7 @@ init_defaults() def_flag(I_INSULTS) = TRUE; #endif #ifdef ENV_EDITOR - def_flag(I_ENVEDITOR) = TRUE; + def_flag(I_ENV_EDITOR) = TRUE; #endif /* Syslog options need special care since they both strings and ints */ diff --git a/defaults.h b/defaults.h index 869e88d03..7b23ac891 100644 --- a/defaults.h +++ b/defaults.h 
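Review bot: The three description strings added to `sudo_defs_table[]` in defaults.c read `not the users's`; the possessive should be `not the user's` in each of the `rootpw`, `runaspw` and `targetpw` entries. The entries sit between `env_editor` and `loglinelen`, which matches the new `I_ROOTPW 25` … `I_LOGLEN 28` numbering in defaults.h, but nothing in the hunk ties the two files together. The `I_*` values appear to be used as indexes into this table, so a later insertion in only one file would make an authentication flag read another option's slot. A comment above the new entries such as `/* order must match the I_* indexes in defaults.h */` would record that. The table definition starts and ends outside the hunk.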
@@ -111,36 +111,39 @@ struct sudo_defs_types { #define I_FQDN 21 #define I_INSULTS 22 #define I_REQUIRETTY 23 -#define I_ENVEDITOR 24 +#define I_ENV_EDITOR 24 +#define I_ROOTPW 25 +#define I_RUNASPW 26 +#define I_TARGETPW 27 /* Integer values */ -#define I_LOGLEN 25 /* wrap log file line after N chars */ -#define I_TS_TIMEOUT 26 /* timestamp stale after N minutes */ -#define I_PW_TIMEOUT 27 /* exit if pass not entered in N minutes */ -#define I_PW_TRIES 28 /* exit after N bad password tries */ -#define I_UMASK 29 /* umask to use or 0777 to use user's */ +#define I_LOGLEN 28 /* wrap log file line after N chars */ +#define I_TS_TIMEOUT 29 /* timestamp stale after N minutes */ +#define I_PW_TIMEOUT 30 /* exit if pass not entered in N minutes */ +#define I_PW_TRIES 31 /* exit after N bad password tries */ +#define I_UMASK 32 /* umask to use or 0777 to use user's */ /* Strings */ -#define I_LOGFILE 30 /* path to logfile (or NULL for none) */ -#define I_MAILERPATH 31 /* path to sendmail or other mailer */ -#define I_MAILERFLAGS 32 /* flags to pass to the mailer */ -#define I_MAILTO 33 /* who to send bitch mail to */ -#define I_MAILSUB 34 /* subject line of mail msg */ -#define I_BADPASS_MSG 35 /* what to say when passwd is wrong */ -#define I_TIMESTAMPDIR 36 /* path to timestamp dir */ -#define I_EXEMPT_GRP 37 /* no password or PATH override for these */ -#define I_PASSPROMPT 38 /* password prompt */ -#define I_RUNAS_DEF 39 /* default user to run commands as */ -#define I_SECURE_PATH 40 /* set $PATH to this if not NULL */ -#define I_EDITOR 41 /* path to editor used by visudo */ +#define I_LOGFILE 33 /* path to logfile (or NULL for none) */ +#define I_MAILERPATH 34 /* path to sendmail or other mailer */ +#define I_MAILERFLAGS 35 /* flags to pass to the mailer */ +#define I_MAILTO 36 /* who to send bitch mail to */ +#define I_MAILSUB 37 /* subject line of mail msg */ +#define I_BADPASS_MSG 38 /* what to say when passwd is wrong */ +#define I_TIMESTAMPDIR 39 /* path to 
timestamp dir */ +#define I_EXEMPT_GRP 40 /* no password or PATH override for these */ +#define I_PASSPROMPT 41 /* password prompt */ +#define I_RUNAS_DEF 42 /* default user to run commands as */ +#define I_SECURE_PATH 43 /* set $PATH to this if not NULL */ +#define I_EDITOR 44 /* path to editor used by visudo */ /* Integer versions of list/verify options */ -#define I_LISTPW 42 -#define I_VERIFYPW 43 +#define I_LISTPW 45 +#define I_VERIFYPW 46 /* String versions of list/verify options */ -#define I_LISTPWSTR 44 -#define I_VERIFYPWSTR 45 +#define I_LISTPWSTR 47 +#define I_VERIFYPWSTR 48 /* * Macros for accessing sudo_defs_table. diff --git a/getspwuid.c b/getspwuid.c index 80d10d8e2..c331f0baa 100644 --- a/getspwuid.c +++ b/getspwuid.c @@ -94,7 +94,6 @@ int crypt_type = INT_MAX; * Local functions not visible outside getspwuid.c */ static char *sudo_getshell __P((struct passwd *)); -static char *sudo_getepw __P((struct passwd *)); /* @@ -123,7 +122,7 @@ sudo_getshell(pw) * Return the encrypted password for the user described by pw. If shadow * passwords are in use, look in the shadow file. */ -static char * +char * sudo_getepw(pw) struct passwd *pw; { diff --git a/sudo.c b/sudo.c index 697c6d95d..e9f130038 100644 --- a/sudo.c +++ b/sudo.c @@ -108,6 +108,7 @@ static int init_vars __P((int)); static void add_env __P((int)); static void clean_env __P((char **, struct env_table *)); static void initial_setup __P((void)); +static void update_epasswd __P((void)); extern struct passwd *sudo_getpwuid __P((uid_t)); extern void list_matches __P((void)); @@ -304,6 +305,9 @@ main(argc, argv) (void) close(fd); } + /* Update encrypted password in user_password if sudoers said to. */ + update_epasswd(); + /* Require a password unless the NOPASS tag was set. */ if (!(validated & FLAG_NOPASS)) check_user(); 
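Review bot: In the second sudo.c hunk, `update_epasswd()` is called before the `FLAG_NOPASS` test, so the other account's encrypted password is looked up and copied into `user_passwd` even for commands that will not prompt. With `rootpw`, `runaspw` or `targetpw` set, a missing passwd entry is then also reported through `log_error()` on a run that needs no password. Moving the call under the existing condition, `if (!(validated & FLAG_NOPASS)) { update_epasswd(); check_user(); }`, keeps the hash out of the process unless it is needed. The added comment also says `user_password` where the variable is `user_passwd`. main() starts and ends outside the hunk.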
@@ -1062,6 +1066,42 @@ set_fqdn() } } +/* + * If the sudoers file says to prompt for a different user's password, + * update the encrypted password in user_passwd accordingly. + */ +static void +update_epasswd() +{ + struct passwd *pw; + + /* We may be configured to prompt for a password other than the user's */ + if (def_ival(I_ROOTPW)) { + if ((pw = getpwuid(0)) == NULL) + log_error(0, "uid 0 does not exist in the passwd file!"); + free(user_passwd); + user_passwd = estrdup(sudo_getepw(pw)); + } else if (def_ival(I_RUNASPW)) { + if ((pw = getpwnam(def_str(I_RUNAS_DEF))) == NULL) + log_error(0, "user %s does not exist in the passwd file!", + def_str(I_RUNAS_DEF)); + free(user_passwd); + user_passwd = estrdup(sudo_getepw(pw)); + } else if (def_ival(I_TARGETPW)) { + if (**user_runas == '#') { + if ((pw = getpwuid(atoi(*user_runas + 1))) == NULL) + log_error(0, "uid %s does not exist in the passwd file!", + user_runas); + } else { + if ((pw = getpwnam(*user_runas)) == NULL) + log_error(0, "user %s does not exist in the passwd file!", + user_runas); + } + free(user_passwd); + user_passwd = estrdup(sudo_getepw(pw)); + } +} + /* * Tell which options are mutually exclusive and exit. */ diff --git a/sudo.h b/sudo.h index 0ffe6260a..5f6972862 100644 --- a/sudo.h +++ b/sudo.h @@ -208,6 +208,7 @@ int lock_file __P((int, int)); int touch __P((char *, time_t)); int user_is_exempt __P((void)); void set_fqdn __P((void)); +char *sudo_getepw __P((struct passwd *)); YY_DECL; /* Only provide extern declarations outside of sudo.c. */ diff --git a/sudoers.cat b/sudoers.cat index 271b063db..9e7533a87 100644 --- a/sudoers.cat +++ b/sudoers.cat 
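Review bot: In the `I_TARGETPW` branch of `update_epasswd()` both `log_error()` calls pass `user_runas` to a `%s` conversion, although the surrounding lines dereference it as a `char **` (`**user_runas == '#'`, `getpwnam(*user_runas)`). The argument should be `*user_runas` for the user message and `*user_runas + 1` for the uid message. The same branch converts the `#uid` form with `atoi(*user_runas + 1)`, which yields 0 for a non-numeric string and therefore looks up uid 0; parsing with `strtol()` and rejecting trailing characters would avoid silently selecting root's entry. All three branches call `sudo_getepw(pw)` right after the NULL check, which is only safe if `log_error(0, ...)` does not return. That is not visible in this hunk, so either confirm it or add an explicit exit on the NULL path.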
@@ -381,13 +381,13 @@ sudoers(5) FILE FORMATS sudoers(5) to get a shell (which would be a root shell and not be logged). - IIIInnnntttteeeeggggeeeerrrrssss: - - passwd_tries - The number of tries a user gets to enter - his/her password before sudo logs the failure - and exits. The default is 3. + rootpw If set, sudo will prompt for the root password + instead of the password of the invoking user. + runaspw If set, sudo will prompt for the password of + the user defined by the _r_u_n_a_s___d_e_f_a_u_l_t option + (defaults to root) instead of the password of + the invoking user. @@ -400,6 +400,18 @@ sudoers(5) FILE FORMATS sudoers(5) sudoers(5) FILE FORMATS sudoers(5) + targetpw If set, sudo will prompt for the password of + the user specified by the -u flag (defaults to + root) instead of the password of the invoking + user. + + IIIInnnntttteeeeggggeeeerrrrssss: + + passwd_tries + The number of tries a user gets to enter + his/her password before sudo logs the failure + and exits. The default is 3. + IIIInnnntttteeeeggggeeeerrrrssss tttthhhhaaaatttt ccccaaaannnn bbbbeeee uuuusssseeeedddd iiiinnnn aaaa bbbboooooooolllleeeeaaaannnn ccccoooonnnntttteeeexxxxtttt: loglinelen Number of characters per line for the file @@ -441,18 +453,6 @@ sudoers(5) FILE FORMATS sudoers(5) timestamp files. The default is either /var/run/sudo or /tmp/sudo. - passprompt The default prompt to use when asking for a - password; can be overridden via the -p option - or the SUDO_PROMPT environment variable. - Supports two escapes: "%u" expands to the - user's login name and "%h" expands to the - local hostname. The default value is - "Password:". - - runas_default - The default user to run commands as if the -u - flag is not specified on the command line. - This defaults to "root". 
@@ -466,6 +466,19 @@ sudoers(5) FILE FORMATS sudoers(5) sudoers(5) FILE FORMATS sudoers(5) + passprompt The default prompt to use when asking for a + password; can be overridden via the -p option + or the SUDO_PROMPT environment variable. + Supports two escapes: "%u" expands to the + user's login name and "%h" expands to the + local hostname. The default value is + "Password:". + + runas_default + The default user to run commands as if the -u + flag is not specified on the command line. + This defaults to "root". + syslog_goodpri Syslog priority to use when user authenticates successfully. Defaults to "notice". @@ -507,6 +520,18 @@ sudoers(5) FILE FORMATS sudoers(5) verifypw This option controls when a password will be required when a user runs sudo with the ----vvvv. + + + +18/Feb/2000 1.6.3 8 + + + + + +sudoers(5) FILE FORMATS sudoers(5) + + It has the following possible values: all All the user's I entries for the @@ -521,17 +546,6 @@ sudoers(5) FILE FORMATS sudoers(5) never The user need never enter a password to use the B<-v> flag. - - -18/Feb/2000 1.6.3 8 - - - - - -sudoers(5) FILE FORMATS sudoers(5) - - always The user must always enter a password to use the B<-v> flag. 
@@ -572,31 +586,31 @@ sudoers(5) FILE FORMATS sudoers(5) User_Spec ::= User_list Host_List '=' User_List Cmnd_Spec_List \ (':' User_Spec)* - Cmnd_Spec_List ::= Cmnd_Spec | - Cmnd_Spec ',' Cmnd_Spec_List - Cmnd_Spec ::= Runas_Spec? ('NOPASSWD:' | 'PASSWD:')? Cmnd - Runas_Spec ::= '(' Runas_List ')' - A uuuusssseeeerrrr ssssppppeeeecccciiiiffffiiiiccccaaaattttiiiioooonnnn determines which commands a user may - run (and as what user) on specified hosts. By default, - commands are run as rrrrooooooootttt but this can be changed on a per- - command basis. +18/Feb/2000 1.6.3 9 - Let's break that down into its constituent parts: -18/Feb/2000 1.6.3 9 +sudoers(5) FILE FORMATS sudoers(5) + Cmnd_Spec_List ::= Cmnd_Spec | + Cmnd_Spec ',' Cmnd_Spec_List + Cmnd_Spec ::= Runas_Spec? ('NOPASSWD:' | 'PASSWD:')? Cmnd + Runas_Spec ::= '(' Runas_List ')' -sudoers(5) FILE FORMATS sudoers(5) + A uuuusssseeeerrrr ssssppppeeeecccciiiiffffiiiiccccaaaattttiiiioooonnnn determines which commands a user may + run (and as what user) on specified hosts. By default, + commands are run as rrrrooooooootttt but this can be changed on a per- + command basis. + Let's break that down into its constituent parts: RRRRuuuunnnnaaaassss____SSSSppppeeeecccc @@ -639,6 +653,17 @@ sudoers(5) FILE FORMATS sudoers(5) able to run _/_b_i_n_/_k_i_l_l without a password the entry would be: + + +18/Feb/2000 1.6.3 10 + + + + + +sudoers(5) FILE FORMATS sudoers(5) + + ray rushmore = NOPASSWD: /bin/kill, PASSWD: /bin/ls, /usr/bin/lprm Note however, that the PASSWD tag has no effect on users @@ -652,18 +677,6 @@ sudoers(5) FILE FORMATS sudoers(5) pertain to the current host. This behavior may be overridden via the verifypw and listpw options. - - - -18/Feb/2000 1.6.3 10 - - - - - -sudoers(5) FILE FORMATS sudoers(5) - - WWWWiiiillllddddccccaaaarrrrddddssss ((((aaaakkkkaaaa mmmmeeeettttaaaa cccchhhhaaaarrrraaaacccctttteeeerrrrssss)))):::: ssssuuuuddddoooo allows shell-style _w_i_l_d_c_a_r_d_s to be used in pathnames 
@@ -705,6 +718,18 @@ sudoers(5) FILE FORMATS sudoers(5) The pound sign ('#') is used to indicate a comment (unless it occurs in the context of a user name and is followed by + + + +18/Feb/2000 1.6.3 11 + + + + + +sudoers(5) FILE FORMATS sudoers(5) + + one or more digits, in which case it is treated as a uid). Both the comment character and any text after it, up to the end of the line, are ignored. @@ -718,18 +743,6 @@ sudoers(5) FILE FORMATS sudoers(5) dangerous since in a command context, it allows the user to run aaaannnnyyyy command on the system. - - - -18/Feb/2000 1.6.3 11 - - - - - -sudoers(5) FILE FORMATS sudoers(5) - - An exclamation point ('!') can be used as a logical _n_o_t operator both in an _a_l_i_a_s and in front of a Cmnd. This allows one to exclude certain values. Note, however, that @@ -771,6 +784,18 @@ EEEEXXXXAAAAMMMMPPPPLLLLEEEESSSS Host_Alias SERVERS = master, mail, www, ns Host_Alias CDROM = orion, perseus, hercules + + + +18/Feb/2000 1.6.3 12 + + + + + +sudoers(5) FILE FORMATS sudoers(5) + + # Cmnd alias specification Cmnd_Alias DUMPS = /usr/bin/mt, /usr/sbin/dump, /usr/sbin/rdump,\ /usr/sbin/restore, /usr/sbin/rrestore @@ -784,18 +809,6 @@ EEEEXXXXAAAAMMMMPPPPLLLLEEEESSSS /usr/local/bin/zsh Cmnd_Alias SU = /usr/bin/su - - - -18/Feb/2000 1.6.3 12 - - - - - -sudoers(5) FILE FORMATS sudoers(5) - - Here we override some of the compiled in default values. We want sudo to log via _s_y_s_l_o_g(3) using the _a_u_t_h facility in all cases. We don't want to subject the full time 
@@ -837,31 +850,31 @@ sudoers(5) FILE FORMATS sudoers(5) _C_S_N_E_T_S alias (the networks 128.138.243.0, 128.138.204.0, and 128.138.242.0). Of those networks, only <128.138.204.0> has an explicit netmask (in CIDR notation) - indicating it is a class C network. For the other - networks in _C_S_N_E_T_S, the local machine's netmask will be - used during matching. - lisa CUNETS = ALL - The user lllliiiissssaaaa may run any command on any host in the - _C_U_N_E_T_S alias (the class B network 128.138.0.0). - operator ALL = DUMPS, KILL, PRINTING, SHUTDOWN, HALT, REBOOT,\ - /usr/oper/bin/ +18/Feb/2000 1.6.3 13 - The ooooppppeeeerrrraaaattttoooorrrr user may run commands limited to simple -18/Feb/2000 1.6.3 13 +sudoers(5) FILE FORMATS sudoers(5) + indicating it is a class C network. For the other + networks in _C_S_N_E_T_S, the local machine's netmask will be + used during matching. + lisa CUNETS = ALL -sudoers(5) FILE FORMATS sudoers(5) + The user lllliiiissssaaaa may run any command on any host in the + _C_U_N_E_T_S alias (the class B network 128.138.0.0). + operator ALL = DUMPS, KILL, PRINTING, SHUTDOWN, HALT, REBOOT,\ + /usr/oper/bin/ + The ooooppppeeeerrrraaaattttoooorrrr user may run commands limited to simple maintenance. Here, those are commands related to backups, killing processes, the printing system, shutting down the system, and any commands in the directory _/_u_s_r_/_o_p_e_r_/_b_i_n_/. 
@@ -903,30 +916,31 @@ sudoers(5) FILE FORMATS sudoers(5) john ALPHA = /usr/bin/su [!-]*, !/usr/bin/su *root* On the _A_L_P_H_A machines, user jjjjoooohhhhnnnn may su to anyone except - root but he is not allowed to give _s_u(1) any flags. - jen ALL, !SERVERS = ALL - The user jjjjeeeennnn may run any command on any machine except for - those in the _S_E_R_V_E_R_S Host_Alias (master, mail, www and - ns). - jill SERVERS = /usr/bin/, !SU, !SHELLS +18/Feb/2000 1.6.3 14 - For any machine in the _S_E_R_V_E_R_S Host_Alias, jjjjiiiillllllll may run - any commands in the directory /usr/bin/ except for those - commands belonging to the _S_U and _S_H_E_L_L_S Cmnd_Aliases. -18/Feb/2000 1.6.3 14 +sudoers(5) FILE FORMATS sudoers(5) + root but he is not allowed to give _s_u(1) any flags. + jen ALL, !SERVERS = ALL -sudoers(5) FILE FORMATS sudoers(5) + The user jjjjeeeennnn may run any command on any machine except for + those in the _S_E_R_V_E_R_S Host_Alias (master, mail, www and + ns). + + jill SERVERS = /usr/bin/, !SU, !SHELLS + For any machine in the _S_E_R_V_E_R_S Host_Alias, jjjjiiiillllllll may run + any commands in the directory /usr/bin/ except for those + commands belonging to the _S_U and _S_H_E_L_L_S Cmnd_Aliases. steve CSNETS = (operator) /usr/local/op_commands/ @@ -968,6 +982,18 @@ SSSSEEEECCCCUUUURRRRIIIITTTTYYYY NNNNOOOOTTTTE restrictions should be considered advisory at best (and reinforced by policy). + + + +18/Feb/2000 1.6.3 15 + + + + + +sudoers(5) FILE FORMATS sudoers(5) + + CCCCAAAAVVVVEEEEAAAATTTTSSSS The _s_u_d_o_e_r_s file should aaaallllwwwwaaaayyyyssss be edited by the vvvviiiissssuuuuddddoooo command which locks the file and does grammatical 
@@ -981,19 +1007,6 @@ CCCCAAAAVVVVEEEEAAAATTTTSSSS hostname be fully-qualified as returned by the hostname command or use the _f_q_d_n option in _s_u_d_o_e_r_s. - - - - -18/Feb/2000 1.6.3 15 - - - - - -sudoers(5) FILE FORMATS sudoers(5) - - FFFFIIIILLLLEEEESSSS /etc/sudoers List of who can run what /etc/group Local groups file @@ -1024,19 +1037,6 @@ SSSSEEEEEEEE AAAALLLLSSSSOOOO - - - - - - - - - - - - - diff --git a/sudoers.man b/sudoers.man index 083b35917..705ca8ebb 100644 --- a/sudoers.man +++ b/sudoers.man @@ -2,8 +2,8 @@ ''' $RCSfile$$Revision$$Date$ ''' ''' $Log$ -''' Revision 1.26 2000/02/18 17:11:43 millert -''' enveditor -> env_editor +''' Revision 1.27 2000/02/18 17:56:27 millert +''' Add rootpw, runaspw, and targetpw options. ''' ''' .de Sh @@ -469,6 +469,17 @@ If set, visudo will use the value of the \s-1EDITOR\s0 or \s-1VISUAL\s0 environm falling back on the default editor. Note that this may create a security hole as most editors allow a user to get a shell (which would be a root shell and not be logged). +.Ip "rootpw" 12 +If set, sudo will prompt for the root password instead of the password +of the invoking user. +.Ip "runaspw" 12 +If set, sudo will prompt for the password of the user defined by the +\fIrunas_default\fR option (defaults to root) instead of the password +of the invoking user. +.Ip "targetpw" 12 +If set, sudo will prompt for the password of the user specified by +the \f(CW-u\fR flag (defaults to root) instead of the password of the +invoking user. .PP \fBIntegers\fR: .Ip "passwd_tries" 12 @@ -1009,6 +1020,12 @@ as returned by the \f(CWhostname\fR command or use the \fIfqdn\fR option in .IX Item "env_editor" +.IX Item "rootpw" + +.IX Item "runaspw" + +.IX Item "targetpw" + .IX Item "passwd_tries" .IX Item "loglinelen" diff --git a/sudoers.pod b/sudoers.pod index aeca4b2bd..ef2cd72f0 100644 --- a/sudoers.pod +++ b/sudoers.pod 
@@ -353,6 +353,23 @@ falling back on the default editor. Note that this may create a security hole as most editors allow a user to get a shell (which would be a root shell and not be logged). +=item rootpw + +If set, sudo will prompt for the root password instead of the password +of the invoking user. + +=item runaspw + +If set, sudo will prompt for the password of the user defined by the +I option (defaults to root) instead of the password +of the invoking user. + +=item targetpw + +If set, sudo will prompt for the password of the user specified by +the C<-u> flag (defaults to root) instead of the password of the +invoking user. + =back B: diff --git a/visudo.c b/visudo.c index fc14425f1..f7cbd984f 100644 --- a/visudo.c +++ b/visudo.c @@ -227,7 +227,7 @@ main(argc, argv) * If we are allowing EDITOR and VISUAL envariables set Editor * base on whichever exists... */ - if (!def_flag(I_ENVEDITOR) || + if (!def_flag(I_ENV_EDITOR) || (!(Editor = getenv("EDITOR")) && !(Editor = getenv("VISUAL")))) Editor = def_str(I_EDITOR);