From: Todd C. Miller Date: Wed, 7 Apr 2010 14:09:31 +0000 (-0400) Subject: Add a note about the security implications of the fast_glob option. X-Git-Tag: SUDO_1_8_0~742 X-Git-Url: https://granicus.if.org/sourcecode?a=commitdiff_plain;h=29f22dba2d83dbbf25d94df1f92287463d7203c2;p=sudo Add a note about the security implications of the fast_glob option. --- diff --git a/doc/sudoers.cat b/doc/sudoers.cat index 2bdffdb13..a5c1160fc 100644 --- a/doc/sudoers.cat +++ b/doc/sudoers.cat @@ -61,7 +61,7 @@ DDEESSCCRRIIPPTTIIOONN -1.7.3b2 December 19, 2009 1 +1.8.0a1 April 7, 2010 1 @@ -127,7 +127,7 @@ SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4) -1.7.3b2 December 19, 2009 2 +1.8.0a1 April 7, 2010 2 @@ -193,7 +193,7 @@ SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4) -1.7.3b2 December 19, 2009 3 +1.8.0a1 April 7, 2010 3 @@ -259,7 +259,7 @@ SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4) -1.7.3b2 December 19, 2009 4 +1.8.0a1 April 7, 2010 4 @@ -325,7 +325,7 @@ SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4) -1.7.3b2 December 19, 2009 5 +1.8.0a1 April 7, 2010 5 @@ -391,7 +391,7 @@ SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4) -1.7.3b2 December 19, 2009 6 +1.8.0a1 April 7, 2010 6 @@ -457,7 +457,7 @@ SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4) -1.7.3b2 December 19, 2009 7 +1.8.0a1 April 7, 2010 7 @@ -523,7 +523,7 @@ SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4) -1.7.3b2 December 19, 2009 8 +1.8.0a1 April 7, 2010 8 @@ -589,7 +589,7 @@ SSUUDDOOEERRSS OOPPTTIIOONNSS -1.7.3b2 December 19, 2009 9 +1.8.0a1 April 7, 2010 9 @@ -615,7 +615,7 @@ SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4) alternative is to place a colon-separated list of editors in the editor variable. vviissuuddoo will then only use the EDITOR or VISUAL if they match a value - specified in editor. This flag is _o_f_f by default. + specified in editor. This flag is _o_n by default. env_reset If set, ssuuddoo will reset the environment to only contain the LOGNAME, SHELL, USER, USERNAME and the SUDO_* 
@@ -637,7 +637,13 @@ SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4) which does not access the file system to do its matching. The disadvantage of _f_a_s_t___g_l_o_b is that it is unable to match relative path names such as _._/_l_s or - _._._/_b_i_n_/_l_s. This flag is _o_f_f by default. + _._._/_b_i_n_/_l_s. This has security implications when path + names that include globbing characters are used with + the negation operator, '!', as such rules can be + trivially bypassed. As such, this option should not be + used when _s_u_d_o_e_r_s contains rules that contain negated + path names which include globbing characters. This + flag is _o_f_f by default. fqdn Set this flag if you want to put fully qualified host names in the _s_u_d_o_e_r_s file. I.e., instead of myhost you @@ -646,16 +652,10 @@ SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4) that turning on _f_q_d_n requires ssuuddoo to make DNS lookups which may make ssuuddoo unusable if DNS stops working (for example if the machine is not plugged into the - network). Also note that you must use the host's - official name as DNS knows it. That is, you may not - use a host alias (CNAME entry) due to performance - issues and the fact that there is no way to get all - aliases from DNS. If your machine's host name (as - returned by the hostname command) is already fully -1.7.3b2 December 19, 2009 10 +1.8.0a1 April 7, 2010 10 
@@ -664,12 +664,18 @@ SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4) SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4) + network). Also note that you must use the host's + official name as DNS knows it. That is, you may not + use a host alias (CNAME entry) due to performance + issues and the fact that there is no way to get all + aliases from DNS. If your machine's host name (as + returned by the hostname command) is already fully qualified you shouldn't need to set _f_q_d_n. This flag is _o_f_f by default. ignore_dot If set, ssuuddoo will ignore '.' or '' (current dir) in the PATH environment variable; the PATH itself is not - modified. This flag is _o_f_f by default. + modified. This flag is _o_n by default. ignore_local_sudoers If set via LDAP, parsing of _/_e_t_c_/_s_u_d_o_e_r_s will be @@ -685,7 +691,7 @@ SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4) _o_f_f by default. insults If set, ssuuddoo will insult users when they enter an - incorrect password. This flag is _o_f_f by default. + incorrect password. This flag is _o_n by default. log_host If set, the host name will be logged in the (non- syslog) ssuuddoo log file. This flag is _o_f_f by default. @@ -712,16 +718,10 @@ SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4) allowed to run commands on the current host. This flag is _o_f_f by default. - mail_no_perms If set, mail will be sent to the _m_a_i_l_t_o user if the - invoking user is allowed to use ssuuddoo but the command - they are trying is not listed in their _s_u_d_o_e_r_s file - entry or is explicitly denied. This flag is _o_f_f by - default. - -1.7.3b2 December 19, 2009 11 +1.8.0a1 April 7, 2010 11 
@@ -730,6 +730,12 @@ SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4) SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4) + mail_no_perms If set, mail will be sent to the _m_a_i_l_t_o user if the + invoking user is allowed to use ssuuddoo but the command + they are trying is not listed in their _s_u_d_o_e_r_s file + entry or is explicitly denied. This flag is _o_f_f by + default. + mail_no_user If set, mail will be sent to the _m_a_i_l_t_o user if the invoking user is not in the _s_u_d_o_e_r_s file. This flag is _o_n by default. @@ -778,16 +784,10 @@ SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4) to a real tty. When this flag is set, ssuuddoo can only be run from a login session and not via other means such as _c_r_o_n(1m) or cgi-bin scripts. This flag is _o_f_f by - default. - root_sudo If set, root is allowed to run ssuuddoo too. Disabling - this prevents users from "chaining" ssuuddoo commands to - get a root shell by doing something like "sudo sudo - /bin/sh". Note, however, that turning off _r_o_o_t___s_u_d_o - -1.7.3b2 December 19, 2009 12 +1.8.0a1 April 7, 2010 12 @@ -796,6 +796,12 @@ SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4) SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4) + default. + + root_sudo If set, root is allowed to run ssuuddoo too. Disabling + this prevents users from "chaining" ssuuddoo commands to + get a root shell by doing something like "sudo sudo + /bin/sh". Note, however, that turning off _r_o_o_t___s_u_d_o will also prevent root and from running ssuuddooeeddiitt. Disabling _r_o_o_t___s_u_d_o provides no real additional security; it exists purely for historical reasons. 
@@ -844,16 +850,10 @@ SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4) stay_setuid Normally, when ssuuddoo executes a command the real and effective UIDs are set to the target user (root by - default). This option changes that behavior such that - the real UID is left as the invoking user's UID. In - other words, this makes ssuuddoo act as a setuid wrapper. - This can be useful on systems that disable some - potentially dangerous functionality when a program is - run setuid. This option is only effective on systems -1.7.3b2 December 19, 2009 13 +1.8.0a1 April 7, 2010 13 @@ -862,6 +862,12 @@ SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4) SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4) + default). This option changes that behavior such that + the real UID is left as the invoking user's UID. In + other words, this makes ssuuddoo act as a setuid wrapper. + This can be useful on systems that disable some + potentially dangerous functionality when a program is + run setuid. This option is only effective on systems with either the _s_e_t_r_e_u_i_d_(_) or _s_e_t_r_e_s_u_i_d_(_) function. This flag is _o_f_f by default. @@ -910,16 +916,10 @@ SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4) use_loginclass If set, ssuuddoo will apply the defaults specified for the target user's login class if one exists. Only - available if ssuuddoo is configured with the - --with-logincap option. This flag is _o_f_f by default. - - visiblepw By default, ssuuddoo will refuse to run if the user must - enter a password but it is not possible to disable echo - on the terminal. If the _v_i_s_i_b_l_e_p_w flag is set, ssuuddoo -1.7.3b2 December 19, 2009 14 +1.8.0a1 April 7, 2010 14 
@@ -928,6 +928,12 @@ SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4) SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4) + available if ssuuddoo is configured with the + --with-logincap option. This flag is _o_f_f by default. + + visiblepw By default, ssuuddoo will refuse to run if the user must + enter a password but it is not possible to disable echo + on the terminal. If the _v_i_s_i_b_l_e_p_w flag is set, ssuuddoo will prompt for a password even when it would be visible on the screen. This makes it possible to run things like "rsh somehost sudo ls" since _r_s_h(1) does @@ -976,23 +982,23 @@ SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4) The actual umask that is used will be the union of the user's umask and 0022. This guarantees that ssuuddoo never lowers the umask when running a command. Note on - systems that use PAM, the default PAM configuration may - specify its own umask which will override the value set - in _s_u_d_o_e_r_s. - SSttrriinnggss: +1.8.0a1 April 7, 2010 15 -1.7.3b2 December 19, 2009 15 +SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4) -SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4) + systems that use PAM, the default PAM configuration may + specify its own umask which will override the value set + in _s_u_d_o_e_r_s. + SSttrriinnggss: badpass_message Message that is displayed if a user enters an incorrect password. The default is Sorry, try again. unless @@ -1042,16 +1048,10 @@ SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4) The default value is Password:. - runas_default The default user to run commands as if the --uu option is - not specified on the command line. This defaults to - root. Note that if _r_u_n_a_s___d_e_f_a_u_l_t is set it mmuusstt occur - before any Runas_Alias specifications. - - syslog_badpri Syslog priority to use when user authenticates -1.7.3b2 December 19, 2009 16 +1.8.0a1 April 7, 2010 16 
@@ -1060,6 +1060,12 @@ SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4) SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4) + runas_default The default user to run commands as if the --uu option is + not specified on the command line. This defaults to + root. Note that if _r_u_n_a_s___d_e_f_a_u_l_t is set it mmuusstt occur + before any Runas_Alias specifications. + + syslog_badpri Syslog priority to use when user authenticates unsuccessfully. Defaults to alert. syslog_goodpri Syslog priority to use when user authenticates @@ -1109,15 +1115,9 @@ SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4) once Only lecture the user the first time they run ssuuddoo. - If no value is specified, a value of _o_n_c_e is implied. - Negating the option results in a value of _n_e_v_e_r being used. - The default value is _o_n_c_e. - - - -1.7.3b2 December 19, 2009 17 +1.8.0a1 April 7, 2010 17 @@ -1126,6 +1126,10 @@ SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4) SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4) + If no value is specified, a value of _o_n_c_e is implied. + Negating the option results in a value of _n_e_v_e_r being used. + The default value is _o_n_c_e. + lecture_file Path to a file containing an alternate ssuuddoo lecture that will be used in place of the standard lecture if the named @@ -1176,14 +1180,10 @@ SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4) environment variable you may want to use this. Another use is if you want to have the "root path" be separate from the "user path." Users in the group specified by the - _e_x_e_m_p_t___g_r_o_u_p option are not affected by _s_e_c_u_r_e___p_a_t_h. This - option is not set by default. - - syslog Syslog facility if syslog is being used for logging (negate -1.7.3b2 December 19, 2009 18 +1.8.0a1 April 7, 2010 18 
@@ -1192,7 +1192,11 @@ SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4) SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4) - to disable syslog logging). Defaults to local2. + _e_x_e_m_p_t___g_r_o_u_p option are not affected by _s_e_c_u_r_e___p_a_t_h. This + option is not set by default. + + syslog Syslog facility if syslog is being used for logging (negate + to disable syslog logging). Defaults to authpriv. verifypw This option controls when a password will be required when a user runs ssuuddoo with the --vv option. It has the following @@ -1242,14 +1246,10 @@ SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4) default list of environment variables to remove is displayed when ssuuddoo is run by root with the _-_V option. Note that many operating systems will remove - potentially dangerous variables from the environment of - any setuid process (such as ssuuddoo). - env_keep Environment variables to be preserved in the user's - -1.7.3b2 December 19, 2009 19 +1.8.0a1 April 7, 2010 19 @@ -1258,6 +1258,10 @@ SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4) SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4) + potentially dangerous variables from the environment of + any setuid process (such as ssuuddoo). + + env_keep Environment variables to be preserved in the user's environment when the _e_n_v___r_e_s_e_t option is in effect. This allows fine-grained control over the environment ssuuddoo-spawned processes will receive. The argument may @@ -1308,14 +1312,10 @@ EEXXAAMMPPLLEESS Host_Alias SERVERS = master, mail, www, ns Host_Alias CDROM = orion, perseus, hercules - # Cmnd alias specification - Cmnd_Alias DUMPS = /usr/bin/mt, /usr/sbin/dump, /usr/sbin/rdump,\ - /usr/sbin/restore, /usr/sbin/rrestore - Cmnd_Alias KILL = /usr/bin/kill -1.7.3b2 December 19, 2009 20 +1.8.0a1 April 7, 2010 20 
@@ -1324,6 +1324,10 @@ EEXXAAMMPPLLEESS SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4) + # Cmnd alias specification + Cmnd_Alias DUMPS = /usr/bin/mt, /usr/sbin/dump, /usr/sbin/rdump,\ + /usr/sbin/restore, /usr/sbin/rrestore + Cmnd_Alias KILL = /usr/bin/kill Cmnd_Alias PRINTING = /usr/sbin/lpc, /usr/bin/lprm Cmnd_Alias SHUTDOWN = /usr/sbin/shutdown Cmnd_Alias HALT = /usr/sbin/halt @@ -1375,13 +1379,9 @@ SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4) jack CSNETS = ALL - The user jjaacckk may run any command on the machines in the _C_S_N_E_T_S alias - (the networks 128.138.243.0, 128.138.204.0, and 128.138.242.0). Of - those networks, only 128.138.204.0 has an explicit netmask (in CIDR - -1.7.3b2 December 19, 2009 21 +1.8.0a1 April 7, 2010 21 @@ -1390,6 +1390,9 @@ SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4) SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4) + The user jjaacckk may run any command on the machines in the _C_S_N_E_T_S alias + (the networks 128.138.243.0, 128.138.204.0, and 128.138.242.0). Of + those networks, only 128.138.204.0 has an explicit netmask (in CIDR notation) indicating it is a class C network. For the other networks in _C_S_N_E_T_S, the local machine's netmask will be used during matching. @@ -1442,12 +1445,9 @@ SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4) The user ffrreedd can run commands as any user in the _D_B Runas_Alias (oorraaccllee or ssyybbaassee) without giving a password. - john ALPHA = /usr/bin/su [!-]*, !/usr/bin/su *root* - - -1.7.3b2 December 19, 2009 22 +1.8.0a1 April 7, 2010 22 @@ -1456,6 +1456,8 @@ SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4) SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4) + john ALPHA = /usr/bin/su [!-]*, !/usr/bin/su *root* + On the _A_L_P_H_A machines, user jjoohhnn may su to anyone except root but he is not allowed to specify any options to the _s_u(1) command. 
@@ -1508,12 +1510,10 @@ SSEECCUURRIITTYY NNOOTTEESS kind of restrictions should be considered advisory at best (and reinforced by policy). -PPRREEVVEENNTTIINNGG SSHHEELLLL EESSCCAAPPEESS - Once ssuuddoo executes a program, that program is free to do whatever it -1.7.3b2 December 19, 2009 23 +1.8.0a1 April 7, 2010 23 @@ -1522,6 +1522,23 @@ PPRREEVVEENNTTIINNGG SSHHEELLLL EESSCCAAPPEESS SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4) + Furthermore, if the _f_a_s_t___g_l_o_b option is in use, it is not possible to + reliably negate commands where the path name includes globbing (aka + wildcard) characters. This is because the C library's _f_n_m_a_t_c_h(3) + function cannot resolve relative paths. While this is typically only + an inconvenience for rules that grant privileges, it can result in a + security issue for rules that subtract or revoke privileges. + + For example, given the following _s_u_d_o_e_r_s entry: + + john ALL = /usr/bin/passwd [a-zA-Z0-9]*, /usr/bin/chsh [a-zA-Z0-9]*, + /usr/bin/chfn [a-zA-Z0-9]*, !/usr/bin/* root + + User jjoohhnn can still run /usr/bin/passwd root if _f_a_s_t___g_l_o_b is enabled by + changing to _/_u_s_r_/_b_i_n and running ./passwd root instead. + +PPRREEVVEENNTTIINNGG SSHHEELLLL EESSCCAAPPEESS + Once ssuuddoo executes a program, that program is free to do whatever it pleases, including run other programs. This can be a security issue since it is not uncommon for a program to allow shell escapes, which lets a user bypass ssuuddoo's access control and logging. Common programs 
@@ -1559,6 +1576,18 @@ SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4) then ssuuddoo may be able to replace the exec family of functions in the standard library with its own that simply return an error. Unfortunately, there is no foolproof way to know + + + +1.8.0a1 April 7, 2010 24 + + + + + +SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4) + + whether or not _n_o_e_x_e_c will work at compile-time. _n_o_e_x_e_c should work on SunOS, Solaris, *BSD, Linux, IRIX, Tru64 UNIX, MacOS X, and HP-UX 11.x. It is known nnoott to work on AIX and @@ -1576,18 +1605,6 @@ SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4) This allows user aaaarroonn to run _/_u_s_r_/_b_i_n_/_m_o_r_e and _/_u_s_r_/_b_i_n_/_v_i with _n_o_e_x_e_c enabled. This will prevent those two commands - - - -1.7.3b2 December 19, 2009 24 - - - - - -SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4) - - from executing other commands (such as a shell). If you are unsure whether or not your system is capable of supporting _n_o_e_x_e_c you can always just try it out and see if it works. @@ -1625,6 +1642,18 @@ DDIISSCCLLAAIIMMEERR ssuuddoo is provided ``AS IS'' and any express or implied warranties, including, but not limited to, the implied warranties of merchantability and fitness for a particular purpose are disclaimed. + + + +1.8.0a1 April 7, 2010 25 + + + + + +SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4) + + See the LICENSE file distributed with ssuuddoo or http://www.sudo.ws/sudo/license.html for complete details. @@ -1645,6 +1674,43 @@ DDIISSCCLLAAIIMMEERR -1.7.3b2 December 19, 2009 25 + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +1.8.0a1 April 7, 2010 26 diff --git a/doc/sudoers.man.in b/doc/sudoers.man.in index ab165962f..0ddf31821 100644 --- a/doc/sudoers.man.in +++ b/doc/sudoers.man.in @@ -1,4 +1,4 @@ -.\" Copyright (c) 1994-1996, 1998-2005, 2007-2009 +.\" Copyright (c) 1994-1996, 1998-2005, 2007-2010 .\" Todd C. Miller .\" .\" Permission to use, copy, modify, and distribute this software for any 
@@ -144,7 +144,7 @@ .\" ======================================================================== .\" .IX Title "SUDOERS @mansectform@" -.TH SUDOERS @mansectform@ "December 19, 2009" "1.7.3b2" "MAINTENANCE COMMANDS" +.TH SUDOERS @mansectform@ "April 7, 2010" "1.8.0a1" "MAINTENANCE COMMANDS" .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l @@ -755,7 +755,12 @@ system that is mounted on demand (automounted). The \fIfast_glob\fR option causes \fBsudo\fR to use the \fIfnmatch\fR\|(3) function, which does not access the file system to do its matching. The disadvantage of \fIfast_glob\fR is that it is unable to match relative path names -such as \fI./ls\fR or \fI../bin/ls\fR. This flag is \fIoff\fR by default. +such as \fI./ls\fR or \fI../bin/ls\fR. This has security implications +when path names that include globbing characters are used with the +negation operator, \f(CW\*(Aq!\*(Aq\fR, as such rules can be trivially bypassed. +As such, this option should not be used when \fIsudoers\fR contains rules +that contain negated path names which include globbing characters. +This flag is \fIoff\fR by default. .IP "fqdn" 16 .IX Item "fqdn" Set this flag if you want to put fully qualified host names in the 
@@ -1568,6 +1573,24 @@ Doesn't really prevent \fBbill\fR from running the commands listed in different name, or use a shell escape from an editor or other program. Therefore, these kind of restrictions should be considered advisory at best (and reinforced by policy). +.PP +Furthermore, if the \fIfast_glob\fR option is in use, it is not possible +to reliably negate commands where the path name includes globbing +(aka wildcard) characters. This is because the C library's +\&\fIfnmatch\fR\|(3) function cannot resolve relative paths. While this +is typically only an inconvenience for rules that grant privileges, +it can result in a security issue for rules that subtract or revoke +privileges. +.PP +For example, given the following \fIsudoers\fR entry: +.PP +.Vb 2 +\& john ALL = /usr/bin/passwd [a\-zA\-Z0\-9]*, /usr/bin/chsh [a\-zA\-Z0\-9]*, +\& /usr/bin/chfn [a\-zA\-Z0\-9]*, !/usr/bin/* root +.Ve +.PP +User \fBjohn\fR can still run \f(CW\*(C`/usr/bin/passwd root\*(C'\fR if \fIfast_glob\fR is +enabled by changing to \fI/usr/bin\fR and running \f(CW\*(C`./passwd root\*(C'\fR instead. .SH "PREVENTING SHELL ESCAPES" .IX Header "PREVENTING SHELL ESCAPES" Once \fBsudo\fR executes a program, that program is free to do whatever diff --git a/doc/sudoers.pod b/doc/sudoers.pod index d1cfea79c..3dce776b1 100644 --- a/doc/sudoers.pod +++ b/doc/sudoers.pod @@ -1,4 +1,4 @@ -Copyright (c) 1994-1996, 1998-2005, 2007-2009 +Copyright (c) 1994-1996, 1998-2005, 2007-2010 Todd C. Miller Permission to use, copy, modify, and distribute this software for any 
@@ -628,7 +628,12 @@ system that is mounted on demand (automounted). The I option causes B to use the L function, which does not access the file system to do its matching. The disadvantage of I is that it is unable to match relative path names -such as F<./ls> or F<../bin/ls>. This flag is I by default. +such as F<./ls> or F<../bin/ls>. This has security implications +when path names that include globbing characters are used with the +negation operator, C<'!'>, as such rules can be trivially bypassed. +As such, this option should not be used when I contains rules +that contain negated path names which include globbing characters. +This flag is I by default. =item fqdn @@ -1508,6 +1513,22 @@ different name, or use a shell escape from an editor or other program. Therefore, these kind of restrictions should be considered advisory at best (and reinforced by policy). +Furthermore, if the I option is in use, it is not possible +to reliably negate commands where the path name includes globbing +(aka wildcard) characters. This is because the C library's +L function cannot resolve relative paths. While this +is typically only an inconvenience for rules that grant privileges, +it can result in a security issue for rules that subtract or revoke +privileges. + +For example, given the following I entry: + + john ALL = /usr/bin/passwd [a-zA-Z0-9]*, /usr/bin/chsh [a-zA-Z0-9]*, + /usr/bin/chfn [a-zA-Z0-9]*, !/usr/bin/* root + +User B can still run C if I is +enabled by changing to F and running C<./passwd root> instead. + =head1 PREVENTING SHELL ESCAPES Once B executes a program, that program is free to do whatever
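Review bot: the regenerated doc/sudoers.cat carries default-value changes that have nothing to do with the fast_glob note, and they should be dropped or committed separately: the hunks at the env_editor, ignore_dot and insults entries flip "This flag is _o_f_f by default" to "_o_n", and the syslog entry changes "Defaults to local2" to "Defaults to authpriv", while the corresponding sudoers.pod and sudoers.man.in hunks touch none of those entries. Those values are filled in from the configure settings of whatever tree rendered the catted page, so the catted file now documents a different build than the source it is generated from; regenerate it with the release configuration so that a reader of sudoers.cat is not told that ignore_dot and insults are on by default.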
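Review bot: the sudoers entry in the new SECURITY NOTES example (the `john ALL = ...` block in all three files) is split across two lines without a trailing backslash, so as written it is not a valid sudoers line; the EXAMPLES section on the same page continues long lines as `Cmnd_Alias DUMPS = /usr/bin/mt, /usr/sbin/dump, /usr/sbin/rdump,\`. Append `\` to the first line of the example in sudoers.pod (`/usr/bin/chsh [a-zA-Z0-9]*, \`) and in the `.Vb 2` block of sudoers.man.in (`\e` in roff) so the example can be pasted into a sudoers file as-is.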
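Review bot: the SECURITY NOTES paragraph explains the bypass with "the C library's fnmatch(3) function cannot resolve relative paths", which is looser than the fast_glob entry itself, where the hunk already states that fnmatch "does not access the file system to do its matching". Suggest saying it that way here too, since it is the actual mechanism: fnmatch(3) is a pure string comparison, so the relative path `./passwd` can never match the pattern `/usr/bin/*`, and the negated rule `!/usr/bin/* root` therefore does not apply to `./passwd root`, whereas with fast_glob off glob(3) expands the pattern against the file system and the negation holds. It would also help the option entry (the `.IP "fqdn"` region hunk in sudoers.man.in and the matching pod hunk) to end with a pointer such as "See SECURITY NOTES for an example", since that is where the worked rule now lives.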