From: Todd C. Miller Date: Wed, 7 Apr 1999 00:24:36 +0000 (+0000) Subject: runas-lists and NOPASSWD/PASSWD modifiers are now sticky and you can use "!" most... X-Git-Tag: SUDO_1_6_0~294 X-Git-Url: https://granicus.if.org/sourcecode?a=commitdiff_plain;h=2d8c7c08122513cfd7f044bc89a3262140067e33;p=sudo runas-lists and NOPASSWD/PASSWD modifiers are now sticky and you can use "!" most everywhere --- diff --git a/sudoers.cat b/sudoers.cat index b8f2032cc..7bc47369f 100644 --- a/sudoers.cat +++ b/sudoers.cat @@ -13,22 +13,22 @@ DDDDEEEESSSSCCCCRRRRIIIIPPPPTTTTIIIIOOOONNNN specification section. All command or host aliases need to start with their respective keywords (ie: Host_Alias, User_Alias, Runas_Alias or Cmnd_Alias). If there are - multiple occurrences of a user, the union of the entries - will be used. + multiple occurrences of a user, the logical union of the + entries will be used. Note that if there is an entry that + denies access to a command that is followed by an entry + that grants access the user will be allowed to run the + command. uuuusssseeeerrrr ssssppppeeeecccciiiiffffiiiiccccaaaattttiiiioooonnnn ffffoooorrrrmmmmaaaatttt:::: user access_group [: access_group] ... - access_group ::= host_type = [(runas_list)] [NOPASSWD:] [op]cmnd_type - [,[(user_list)] [NOPASSWD:] [op]cmnd_type] ... + access_group ::= host_type = [(runas-list)] [NOPASSWD:] [op]cmnd_type + [,[(user-list)] [NOPASSWD|PASSWD:] [op]cmnd_type] ... host_type ::= a lower-case hostname, netgroup, ip address, network number, network number/netmask, or host alias. - runas_list ::= comma-separated list of users, groups, - netgroups or Runas_Aliases the user may run - commands as (default is root). cmnd_type ::= a command OR a command alias. op ::= the logical "!" NOT operator. 
@@ -41,7 +41,8 @@ DDDDEEEESSSSCCCCRRRRIIIIPPPPTTTTIIIIOOOONNNN Host_Alias ::= a keyword. HOSTALIAS ::= an upper-case alias name. host-list ::= a comma separated list of hosts, netgroups, - ip addresses, networks. + ip addresses, networks. A logical "!" + NOT operator may be prefixed to any of these. uuuusssseeeerrrr aaaalllliiiiaaaassss sssseeeeccccttttiiiioooonnnn ffffoooorrrrmmmmaaaatttt:::: @@ -52,16 +53,15 @@ DDDDEEEESSSSCCCCRRRRIIIIPPPPTTTTIIIIOOOONNNN User_Alias ::= a keyword. USERALIAS ::= an upper-case alias name. user-list ::= a comma separated list of users, groups, netgroups. + A logical "!" NOT operator may be prefixed to any + of these. - rrrruuuunnnnaaaassss aaaalllliiiiaaaassss sssseeeeccccttttiiiioooonnnn ffffoooorrrrmmmmaaaatttt:::: - - Runas_Alias RUNASALIAS = runas-list -17/Jan/99 1.6 1 +6/Apr/99 1.6 1 @@ -70,9 +70,16 @@ DDDDEEEESSSSCCCCRRRRIIIIPPPPTTTTIIIIOOOONNNN sudoers(5) FILE FORMATS sudoers(5) + rrrruuuunnnnaaaassss aaaalllliiiiaaaassss sssseeeeccccttttiiiioooonnnn ffffoooorrrrmmmmaaaatttt:::: + + + Runas_Alias RUNASALIAS = runas-list + Runas_Alias ::= a keyword. RUNASALIAS ::= an upper-case alias name. runas-list ::= a comma separated list of users, groups, netgroups. + A logical "!" NOT operator may be prefixed to any + of these. ccccoooommmmmmmmaaaannnndddd aaaalllliiiiaaaassss sssseeeeccccttttiiiioooonnnn ffffoooorrrrmmmmaaaatttt:::: @@ -83,6 +90,8 @@ sudoers(5) FILE FORMATS sudoers(5) Cmnd_Alias ::= a keyword. CMNDALIAS ::= an upper-case alias name. cmnd-list ::= a comma separated list commands. + A logical "!" NOT operator may be prefixed to any + of these. ccccoooommmmmmmmaaaannnndddd ssssppppeeeecccciiiiffffiiiiccccaaaattttiiiioooonnnn:::: 
@@ -94,6 +103,46 @@ sudoers(5) FILE FORMATS sudoers(5) arg[1..n] ::= optional command line arguments. + ppppeeeerrrrssssiiiisssstttteeeennnncccceeee ooooffff mmmmooooddddiiiiffffiiiieeeerrrrssss + + When a _r_u_n_a_s_-_l_i_s_t is specified for an _a_c_c_e_s_s___g_r_o_u_p, it + affects all commands in the _a_c_c_e_s_s___g_r_o_u_p. For example, + given: + oper bigserver = (root, sysadm) /usr/bin/kill, /bin/rm + User oper will be able to run /usr/bin/kill and /bin/rm as + rrrrooooooootttt or ssssyyyyssssaaaaddddmmmm on the machine, bigserver. The _r_u_n_a_s_-_l_i_s_t + is "sticky" across entries in the comma-separated + _a_c_c_e_s_s___g_r_o_u_p. You can override the _r_u_n_a_s_-_l_i_s_t with + another one, at which point the new _r_u_n_a_s_-_l_i_s_t becomes the + default for that _a_c_c_e_s_s___g_r_o_u_p. For example, given: + oper bigserver = (root, sysadm) /usr/bin/kill, (root) + /bin/rm, \ /bin/rmdir User oper can still run + /usr/bin/kill as rrrrooooooootttt or ssssyyyyssssaaaaddddmmmm but can only run /bin/rm + and /bin/rmdir as rrrrooooooootttt. + + Similarly, the NNNNOOOOPPPPAAAASSSSSSSSWWWWDDDD modifier is also persistent across + an _a_c_c_e_s_s___g_r_o_u_p. For example given: + oper bigserver = NOPASSWD: /usr/bin/kill, /bin/rm, + /bin/rmdir User oper will be able to run /usr/bin/kill, + + + +6/Apr/99 1.6 2 + + + + + +sudoers(5) FILE FORMATS sudoers(5) + + + /bin/rm, and /bin/rmdir as rrrrooooooootttt without a password. If we + change that to: + oper bigserver = NOPASSWD: /usr/bin/kill, PASSWD: + /bin/rm, /bin/rmdir User oper can still run /usr/bin/kill + without a password but must give a password to run /bin/rm + and /bin/rmdir. + wwwwiiiillllddddccccaaaarrrrddddssss ((((aaaakkkkaaaa mmmmeeeettttaaaa cccchhhhaaaarrrraaaacccctttteeeerrrrssss)))):::: ssssuuuuddddoooo allows shell-style _w_i_l_d_c_a_r_d_s along with command 
@@ -124,35 +173,34 @@ sudoers(5) FILE FORMATS sudoers(5) Text after a pound sign (####) is considered a comment. Words that begin with a percent sign (%%%%) are assumed to be + UN*X groups (%staff refers to users in the group _s_t_a_f_f). + Words that begin with a plus sign (++++) are assumed to be + netgroups (++++ccccsssshhhhoooossssttttssss refers to the netgroup _c_s_h_o_s_t_s). Long + lines can be newline escaped with the backslash \\\\ + character. + The reserved word NNNNOOOOPPPPAAAASSSSSSSSWWWWDDDD indicates that a user need not + enter a password for the command listed in that entry. + The NNNNOOOOPPPPAAAASSSSSSSSWWWWDDDD modifier is persistent across entries in a + _u_s_e_r_-_l_i_s_t and can be reversed with the PPPPAAAASSSSSSSSWWWWDDDD modifier. + The reserved alias _A_L_L can be used for both + {Host,User,Cmnd}_Alias. DDDDOOOO NNNNOOOOTTTT define an alias of _A_L_L, it + will NNNNOOOOTTTT be used. Note that _A_L_L implies the entire + universe of hosts/users/commands. You can subtract + elements from the universe by using the syntax: + user host=ALL,!ALIAS1,!/sbin/halt... -17/Jan/99 1.6 2 +6/Apr/99 1.6 3 -sudoers(5) FILE FORMATS sudoers(5) - UN*X groups (%staff refers to users in the group _s_t_a_f_f). - Words that begin with a plus sign (++++) are assumed to be - netgroups (++++ccccsssshhhhoooossssttttssss refers to the netgroup _c_s_h_o_s_t_s). Long - lines can be newline escaped with the backslash \\\\ - character. The reserved word NNNNOOOOPPPPAAAASSSSSSSSWWWWDDDD indicates that a - user need not enter a password for the command listed in - that entry. +sudoers(5) FILE FORMATS sudoers(5) - The reserved alias _A_L_L can be used for both - {Host,User,Cmnd}_Alias. DDDDOOOO NNNNOOOOTTTT define an alias of _A_L_L, it - will NNNNOOOOTTTT be used. Note that _A_L_L implies the entire - universe of hosts/users/commands. You can subtract - elements from the universe by using the syntax: - user host=ALL,!ALIAS1,!/etc/halt... Note that the "!" 
- notation only works in a user's command list. You may not - use it to subtract elements in a User_Alias, Host_Alias, - Cmnd_Alias or user list. Commands may have optional command line arguments. If they do, then the arguments in the _s_u_d_o_e_r_s file must @@ -179,28 +227,11 @@ EEEEXXXXAAAAMMMMPPPPLLLLEEEESSSS Runas_Alias OP=root,operator # Command alias specification - Cmnd_Alias LPCS=/usr/etc/lpc,/usr/ucb/lprm + Cmnd_Alias LPCS=/usr/sbin/lpc,/usr/bin/lprm Cmnd_Alias SHELLS=/bin/sh,/bin/csh,/bin/tcsh,/bin/ksh - Cmnd_Alias SU=/bin/su + Cmnd_Alias SU=/usr/bin/su Cmnd_Alias MISC=/bin/rm,/bin/cat:\ - SHUTDOWN=/etc/halt,/etc/shutdown - - - - - - - - - -17/Jan/99 1.6 3 - - - - - -sudoers(5) FILE FORMATS sudoers(5) - + SHUTDOWN=/sbin/halt,/sbin/shutdown # User specification FULLTIME ALL=(ALL) NOPASSWD: ALL @@ -208,12 +239,12 @@ sudoers(5) FILE FORMATS sudoers(5) PARTTIME ALL=ALL,!SHELLS,!SU +interns +openlabs=ALL,!SHELLS,!SU britt REMOTE=SHUTDOWN:ALL=LPCS - jimbo CUNETS=/bin/su ?*,!/bin/su *root* - nieusma SERVERS=SHUTDOWN,/etc/reboot:\ + jimbo CUNETS=/usr/bin/su [!-]*,!/usr/bin/su *root* + nieusma SERVERS=SHUTDOWN,/sbin/reboot:\ HUB=ALL,!SHELLS - jill houdini=/etc/shutdown -[hr] now,MISC - markm HUB=ALL,!MISC,!/etc/shutdown,!/etc/halt - davehieb merlin=(OP) ALL:SERVERS=/etc/halt:\ + jill houdini=/sbin/shutdown -[hr] now,MISC + markm HUB=ALL,!MISC,!/sbin/shutdown,!/sbin/halt + davehieb merlin=(OP) ALL:SERVERS=/sbin/halt:\ kodiakthorn=NOPASSWD: ALL steve CSNETS=(operator) /usr/op_commands/ 
@@ -225,11 +256,23 @@ sudoers(5) FILE FORMATS sudoers(5) three machines merlin, kodiakthorn and spirit. Similarly, SERVERS is set to the machines houdini, merlin, kodiakthorn and spirit. The CSNETS alias will match any + + + +6/Apr/99 1.6 4 + + + + + +sudoers(5) FILE FORMATS sudoers(5) + + host on the 128.138.243.0, 128.138.204.0, or 128.138.205.192 nets. The CUNETS alias will match any host on the 128.138.0.0 (class B) network. Note that these are nnnneeeettttwwwwoooorrrrkkkk addresses, not ip addresses. Unless an - explicate netmask is given, the local _n_e_t_m_a_s_k is used to + explicit netmask is given, the local _n_e_t_m_a_s_k is used to determine whether or not the current host belongs to a network. @@ -256,18 +299,6 @@ sudoers(5) FILE FORMATS sudoers(5) PARTTIME Part-time sysadmins in the PARTTIME alias may run any command except those in the - - - -17/Jan/99 1.6 4 - - - - - -sudoers(5) FILE FORMATS sudoers(5) - - SHELLS and SU aliases on any host. +interns Any user in the netgroup interns may run 
@@ -281,27 +312,39 @@ sudoers(5) FILE FORMATS sudoers(5) jimbo The user jimbo may su to any user save root on the machines on CUNETS (which is - explicately listed as a class B network). + explicitly listed as a class B network). nieusma The user nieusma may run commands in the - SHUTDOWN alias as well as _/_e_t_c_/_r_e_b_o_o_t on + SHUTDOWN alias as well as _/_s_b_i_n_/_r_e_b_o_o_t on the SERVER machines and any command except those in the SHELLS alias on the HUB machines. - jill The user jill may run /etc/shutdown -h now - or /etc/shutdown -r now as well as the - commands in the MISC alias on houdini. + jill The user jill may run /sbin/shutdown -h + now or /sbin/shutdown -r now as well as + + + +6/Apr/99 1.6 5 + + + + + +sudoers(5) FILE FORMATS sudoers(5) + + + the commands in the MISC alias on houdini. markm The user markm may run any command on the - HUB machines except _/_e_t_c_/_s_h_u_t_d_o_w_n, - _/_e_t_c_/_h_a_l_t, and commands listed in the MISC - alias. + HUB machines except _/_s_b_i_n_/_s_h_u_t_d_o_w_n, + _/_s_b_i_n_/_h_a_l_t, and commands listed in the + MISC alias. davehieb The user davehieb may run any command on merlin as any user in the Runas_Alias OP (ie: root or operator). He may also run - _/_e_t_c_/_h_a_l_t on the SERVERS and any command + _/_s_b_i_n_/_h_a_l_t on the SERVERS and any command on kodiakthorn (no password required on kodiakthorn). @@ -321,11 +364,34 @@ FFFFIIIILLLLEEEESSSS /etc/netgroup list of network groups. +SSSSEEEEEEEE AAAALLLLSSSSOOOO + _s_u_d_o(8), _v_i_s_u_d_o(8), _s_u(1), _f_n_m_a_t_c_h(3). + + + + + + + + + + + -17/Jan/99 1.6 5 + + + + + + + + + + +6/Apr/99 1.6 6 @@ -334,8 +400,6 @@ FFFFIIIILLLLEEEESSSS sudoers(5) FILE FORMATS sudoers(5) -SSSSEEEEEEEE AAAALLLLSSSSOOOO - _s_u_d_o(8), _v_i_s_u_d_o(8), _s_u(1), _f_n_m_a_t_c_h(3). @@ -391,6 +455,8 @@ SSSSEEEEEEEE AAAALLLLSSSSOOOO -17/Jan/99 1.6 6 + + +6/Apr/99 1.6 7 diff --git a/sudoers.html b/sudoers.html index 886f54f94..6b1053bab 100644 --- a/sudoers.html +++ b/sudoers.html 
@@ -21,6 +21,7 @@
  • runas alias section format:
  • command alias section format:
  • command specification: +
  • persistence of modifiers
  • wildcards (aka meta characters):
  • exceptions to wildcard rules:
  • other special characters and reserved words: @@ -61,7 +62,9 @@ The sudoers file is composed of an optional host alias section, an opti alias section and the user specification section. All command or host aliases need to start with their respective keywords (ie: Host_Alias, User_Alias, Runas_Alias or Cmnd_Alias). If there are multiple occurrences -of a user, the union of the entries will be used. +of a user, the logical union of the entries will be used. Note that if +there is an entry that denies access to a command that is followed by an +entry that grants access the user will be allowed to run the command.

    @@ -76,14 +79,11 @@ of a user, the union of the entries will be used.

    -

        access_group ::= host_type = [(runas_list)] [NOPASSWD:] [op]cmnd_type
    -                     [,[(user_list)] [NOPASSWD:] [op]cmnd_type] ... 
    +
        access_group ::= host_type = [(runas-list)] [NOPASSWD:] [op]cmnd_type
    +                     [,[(user-list)] [NOPASSWD|PASSWD:] [op]cmnd_type] ... 
            host_type ::= a lower-case hostname, netgroup, ip address,
                          network number, network number/netmask,
                          or host alias.
    -       runas_list ::= comma-separated list of users, groups,
    -                      netgroups or Runas_Aliases the user may run
    -                      commands as (default is root).
            cmnd_type ::= a command OR a command alias.
                   op ::= the logical "!" NOT operator.
     
    @@ -103,7 +103,8 @@ of a user, the union of the entries will be used.
          Host_Alias ::= a keyword.
            HOSTALIAS ::= an upper-case alias name.
            host-list ::= a comma separated list of hosts, netgroups,
    -                     ip addresses, networks.
    +                     ip addresses, networks.  A logical "!"
    +                     NOT operator may be prefixed to any of these.
     

    @@ -121,6 +122,8 @@ of a user, the union of the entries will be used.

          User_Alias ::= a keyword.
            USERALIAS ::= an upper-case alias name.
            user-list ::= a comma separated list of users, groups, netgroups.
    +                     A logical "!" NOT operator may be prefixed to any
    +                     of these.
     

    @@ -138,6 +141,8 @@ of a user, the union of the entries will be used.

          Runas_Alias ::= a keyword.
            RUNASALIAS ::= an upper-case alias name.
            runas-list ::= a comma separated list of users, groups, netgroups.
    +                      A logical "!" NOT operator may be prefixed to any
    +                      of these.
     

    @@ -155,6 +160,8 @@ of a user, the union of the entries will be used.

          Cmnd_Alias ::= a keyword.
            CMNDALIAS ::= an upper-case alias name.
            cmnd-list ::= a comma separated list commands.
    +                     A logical "!" NOT operator may be prefixed to any
    +                     of these.
     

    @@ -173,6 +180,30 @@ of a user, the union of the entries will be used. arg[1..n] ::= optional command line arguments.

    +

    + +

    +


    +

    persistence of modifiers + +

    +When a runas-list is specified for an access_group, it affects all commands in the access_group. For example, given: oper bigserver = (root, sysadm) /usr/bin/kill, +/bin/rm User oper will be able to run /usr/bin/kill and /bin/rm +as root or sysadm on the machine, bigserver. The +runas-list is ``sticky'' across entries in the comma-separated +access_group. You can override the runas-list with another one, at which point the new runas-list becomes the default for that access_group. For example, given: oper bigserver = (root, sysadm) /usr/bin/kill, (root) +/bin/rm, \ /bin/rmdir User oper can still run /usr/bin/kill as root or sysadm but can only run /bin/rm and /bin/rmdir as root. + + +

    + +Similarly, the NOPASSWD modifier is also persistent across an +access_group. For example given: oper bigserver = NOPASSWD: /usr/bin/kill, /bin/rm, +/bin/rmdir User oper will be able to run /usr/bin/kill, /bin/rm, and +/bin/rmdir as root without a password. If we change that to: oper bigserver = NOPASSWD: +/usr/bin/kill, PASSWD: /bin/rm, /bin/rmdir User oper can still run /usr/bin/kill without a password but must give a password to run /bin/rm and /bin/rmdir. + +

    @@ -254,8 +285,15 @@ If the empty string "" is the only command line argument in the

    other special characters and reserved words:

    -Text after a pound sign (#) is considered a comment. Words that begin with a percent sign (%) are assumed to be UN*X groups (%staff refers to users in the group staff). Words that begin with a plus sign (+) are assumed to be netgroups (+cshosts refers to the netgroup cshosts). Long lines can be newline escaped with the backslash \ character. The reserved word NOPASSWD indicates that a user need not enter a password for the command listed in -that entry. +Text after a pound sign (#) is considered a comment. Words that begin with a percent sign (%) are assumed to be UN*X groups (%staff refers to users in the group staff). Words that begin with a plus sign (+) are assumed to be netgroups (+cshosts refers to the netgroup cshosts). Long lines can be newline escaped with the backslash \ character. + + +

    + +The reserved word NOPASSWD indicates that a user need not enter a password for the command listed in +that entry. The +NOPASSWD modifier is persistent across entries in a user-list +and can be reversed with the PASSWD modifier.

    @@ -263,9 +301,7 @@ that entry. The reserved alias ALL can be used for both {Host,User,Cmnd}_Alias. DO NOT define an alias of ALL, it will NOT be used. Note that ALL implies the entire universe of hosts/users/commands. You can subtract elements from the universe by using the syntax: user -host=ALL,!ALIAS1,!/etc/halt... Note that the ``!'' notation only works in a -user's command list. You may not use it to subtract elements in a -User_Alias, Host_Alias, Cmnd_Alias or user list. +host=ALL,!ALIAS1,!/sbin/halt...

    @@ -310,11 +346,11 @@ escaped with a ``\'' if used in command arguments: ``,'', ``:'', ``='',

        # Command alias specification
    -    Cmnd_Alias  LPCS=/usr/etc/lpc,/usr/ucb/lprm
    +    Cmnd_Alias  LPCS=/usr/sbin/lpc,/usr/bin/lprm
         Cmnd_Alias  SHELLS=/bin/sh,/bin/csh,/bin/tcsh,/bin/ksh
    -    Cmnd_Alias  SU=/bin/su
    +    Cmnd_Alias  SU=/usr/bin/su
         Cmnd_Alias  MISC=/bin/rm,/bin/cat:\
    -                SHUTDOWN=/etc/halt,/etc/shutdown
    +                SHUTDOWN=/sbin/halt,/sbin/shutdown
     

    @@ -325,12 +361,12 @@ escaped with a ``\'' if used in command arguments: ``,'', ``:'', ``='', PARTTIME ALL=ALL,!SHELLS,!SU +interns +openlabs=ALL,!SHELLS,!SU britt REMOTE=SHUTDOWN:ALL=LPCS - jimbo CUNETS=/bin/su ?*,!/bin/su *root* - nieusma SERVERS=SHUTDOWN,/etc/reboot:\ + jimbo CUNETS=/usr/bin/su [!-]*,!/usr/bin/su *root* + nieusma SERVERS=SHUTDOWN,/sbin/reboot:\ HUB=ALL,!SHELLS - jill houdini=/etc/shutdown -[hr] now,MISC - markm HUB=ALL,!MISC,!/etc/shutdown,!/etc/halt - davehieb merlin=(OP) ALL:SERVERS=/etc/halt:\ + jill houdini=/sbin/shutdown -[hr] now,MISC + markm HUB=ALL,!MISC,!/sbin/shutdown,!/sbin/halt + davehieb merlin=(OP) ALL:SERVERS=/sbin/halt:\ kodiakthorn=NOPASSWD: ALL steve CSNETS=(operator) /usr/op_commands/ @@ -346,8 +382,7 @@ The are four host aliases. The first actually contains two aliases< to the three machines merlin, kodiakthorn and spirit. Similarly, SERVERS is set to the machines houdini, merlin, kodiakthorn and spirit. The CSNETS alias will match any host on the 128.138.243.0, 128.138.204.0, or 128.138.205.192 nets. The CUNETS alias will match any host on the 128.138.0.0 (class B) network. Note that -these are network addresses, not ip addresses. Unless an explicate netmask is given, the -local netmask +these are network addresses, not ip addresses. Unless an explicit netmask is given, the local netmask is used to determine whether or not the current host belongs to a network. @@ -424,7 +459,7 @@ The user britt may run commands in the SHUTDOWN<

    jimbo
    -The user jimbo may su to any user save root on the machines on CUNETS (which is explicately listed as a class B network). +The user jimbo may su to any user save root on the machines on CUNETS (which is explicitly listed as a class B network).

    @@ -432,7 +467,7 @@ The user jimbo may su to any user save ro

    nieusma
    -The user nieusma may run commands in the SHUTDOWN alias as well as /etc/reboot on the SERVER machines and any command except those in the SHELLS alias on the HUB +The user nieusma may run commands in the SHUTDOWN alias as well as /sbin/reboot on the SERVER machines and any command except those in the SHELLS alias on the HUB machines. @@ -441,8 +476,8 @@ machines.
    jill
    -The user jill may run /etc/shutdown -h now or -/etc/shutdown -r now as well as the commands in the +The user jill may run /sbin/shutdown -h now or +/sbin/shutdown -r now as well as the commands in the MISC alias on houdini. @@ -451,7 +486,7 @@ The user jill may run /etc/shutdown -h now
    markm
    -The user markm may run any command on the HUB machines except /etc/shutdown, /etc/halt, and commands listed in the MISC alias. +The user markm may run any command on the HUB machines except /sbin/shutdown, /sbin/halt, and commands listed in the MISC alias.

    @@ -459,7 +494,7 @@ The user markm may run any command on the HUBdavehieb

    -The user davehieb may run any command on merlin as any user in the Runas_Alias OP (ie: root or operator). He may also run /etc/halt on the SERVERS and any command on kodiakthorn (no password required on kodiakthorn). +The user davehieb may run any command on merlin as any user in the Runas_Alias OP (ie: root or operator). He may also run /sbin/halt on the SERVERS and any command on kodiakthorn (no password required on kodiakthorn).

    diff --git a/sudoers.man b/sudoers.man index f7ce248e3..fd834d032 100644 --- a/sudoers.man +++ b/sudoers.man @@ -2,8 +2,8 @@ ''' $RCSfile$$Revision$$Date$ ''' ''' $Log$ -''' Revision 1.7 1999/04/05 20:57:23 millert -''' Crank version to 1.6 and combine copyright statements +''' Revision 1.8 1999/04/07 00:24:35 millert +''' runas-lists and NOPASSWD/PASSWD modifiers are now sticky and you can use "!" most everywhere ''' ''' .de Sh @@ -96,7 +96,7 @@ .nr % 0 .rr F .\} -.TH sudoers 5 "1.6" "17/Jan/99" "FILE FORMATS" +.TH sudoers 5 "1.6" "6/Apr/99" "FILE FORMATS" .UC .if n .hy 0 .if n .na @@ -197,22 +197,21 @@ The \fIsudoers\fR file is composed of an optional host alias section, an optional command alias section and the user specification section. All command or host aliases need to start with their respective keywords (ie: Host_Alias, User_Alias, Runas_Alias or Cmnd_Alias). -If there are multiple occurrences of a user, the union of the entries -will be used. +If there are multiple occurrences of a user, the logical union of the +entries will be used. Note that if there is an entry that denies access +to a command that is followed by an entry that grants access the user +will be allowed to run the command. .Sh "user specification format:" .PP .Vb 1 \& user access_group [: access_group] ... .Ve -.Vb 10 -\& access_group ::= host_type = [(runas_list)] [NOPASSWD:] [op]cmnd_type -\& [,[(user_list)] [NOPASSWD:] [op]cmnd_type] ... +.Vb 7 +\& access_group ::= host_type = [(runas-list)] [NOPASSWD:] [op]cmnd_type +\& [,[(user-list)] [NOPASSWD|PASSWD:] [op]cmnd_type] ... \& host_type ::= a lower-case hostname, netgroup, ip address, \& network number, network number/netmask, \& or host alias. -\& runas_list ::= comma-separated list of users, groups, -\& netgroups or Runas_Aliases the user may run -\& commands as (default is root). \& cmnd_type ::= a command OR a command alias. \& op ::= the logical "!" NOT operator. .Ve 
@@ -221,41 +220,48 @@ will be used. .Vb 1 \& Host_Alias HOSTALIAS = host-list .Ve -.Vb 4 +.Vb 5 \& Host_Alias ::= a keyword. \& HOSTALIAS ::= an upper-case alias name. \& host-list ::= a comma separated list of hosts, netgroups, -\& ip addresses, networks. +\& ip addresses, networks. A logical "!" +\& NOT operator may be prefixed to any of these. .Ve .Sh "user alias section format:" .PP .Vb 1 \& User_Alias USERALIAS = user-list .Ve -.Vb 3 +.Vb 5 \& User_Alias ::= a keyword. \& USERALIAS ::= an upper-case alias name. \& user-list ::= a comma separated list of users, groups, netgroups. +\& A logical "!" NOT operator may be prefixed to any +\& of these. .Ve .Sh "runas alias section format:" .PP .Vb 1 \& Runas_Alias RUNASALIAS = runas-list .Ve -.Vb 3 +.Vb 5 \& Runas_Alias ::= a keyword. \& RUNASALIAS ::= an upper-case alias name. \& runas-list ::= a comma separated list of users, groups, netgroups. +\& A logical "!" NOT operator may be prefixed to any +\& of these. .Ve .Sh "command alias section format:" .PP .Vb 1 \& Cmnd_Alias CMNDALIAS = cmnd-list .Ve -.Vb 3 +.Vb 5 \& Cmnd_Alias ::= a keyword. \& CMNDALIAS ::= an upper-case alias name. \& cmnd-list ::= a comma separated list commands. +\& A logical "!" NOT operator may be prefixed to any +\& of these. .Ve .Sh "command specification:" .PP 
@@ -266,6 +272,29 @@ will be used. \& path ::= a fully qualified pathname. \& arg[1..n] ::= optional command line arguments. .Ve +.Sh "persistence of modifiers" +When a \fIrunas-list\fR is specified for an \fIaccess_group\fR, it +affects all commands in the \fIaccess_group\fR. For example, given: + oper bigserver = (root, sysadm) /usr/bin/kill, /bin/rm +User \f(CWoper\fR will be able to run \f(CW/usr/bin/kill\fR and \f(CW/bin/rm\fR +as \fBroot\fR or \fBsysadm\fR on the machine, \f(CWbigserver\fR. The +\fIrunas-list\fR is \*(L"sticky\*(R" across entries in the comma-separated +\fIaccess_group\fR. You can override the \fIrunas-list\fR with another +one, at which point the new \fIrunas-list\fR becomes the default for +that \fIaccess_group\fR. For example, given: + oper bigserver = (root, sysadm) /usr/bin/kill, (root) /bin/rm, \e + /bin/rmdir +User \f(CWoper\fR can still run \f(CW/usr/bin/kill\fR as \fBroot\fR or \fBsysadm\fR but +can only run \f(CW/bin/rm\fR and \f(CW/bin/rmdir\fR as \fBroot\fR. +.PP +Similarly, the \fB\s-1NOPASSWD\s0\fR modifier is also persistent across an +\fIaccess_group\fR. For example given: + oper bigserver = \s-1NOPASSWD\s0: /usr/bin/kill, /bin/rm, /bin/rmdir +User \f(CWoper\fR will be able to run \f(CW/usr/bin/kill\fR, \f(CW/bin/rm\fR, and +\f(CW/bin/rmdir\fR as \fBroot\fR without a password. If we change that to: + oper bigserver = \s-1NOPASSWD\s0: /usr/bin/kill, \s-1PASSWD\s0: /bin/rm, /bin/rmdir +User \f(CWoper\fR can still run \f(CW/usr/bin/kill\fR without a password but +must give a password to run \f(CW/bin/rm\fR and \f(CW/bin/rmdir\fR. .Sh "wildcards (aka meta characters):" \fBsudo\fR allows shell-style \fIwildcards\fR along with command arguments in the \fIsudoers\fR file. Wildcard matching is done via the \fB\s-1POSIX\s0\fR 
@@ -293,17 +322,17 @@ be \s-1UN\s0*X groups (%staff refers to users in the group \fIstaff\fR). Words that begin with a plus sign (\fB+\fR) are assumed to be netgroups (\fB+cshosts\fR refers to the netgroup \fIcshosts\fR). Long lines can be newline escaped with the backslash \fB\e\fR character. +.PP The reserved word \fB\s-1NOPASSWD\s0\fR indicates that a user need not -enter a password for the command listed in that entry. +enter a password for the command listed in that entry. The +\fB\s-1NOPASSWD\s0\fR modifier is persistent across entries in a \fIuser-list\fR +and can be reversed with the \fB\s-1PASSWD\s0\fR modifier. .PP The reserved alias \fI\s-1ALL\s0\fR can be used for both {Host,User,Cmnd}_Alias. \fB\s-1DO\s0 \s-1NOT\s0\fR define an alias of \fI\s-1ALL\s0\fR, it will \fB\s-1NOT\s0\fR be used. Note that \fI\s-1ALL\s0\fR implies the entire universe of hosts/users/commands. You can subtract elements from the universe by using the syntax: - user host=\s-1ALL\s0,!\s-1ALIAS1\s0,!/etc/halt... -Note that the \*(L"!\*(R" notation only works in a user's command list. You -may not use it to subtract elements in a User_Alias, Host_Alias, -Cmnd_Alias or user list. + user host=\s-1ALL\s0,!\s-1ALIAS1\s0,!/sbin/halt... .PP Commands may have optional command line arguments. If they do, then the arguments in the \fIsudoers\fR file must exactly match those @@ -333,11 +362,11 @@ with a \*(L"\e\*(R" if used in command arguments: \*(L",\*(R", \*(L":\*(R", \*(L .Ve .Vb 6 \& # Command alias specification -\& Cmnd_Alias LPCS=/usr/etc/lpc,/usr/ucb/lprm +\& Cmnd_Alias LPCS=/usr/sbin/lpc,/usr/bin/lprm \& Cmnd_Alias SHELLS=/bin/sh,/bin/csh,/bin/tcsh,/bin/ksh -\& Cmnd_Alias SU=/bin/su +\& Cmnd_Alias SU=/usr/bin/su \& Cmnd_Alias MISC=/bin/rm,/bin/cat:\e -\& SHUTDOWN=/etc/halt,/etc/shutdown +\& SHUTDOWN=/sbin/halt,/sbin/shutdown .Ve .Vb 14 \& # User specification 
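Review bot: in the "other special characters" hunk, "The NOPASSWD modifier is persistent across entries in a user-list" uses the wrong term: a user-list is the right-hand side of a User_Alias, while the new "persistence of modifiers" section and the access_group grammar describe the modifier as sticky across the entries of an access_group. Replace "user-list" with "access_group" here and in sudoers.pod, then regenerate sudoers.cat and sudoers.html, which carry the same wording. The same hunk also deletes the sentence saying the "!" notation only works in a user's command list without adding any statement about how a negated entry inside an alias combines with the rest of its list; with entries such as ALL=ALL,!SHELLS,!SU in the examples, one sentence saying whether a "!" element removes those commands from what precedes it in the same list (and whether it can override a grant made elsewhere) would prevent misreadings of the "logical union" rule.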
@@ -346,12 +375,12 @@ with a \*(L"\e\*(R" if used in command arguments: \*(L",\*(R", \*(L":\*(R", \*(L \& PARTTIME ALL=ALL,!SHELLS,!SU \& +interns +openlabs=ALL,!SHELLS,!SU \& britt REMOTE=SHUTDOWN:ALL=LPCS -\& jimbo CUNETS=/bin/su ?*,!/bin/su *root* -\& nieusma SERVERS=SHUTDOWN,/etc/reboot:\e +\& jimbo CUNETS=/usr/bin/su [!-]*,!/usr/bin/su *root* +\& nieusma SERVERS=SHUTDOWN,/sbin/reboot:\e \& HUB=ALL,!SHELLS -\& jill houdini=/etc/shutdown -[hr] now,MISC -\& markm HUB=ALL,!MISC,!/etc/shutdown,!/etc/halt -\& davehieb merlin=(OP) ALL:SERVERS=/etc/halt:\e +\& jill houdini=/sbin/shutdown -[hr] now,MISC +\& markm HUB=ALL,!MISC,!/sbin/shutdown,!/sbin/halt +\& davehieb merlin=(OP) ALL:SERVERS=/sbin/halt:\e \& kodiakthorn=NOPASSWD: ALL \& steve CSNETS=(operator) /usr/op_commands/ .Ve @@ -364,7 +393,7 @@ Similarly, \f(CWSERVERS\fR is set to the machines \f(CWhoudini\fR, \f(CWmerlin\f any host on the 128.138.243.0, 128.138.204.0, or 128.138.205.192 nets. The \f(CWCUNETS\fR alias will match any host on the 128.138.0.0 (class B) network. Note that these are \fBnetwork\fR addresses, not ip -addresses. Unless an explicate netmask is given, the local \fInetmask\fR +addresses. Unless an explicit netmask is given, the local \fInetmask\fR is used to determine whether or not the current host belongs to a network. .Sh "User Alias specifications:" The two \fIuser aliases\fR simply groups the \f(CWFULLTIME\fR and 
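Review bot: the jimbo example changes `/bin/su ?*` to `/usr/bin/su [!-]*`, which is a sound tightening (with fnmatch, `[!-]*` only matches a first argument that does not begin with a dash, so this entry no longer lets option arguments through to su), but the description in the following hunk still says only "may su to any user save root". Update that description to mention that arguments beginning with "-" are excluded, so readers who copy the example understand what the character class is for. Note also that `!/usr/bin/su *root*` excludes any argument containing "root" anywhere, not just the user root, so "save root" slightly understates the effect.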
@@ -393,25 +422,25 @@ on the \f(CWREMOTE\fR machines and commands in the \f(CWLPCS\fR alias on any machine. .Ip "jimbo" 16 The user \f(CWjimbo\fR may \f(CWsu\fR to any user save root on the -machines on \f(CWCUNETS\fR (which is explicately listed as a class +machines on \f(CWCUNETS\fR (which is explicitly listed as a class B network). .Ip "nieusma" 16 The user \f(CWnieusma\fR may run commands in the \f(CWSHUTDOWN\fR alias -as well as \fI/etc/reboot\fR on the \f(CWSERVER\fR machines and +as well as \fI/sbin/reboot\fR on the \f(CWSERVER\fR machines and any command except those in the \f(CWSHELLS\fR alias on the \f(CWHUB\fR machines. .Ip "jill" 16 -The user \f(CWjill\fR may run \f(CW/etc/shutdown -h now\fR or -\f(CW/etc/shutdown -r now\fR as well as the commands in the +The user \f(CWjill\fR may run \f(CW/sbin/shutdown -h now\fR or +\f(CW/sbin/shutdown -r now\fR as well as the commands in the \f(CWMISC\fR alias on houdini. .Ip "markm" 16 The user \f(CWmarkm\fR may run any command on the \f(CWHUB\fR machines -except \fI/etc/shutdown\fR, \fI/etc/halt\fR, and commands listed +except \fI/sbin/shutdown\fR, \fI/sbin/halt\fR, and commands listed in the \f(CWMISC\fR alias. .Ip "davehieb" 16 The user \f(CWdavehieb\fR may run any command on \f(CWmerlin\fR as any user in the Runas_Alias \s-1OP\s0 (ie: root or operator). He may -also run \fI/etc/halt\fR on the \f(CWSERVERS\fR and any command +also run \fI/sbin/halt\fR on the \f(CWSERVERS\fR and any command on \f(CWkodiakthorn\fR (no password required on \f(CWkodiakthorn\fR). .Ip "steve" 16 The user \f(CWsteve\fR may run any command in the \fI/usr/op_commands/\fR @@ -450,6 +479,8 @@ will not run with a syntactically incorrect \fIsudoers\fR file. .IX Subsection "command specification:" +.IX Subsection "persistence of modifiers" + .IX Subsection "wildcards (aka meta characters):" .IX Item "\f(CW*\fR" diff --git a/sudoers.pod b/sudoers.pod index 07261af01..8fbf30771 100644 --- a/sudoers.pod +++ b/sudoers.pod 
@@ -12,21 +12,20 @@ The I file is composed of an optional host alias section, an optional command alias section and the user specification section. All command or host aliases need to start with their respective keywords (ie: Host_Alias, User_Alias, Runas_Alias or Cmnd_Alias). -If there are multiple occurrences of a user, the union of the entries -will be used. +If there are multiple occurrences of a user, the logical union of the +entries will be used. Note that if there is an entry that denies access +to a command that is followed by an entry that grants access the user +will be allowed to run the command. =head2 user specification format: user access_group [: access_group] ... - access_group ::= host_type = [(runas_list)] [NOPASSWD:] [op]cmnd_type - [,[(user_list)] [NOPASSWD:] [op]cmnd_type] ... + access_group ::= host_type = [(runas-list)] [NOPASSWD:] [op]cmnd_type + [,[(user-list)] [NOPASSWD|PASSWD:] [op]cmnd_type] ... host_type ::= a lower-case hostname, netgroup, ip address, network number, network number/netmask, or host alias. - runas_list ::= comma-separated list of users, groups, - netgroups or Runas_Aliases the user may run - commands as (default is root). cmnd_type ::= a command OR a command alias. op ::= the logical "!" NOT operator. @@ -37,7 +36,8 @@ will be used. Host_Alias ::= a keyword. HOSTALIAS ::= an upper-case alias name. host-list ::= a comma separated list of hosts, netgroups, - ip addresses, networks. + ip addresses, networks. A logical "!" + NOT operator may be prefixed to any of these. =head2 user alias section format: @@ -46,6 +46,8 @@ will be used. User_Alias ::= a keyword. USERALIAS ::= an upper-case alias name. user-list ::= a comma separated list of users, groups, netgroups. + A logical "!" NOT operator may be prefixed to any + of these. =head2 runas alias section format: 
@@ -54,6 +56,8 @@ will be used. Runas_Alias ::= a keyword. RUNASALIAS ::= an upper-case alias name. runas-list ::= a comma separated list of users, groups, netgroups. + A logical "!" NOT operator may be prefixed to any + of these. =head2 command alias section format: @@ -62,6 +66,8 @@ will be used. Cmnd_Alias ::= a keyword. CMNDALIAS ::= an upper-case alias name. cmnd-list ::= a comma separated list commands. + A logical "!" NOT operator may be prefixed to any + of these. =head2 command specification: @@ -70,6 +76,31 @@ will be used. path ::= a fully qualified pathname. arg[1..n] ::= optional command line arguments. +=head2 persistence of modifiers + +When a I is specified for an I, it +affects all commands in the I. For example, given: + oper bigserver = (root, sysadm) /usr/bin/kill, /bin/rm +User C will be able to run C and C +as B or B on the machine, C. The +I is "sticky" across entries in the comma-separated +I. You can override the I with another +one, at which point the new I becomes the default for +that I. For example, given: + oper bigserver = (root, sysadm) /usr/bin/kill, (root) /bin/rm, \ + /bin/rmdir +User C can still run C as B or B but +can only run C and C as B. + +Similarly, the B modifier is also persistent across an +I. For example given: + oper bigserver = NOPASSWD: /usr/bin/kill, /bin/rm, /bin/rmdir +User C will be able to run C, C, and +C as B without a password. If we change that to: + oper bigserver = NOPASSWD: /usr/bin/kill, PASSWD: /bin/rm, /bin/rmdir +User C can still run C without a password but +must give a password to run C and C. + =head2 wildcards (aka meta characters): B allows shell-style I along with command arguments 
@@ -122,17 +153,17 @@ be UN*X groups (%staff refers to users in the group I). Words that begin with a plus sign (B<+>) are assumed to be netgroups (B<+cshosts> refers to the netgroup I). Long lines can be newline escaped with the backslash B<\> character. + The reserved word B indicates that a user need not -enter a password for the command listed in that entry. +enter a password for the command listed in that entry. The +B modifier is persistent across entries in a I +and can be reversed with the B modifier. The reserved alias I can be used for both {Host,User,Cmnd}_Alias. B define an alias of I, it will B be used. Note that I implies the entire universe of hosts/users/commands. You can subtract elements from the universe by using the syntax: user host=ALL,!ALIAS1,!/sbin/halt... -Note that the "!" notation only works in a user's command list. You -may not use it to subtract elements in a User_Alias, Host_Alias, -Cmnd_Alias or user list. Commands may have optional command line arguments. If they do, then the arguments in the I file must exactly match those @@ -190,7 +221,7 @@ C and C. The C alias will match any host on the 128.138.243.0, 128.138.204.0, or 128.138.205.192 nets. The C alias will match any host on the 128.138.0.0 (class B) network. Note that these are B addresses, not ip -addresses. Unless an explicate netmask is given, the local I +addresses. Unless an explicit netmask is given, the local I is used to determine whether or not the current host belongs to a network. =head2 User Alias specifications: @@ -238,7 +269,7 @@ on any machine. =item jimbo The user C may C to any user save root on the -machines on C (which is explicately listed as a class +machines on C (which is explicitly listed as a class B network). =item nieusma
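Review bot: The prose for the jimbo entry is not updated to match the new pattern in the example. The example now reads `jimbo CUNETS=/usr/bin/su [!-]*,!/usr/bin/su *root*`, where `[!-]*` replaces the old `?*` so that the first argument must exist and must not begin with `-`; that is what keeps a bare `su` and `su -` (both of which default to root) from matching the grant, while the negated `*root*` pattern is what rejects any argument list that names root explicitly. The description later in the same file still only says jimbo "may su to any user save root", so a reader copying the example has no idea why `[!-]*` is there. Add a sentence explaining both halves of the entry, and keep the two patterns in this order, since the grant must precede the exclusion.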
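Review bot: The new sentence in the description hunk is hard to parse and understates the rule. "Note that if there is an entry that denies access to a command that is followed by an entry that grants access the user will be allowed to run the command" describes one case of a general rule that the text never states: entries are matched in order and the last matching entry decides, which is why `PARTTIME ALL=ALL,!SHELLS,!SU` works and why the reverse order would not. Say that plainly, with commas around the relative clause, e.g. "Entries are evaluated in order and the last match wins, so a `!` exclusion only takes effect if it follows the grant it restricts." This matters more now that `!` is accepted inside the alias lists as well.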
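Review bot: The user specification grammar hunk references `[(runas-list)]` but deletes the only definition of it in this section (`runas_list ::= comma-separated list of users, groups, netgroups or Runas_Aliases the user may run commands as (default is root)`), and the `runas-list` production in the Runas_Alias section says only "users, groups, netgroups", so neither the fact that a Runas_Alias may appear in the list nor the root default is documented anywhere in the grammar any more. Keep the definition here or extend the one in the Runas_Alias section. Two smaller points on the same lines: the repeated position reads `[,[(user-list)] ...` where `[(runas-list)]` is meant, and the first position still shows `[NOPASSWD:]` while the repeated position shows `[NOPASSWD|PASSWD:]`; if `PASSWD:` is accepted at the head of the list as well, the two positions should read the same.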
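Review bot: The four alias-section hunks add "A logical "!" NOT operator may be prefixed to any of these" but do not say what a negated element means inside an alias. Given the last-match rule the description hunk introduces, state whether negation inside an alias is resolved within the alias itself (so an alias consisting only of negated elements matches nothing, or everything) or only where the alias is expanded into a user's host, runas or command list, and give one example for the Runas_Alias case, which is the one with the highest cost if misread. Minor, in the Cmnd_Alias hunk: `cmnd-list ::= a comma separated list commands.` is missing "of".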
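Review bot: The "persistence of modifiers" section explains the sticky behaviour but not its consequence for anyone editing the file, which is the security-relevant part: once `NOPASSWD:` appears in a cmnd-list, every command appended later in that list also runs without a password unless the editor remembers to insert `PASSWD:`, and a `(runas-list)` given once applies to every command added after it. Add a one-line warning to that effect next to the `oper bigserver = NOPASSWD: /usr/bin/kill, /bin/rm, /bin/rmdir` example. The section also says the modifier is "persistent across an access_group" and "sticky across entries in the comma-separated cmnd-list" without saying whether it resets at the `:` that separates access groups; the existing `davehieb merlin=(OP) ALL:SERVERS=/sbin/halt: kodiakthorn=NOPASSWD: ALL` example only makes sense if each access group starts from the defaults again, so state that explicitly.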
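Review bot: In the NOPASSWD paragraph hunk, "can be reversed with the PASSWD modifier" is ambiguous (it could be read as undoing NOPASSWD for the whole list); say instead that `PASSWD:` restores the password requirement for the commands that follow it in the same cmnd-list. In the same hunk the paragraph restricting `!` to a user's command list is removed, which is correct given the alias changes, but the `user host=ALL,!ALIAS1,!/sbin/halt...` example just above it is now the only place the subtraction syntax is shown; add a clause there that the `!` elements must come after `ALL`, since ordering is what makes the subtraction work.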