From: Todd C. Miller Date: Sun, 30 Dec 2001 19:26:22 +0000 (+0000) Subject: Mention that no double quotes are needed when adding/deleting/assigning X-Git-Tag: SUDO_1_6_4~42 X-Git-Url: https://granicus.if.org/sourcecode?a=commitdiff_plain;h=412819b40ae1a59e8e3b8acda9b1982e80fd5ffd;p=sudo Mention that no double quotes are needed when adding/deleting/assigning a single value to a list. --- diff --git a/sudoers.cat b/sudoers.cat index 45571a249..728d19a28 100644 --- a/sudoers.cat +++ b/sudoers.cat @@ -61,7 +61,7 @@ DDDDEEEESSSSCCCCRRRRIIIIPPPPTTTTIIIIOOOONNNN -December 17, 2001 1.6.4 1 +December 30, 2001 1.6.4 1 @@ -127,7 +127,7 @@ sudoers(4) MAINTENANCE COMMANDS sudoers(4) -December 17, 2001 1.6.4 2 +December 30, 2001 1.6.4 2 @@ -193,7 +193,7 @@ sudoers(4) MAINTENANCE COMMANDS sudoers(4) -December 17, 2001 1.6.4 3 +December 30, 2001 1.6.4 3 @@ -259,7 +259,7 @@ sudoers(4) MAINTENANCE COMMANDS sudoers(4) -December 17, 2001 1.6.4 4 +December 30, 2001 1.6.4 4 @@ -325,7 +325,7 @@ sudoers(4) MAINTENANCE COMMANDS sudoers(4) -December 17, 2001 1.6.4 5 +December 30, 2001 1.6.4 5 @@ -391,7 +391,7 @@ sudoers(4) MAINTENANCE COMMANDS sudoers(4) -December 17, 2001 1.6.4 6 +December 30, 2001 1.6.4 6 @@ -457,7 +457,7 @@ sudoers(4) MAINTENANCE COMMANDS sudoers(4) -December 17, 2001 1.6.4 7 +December 30, 2001 1.6.4 7 @@ -523,7 +523,7 @@ sudoers(4) MAINTENANCE COMMANDS sudoers(4) -December 17, 2001 1.6.4 8 +December 30, 2001 1.6.4 8 @@ -589,7 +589,7 @@ sudoers(4) MAINTENANCE COMMANDS sudoers(4) -December 17, 2001 1.6.4 9 +December 30, 2001 1.6.4 9 @@ -655,7 +655,7 @@ sudoers(4) MAINTENANCE COMMANDS sudoers(4) -December 17, 2001 1.6.4 10 +December 30, 2001 1.6.4 10 
@@ -692,36 +692,36 @@ sudoers(4) MAINTENANCE COMMANDS sudoers(4) LLLLiiiissssttttssss tttthhhhaaaatttt ccccaaaannnn bbbbeeee uuuusssseeeedddd iiiinnnn aaaa bbbboooooooolllleeeeaaaannnn ccccoooonnnntttteeeexxxxtttt: - env_check A double-quoted, space-separated list of envi­ - ronment variables to be removed from the + env_check Environment variables to be removed from the user's environment if the variable's value contains % or / characters. This can be used to guard against printf-style format vulnera­ - bilties in poorly-written programs. The list - can be replaced, added to, deleted from, or - disabled by using the =, +=, -=, and ! opera­ - tors respectively. The default list of envi­ - ronment variable to check is printed when ssssuuuuddddoooo - is run by root with the _-_V option. - - env_delete A double-quoted, space-separated list of envi­ - ronment variables to be removed from the - user's environment. The list can be replaced, - added to, deleted from, or disabled by using - the =, +=, -=, and ! operators respectively. - The default list of environment variable to - remove is printed when ssssuuuuddddoooo is run by root - with the _-_V option. - - env_keep A double-quoted, space-separated list of envi­ - ronment variables to be preserved in the + bilties in poorly-written programs. The argu­ + ment may be a double-quoted, space-separated + list or a single value without double-quotes. + The list can be replaced, added to, deleted + from, or disabled by using the =, +=, -=, and + ! operators respectively. The default list of + environment variable to check is printed when + ssssuuuuddddoooo is run by root with the _-_V option. + + env_delete Environment variables to be removed from the + user's environment. The argument may be a + double-quoted, space-separated list or a sin­ + gle value without double-quotes. The list can + be replaced, added to, deleted from, or dis­ + abled by using the =, +=, -=, and ! operators + respectively. 
The default list of environment + variable to remove is printed when ssssuuuuddddoooo is run + by root with the _-_V option. + + env_keep Environment variables to be preserved in the user's environment when the _e_n_v___r_e_s_e_t option - is in effect. This allows fine-grained con­ - trol over the environment ssssuuuuddddoooo-spawned + is in effect. This allows fine-grained -December 17, 2001 1.6.4 11 +December 30, 2001 1.6.4 11 @@ -730,10 +730,14 @@ December 17, 2001 1.6.4 11 sudoers(4) MAINTENANCE COMMANDS sudoers(4) - processes will get. The list can be replaced, - added to, deleted from, or disabled by using - the =, +=, -=, and ! operators respectively. - This list has no default members. + control over the environment ssssuuuuddddoooo-spawned pro­ + cesses will receive. The argument may be a + double-quoted, space-separated list or a sin­ + gle value without double-quotes. The list can + be replaced, added to, deleted from, or dis­ + abled by using the =, +=, -=, and ! operators + respectively. This list has no default mem­ + bers. When logging via _s_y_s_l_o_g(3), ssssuuuuddddoooo accepts the following values for the syslog facility (the value of the ssssyyyysssslllloooogggg @@ -781,13 +785,9 @@ sudoers(4) MAINTENANCE COMMANDS sudoers(4) It is also possible to override a Runas_Spec later on in an entry. If we modify the entry like so: - dgb boulder = (operator) /bin/ls, (root) /bin/kill, /usr/bin/lprm - - Then user ddddggggbbbb is now allowed to run _/_b_i_n_/_l_s as ooooppppeeeerrrraaaattttoooorrrr, - -December 17, 2001 1.6.4 12 +December 30, 2001 1.6.4 12 @@ -796,6 +796,9 @@ December 17, 2001 1.6.4 12 sudoers(4) MAINTENANCE COMMANDS sudoers(4) + dgb boulder = (operator) /bin/ls, (root) /bin/kill, /usr/bin/lprm + + Then user ddddggggbbbb is now allowed to run _/_b_i_n_/_l_s as ooooppppeeeerrrraaaattttoooorrrr, but _/_b_i_n_/_k_i_l_l and _/_u_s_r_/_b_i_n_/_l_p_r_m as rrrrooooooootttt. NNNNOOOOPPPPAAAASSSSSSSSWWWWDDDD aaaannnndddd PPPPAAAASSSSSSSSWWWWDDDD 
@@ -847,13 +850,10 @@ sudoers(4) MAINTENANCE COMMANDS sudoers(4) used to escape special characters such as: "*", "?", "[", and "}". - Note that a forward slash ('/') will nnnnooootttt be matched by - wildcards used in the pathname. When matching the command - line arguments, however, as slash ddddooooeeeessss get matched by -December 17, 2001 1.6.4 13 +December 30, 2001 1.6.4 13 @@ -862,6 +862,9 @@ December 17, 2001 1.6.4 13 sudoers(4) MAINTENANCE COMMANDS sudoers(4) + Note that a forward slash ('/') will nnnnooootttt be matched by + wildcards used in the pathname. When matching the command + line arguments, however, as slash ddddooooeeeessss get matched by wildcards. This is to make a path like: /usr/bin/* @@ -913,13 +916,10 @@ sudoers(4) MAINTENANCE COMMANDS sudoers(4) EEEEXXXXAAAAMMMMPPPPLLLLEEEESSSS Below are example _s_u_d_o_e_r_s entries. Admittedly, some of - these are a bit contrived. First, we define our _a_l_i_a_s_e_s: - - -December 17, 2001 1.6.4 14 +December 30, 2001 1.6.4 14 @@ -928,6 +928,8 @@ December 17, 2001 1.6.4 14 sudoers(4) MAINTENANCE COMMANDS sudoers(4) + these are a bit contrived. First, we define our _a_l_i_a_s_e_s: + # User alias specification User_Alias FULLTIMERS = millert, mikef, dowdy User_Alias PARTTIMERS = bostley, jwfox, crawl @@ -981,11 +983,9 @@ sudoers(4) MAINTENANCE COMMANDS sudoers(4) root ALL = (ALL) ALL %wheel ALL = (ALL) ALL - We let rrrrooooooootttt and any user in group wwwwhhhheeeeeeeellll run any command on - -December 17, 2001 1.6.4 15 +December 30, 2001 1.6.4 15 @@ -994,6 +994,7 @@ December 17, 2001 1.6.4 15 sudoers(4) MAINTENANCE COMMANDS sudoers(4) + We let rrrrooooooootttt and any user in group wwwwhhhheeeeeeeellll run any command on any host as any user. FULLTIMERS ALL = NOPASSWD: ALL @@ -1050,8 +1051,7 @@ sudoers(4) MAINTENANCE COMMANDS sudoers(4) - -December 17, 2001 1.6.4 16 +December 30, 2001 1.6.4 16 
@@ -1117,7 +1117,7 @@ sudoers(4) MAINTENANCE COMMANDS sudoers(4) -December 17, 2001 1.6.4 17 +December 30, 2001 1.6.4 17 @@ -1183,6 +1183,6 @@ SSSSEEEEEEEE AAAALLLLSSSSOOOO -December 17, 2001 1.6.4 18 +December 30, 2001 1.6.4 18 diff --git a/sudoers.man.in b/sudoers.man.in index f2ed96e1b..6689670db 100644 --- a/sudoers.man.in +++ b/sudoers.man.in @@ -1,5 +1,5 @@ .\" Automatically generated by Pod::Man version 1.15 -.\" Mon Dec 17 16:34:22 2001 +.\" Sun Dec 30 12:24:30 2001 .\" .\" Standard preamble: .\" ====================================================================== @@ -138,7 +138,7 @@ .\" ====================================================================== .\" .IX Title "sudoers @mansectform@" -.TH sudoers @mansectform@ "1.6.4" "December 17, 2001" "MAINTENANCE COMMANDS" +.TH sudoers @mansectform@ "1.6.4" "December 30, 2001" "MAINTENANCE COMMANDS" .UC .SH "NAME" sudoers \- list of which users may execute what 
@@ -678,28 +678,31 @@ The default value is `any'. \&\fBLists that can be used in a boolean context\fR: .Ip "env_check" 12 .IX Item "env_check" -A double-quoted, space-separated list of environment variables to -be removed from the user's environment if the variable's value -contains \f(CW\*(C`%\*(C'\fR or \f(CW\*(C`/\*(C'\fR characters. This can be used to guard against -printf-style format vulnerabilties in poorly-written programs. The +Environment variables to be removed from the user's environment if +the variable's value contains \f(CW\*(C`%\*(C'\fR or \f(CW\*(C`/\*(C'\fR characters. This can +be used to guard against printf-style format vulnerabilties in +poorly-written programs. The argument may be a double-quoted, +space-separated list or a single value without double-quotes. The list can be replaced, added to, deleted from, or disabled by using the \f(CW\*(C`=\*(C'\fR, \f(CW\*(C`+=\*(C'\fR, \f(CW\*(C`\-=\*(C'\fR, and \f(CW\*(C`!\*(C'\fR operators respectively. The default list of environment variable to check is printed when \fBsudo\fR is run by root with the \fI\-V\fR option. .Ip "env_delete" 12 .IX Item "env_delete" -A double-quoted, space-separated list of environment variables to -be removed from the user's environment. The list can be replaced, -added to, deleted from, or disabled by using the \f(CW\*(C`=\*(C'\fR, \f(CW\*(C`+=\*(C'\fR, \f(CW\*(C`\-=\*(C'\fR, -and \f(CW\*(C`!\*(C'\fR operators respectively. The default list of environment +Environment variables to be removed from the user's environment. +The argument may be a double-quoted, space-separated list or a +single value without double-quotes. The list can be replaced, added +to, deleted from, or disabled by using the \f(CW\*(C`=\*(C'\fR, \f(CW\*(C`+=\*(C'\fR, \f(CW\*(C`\-=\*(C'\fR, and +\&\f(CW\*(C`!\*(C'\fR operators respectively. The default list of environment variable to remove is printed when \fBsudo\fR is run by root with the \&\fI\-V\fR option. 
.Ip "env_keep" 12 .IX Item "env_keep" -A double-quoted, space-separated list of environment variables to -be preserved in the user's environment when the \fIenv_reset\fR option -is in effect. This allows fine-grained control over the environment -\&\fBsudo\fR\-spawned processes will get. The list can be replaced, added +Environment variables to be preserved in the user's environment +when the \fIenv_reset\fR option is in effect. This allows fine-grained +control over the environment \fBsudo\fR\-spawned processes will receive. +The argument may be a double-quoted, space-separated list or a +single value without double-quotes. The list can be replaced, added to, deleted from, or disabled by using the \f(CW\*(C`=\*(C'\fR, \f(CW\*(C`+=\*(C'\fR, \f(CW\*(C`\-=\*(C'\fR, and \&\f(CW\*(C`!\*(C'\fR operators respectively. This list has no default members. .PP diff --git a/sudoers.pod b/sudoers.pod index 99e1ce386..210e5d506 100644 --- a/sudoers.pod +++ b/sudoers.pod @@ -645,10 +645,11 @@ B: =item env_check -A double-quoted, space-separated list of environment variables to -be removed from the user's environment if the variable's value -contains C<%> or C characters. This can be used to guard against -printf-style format vulnerabilties in poorly-written programs. The +Environment variables to be removed from the user's environment if +the variable's value contains C<%> or C characters. This can +be used to guard against printf-style format vulnerabilties in +poorly-written programs. The argument may be a double-quoted, +space-separated list or a single value without double-quotes. The list can be replaced, added to, deleted from, or disabled by using the C<=>, C<+=>, C<-=>, and C operators respectively. The default list of environment variable to check is printed when B is 
@@ -656,19 +657,21 @@ run by root with the I<-V> option. =item env_delete -A double-quoted, space-separated list of environment variables to -be removed from the user's environment. The list can be replaced, -added to, deleted from, or disabled by using the C<=>, C<+=>, C<-=>, -and C operators respectively. The default list of environment +Environment variables to be removed from the user's environment. +The argument may be a double-quoted, space-separated list or a +single value without double-quotes. The list can be replaced, added +to, deleted from, or disabled by using the C<=>, C<+=>, C<-=>, and +C operators respectively. The default list of environment variable to remove is printed when B is run by root with the I<-V> option. =item env_keep -A double-quoted, space-separated list of environment variables to -be preserved in the user's environment when the I option -is in effect. This allows fine-grained control over the environment -B-spawned processes will get. The list can be replaced, added +Environment variables to be preserved in the user's environment +when the I option is in effect. This allows fine-grained +control over the environment B-spawned processes will receive. +The argument may be a double-quoted, space-separated list or a +single value without double-quotes. The list can be replaced, added to, deleted from, or disabled by using the C<=>, C<+=>, C<-=>, and C operators respectively. This list has no default members.
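Review bot: most of the sudoers.cat hunks (from `@@ -61,7 +61,7 @@` through `@@ -1183,6 +1183,6 @@`) only change the page-footer date from "December 17, 2001" to "December 30, 2001" or move unchanged lines across a page break, and sudoers.man.in is marked "Automatically generated by Pod::Man version 1.15". The commit message does not say that these two files are regenerated output. Note that in the message, or commit the regenerated files separately, so the three real content changes (env_check, env_delete, env_keep in sudoers.pod) are easy to find in review.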
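Review bot: the rewrapped env_check paragraph in sudoers.pod (hunk `@@ -645,10 +645,11 @@`) carries the misspelling "vulnerabilties" into the new `+` lines, and the same spelling is re-emitted in the sudoers.man.in and sudoers.cat hunks. Since these lines are being rewritten anyway, correct it to "vulnerabilities" in the .pod source and regenerate the other two files. The unchanged context line "The default list of environment variable to check" could become "variables" in the same pass.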
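Review bot: the added sentence "The argument may be a double-quoted, space-separated list or a single value without double-quotes." in the env_delete and env_keep items (sudoers.pod hunk `@@ -656,19 +657,21 @@`, and identically in env_check) does not say how two or more names written without quotes are treated. These options decide which variables reach a process run through sudo, so the text should state explicitly whether more than one name always requires double quotes. The sentence is also repeated verbatim in all three items; stating it once under "Lists that can be used in a boolean context" would keep the items from drifting apart later. One quoted-list example and one bare-value example next to that statement would make the two accepted forms unambiguous.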