From: Todd C. Miller Date: Tue, 16 Nov 1999 05:23:41 +0000 (+0000) Subject: Add warning about using ALL in a command context. X-Git-Tag: SUDO_1_6_0~6 X-Git-Url: https://granicus.if.org/sourcecode?a=commitdiff_plain;h=42f7c6f3f45097abcfb35df168d4f40102a21e2e;p=sudo Add warning about using ALL in a command context. --- diff --git a/sudoers.cat b/sudoers.cat index 8e177315d..56dbf0b4d 100644 --- a/sudoers.cat +++ b/sudoers.cat @@ -61,7 +61,7 @@ DDDDEEEESSSSCCCCRRRRIIIIPPPPTTTTIIIIOOOONNNN -8/Nov/1999 1.6 1 +15/Nov/1999 1.6 1 @@ -127,7 +127,7 @@ sudoers(5) FILE FORMATS sudoers(5) -8/Nov/1999 1.6 2 +15/Nov/1999 1.6 2 @@ -193,7 +193,7 @@ sudoers(5) FILE FORMATS sudoers(5) -8/Nov/1999 1.6 3 +15/Nov/1999 1.6 3 @@ -259,7 +259,7 @@ sudoers(5) FILE FORMATS sudoers(5) -8/Nov/1999 1.6 4 +15/Nov/1999 1.6 4 @@ -325,7 +325,7 @@ sudoers(5) FILE FORMATS sudoers(5) -8/Nov/1999 1.6 5 +15/Nov/1999 1.6 5 @@ -391,7 +391,7 @@ sudoers(5) FILE FORMATS sudoers(5) -8/Nov/1999 1.6 6 +15/Nov/1999 1.6 6 @@ -457,7 +457,7 @@ sudoers(5) FILE FORMATS sudoers(5) -8/Nov/1999 1.6 7 +15/Nov/1999 1.6 7 @@ -503,7 +503,9 @@ sudoers(5) FILE FORMATS sudoers(5) might otherwise use a Cmnd_Alias, User_Alias, Runas_Alias, or Host_Alias. You should not try to define your own _a_l_i_a_s called AAAALLLLLLLL as the built in alias will be used in - preference to your own. + preference to your own. Please note that using AAAALLLLLLLL can be + dangerous since in a command context, it allows the user + to run aaaannnnyyyy command on the system. An exclamation point ('!') can be used as a logical _n_o_t operator both in an _a_l_i_a_s and in front of a Cmnd. This @@ -519,11 +521,9 @@ sudoers(5) FILE FORMATS sudoers(5) syntactic characters in a _U_s_e_r _S_p_e_c_i_f_i_c_a_t_i_o_n ('=', ':', '(', ')') is optional. - The following characters must be escaped with a backslash - -8/Nov/1999 1.6 8 +15/Nov/1999 1.6 8 @@ -532,6 +532,7 @@ sudoers(5) FILE FORMATS sudoers(5) sudoers(5) FILE FORMATS sudoers(5) + The following characters must be escaped with a backslash ('\') when used as part of a word (eg. a username or hostname): '@', '!', '=', ':', ',', '(', ')', '\'. @@ -588,8 +589,7 @@ EEEEXXXXAAAAMMMMPPPPLLLLEEEESSSS - -8/Nov/1999 1.6 9 +15/Nov/1999 1.6 9 @@ -655,7 +655,7 @@ sudoers(5) FILE FORMATS sudoers(5) -8/Nov/1999 1.6 10 +15/Nov/1999 1.6 10 @@ -721,7 +721,7 @@ sudoers(5) FILE FORMATS sudoers(5) -8/Nov/1999 1.6 11 +15/Nov/1999 1.6 11 @@ -787,7 +787,7 @@ SSSSEEEEEEEE AAAALLLLSSSSOOOO -8/Nov/1999 1.6 12 +15/Nov/1999 1.6 12 @@ -853,6 +853,6 @@ sudoers(5) FILE FORMATS sudoers(5) -8/Nov/1999 1.6 13 +15/Nov/1999 1.6 13 diff --git a/sudoers.html b/sudoers.html index c34f50e6a..9dcd4eb97 100644 --- a/sudoers.html +++ b/sudoers.html @@ -555,7 +555,8 @@ up to the end of the line, are ignored.

The reserved word ALL is a a built in alias that always causes a match to succeed. It can be used wherever one might -otherwise use a Cmnd_Alias, User_Alias, Runas_Alias, or Host_Alias. You should not try to define your own alias called ALL as the built in alias will be used in preference to your own. +otherwise use a Cmnd_Alias, User_Alias, Runas_Alias, or Host_Alias. You should not try to define your own alias called ALL as the built in alias will be used in preference to your own. Please note +that using ALL can be dangerous since in a command context, it allows the user to run any command on the system.

An exclamation point ('!') can be used as a logical not operator both in an alias and in front of a Cmnd. This allows one to exclude certain values. Note, however, that using a ! in conjunction with the built in ALL alias to allow a user to run ``all but a few'' commands rarely works as diff --git a/sudoers.man b/sudoers.man index 46572187b..241e3cab0 100644 --- a/sudoers.man +++ b/sudoers.man @@ -2,8 +2,8 @@ ''' $RCSfile$$Revision$$Date$ ''' ''' $Log$ -''' Revision 1.14 1999/11/09 00:00:29 millert -''' Mention what characters need to be escaped in names. +''' Revision 1.15 1999/11/16 05:23:41 millert +''' Add warning about using ALL in a command context. ''' ''' .de Sh @@ -96,7 +96,7 @@ .nr % 0 .rr F .\} -.TH sudoers 5 "1.6" "8/Nov/1999" "FILE FORMATS" +.TH sudoers 5 "1.6" "15/Nov/1999" "FILE FORMATS" .UC .if n .hy 0 .if n .na @@ -568,7 +568,9 @@ The reserved word \fB\s-1ALL\s0\fR is a a built in \fIalias\fR that always cause a match to succeed. It can be used wherever one might otherwise use a \f(CWCmnd_Alias\fR, \f(CWUser_Alias\fR, \f(CWRunas_Alias\fR, or \f(CWHost_Alias\fR. You should not try to define your own \fIalias\fR called \fB\s-1ALL\s0\fR as the -built in alias will be used in preference to your own. +built in alias will be used in preference to your own. Please note +that using \fB\s-1ALL\s0\fR can be dangerous since in a command context, it +allows the user to run \fBany\fR command on the system. .PP An exclamation point (\*(R'!') can be used as a logical \fInot\fR operator both in an \fIalias\fR and in front of a \f(CWCmnd\fR. This allows one to diff --git a/sudoers.pod b/sudoers.pod index d7ad822dc..3dfb773c4 100644 --- a/sudoers.pod +++ b/sudoers.pod @@ -523,7 +523,9 @@ The reserved word B is a a built in I that always causes a match to succeed. It can be used wherever one might otherwise use a C, C, C, or C. You should not try to define your own I called B as the -built in alias will be used in preference to your own. +built in alias will be used in preference to your own. Please note +that using B can be dangerous since in a command context, it +allows the user to run B command on the system. An exclamation point ('!') can be used as a logical I operator both in an I and in front of a C. This allows one to