From: Todd C. Miller Date: Mon, 29 Jun 2009 13:35:21 +0000 (+0000) Subject: regen X-Git-Tag: SUDO_1_7_2~5 X-Git-Url: https://granicus.if.org/sourcecode?a=commitdiff_plain;h=4764730f791260a7006153642222cfd01182bdae;p=sudo regen --- diff --git a/sudo.cat b/sudo.cat index d67868e87..c7375477c 100644 --- a/sudo.cat +++ b/sudo.cat @@ -61,7 +61,7 @@ DDEESSCCRRIIPPTTIIOONN -1.7.2 June 11, 2009 1 +1.7.2 June 15, 2009 1 @@ -127,7 +127,7 @@ OOPPTTIIOONNSS -1.7.2 June 11, 2009 2 +1.7.2 June 15, 2009 2 @@ -193,7 +193,7 @@ SUDO(1m) MAINTENANCE COMMANDS SUDO(1m) -1.7.2 June 11, 2009 3 +1.7.2 June 15, 2009 3 @@ -259,7 +259,7 @@ SUDO(1m) MAINTENANCE COMMANDS SUDO(1m) -1.7.2 June 11, 2009 4 +1.7.2 June 15, 2009 4 @@ -325,7 +325,7 @@ SUDO(1m) MAINTENANCE COMMANDS SUDO(1m) -1.7.2 June 11, 2009 5 +1.7.2 June 15, 2009 5 @@ -391,7 +391,7 @@ SSEECCUURRIITTYY NNOOTTEESS -1.7.2 June 11, 2009 6 +1.7.2 June 15, 2009 6 @@ -457,7 +457,7 @@ EENNVVIIRROONNMMEENNTT -1.7.2 June 11, 2009 7 +1.7.2 June 15, 2009 7 @@ -511,10 +511,10 @@ EEXXAAMMPPLLEESS $ sudo ls /usr/local/protected - To list the home directory of user yazza on a machine where the file - system holding ~yazza is not exported as root: + To list the home directory of user yaz on a machine where the file + system holding ~yaz is not exported as root: - $ sudo -u yazza ls ~yazza + $ sudo -u yaz ls ~yaz To edit the _i_n_d_e_x_._h_t_m_l file as user www: @@ -523,7 +523,7 @@ EEXXAAMMPPLLEESS -1.7.2 June 11, 2009 8 +1.7.2 June 15, 2009 8 @@ -532,6 +532,14 @@ EEXXAAMMPPLLEESS SUDO(1m) MAINTENANCE COMMANDS SUDO(1m) + To view system logs only accessible to root and users in the adm group: + + $ sudo -g adm view /var/log/syslog + + To run an editor as jim with a different primary group: + + $ sudo -u jim -g audio vi ~jim/sound.txt + To shutdown a machine: $ sudo shutdown -r +15 "quick reboot" 
@@ -578,18 +586,10 @@ CCAAVVEEAATTSS make setuid shell scripts unsafe on some operating systems (if your OS has a /dev/fd/ directory, setuid shell scripts are generally safe). -BBUUGGSS - If you feel you have found a bug in ssuuddoo, please submit a bug report at - http://www.sudo.ws/sudo/bugs/ - -SSUUPPPPOORRTT - Limited free support is available via the sudo-users mailing list, see - http://www.sudo.ws/mailman/listinfo/sudo-users to subscribe or search - the archives. -1.7.2 June 11, 2009 9 +1.7.2 June 15, 2009 9 @@ -598,6 +598,15 @@ SSUUPPPPOORRTT SUDO(1m) MAINTENANCE COMMANDS SUDO(1m) +BBUUGGSS + If you feel you have found a bug in ssuuddoo, please submit a bug report at + http://www.sudo.ws/sudo/bugs/ + +SSUUPPPPOORRTT + Limited free support is available via the sudo-users mailing list, see + http://www.sudo.ws/mailman/listinfo/sudo-users to subscribe or search + the archives. + DDIISSCCLLAAIIMMEERR ssuuddoo is provided ``AS IS'' and any express or implied warranties, including, but not limited to, the implied warranties of @@ -646,15 +655,6 @@ DDIISSCCLLAAIIMMEERR - - - - - - - - - -1.7.2 June 11, 2009 10 +1.7.2 June 15, 2009 10 diff --git a/sudoers.cat b/sudoers.cat index d7f6e3057..a6ba6e35f 100644 --- a/sudoers.cat +++ b/sudoers.cat @@ -61,7 +61,7 @@ DDEESSCCRRIIPPTTIIOONN -1.7.2 June 11, 2009 1 +1.7.2 June 23, 2009 1 @@ -98,6 +98,7 @@ SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4) '!'* '#'uid | '!'* '%'group | '!'* '+'netgroup | + '!'* '%:'nonunix_group | '!'* User_Alias A User_List is made up of one or more usernames, uids (prefixed with 
@@ -106,6 +107,35 @@ SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4) operators. An odd number of '!' operators negate the value of the item; an even number just cancel each other out. + A username, group, netgroup and nonunix_groups may be enclosed in + double quotes to avoid the need for escaping special characters. + Alternately, special characters may be specified in escaped hex mode, + e.g. \x20 for space. + + The nonunix_group syntax depends on the underlying implementation. For + instance, the QAS AD backend supports the following formats: + + +o Group in the same domain: "Group Name" + + +o Group in any domain: "Group Name@FULLY.QUALIFIED.DOMAIN" + + +o Group SID: "S-1-2-34-5678901234-5678901234-5678901234-567" + + Note that quotes around group names are optional. Unquoted strings + must use a backslash (\) to escape spaces and the '@' symbol. + + + + +1.7.2 June 23, 2009 2 + + + + + +SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4) + + Runas_List ::= Runas_Member | Runas_Member ',' Runas_List @@ -125,18 +155,6 @@ SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4) Host_List ::= Host | Host ',' Host_List - - -1.7.2 June 11, 2009 2 - - - - - -SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4) - - - Host ::= '!'* hostname | '!'* ip_addr | '!'* network(/netmask)? | @@ -172,6 +190,18 @@ SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4) other aliases. A commandname is a fully qualified filename which may include shell-style wildcards (see the Wildcards section below). A simple filename allows the user to run the command with any arguments + + + +1.7.2 June 23, 2009 3 + + + + + +SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4) + + he/she wishes. However, you may also specify command line arguments (including wildcards). Alternately, you can specify "" to indicate that the command may only be run wwiitthhoouutt command line arguments. A 
@@ -187,21 +217,6 @@ SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4) to permit a user to run ssuuddoo with the --ee option (or as ssuuddooeeddiitt). It may take command line arguments just as a normal command does. - - - - - - -1.7.2 June 11, 2009 3 - - - - - -SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4) - - DDeeffaauullttss Certain configuration options may be changed from their default values @@ -241,33 +256,33 @@ SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4) not exist in a list. Defaults entries are parsed in the following order: generic, host and - user Defaults first, then runas Defaults and finally command defaults. - See "SUDOERS OPTIONS" for a list of supported Defaults parameters. - UUsseerr SSppeecciiffiiccaattiioonn - User_Spec ::= User_List Host_List '=' Cmnd_Spec_List \ - (':' Host_List '=' Cmnd_Spec_List)* +1.7.2 June 23, 2009 4 - Cmnd_Spec_List ::= Cmnd_Spec | - Cmnd_Spec ',' Cmnd_Spec_List - Cmnd_Spec ::= Runas_Spec? Tag_Spec* Cmnd - Runas_Spec ::= '(' Runas_List? (: Runas_List)? ')' +SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4) -1.7.2 June 11, 2009 4 + user Defaults first, then runas Defaults and finally command defaults. + See "SUDOERS OPTIONS" for a list of supported Defaults parameters. + UUsseerr SSppeecciiffiiccaattiioonn + User_Spec ::= User_List Host_List '=' Cmnd_Spec_List \ + (':' Host_List '=' Cmnd_Spec_List)* -SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4) + Cmnd_Spec_List ::= Cmnd_Spec | + Cmnd_Spec ',' Cmnd_Spec_List + Cmnd_Spec ::= Runas_Spec? Tag_Spec* Cmnd + Runas_Spec ::= '(' Runas_List? (: Runas_List)? ')' Tag_Spec ::= ('NOPASSWD:' | 'PASSWD:' | 'NOEXEC:' | 'EXEC:' | 'SETENV:' | 'NOSETENV:' ) 
@@ -308,6 +323,17 @@ SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4) It is also possible to override a Runas_Spec later on in an entry. If we modify the entry like so: + + +1.7.2 June 23, 2009 5 + + + + + +SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4) + + dgb boulder = (operator) /bin/ls, (root) /bin/kill, /usr/bin/lprm Then user ddggbb is now allowed to run _/_b_i_n_/_l_s as ooppeerraattoorr, but _/_b_i_n_/_k_i_l_l @@ -323,17 +349,6 @@ SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4) device file with the dialer group. Note that in this example only the group will be set, the command still runs as user ttccmm. - - -1.7.2 June 11, 2009 5 - - - - - -SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4) - - tcm boulder = (:dialer) /usr/bin/tip, /usr/bin/cu, \ /usr/local/bin/minicom 
@@ -374,31 +389,30 @@ SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4) _N_O_E_X_E_C _a_n_d _E_X_E_C - If ssuuddoo has been compiled with _n_o_e_x_e_c support and the underlying - operating system supports it, the NOEXEC tag can be used to prevent a - dynamically-linked executable from running further commands itself. - - In the following example, user aaaarroonn may run _/_u_s_r_/_b_i_n_/_m_o_r_e and - _/_u_s_r_/_b_i_n_/_v_i but shell escapes will be disabled. - aaron shanty = NOEXEC: /usr/bin/more, /usr/bin/vi - See the "PREVENTING SHELL ESCAPES" section below for more details on - how NOEXEC works and whether or not it will work on your system. +1.7.2 June 23, 2009 6 - _S_E_T_E_N_V _a_n_d _N_O_S_E_T_E_N_V -1.7.2 June 11, 2009 6 +SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4) + If ssuuddoo has been compiled with _n_o_e_x_e_c support and the underlying + operating system supports it, the NOEXEC tag can be used to prevent a + dynamically-linked executable from running further commands itself. + In the following example, user aaaarroonn may run _/_u_s_r_/_b_i_n_/_m_o_r_e and + _/_u_s_r_/_b_i_n_/_v_i but shell escapes will be disabled. + aaron shanty = NOEXEC: /usr/bin/more, /usr/bin/vi -SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4) + See the "PREVENTING SHELL ESCAPES" section below for more details on + how NOEXEC works and whether or not it will work on your system. + _S_E_T_E_N_V _a_n_d _N_O_S_E_T_E_N_V These tags override the value of the _s_e_t_e_n_v option on a per-command basis. Note that if SETENV has been set for a command, any environment 
@@ -440,32 +454,32 @@ SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4) /usr/bin/* - match _/_u_s_r_/_b_i_n_/_w_h_o but not _/_u_s_r_/_b_i_n_/_X_1_1_/_x_t_e_r_m. - EExxcceeppttiioonnss ttoo wwiillddccaarrdd rruulleess - The following exceptions apply to the above rules: - "" If the empty string "" is the only command line argument in the - _s_u_d_o_e_r_s entry it means that command is not allowed to be run - with aannyy arguments. +1.7.2 June 23, 2009 7 - IInncclluuddiinngg ootthheerr ffiilleess ffrroomm wwiitthhiinn ssuuddooeerrss - It is possible to include other _s_u_d_o_e_r_s files from within the _s_u_d_o_e_r_s - file currently being parsed using the #include and #includedir -1.7.2 June 11, 2009 7 +SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4) + match _/_u_s_r_/_b_i_n_/_w_h_o but not _/_u_s_r_/_b_i_n_/_X_1_1_/_x_t_e_r_m. + EExxcceeppttiioonnss ttoo wwiillddccaarrdd rruulleess + The following exceptions apply to the above rules: -SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4) + "" If the empty string "" is the only command line argument in the + _s_u_d_o_e_r_s entry it means that command is not allowed to be run + with aannyy arguments. + IInncclluuddiinngg ootthheerr ffiilleess ffrroomm wwiitthhiinn ssuuddooeerrss + It is possible to include other _s_u_d_o_e_r_s files from within the _s_u_d_o_e_r_s + file currently being parsed using the #include and #includedir directives. This can be used, for example, to keep a site-wide _s_u_d_o_e_r_s file in @@ -506,6 +520,18 @@ SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4) in the file names can be used to avoid such problems. Note that unlike files included via #include, vviissuuddoo will not edit the + + + +1.7.2 June 23, 2009 8 + + + + + +SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4) + + files in a #includedir directory unless one of them contains a syntax error. It is still possible to run vviissuuddoo with the -f flag to edit the files directly. 
@@ -520,18 +546,6 @@ SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4) The reserved word AALLLL is a built-in _a_l_i_a_s that always causes a match to succeed. It can be used wherever one might otherwise use a Cmnd_Alias, - - - -1.7.2 June 11, 2009 8 - - - - - -SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4) - - User_Alias, Runas_Alias, or Host_Alias. You should not try to define your own _a_l_i_a_s called AALLLL as the built-in alias will be used in preference to your own. Please note that using AALLLL can be dangerous @@ -573,6 +587,17 @@ SSUUDDOOEERRSS OOPPTTIIOONNSS the PASSWD and NOPASSWD tags. This flag is _o_n by default. + + +1.7.2 June 23, 2009 9 + + + + + +SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4) + + closefrom_override If set, the user may use ssuuddoo's --CC option which overrides the default starting point at which ssuuddoo @@ -586,18 +611,6 @@ SSUUDDOOEERRSS OOPPTTIIOONNSS arbitrary command as root without logging. A safer alternative is to place a colon-separated list of editors in the editor variable. vviissuuddoo will then only - - - -1.7.2 June 11, 2009 9 - - - - - -SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4) - - use the EDITOR or VISUAL if they match a value specified in editor. This flag is _o_f_f by default. @@ -639,6 +652,18 @@ SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4) operators who would attempt to add roles to _/_e_t_c_/_s_u_d_o_e_r_s. When this option is present, _/_e_t_c_/_s_u_d_o_e_r_s does not even need to exist. Since this + + + +1.7.2 June 23, 2009 10 + + + + + +SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4) + + option tells ssuuddoo how to behave when no specific LDAP entries have been matched, this sudoOption is only meaningful for the cn=defaults section. This flag is 
@@ -653,17 +678,6 @@ SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4) log_year If set, the four-digit year will be logged in the (non- syslog) ssuuddoo log file. This flag is _o_f_f by default. - - -1.7.2 June 11, 2009 10 - - - - - -SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4) - - long_otp_prompt When validating with a One Time Password (OPT) scheme such as SS//KKeeyy or OOPPIIEE, a two-line prompt is used to make it easier to cut and paste the challenge to a @@ -704,6 +718,18 @@ SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4) sites may wish to disable this as it could be used to gather information on the location of executables that the normal user does not have access to. The + + + +1.7.2 June 23, 2009 11 + + + + + +SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4) + + disadvantage is that if the executable is simply not in the user's PATH, ssuuddoo will tell the user that they are not allowed to run it, which can be confusing. This @@ -718,18 +744,6 @@ SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4) preserve_groups By default, ssuuddoo will initialize the group vector to the list of groups the target user is in. When - - - -1.7.2 June 11, 2009 11 - - - - - -SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4) - - _p_r_e_s_e_r_v_e___g_r_o_u_p_s is set, the user's existing group vector is left unaltered. The real and effective group IDs, however, are still set to match the target user. @@ -770,6 +784,18 @@ SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4) flag is _o_f_f by default. set_home If set and ssuuddoo is invoked with the --ss option the HOME + + + +1.7.2 June 23, 2009 12 + + + + + +SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4) + + environment variable will be set to the home directory of the target user (which is root unless the --uu option is used). This effectively makes the --ss option imply 
@@ -784,18 +810,6 @@ SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4) This can be done by negating the set_logname option. Note that if the _e_n_v___r_e_s_e_t option has not been disabled, entries in the _e_n_v___k_e_e_p list will override - - - -1.7.2 June 11, 2009 12 - - - - - -SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4) - - the value of _s_e_t___l_o_g_n_a_m_e. This flag is _o_f_f by default. setenv Allow the user to disable the _e_n_v___r_e_s_e_t option from the @@ -836,6 +850,18 @@ SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4) with either the _s_e_t_r_e_u_i_d_(_) or _s_e_t_r_e_s_u_i_d_(_) function. This flag is _o_f_f by default. + + + +1.7.2 June 23, 2009 13 + + + + + +SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4) + + targetpw If set, ssuuddoo will prompt for the password of the user specified by the --uu option (defaults to root) instead of the password of the invoking user. Note that this @@ -850,18 +876,6 @@ SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4) user is logged in on in that directory. This flag is _o_f_f by default. - - - -1.7.2 June 11, 2009 13 - - - - - -SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4) - - umask_override If set, ssuuddoo will set the umask as specified by _s_u_d_o_e_r_s without modification. This makes it possible to specify a more permissive umask in _s_u_d_o_e_r_s than the @@ -902,6 +916,18 @@ SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4) value is used to decide when to wrap lines for nicer log files. This has no effect on the syslog log file, only the file log. The default is 80 (use 0 or negate + + + +1.7.2 June 23, 2009 14 + + + + + +SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4) + + the option to disable word wrap). passwd_timeout Number of minutes before the ssuuddoo password prompt times 
@@ -917,17 +943,6 @@ SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4) their own timestamps via sudo -v and sudo -k respectively. - - -1.7.2 June 11, 2009 14 - - - - - -SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4) - - umask Umask to use when running the command. Negate this option or set it to 0777 to preserve the user's umask. The actual umask that is used will be the union of the @@ -967,32 +982,32 @@ SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4) escapes are supported: %H expanded to the local hostname including the domain - name (on if the machine's hostname is fully - qualified or the _f_q_d_n option is set) - %h expanded to the local hostname without the domain - name - %p expanded to the user whose password is being asked - for (respects the _r_o_o_t_p_w, _t_a_r_g_e_t_p_w and _r_u_n_a_s_p_w - flags in _s_u_d_o_e_r_s) - %U expanded to the login name of the user the command - will be run as (defaults to root) +1.7.2 June 23, 2009 15 - %u expanded to the invoking user's login name -1.7.2 June 11, 2009 15 +SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4) + name (on if the machine's hostname is fully + qualified or the _f_q_d_n option is set) + %h expanded to the local hostname without the domain + name + %p expanded to the user whose password is being asked + for (respects the _r_o_o_t_p_w, _t_a_r_g_e_t_p_w and _r_u_n_a_s_p_w + flags in _s_u_d_o_e_r_s) -SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4) + %U expanded to the login name of the user the command + will be run as (defaults to root) + %u expanded to the invoking user's login name %% two consecutive % characters are collapsed into a single % character 
@@ -1033,32 +1048,34 @@ SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4) variable. env_file The _e_n_v___f_i_l_e options specifies the fully qualified path to - a file containing variables to be set in the environment of - the program being run. Entries in this file should be of - the form VARIABLE=value. Variables in this file are - subject to other ssuuddoo environment settings such as _e_n_v___k_e_e_p - and _e_n_v___c_h_e_c_k. - exempt_group - Users in this group are exempt from password and PATH - requirements. This is not set by default. - lecture This option controls when a short lecture will be printed - along with the password prompt. It has the following - possible values: - always Always lecture the user. +1.7.2 June 23, 2009 16 -1.7.2 June 11, 2009 16 +SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4) + a file containing variables to be set in the environment of + the program being run. Entries in this file should either + be of the form VARIABLE=value or export VARIABLE=value. + The value may optionally be surrounded by single or double + quotes. Variables in this file are subject to other ssuuddoo + environment settings such as _e_n_v___k_e_e_p and _e_n_v___c_h_e_c_k. -SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4) + exempt_group + Users in this group are exempt from password and PATH + requirements. This is not set by default. + + lecture This option controls when a short lecture will be printed + along with the password prompt. It has the following + possible values: + always Always lecture the user. never Never lecture the user. @@ -1097,6 +1114,18 @@ SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4) logfile Path to the ssuuddoo log file (not the syslog log file). Setting a path turns on logging to a file; negating this + + + +1.7.2 June 23, 2009 17 + + + + + +SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4) + + option turns it off. By default, ssuuddoo logs via syslog. mailerflags Flags to use when invoking mailer. Defaults to --tt. 
@@ -1114,18 +1143,6 @@ SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4) ssuuddoo interpreting the @ sign. Defaults to root. secure_path Path used for every command run from ssuuddoo. If you don't - - - -1.7.2 June 11, 2009 17 - - - - - -SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4) - - trust the people running ssuuddoo to have a sane PATH environment variable you may want to use this. Another use is if you want to have the "root path" be separate from the @@ -1163,6 +1180,18 @@ SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4) env_check Environment variables to be removed from the user's environment if the variable's value contains % or / characters. This can be used to guard against printf- + + + +1.7.2 June 23, 2009 18 + + + + + +SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4) + + style format vulnerabilities in poorly-written programs. The argument may be a double-quoted, space- separated list or a single value without double-quotes. 
@@ -1176,28 +1205,16 @@ SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4) is run by root with the _-_V option. env_delete Environment variables to be removed from the user's - environment. The argument may be a double-quoted, - space-separated list or a single value without double- - quotes. The list can be replaced, added to, deleted - from, or disabled by using the =, +=, -=, and ! - - - -1.7.2 June 11, 2009 18 - - - - - -SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4) - - - operators respectively. The default list of - environment variables to remove is displayed when ssuuddoo - is run by root with the _-_V option. Note that many - operating systems will remove potentially dangerous - variables from the environment of any setuid process - (such as ssuuddoo). + environment when the _e_n_v___r_e_s_e_t option is not in effect. + The argument may be a double-quoted, space-separated + list or a single value without double-quotes. The list + can be replaced, added to, deleted from, or disabled by + using the =, +=, -=, and ! operators respectively. The + default list of environment variables to remove is + displayed when ssuuddoo is run by root with the _-_V option. + Note that many operating systems will remove + potentially dangerous variables from the environment of + any setuid process (such as ssuuddoo). env_keep Environment variables to be preserved in the user's environment when the _e_n_v___r_e_s_e_t option is in effect. @@ -1228,6 +1245,19 @@ EEXXAAMMPPLLEESS Below are example _s_u_d_o_e_r_s entries. Admittedly, some of these are a bit contrived. First, we define our _a_l_i_a_s_e_s: + + + + +1.7.2 June 23, 2009 19 + + + + + +SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4) + + # User alias specification User_Alias FULLTIMERS = millert, mikef, dowdy User_Alias PARTTIMERS = bostley, jwfox, crawl 
@@ -1236,6 +1266,7 @@ EEXXAAMMPPLLEESS # Runas alias specification Runas_Alias OP = root, operator Runas_Alias DB = oracle, sybase + Runas_Alias ADMINGRP = adm, oper # Host alias specification Host_Alias SPARC = bigtime, eclipse, moet, anchor :\ @@ -1247,18 +1278,6 @@ EEXXAAMMPPLLEESS Host_Alias SERVERS = master, mail, www, ns Host_Alias CDROM = orion, perseus, hercules - - -1.7.2 June 11, 2009 19 - - - - - -SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4) - - - # Cmnd alias specification Cmnd_Alias DUMPS = /usr/bin/mt, /usr/sbin/dump, /usr/sbin/rdump,\ /usr/sbin/restore, /usr/sbin/rrestore @@ -1293,6 +1312,18 @@ SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4) Defaults!PAGERS noexec The _U_s_e_r _s_p_e_c_i_f_i_c_a_t_i_o_n is the part that actually determines who may run + + + +1.7.2 June 23, 2009 20 + + + + + +SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4) + + what. root ALL = (ALL) ALL @@ -1312,18 +1343,6 @@ SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4) any host but they must authenticate themselves first (since the entry lacks the NOPASSWD tag). - - - -1.7.2 June 11, 2009 20 - - - - - -SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4) - - jack CSNETS = ALL The user jjaacckk may run any command on the machines in the _C_S_N_E_T_S alias @@ -1351,10 +1370,26 @@ SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4) pete HPPA = /usr/bin/passwd [A-Za-z]*, !/usr/bin/passwd root + %opers ALL = (: ADMINGRP) /usr/sbin/ + + Users in the ooppeerrss group may run commands in _/_u_s_r_/_s_b_i_n_/ as themselves + with any group in the _A_D_M_I_N_G_R_P Runas_Alias (the aaddmm and ooppeerr groups). + The user ppeettee is allowed to change anyone's password except for root on the _H_P_P_A machines. Note that this assumes _p_a_s_s_w_d(1) does not take multiple usernames on the command line. + + +1.7.2 June 23, 2009 21 + + + + + +SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4) + + bob SPARC = (OP) ALL : SGI = (OP) ALL The user bboobb may run anything on the _S_P_A_R_C and _S_G_I machines as any user 
@@ -1378,18 +1413,6 @@ SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4) john ALPHA = /usr/bin/su [!-]*, !/usr/bin/su *root* - - - -1.7.2 June 11, 2009 21 - - - - - -SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4) - - On the _A_L_P_H_A machines, user jjoohhnn may su to anyone except root but he is not allowed to specify any options to the _s_u(1) command. @@ -1420,6 +1443,19 @@ SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4) and wim), may run any command as user www (which owns the web pages) or simply _s_u(1) to www. + + + + +1.7.2 June 23, 2009 22 + + + + + +SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4) + + ALL CDROM = NOPASSWD: /sbin/umount /CDROM,\ /sbin/mount -o nosuid\,nodev /dev/cd0a /CDROM @@ -1444,18 +1480,6 @@ SSEECCUURRIITTYY NNOOTTEESS PPRREEVVEENNTTIINNGG SSHHEELLLL EESSCCAAPPEESS Once ssuuddoo executes a program, that program is free to do whatever it - - - -1.7.2 June 11, 2009 22 - - - - - -SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4) - - pleases, including run other programs. This can be a security issue since it is not uncommon for a program to allow shell escapes, which lets a user bypass ssuuddoo's access control and logging. Common programs @@ -1486,6 +1510,18 @@ SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4) sudo -V | grep "dummy exec" + + + +1.7.2 June 23, 2009 23 + + + + + +SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4) + + If the resulting output contains a line that begins with: File containing dummy exec functions: @@ -1510,18 +1546,6 @@ SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4) This allows user aaaarroonn to run _/_u_s_r_/_b_i_n_/_m_o_r_e and _/_u_s_r_/_b_i_n_/_v_i with _n_o_e_x_e_c enabled. This will prevent those two commands - - - -1.7.2 June 11, 2009 23 - - - - - -SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4) - - from executing other commands (such as a shell). If you are unsure whether or not your system is capable of supporting _n_o_e_x_e_c you can always just try it out and see if it works. 
@@ -1552,6 +1576,18 @@ BBUUGGSS SSUUPPPPOORRTT Limited free support is available via the sudo-users mailing list, see + + + +1.7.2 June 23, 2009 24 + + + + + +SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4) + + http://www.sudo.ws/mailman/listinfo/sudo-users to subscribe or search the archives. @@ -1579,6 +1615,36 @@ DDIISSCCLLAAIIMMEERR -1.7.2 June 11, 2009 24 + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +1.7.2 June 23, 2009 25
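Review bot: In the sudo.cat hunk at @@ -532,6 +532,14 @@ (EXAMPLES), both new examples run a program that can spawn a shell: `sudo -g adm view /var/log/syslog` runs view (vi in read-only mode) and `sudo -u jim -g audio vi ~jim/sound.txt` runs vi, and the sudoers.cat hunks in this same patch name vi as a program that allows shell escapes and say such a program "is free to do whatever it pleases, including run other programs". Anything view or vi spawns from the first example inherits gid adm. Add one sentence after the examples pointing at the NOEXEC tag and the "PREVENTING SHELL ESCAPES" section of sudoers(4), or use a non-interactive command in the adm example; the fix belongs in sudo.pod, since the .cat file is generated.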
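Review bot: In the sudoers.cat hunk at @@ -98,6 +98,7 @@, the User production gains `'!'* '%:'nonunix_group` but the sentence immediately below it, "A User_List is made up of one or more usernames, uids (prefixed with ...", is the prose enumeration of the member kinds and the hunk does not touch it. Check that this enumeration (and the matching list in the pod source) names the `%:` non-Unix group form as well, so the grammar and the prose agree.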
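Review bot: In the sudoers.cat hunk at @@ -106,6 +107,35 @@, the three QAS formats ("Group Name", "Group Name@FULLY.QUALIFIED.DOMAIN", "S-1-2-34-...") are shown bare and never inside a complete sudoers line, so a reader cannot tell whether the double quotes enclose the whole `%:` token or only the name after the prefix, nor how `!` negation combines with a quoted name. Add one full User_Spec line per format. Also a style point: "A username, group, netgroup and nonunix_groups may be enclosed in double quotes" mixes singular and plural; make it "A username, group, netgroup or nonunix_group may be".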
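Review bot: In the sudoers.cat hunk at @@ -1033,32 +1048,34 @@ (env_file), the new text says the value "may optionally be surrounded by single or double quotes" but not whether those quotes are stripped, whether backslash escapes or `$VAR` references inside them are expanded, or what ownership and permissions sudo requires of the file before reading it. Since the file's contents are "set in the environment of the program being run", a writable env_file is an environment-injection path, so state the permission requirement and say explicitly whether any expansion is performed. The unchanged context line "The env_file options specifies the fully qualified path" should read "option specifies".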
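Review bot: In the sudoers.cat hunk at @@ -1351,10 +1370,26 @@, the new `%opers ALL = (: ADMINGRP) /usr/sbin/` entry and its explanation are inserted between the context line `pete HPPA = /usr/bin/passwd [A-Za-z]*, !/usr/bin/passwd root` and the paragraph "The user pete is allowed to change anyone's password except for root", so pete's explanation now sits under the %opers example instead of under pete's entry. Move the new block after that paragraph (in sudoers.pod, since the .cat file is generated). The explanation "may run commands in /usr/sbin/" should also say whether files in subdirectories are included and whether arguments are restricted, since the Cmnd description earlier in this file covers only fully qualified filenames and wildcards, not a bare directory ending in "/". Minor: `(: ADMINGRP)` has a space after the colon while the earlier `(:dialer)` example does not; pick one spelling.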