From: Todd C. Miller Date: Mon, 22 Jan 1996 01:53:52 +0000 (+0000) Subject: Initial revision X-Git-Tag: SUDO_1_5_0~315 X-Git-Url: https://granicus.if.org/sourcecode?a=commitdiff_plain;h=57155eeaa00daca529a3bd77bb5d1ccc01cd6047;p=sudo Initial revision --- diff --git a/sudo.pod b/sudo.pod new file mode 100644 index 000000000..689660cb5 --- /dev/null +++ b/sudo.pod @@ -0,0 +1,204 @@ +=cut +$Id$ +=pod + +=head1 NAME + +sudo - execute a command as the superuser + +=head1 SYNOPSIS + +B B<-V> | B<-h> | B<-l> | B<-v> | B<-k> | B<-s> | [ B<-b> ] +[ B<-p> prompt ] I + +=head1 DESCRIPTION + +B allows a permitted user to execute a I +as the superuser (real and effective uid and gid are set +to 0 and root's group as set in the passwd file respectively). + +B determines who is an authorized user by consulting the +file I. By giving B the I<-v> flag a user +can update the time stamp without running a I +The password prompt itself will also time out if the password is +not entered with N minutes (again, this is defined at installation +time and defaults to 5 minutes). + +If an unauthorized user executes sudo, mail will be sent from the +user to the local authorities (defined at installation time). + +B was designed to log via the 4.3 BSD syslog(3) facility but +can log to a file instead if so desired (or to both syslog and a file). + +All preferences are defined at installation time and are derived from +the options.h and pathnames.h include files as well as as well as the +Makefile. + +=head1 OPTIONS + +B accepts the following command line options: + +=over 4 + +=item -V + +The -V (version) option causes B to print the +version number and exit. + +=item -l + +The -l (list) option will list out the allowed and +forbidden commands for the user on the current host. +Note that Command Aliases are currently not expanded. + +=item -h + +The -h (help) option causes B to print the version +of sudo and a usage message before exiting. + +=item -v + +If given the -v (validate) option, B will update the +user's timestamp file, prompting for a password if necessary. +This extends the B timeout to for another N minutes +(where N is defined at installation time and defaults to 5 +minutes) but does not run a command. + +=item -k + +The -k (kill) option to B removes the user's timestamp +file, thus requiring a password the next time B is run. +This option does not require and password and was added to +allow a user to revoke B permissions from a .logout file. + +=item -b + +The -b (background) option tells B to run the given +command in the background. Note that if you use the -b +option you cannot use shell job control to manipulate the command. + +=item -p + +The -p (prompt) option allows you to override the default +password prompt and use a custom one. + +=item -s + +The -s (shell) option runs the shell specified by the I +environmental variable if it is set or the shell as specified +in passwd(5). + +=item -- + +The -- flag indicates that B should stop processing command +line arguments. It is most useful in conjunction with the -s flag. + +=head1 RETURN VALUES + +B quits with an exit value of 1 if there is a +configuration/permission problem or if B cannot execute +the given command. In the latter case the error string is +printed to stdout via perror(3). If B cannot stat(3) +one or more entries in the user's PATH the error is printed +on stdout via perror(3). (If the directory does not exist +or if it is not really a directory, the entry is ignored and +no error is printed.) This should not happen under normal +circumstances. The most common reason for stat(3) to return +"permission denied" is if you are running an automounter and +one of the directories in your PATH is on a machine that is +currently unreachable. + +=head1 SECURITY NOTES + +B tries to be safe when executing external commands. +To this end the IFS, LD_*, SHLIB_PATH (HP-UX only), +LIBPATH (AIX only), and _RLD_* (Digital UNIX only) environmental +variables are removed from the environment passed on to all +commands executed. + +To prevent command spoofing, B checks '.' and '' (both +denoting current directory) last when searching for a command +in the user's PATH (if one or both are in the PATH). +Note, however, that the actual PATH environmental variable +is I modified and is passed unchanged to the program that +B executes. + +For security reasons, if your OS supports shared libraries, +B should always be statically linked unless the +dynamic loader disables user-defined library search paths +for setuid programs. + +B will check the ownership of its timestamp directory +(/tmp/.odus by default) and ignore the directory's contents +if it is not owned by root and only read, writable, and +executable by root. On systems that allow users to give +files away to root (via chown) it is possible for a user +to create the timestamp directory before B is run. +However, because B checks the ownership & mode of +the directory, the only damage that can be done is to "hide" +files by putting them in the timestamp dir. This is unlikely +to happen since once the timestamp dir is owned by root and +inaccessible by any other user the user placing files there +would be unable to get them back out. To get around this +issue you can use a directory that is not world-writable +for the timestamps (/var/sudo for instance). + +To keep users from creating their own timestamp files +(by creating the timestamp directory before B +is first run and then using chmod and chown to set +the ownership and mode to a combination B +will accept) with timestamps far in the future B +will not honor any timestamp with a date greater than +current_time + 2 * TIMEOUT. + +=head1 FILES + + /etc/sudoers file of authorized users. + +=head1 ENVIRONMENT VARIABLES + + PATH Set to a sane value if SECURE_PATH is set + SHELL Used to determine shell to run with -s option + SUDO_COMMAND Set to the command run by sudo + SUDO_USER Set to the login of the user who invoked sudo + SUDO_UID Set to the uid of the user who invoked sudo + SUDO_GID Set to the gid of the user who invoked sudo + +=head1 AUTHORS + +Many people have worked on B over the years, this +version consists of code written primarily by: + + Jeff Nieusma + David Hieb + Todd Miller + Chris Jepeway + +See the HISTORY file in the sudo distribution for more details. + +Please send all bugs, comments, and changes to sudo-bugs@cs.colorado.edu. + +=head1 BUGS + +The -l (list) option should expand Command Aliases. + +=head1 DISCLAIMER + +This program is distributed in the hope that it will be useful, but +WITHOUT ANY WARRANTY; without even the implied warranty of +MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU +General Public License for more details. + +You should have received a copy of the GNU General Public License along +with this program; if not, write to the Free Software Foundation, Inc., +675 Mass Ave, Cambridge, MA 02139, USA. + +=head1 CAVEATS + +There is no easy way to prevent a user from gaining a root shell if +that user has access to commands that are shell scripts or that +allow shell escapes. + +=head1 SEE ALSO + +sudoers(5), visudo(8), su(1). diff --git a/visudo.pod b/visudo.pod new file mode 100644 index 000000000..b5337e3ef --- /dev/null +++ b/visudo.pod @@ -0,0 +1,99 @@ +=cut +$Id$ +=pod + +=head1 NAME + +visudo - edit the sudoers file + +=head1 SYNOPSIS + +B [ B<-V> ] + +=head1 DESCRIPTION + +B edits the I file in a safe fashion, analogous to +vipw(8). B locks the I file against multiple +simultaneous edits, provides basic sanity checks, and checks +for parse errors. If the I file is currently being +edited you will receive a message to try again later. In the +default configuration, the vi(1) editor is used, but there is +a compile time option to allow use of whatever editor the +environmental variables EDITOR or VISUAL are set to. + +B parses the I file after the edit and will +not save the changes if there is a syntax error. Upon finding +an error, a message will be printed stating the line number(s) +that the error occurred on and the user will receive the +"What now?" prompt. At this point the user may enter "e" +to re-edit the I file, enter "x" to exit without +saving the changes, or "q" to quit and save changes. The +"q" option should be used with extreme care because if B +believes there to be a parse error, so will B and no one +will be able to execute B again until the error is fixed. +Any other command at this prompt will print a short help message. +When editing the I file after a parse error has been +detected the cursor will be placed on the line where the error +occurred (if the editor supports this feature). + +=head1 OPTIONS + +B accepts the following command line option: + +=over 4 + +=item -V + +The B<-V> (version) option causes visudo to print the version number +and exit. + +=back + +=head1 FILES + + /etc/sudoers file of authorized users. + /etc/stmp lock file for visudo. + +=head1 ENVIRONMENT VARIABLES + +The following are used only if B was compiled with the +ENV_EDITOR option: + + EDITOR Used by visudo as the editor to use. + VISUAL Used by visudo if EDITOR is not set. + +=head1 AUTHOR + +Many people have worked on I over the years, this version of +I was written by: + + Todd Miller + +See the HISTORY file in the sudo distribution for more details. + +Please send all bugs, comments, and changes to sudo-bugs@cs.colorado.edu. + +=head1 DISCLAIMER + +This program is distributed in the hope that it will be useful, but +WITHOUT ANY WARRANTY; without even the implied warranty of +MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU +General Public License for more details. + +You should have received a copy of the GNU General Public License along +with this program; if not, write to the Free Software Foundation, Inc., +675 Mass Ave, Cambridge, MA 02139, USA. + +=head1 CAVEATS + +There is no easy way to prevent a user from gaining a root shell if +the editor used by visudo allows shell escapes. + +=head1 BUGS + +The I<-V> flag gives the version of the I package rather than +the individual I program. + +=head1 SEE ALSO + +sudo(8), vipw(8).