From: Todd C. Miller Date: Thu, 10 Jun 2004 20:54:25 +0000 (+0000) Subject: regen X-Git-Tag: SUDO_1_6_8~43 X-Git-Url: https://granicus.if.org/sourcecode?a=commitdiff_plain;h=5f7943db50bd1744e5979bdb0e53b55a00d77103;p=sudo regen --- diff --git a/sudo.cat b/sudo.cat index 8d06bd13b..79667a74a 100644 --- a/sudo.cat +++ b/sudo.cat @@ -21,11 +21,14 @@ DDEESSCCRRIIPPTTIIOONN superuser or another user, as specified in the _s_u_d_o_e_r_s file. The real and effective uid and gid are set to match those of the target user as specified in the passwd file - (the group vector is also initialized when the target user - is not root). By default, ssuuddoo requires that users - authenticate themselves with a password (NOTE: by default - this is the user's password, not the root password). Once - a user has been authenticated, a timestamp is updated and + and the group vector is initialized based on the group + file (unless the --PP option was specified). If the invok­ + ing user is root or if the target user is the same as the + invoking user, no password is required. Otherwise, ssuuddoo + requires that users authenticate themselves with a pass­ + word by default (NOTE: in the default configuration this + is the user's password, not the root password). Once a + user has been authenticated, a timestamp is updated and the user may then use sudo without a password for a short period of time (5 minutes unless overridden in _s_u_d_o_e_r_s). @@ -41,7 +44,7 @@ DDEESSCCRRIIPPTTIIOONN If a user who is not listed in the _s_u_d_o_e_r_s file tries to run a command via ssuuddoo, mail is sent to the proper author­ - ities, as defined at configure time or the _s_u_d_o_e_r_s file + ities, as defined at configure time or in the _s_u_d_o_e_r_s file (defaults to root). Note that the mail will not be sent if an unauthorized user tries to run sudo with the --ll or --vv flags. This allows users to determine for themselves 
@@ -56,12 +59,9 @@ DDEESSCCRRIIPPTTIIOONN however, that the sudoers lookup is still done for root, not the user specified by SUDO_USER. - ssuuddoo can log both successful and unsuccessful attempts (as - well as errors) to _s_y_s_l_o_g(3), a log file, or both. By - -1.6.8 May 17, 2004 1 +1.6.8 June 10, 2004 1 @@ -70,6 +70,8 @@ DDEESSCCRRIIPPTTIIOONN SUDO(1m) MAINTENANCE COMMANDS SUDO(1m) + ssuuddoo can log both successful and unsuccessful attempts (as + well as errors) to _s_y_s_l_o_g(3), a log file, or both. By default ssuuddoo will log via _s_y_s_l_o_g(3) but this is changeable at configure time or via the _s_u_d_o_e_r_s file. @@ -79,11 +81,12 @@ OOPPTTIIOONNSS -H The --HH (_H_O_M_E) option sets the HOME environment vari­ able to the homedir of the target user (root by default) as specified in passwd(4). By default, ssuuddoo - does not modify HOME. + does not modify HOME (see _s_e_t___h_o_m_e and _a_l_w_a_y_s___s_e_t___h_o_m_e + in sudoers(4)). - -K The --KK (sure _k_i_l_l) option to ssuuddoo removes the user's - timestamp entirely. Likewise, this option does not - require a password. + -K The --KK (sure _k_i_l_l) option is like --kk except that it + removes the user's timestamp entirely. Like --kk, this + option does not require a password. -L The --LL (_l_i_s_t defaults) option will list out the param­ eters that may be set in a _D_e_f_a_u_l_t_s line along with a 
@@ -91,14 +94,15 @@ OOPPTTIIOONNSS conjunction with _g_r_e_p(1). -P The --PP (_p_r_e_s_e_r_v_e _g_r_o_u_p _v_e_c_t_o_r) option causes ssuuddoo to - preserve the user's group vector unaltered. By - default, ssuuddoo will initialize the group vector to the - list of groups the target user is in. The real and - effective group IDs, however, are still set to match - the target user. + preserve the invoking user's group vector unaltered. + By default, ssuuddoo will initialize the group vector to + the list of groups the target user is in. The real + and effective group IDs, however, are still set to + match the target user. -S The --SS (_s_t_d_i_n) option causes ssuuddoo to read the password - from standard input instead of the terminal device. + from the standard input instead of the terminal + device. -V The --VV (_v_e_r_s_i_o_n) option causes ssuuddoo to print the ver­ sion number and exit. If the invoking user is already @@ -120,14 +124,10 @@ OOPPTTIIOONNSS --bb option you cannot use shell job control to manipu­ late the process. - -c The --cc (_c_l_a_s_s) option causes ssuuddoo to run the specified - command with resources limited by the specified login - class. The _c_l_a_s_s argument can be either a class name - as defined in /etc/login.conf, or a single '-' -1.6.8 May 17, 2004 2 +1.6.8 June 10, 2004 2 
@@ -136,8 +136,12 @@ OOPPTTIIOONNSS SUDO(1m) MAINTENANCE COMMANDS SUDO(1m) - character. Specifying a _c_l_a_s_s of - indicates that the - command should be run restricted by the default login + -c The --cc (_c_l_a_s_s) option causes ssuuddoo to run the specified + command with resources limited by the specified login + class. The _c_l_a_s_s argument can be either a class name + as defined in /etc/login.conf, or a single '-' charac­ + ter. Specifying a _c_l_a_s_s of - indicates that the com­ + mand should be run restricted by the default login capabilities for the user the command is run as. If the _c_l_a_s_s argument specifies an existing user class, the command must be run as root, or the ssuuddoo command @@ -153,7 +157,8 @@ SUDO(1m) MAINTENANCE COMMANDS SUDO(1m) authorized by _s_u_d_o_e_r_s the following steps are taken: 1. Temporary copies are made of the files to be - edited, owned by the invoking user. + edited with the owner set to the invoking + user. 2. The editor specified by the VISUAL or EDITOR environment variables is run to edit the tem­ @@ -185,15 +190,10 @@ SUDO(1m) MAINTENANCE COMMANDS SUDO(1m) It also initializes the environment, leaving _T_E_R_M unchanged, setting _H_O_M_E, _S_H_E_L_L, _U_S_E_R, _L_O_G_N_A_M_E, and _P_A_T_H, and unsetting all other environment variables. - Note that because the shell to use is determined - before the _s_u_d_o_e_r_s file is parsed, a _r_u_n_a_s___d_e_f_a_u_l_t - setting in _s_u_d_o_e_r_s will specify the user to run the - shell as but will not affect which shell is actually - run. -1.6.8 May 17, 2004 3 +1.6.8 June 10, 2004 3 
@@ -202,6 +202,12 @@ SUDO(1m) MAINTENANCE COMMANDS SUDO(1m) SUDO(1m) MAINTENANCE COMMANDS SUDO(1m) + Note that because the shell to use is determined + before the _s_u_d_o_e_r_s file is parsed, a _r_u_n_a_s___d_e_f_a_u_l_t + setting in _s_u_d_o_e_r_s will specify the user to run the + shell as but will not affect which shell is actually + run. + -k The --kk (_k_i_l_l) option to ssuuddoo invalidates the user's timestamp by setting the time on it to the epoch. The next time ssuuddoo is run a password will be required. @@ -250,16 +256,10 @@ SUDO(1m) MAINTENANCE COMMANDS SUDO(1m) command line arguments. It is most useful in conjunc­ tion with the --ss flag. -RREETTUURRNN VVAALLUUEESS - Upon successful execution of a program, the return value - from ssuuddoo will simply be the return value of the program - that was executed. - Otherwise, ssuuddoo quits with an exit value of 1 if there is - -1.6.8 May 17, 2004 4 +1.6.8 June 10, 2004 4 @@ -268,6 +268,12 @@ RREETTUURRNN VVAALLUUEESS SUDO(1m) MAINTENANCE COMMANDS SUDO(1m) +RREETTUURRNN VVAALLUUEESS + Upon successful execution of a program, the return value + from ssuuddoo will simply be the return value of the program + that was executed. + + Otherwise, ssuuddoo quits with an exit value of 1 if there is a configuration/permission problem or if ssuuddoo cannot exe­ cute the given command. In the latter case the error string is printed to stderr. If ssuuddoo cannot _s_t_a_t(2) one 
@@ -316,16 +322,10 @@ SSEECCUURRIITTYY NNOOTTEESS (_/_v_a_r_/_r_u_n_/_s_u_d_o by default) and ignore the directory's con­ tents if it is not owned by root and only writable by root. On systems that allow non-root users to give away - files via _c_h_o_w_n(2), if the timestamp directory is located - in a directory writable by anyone (e.g.: _/_t_m_p), it is pos­ - sible for a user to create the timestamp directory before - ssuuddoo is run. However, because ssuuddoo checks the ownership - and mode of the directory and its contents, the only dam­ - age that can be done is to "hide" files by putting them in -1.6.8 May 17, 2004 5 +1.6.8 June 10, 2004 5 @@ -334,6 +334,12 @@ SSEECCUURRIITTYY NNOOTTEESS SUDO(1m) MAINTENANCE COMMANDS SUDO(1m) + files via _c_h_o_w_n(2), if the timestamp directory is located + in a directory writable by anyone (e.g.: _/_t_m_p), it is pos­ + sible for a user to create the timestamp directory before + ssuuddoo is run. However, because ssuuddoo checks the ownership + and mode of the directory and its contents, the only dam­ + age that can be done is to "hide" files by putting them in the timestamp dir. This is unlikely to happen since once the timestamp dir is owned by root and inaccessible by any other user the user placing files there would be unable to 
@@ -366,39 +372,39 @@ EEXXAAMMPPLLEESS To get a file listing of an unreadable directory: - % sudo ls /usr/local/protected + $ sudo ls /usr/local/protected To list the home directory of user yazza on a machine where the file system holding ~yazza is not exported as root: - % sudo -u yazza ls ~yazza + $ sudo -u yazza ls ~yazza To edit the _i_n_d_e_x_._h_t_m_l file as user www: - % sudo -u www vi ~www/htdocs/index.html + $ sudo -u www vi ~www/htdocs/index.html To shutdown a machine: - % sudo shutdown -r +15 "quick reboot" + $ sudo shutdown -r +15 "quick reboot" - To make a usage listing of the directories in the /home - partition. Note that this runs the commands in a sub- - shell to make the cd and file redirection work. - % sudo sh -c "cd /home ; du -s * | sort -rn > USAGE" +1.6.8 June 10, 2004 6 -1.6.8 May 17, 2004 6 +SUDO(1m) MAINTENANCE COMMANDS SUDO(1m) -SUDO(1m) MAINTENANCE COMMANDS SUDO(1m) + To make a usage listing of the directories in the /home + partition. Note that this runs the commands in a sub- + shell to make the cd and file redirection work. + $ sudo sh -c "cd /home ; du -s * | sort -rn > USAGE" EENNVVIIRROONNMMEENNTT ssuuddoo utilizes the following environment variables: @@ -448,16 +454,10 @@ AAUUTTHHOORRSS BBUUGGSS If you feel you have found a bug in sudo, please submit a - bug report at http://www.sudo.ws/sudo/bugs/ - -DDIISSCCLLAAIIMMEERR - SSuuddoo is provided ``AS IS'' and any express or implied war­ - ranties, including, but not limited to, the implied war­ - ranties of merchantability and fitness for a particular -1.6.8 May 17, 2004 7 +1.6.8 June 10, 2004 7 
@@ -466,6 +466,12 @@ DDIISSCCLLAAIIMMEERR SUDO(1m) MAINTENANCE COMMANDS SUDO(1m) + bug report at http://www.sudo.ws/sudo/bugs/ + +DDIISSCCLLAAIIMMEERR + SSuuddoo is provided ``AS IS'' and any express or implied war­ + ranties, including, but not limited to, the implied war­ + ranties of merchantability and fitness for a particular purpose are disclaimed. See the LICENSE file distributed with ssuuddoo for complete details. @@ -478,9 +484,18 @@ CCAAVVEEAATTSS prevent shell escapes with ssuuddoo's _n_o_e_x_e_c functionality. See the sudoers(4) manual for details. + It is not meaningful to run the cd command directly via + sudo, e.g. + + $ sudo cd /usr/local/protected + + since when whe command exits the parent process (your + shell) will still be the same. Please see the EXAMPLES + section for more information. + If users have sudo ALL there is nothing to prevent them from creating their own program that gives them a root - shell regardless of any '!' elements in the user specifi­ + shell regardless of any '!' elements in the user specifi­ cation. Running shell scripts via ssuuddoo can expose the same kernel @@ -508,21 +523,6 @@ SSEEEE AALLSSOO - - - - - - - - - - - - - - - -1.6.8 May 17, 2004 8 +1.6.8 June 10, 2004 8 diff --git a/sudo.man.in b/sudo.man.in index 2cb2844e5..f5bb8b347 100644 --- a/sudo.man.in +++ b/sudo.man.in @@ -149,7 +149,7 @@ .\" ======================================================================== .\" .IX Title "SUDO @mansectsu@" -.TH SUDO @mansectsu@ "May 17, 2004" "1.6.8" "MAINTENANCE COMMANDS" +.TH SUDO @mansectsu@ "June 10, 2004" "1.6.8" "MAINTENANCE COMMANDS" .SH "NAME" sudo, sudoedit \- execute a command as another user .SH "SYNOPSIS" 
@@ -168,13 +168,16 @@ file [...] \&\fBsudo\fR allows a permitted user to execute a \fIcommand\fR as the superuser or another user, as specified in the \fIsudoers\fR file. The real and effective uid and gid are set to match those of the -target user as specified in the passwd file (the group vector is -also initialized when the target user is not root). By default, +target user as specified in the passwd file and the group vector +is initialized based on the group file (unless the \fB\-P\fR option was +specified). If the invoking user is root or if the target user is +the same as the invoking user, no password is required. Otherwise, \&\fBsudo\fR requires that users authenticate themselves with a password -(\s-1NOTE:\s0 by default this is the user's password, not the root password). -Once a user has been authenticated, a timestamp is updated and the -user may then use sudo without a password for a short period of -time (\f(CW\*(C`@timeout@\*(C'\fR minutes unless overridden in \fIsudoers\fR). +by default (\s-1NOTE:\s0 in the default configuration this is the user's +password, not the root password). Once a user has been authenticated, +a timestamp is updated and the user may then use sudo without a +password for a short period of time (\f(CW\*(C`@timeout@\*(C'\fR minutes unless +overridden in \fIsudoers\fR). .PP When invoked as \fBsudoedit\fR, the \fB\-e\fR option (described below), is implied. 
@@ -188,11 +191,11 @@ entered within \f(CW\*(C`@password_timeout@\*(C'\fR minutes (unless overridden v .PP If a user who is not listed in the \fIsudoers\fR file tries to run a command via \fBsudo\fR, mail is sent to the proper authorities, as -defined at configure time or the \fIsudoers\fR file (defaults to root). -Note that the mail will not be sent if an unauthorized user tries -to run sudo with the \fB\-l\fR or \fB\-v\fR flags. This allows users to -determine for themselves whether or not they are allowed to use -\&\fBsudo\fR. +defined at configure time or in the \fIsudoers\fR file (defaults to +\&\f(CW\*(C`@mailto@\*(C'\fR). Note that the mail will not be sent if an unauthorized +user tries to run sudo with the \fB\-l\fR or \fB\-v\fR flags. This allows +users to determine for themselves whether or not they are allowed +to use \fBsudo\fR. .PP If \fBsudo\fR is run by root and the \f(CW\*(C`SUDO_USER\*(C'\fR environment variable is set, \fBsudo\fR will use this value to determine who the actual @@ -213,11 +216,13 @@ or via the \fIsudoers\fR file. .IX Item "-H" The \fB\-H\fR (\fI\s-1HOME\s0\fR) option sets the \f(CW\*(C`HOME\*(C'\fR environment variable to the homedir of the target user (root by default) as specified -in passwd(@mansectform@). By default, \fBsudo\fR does not modify \f(CW\*(C`HOME\*(C'\fR. +in passwd(@mansectform@). By default, \fBsudo\fR does not modify \f(CW\*(C`HOME\*(C'\fR +(see \fIset_home\fR and \fIalways_set_home\fR in sudoers(@mansectform@)). .IP "\-K" 4 .IX Item "-K" -The \fB\-K\fR (sure \fIkill\fR) option to \fBsudo\fR removes the user's timestamp -entirely. Likewise, this option does not require a password. +The \fB\-K\fR (sure \fIkill\fR) option is like \fB\-k\fR except that it removes +the user's timestamp entirely. Like \fB\-k\fR, this option does not +require a password. .IP "\-L" 4 .IX Item "-L" The \fB\-L\fR (\fIlist\fR defaults) option will list out the parameters 
@@ -225,21 +230,21 @@ that may be set in a \fIDefaults\fR line along with a short description for each. This option is useful in conjunction with \fIgrep\fR\|(1). .IP "\-P" 4 .IX Item "-P" -The \fB\-P\fR (\fIpreserve group vector\fR) option causes \fBsudo\fR to preserve -the user's group vector unaltered. By default, \fBsudo\fR will initialize -the group vector to the list of groups the target user is in. -The real and effective group IDs, however, are still set to match -the target user. +The \fB\-P\fR (\fIpreserve group vector\fR) option causes \fBsudo\fR to +preserve the invoking user's group vector unaltered. By default, +\&\fBsudo\fR will initialize the group vector to the list of groups the +target user is in. The real and effective group IDs, however, are +still set to match the target user. .IP "\-S" 4 .IX Item "-S" The \fB\-S\fR (\fIstdin\fR) option causes \fBsudo\fR to read the password from -standard input instead of the terminal device. +the standard input instead of the terminal device. .IP "\-V" 4 .IX Item "-V" -The \fB\-V\fR (\fIversion\fR) option causes \fBsudo\fR to print the -version number and exit. If the invoking user is already root -the \fB\-V\fR option will print out a list of the defaults \fBsudo\fR -was compiled with as well as the machine's local network addresses. +The \fB\-V\fR (\fIversion\fR) option causes \fBsudo\fR to print the version +number and exit. If the invoking user is already root the \fB\-V\fR +option will print out a list of the defaults \fBsudo\fR was compiled +with as well as the machine's local network addresses. .IP "\-a" 4 .IX Item "-a" The \fB\-a\fR (\fIauthentication type\fR) option causes \fBsudo\fR to use the 
@@ -275,8 +280,8 @@ the \fIsudoers\fR file. If the user is authorized by \fIsudoers\fR the following steps are taken: .RS 4 .IP "1." 8 -Temporary copies are made of the files to be edited, owned by the -invoking user. +Temporary copies are made of the files to be edited with the owner +set to the invoking user. .IP "2." 8 The editor specified by the \f(CW\*(C`VISUAL\*(C'\fR or \f(CW\*(C`EDITOR\*(C'\fR environment variables is run to edit the temporary files. If neither \f(CW\*(C`VISUAL\*(C'\fR @@ -460,26 +465,26 @@ Note: the following examples assume suitable sudoers(@mansectform@) entries. To get a file listing of an unreadable directory: .PP .Vb 1 -\& % sudo ls /usr/local/protected +\& $ sudo ls /usr/local/protected .Ve .PP To list the home directory of user yazza on a machine where the file system holding ~yazza is not exported as root: .PP .Vb 1 -\& % sudo -u yazza ls ~yazza +\& $ sudo -u yazza ls ~yazza .Ve .PP To edit the \fIindex.html\fR file as user www: .PP .Vb 1 -\& % sudo -u www vi ~www/htdocs/index.html +\& $ sudo -u www vi ~www/htdocs/index.html .Ve .PP To shutdown a machine: .PP .Vb 1 -\& % sudo shutdown -r +15 "quick reboot" +\& $ sudo shutdown -r +15 "quick reboot" .Ve .PP To make a usage listing of the directories in the /home @@ -487,7 +492,7 @@ partition. Note that this runs the commands in a sub-shell to make the \f(CW\*(C`cd\*(C'\fR and file redirection work. .PP .Vb 1 -\& % sudo sh -c "cd /home ; du -s * | sort -rn > USAGE" +\& $ sudo sh -c "cd /home ; du -s * | sort -rn > USAGE" .Ve .SH "ENVIRONMENT" .IX Header "ENVIRONMENT" 
@@ -580,11 +585,21 @@ if that user is allowed to run arbitrary commands via \fBsudo\fR. Also, many programs (such as editors) allow the user to run commands via shell escapes, thus avoiding \fBsudo\fR's checks. However, on most systems it is possible to prevent shell escapes with \fBsudo\fR's -\&\fInoexec\fR functionality. See the sudoers(@mansectform@) manual for details. +\&\fInoexec\fR functionality. See the sudoers(@mansectform@) manual +for details. .PP -If users have sudo \f(CW\*(C`ALL\*(C'\fR there is nothing to prevent them from creating -their own program that gives them a root shell regardless of any '!' -elements in the user specification. +It is not meaningful to run the \f(CW\*(C`cd\*(C'\fR command directly via sudo, e.g. +.PP +.Vb 1 +\& $ sudo cd /usr/local/protected +.Ve +.PP +since when whe command exits the parent process (your shell) will +still be the same. Please see the \s-1EXAMPLES\s0 section for more information. +.PP +If users have sudo \f(CW\*(C`ALL\*(C'\fR there is nothing to prevent them from +creating their own program that gives them a root shell regardless +of any '!' elements in the user specification. .PP Running shell scripts via \fBsudo\fR can expose the same kernel bugs that make setuid shell scripts unsafe on some operating systems
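Review bot: in the sudo.man.in hunk at @@ -168,13 +168,16 @@ (and the matching DESCRIPTION hunk in sudo.cat), the rewritten group-vector sentence drops the old qualifier "when the target user is not root" and now says the vector is initialized from the group file unless -P is given. Please confirm this matches what the code does when the target user is root, because the supplementary groups are part of the credentials the command runs with. A style point in the same paragraph: "authenticate themselves with a password by default (NOTE: in the default configuration ..." repeats the idea of a default twice in a row, and one of the two could go.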
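Review bot: in the -P paragraph of the sudo.man.in hunk at @@ -225,21 +230,21 @@, saying "the invoking user's group vector" removes the ambiguity, but the consequence is still left for the reader to work out. With -P the command runs with the target user's real and effective group IDs together with the invoking user's supplementary groups. One sentence stating that mix outright would help anyone reasoning about which group permissions the command ends up with.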
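Review bot: typo in the added cd caveat, "since when whe command exits" should read "since when the command exits". It appears in both the sudo.man.in hunk at @@ -580,11 +585,21 @@ and the sudo.cat hunk at @@ -478,9 +484,18 @@. As the subject is "regen", the fix belongs in the source these two files are generated from, followed by another regen. The closing clause "the parent process (your shell) will still be the same" is also vague about what stays the same. Consider saying that the shell's working directory is unchanged, since that is the reason the EXAMPLES section wraps cd in sh -c.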