From: Todd C. Miller Date: Tue, 8 Jun 2010 15:25:33 +0000 (-0400) Subject: Add use_pty sudoers option to force use of a pty even when not logging I/O. X-Git-Tag: SUDO_1_8_0~519 X-Git-Url: https://granicus.if.org/sourcecode?a=commitdiff_plain;h=6f05b565c3937e873715dd9e424f602e14bf1984;p=sudo Add use_pty sudoers option to force use of a pty even when not logging I/O. --- diff --git a/WHATSNEW b/WHATSNEW index 1797d308c..ff3d0b610 100644 --- a/WHATSNEW +++ b/WHATSNEW @@ -13,6 +13,9 @@ What's new in Sudo 1.7.3? and "log_output" Defaults options in the sudoers manual. Also see the sudoreplay manual for how to replay I/O log sessions. + * The use_pty sudoers option can be used to force a command to be + run in a pseudo-pty, even when I/O logging is not enabled. + * The passwd_timeout and timestamp_timeout options may now be specified as floating point numbers for more granular timeout values. diff --git a/doc/sudoers.cat b/doc/sudoers.cat index c90c0018d..c17aeb05e 100644 --- a/doc/sudoers.cat +++ b/doc/sudoers.cat @@ -61,7 +61,7 @@ DDEESSCCRRIIPPTTIIOONN -1.8.0a2 May 30, 2010 1 +1.8.0a2 June 8, 2010 1 @@ -127,7 +127,7 @@ SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4) -1.8.0a2 May 30, 2010 2 +1.8.0a2 June 8, 2010 2 @@ -193,7 +193,7 @@ SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4) -1.8.0a2 May 30, 2010 3 +1.8.0a2 June 8, 2010 3 @@ -259,7 +259,7 @@ SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4) -1.8.0a2 May 30, 2010 4 +1.8.0a2 June 8, 2010 4 @@ -325,7 +325,7 @@ SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4) -1.8.0a2 May 30, 2010 5 +1.8.0a2 June 8, 2010 5 @@ -391,7 +391,7 @@ SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4) -1.8.0a2 May 30, 2010 6 +1.8.0a2 June 8, 2010 6 @@ -457,7 +457,7 @@ SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4) -1.8.0a2 May 30, 2010 7 +1.8.0a2 June 8, 2010 7 @@ -523,7 +523,7 @@ SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4) -1.8.0a2 May 30, 2010 8 +1.8.0a2 June 8, 2010 8 
@@ -576,7 +576,7 @@ SSUUDDOOEERRSS OOPPTTIIOONNSS earlier. A list of all supported Defaults parameters, grouped by type, are listed below. - FFllaaggss: + BBoooolleeaann FFllaaggss: always_set_home If set, ssuuddoo will set the HOME environment variable to the home directory of the target user (which is root @@ -589,7 +589,7 @@ SSUUDDOOEERRSS OOPPTTIIOONNSS -1.8.0a2 May 30, 2010 9 +1.8.0a2 June 8, 2010 9 @@ -655,7 +655,7 @@ SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4) -1.8.0a2 May 30, 2010 10 +1.8.0a2 June 8, 2010 10 @@ -721,7 +721,7 @@ SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4) -1.8.0a2 May 30, 2010 11 +1.8.0a2 June 8, 2010 11 @@ -787,7 +787,7 @@ SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4) -1.8.0a2 May 30, 2010 12 +1.8.0a2 June 8, 2010 12 @@ -853,7 +853,7 @@ SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4) -1.8.0a2 May 30, 2010 13 +1.8.0a2 June 8, 2010 13 @@ -919,7 +919,7 @@ SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4) -1.8.0a2 May 30, 2010 14 +1.8.0a2 June 8, 2010 14 @@ -941,6 +941,13 @@ SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4) available if ssuuddoo is configured with the --with-logincap option. This flag is _o_f_f by default. + use_pty If set, ssuuddoo will run the command in a pseudo-pty even + if no I/O logging is being gone. A malicious program + run under ssuuddoo could conceivably fork a background + process that retains to the user's terminal device + after the main program has finished executing. Use of + this option will make that impossible. + visiblepw By default, ssuuddoo will refuse to run if the user must enter a password but it is not possible to disable echo on the terminal. If the _v_i_s_i_b_l_e_p_w flag is set, ssuuddoo 
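Review bot: the use_pty description in this sudoers.cat hunk has two wording errors that change its meaning: "even if no I/O logging is being gone" should read "is being done", and "fork a background process that retains to the user's terminal device" is missing a word, presumably "retains access to the user's terminal device". The identical sentences appear again in the sudoers.man.in and sudoers.pod hunks below, so the fix belongs in sudoers.pod, from which the man page and the cat file are regenerated.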
@@ -976,16 +983,9 @@ SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4) The default is 5; set this to 0 for no password timeout. - timestamp_timeout - Number of minutes that can elapse before ssuuddoo will ask - for a passwd again. The timeout may include a - fractional component if minute granularity is - insufficient, for example 2.5. The default is 5. Set - this to 0 to always prompt for a password. If set to a - -1.8.0a2 May 30, 2010 15 +1.8.0a2 June 8, 2010 15 @@ -994,6 +994,12 @@ SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4) SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4) + timestamp_timeout + Number of minutes that can elapse before ssuuddoo will ask + for a passwd again. The timeout may include a + fractional component if minute granularity is + insufficient, for example 2.5. The default is 5. Set + this to 0 to always prompt for a password. If set to a value less than 0 the user's timestamp will never expire. This can be used to allow users to create or delete their own timestamps via sudo -v and sudo -k @@ -1042,23 +1048,23 @@ SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4) qualified or the _f_q_d_n option is set) %h expanded to the local host name without the domain - name - %p expanded to the user whose password is being asked - for (respects the _r_o_o_t_p_w, _t_a_r_g_e_t_p_w and _r_u_n_a_s_p_w - flags in _s_u_d_o_e_r_s) +1.8.0a2 June 8, 2010 16 -1.8.0a2 May 30, 2010 16 +SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4) -SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4) + name + %p expanded to the user whose password is being asked + for (respects the _r_o_o_t_p_w, _t_a_r_g_e_t_p_w and _r_u_n_a_s_p_w + flags in _s_u_d_o_e_r_s) %U expanded to the login name of the user the command will be run as (defaults to root) 
@@ -1108,16 +1114,10 @@ SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4) the program being run. Entries in this file should either be of the form VARIABLE=value or export VARIABLE=value. The value may optionally be surrounded by single or double - quotes. Variables in this file are subject to other ssuuddoo - environment settings such as _e_n_v___k_e_e_p and _e_n_v___c_h_e_c_k. - - exempt_group - Users in this group are exempt from password and PATH - requirements. This is not set by default. -1.8.0a2 May 30, 2010 17 +1.8.0a2 June 8, 2010 17 @@ -1126,6 +1126,13 @@ SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4) SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4) + quotes. Variables in this file are subject to other ssuuddoo + environment settings such as _e_n_v___k_e_e_p and _e_n_v___c_h_e_c_k. + + exempt_group + Users in this group are exempt from password and PATH + requirements. This is not set by default. + lecture This option controls when a short lecture will be printed along with the password prompt. It has the following possible values: @@ -1173,17 +1180,10 @@ SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4) mailerflags Flags to use when invoking mailer. Defaults to --tt. - mailerpath Path to mail program used to send warning mail. Defaults - to the path to sendmail found at configure time. - - mailfrom Address to use for the "from" address when sending warning - and error mail. The address should be enclosed in double - quotes (") to protect against ssuuddoo interpreting the @ sign. - Defaults to the name of the user running ssuuddoo. -1.8.0a2 May 30, 2010 18 +1.8.0a2 June 8, 2010 18 
@@ -1192,6 +1192,14 @@ SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4) SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4) + mailerpath Path to mail program used to send warning mail. Defaults + to the path to sendmail found at configure time. + + mailfrom Address to use for the "from" address when sending warning + and error mail. The address should be enclosed in double + quotes (") to protect against ssuuddoo interpreting the @ sign. + Defaults to the name of the user running ssuuddoo. + mailto Address to send warning and error mail to. The address should be enclosed in double quotes (") to protect against ssuuddoo interpreting the @ sign. Defaults to root. @@ -1238,18 +1246,10 @@ SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4) programs. The argument may be a double-quoted, space- separated list or a single value without double-quotes. The list can be replaced, added to, deleted from, or - disabled by using the =, +=, -=, and ! operators - respectively. Regardless of whether the env_reset - option is enabled or disabled, variables specified by - env_check will be preserved in the environment if they - pass the aforementioned check. The default list of - environment variables to check is displayed when ssuuddoo - is run by root with the _-_V option. - -1.8.0a2 May 30, 2010 19 +1.8.0a2 June 8, 2010 19 @@ -1258,6 +1258,14 @@ SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4) SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4) + disabled by using the =, +=, -=, and ! operators + respectively. Regardless of whether the env_reset + option is enabled or disabled, variables specified by + env_check will be preserved in the environment if they + pass the aforementioned check. The default list of + environment variables to check is displayed when ssuuddoo + is run by root with the _-_V option. + env_delete Environment variables to be removed from the user's environment when the _e_n_v___r_e_s_e_t option is not in effect. The argument may be a double-quoted, space-separated 
@@ -1301,21 +1309,13 @@ EEXXAAMMPPLLEESS Below are example _s_u_d_o_e_r_s entries. Admittedly, some of these are a bit contrived. First, we define our _a_l_i_a_s_e_s: - # User alias specification - User_Alias FULLTIMERS = millert, mikef, dowdy - User_Alias PARTTIMERS = bostley, jwfox, crawl - User_Alias WEBMASTERS = will, wendy, wim - # Runas alias specification - Runas_Alias OP = root, operator - Runas_Alias DB = oracle, sybase - Runas_Alias ADMINGRP = adm, oper - # Host alias specification -1.8.0a2 May 30, 2010 20 + +1.8.0a2 June 8, 2010 20 @@ -1324,6 +1324,17 @@ EEXXAAMMPPLLEESS SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4) + # User alias specification + User_Alias FULLTIMERS = millert, mikef, dowdy + User_Alias PARTTIMERS = bostley, jwfox, crawl + User_Alias WEBMASTERS = will, wendy, wim + + # Runas alias specification + Runas_Alias OP = root, operator + Runas_Alias DB = oracle, sybase + Runas_Alias ADMINGRP = adm, oper + + # Host alias specification Host_Alias SPARC = bigtime, eclipse, moet, anchor :\ SGI = grolsch, dandelion, black :\ ALPHA = widget, thalamus, foobar :\ 
@@ -1367,29 +1378,29 @@ SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4) Defaults!PAGERS noexec The _U_s_e_r _s_p_e_c_i_f_i_c_a_t_i_o_n is the part that actually determines who may run - what. - root ALL = (ALL) ALL - %wheel ALL = (ALL) ALL - We let rroooott and any user in group wwhheeeell run any command on any host as - any user. - FULLTIMERS ALL = NOPASSWD: ALL +1.8.0a2 June 8, 2010 21 - Full time sysadmins (mmiilllleerrtt, mmiikkeeff, and ddoowwddyy) may run any command on -1.8.0a2 May 30, 2010 21 +SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4) + what. + root ALL = (ALL) ALL + %wheel ALL = (ALL) ALL -SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4) + We let rroooott and any user in group wwhheeeell run any command on any host as + any user. + FULLTIMERS ALL = NOPASSWD: ALL + Full time sysadmins (mmiilllleerrtt, mmiikkeeff, and ddoowwddyy) may run any command on any host without authenticating themselves. PARTTIMERS ALL = ALL 
@@ -1434,27 +1445,26 @@ SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4) the _H_P_P_A machines. Note that this assumes _p_a_s_s_w_d(1) does not take multiple user names on the command line. - bob SPARC = (OP) ALL : SGI = (OP) ALL - The user bboobb may run anything on the _S_P_A_R_C and _S_G_I machines as any user - listed in the _O_P Runas_Alias (rroooott and ooppeerraattoorr). - jim +biglab = ALL - - The user jjiimm may run any command on machines in the _b_i_g_l_a_b netgroup. - ssuuddoo knows that "biglab" is a netgroup due to the '+' prefix. +1.8.0a2 June 8, 2010 22 -1.8.0a2 May 30, 2010 22 +SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4) + bob SPARC = (OP) ALL : SGI = (OP) ALL + The user bboobb may run anything on the _S_P_A_R_C and _S_G_I machines as any user + listed in the _O_P Runas_Alias (rroooott and ooppeerraattoorr). -SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4) + jim +biglab = ALL + The user jjiimm may run any command on machines in the _b_i_g_l_a_b netgroup. + ssuuddoo knows that "biglab" is a netgroup due to the '+' prefix. +secretaries ALL = PRINTING, /usr/bin/adduser, /usr/bin/rmuser @@ -1499,21 +1509,11 @@ SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4) and wim), may run any command as user www (which owns the web pages) or simply _s_u(1) to www. - ALL CDROM = NOPASSWD: /sbin/umount /CDROM,\ - /sbin/mount -o nosuid\,nodev /dev/cd0a /CDROM - Any user may mount or unmount a CD-ROM on the machines in the CDROM - Host_Alias (orion, perseus, hercules) without entering a password. - This is a bit tedious for users to type, so it is a prime candidate for - encapsulating in a shell script. - -SSEECCUURRIITTYY NNOOTTEESS - It is generally not effective to "subtract" commands from ALL using the - '!' operator. A user can trivially circumvent this by copying the -1.8.0a2 May 30, 2010 23 +1.8.0a2 June 8, 2010 23 
@@ -1522,6 +1522,17 @@ SSEECCUURRIITTYY NNOOTTEESS SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4) + ALL CDROM = NOPASSWD: /sbin/umount /CDROM,\ + /sbin/mount -o nosuid\,nodev /dev/cd0a /CDROM + + Any user may mount or unmount a CD-ROM on the machines in the CDROM + Host_Alias (orion, perseus, hercules) without entering a password. + This is a bit tedious for users to type, so it is a prime candidate for + encapsulating in a shell script. + +SSEECCUURRIITTYY NNOOTTEESS + It is generally not effective to "subtract" commands from ALL using the + '!' operator. A user can trivially circumvent this by copying the desired command to a different name and then executing that. For example: @@ -1565,21 +1576,10 @@ PPRREEVVEENNTTIINNGG SSHHEELLLL EESSCCAAPPEESS number of programs that offer shell escapes, restricting users to the set of programs that do not if often unworkable. - noexec Many systems that support shared libraries have the ability - to override default library functions by pointing an - environment variable (usually LD_PRELOAD) to an alternate - shared library. On such systems, ssuuddoo's _n_o_e_x_e_c functionality - can be used to prevent a program run by ssuuddoo from executing - any other programs. Note, however, that this applies only to - native dynamically-linked executables. Statically-linked - executables and foreign executables running under binary - emulation are not affected. - - To tell whether or not ssuuddoo supports _n_o_e_x_e_c, you can run the -1.8.0a2 May 30, 2010 24 +1.8.0a2 June 8, 2010 24 
@@ -1588,6 +1588,17 @@ PPRREEVVEENNTTIINNGG SSHHEELLLL EESSCCAAPPEESS SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4) + noexec Many systems that support shared libraries have the ability + to override default library functions by pointing an + environment variable (usually LD_PRELOAD) to an alternate + shared library. On such systems, ssuuddoo's _n_o_e_x_e_c functionality + can be used to prevent a program run by ssuuddoo from executing + any other programs. Note, however, that this applies only to + native dynamically-linked executables. Statically-linked + executables and foreign executables running under binary + emulation are not affected. + + To tell whether or not ssuuddoo supports _n_o_e_x_e_c, you can run the following as root: sudo -V | grep "dummy exec" 
@@ -1631,29 +1642,29 @@ SSEEEE AALLSSOO CCAAVVEEAATTSS The _s_u_d_o_e_r_s file should aallwwaayyss be edited by the vviissuuddoo command which - locks the file and does grammatical checking. It is imperative that - _s_u_d_o_e_r_s be free of syntax errors since ssuuddoo will not run with a - syntactically incorrect _s_u_d_o_e_r_s file. - When using netgroups of machines (as opposed to users), if you store - fully qualified host name in the netgroup (as is usually the case), you - either need to have the machine's host name be fully qualified as - returned by the hostname command or use the _f_q_d_n option in _s_u_d_o_e_r_s. -BBUUGGSS - If you feel you have found a bug in ssuuddoo, please submit a bug report at +1.8.0a2 June 8, 2010 25 -1.8.0a2 May 30, 2010 25 +SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4) -SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4) + locks the file and does grammatical checking. It is imperative that + _s_u_d_o_e_r_s be free of syntax errors since ssuuddoo will not run with a + syntactically incorrect _s_u_d_o_e_r_s file. + When using netgroups of machines (as opposed to users), if you store + fully qualified host name in the netgroup (as is usually the case), you + either need to have the machine's host name be fully qualified as + returned by the hostname command or use the _f_q_d_n option in _s_u_d_o_e_r_s. +BBUUGGSS + If you feel you have found a bug in ssuuddoo, please submit a bug report at http://www.sudo.ws/sudo/bugs/ SSUUPPPPOORRTT @@ -1700,17 +1711,6 @@ DDIISSCCLLAAIIMMEERR - - - - - - - - - - - -1.8.0a2 May 30, 2010 26 +1.8.0a2 June 8, 2010 26 diff --git a/doc/sudoers.man.in b/doc/sudoers.man.in index 1a1cbce70..d95a223ee 100644 --- a/doc/sudoers.man.in +++ b/doc/sudoers.man.in 
@@ -148,7 +148,7 @@ .\" ======================================================================== .\" .IX Title "SUDOERS @mansectform@" -.TH SUDOERS @mansectform@ "May 30, 2010" "1.8.0a2" "MAINTENANCE COMMANDS" +.TH SUDOERS @mansectform@ "June 8, 2010" "1.8.0a2" "MAINTENANCE COMMANDS" .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l @@ -728,7 +728,7 @@ used as part of a word (e.g.\ a user name or host name): explained earlier. A list of all supported Defaults parameters, grouped by type, are listed below. .PP -\&\fBFlags\fR: +\&\fBBoolean Flags\fR: .IP "always_set_home" 16 .IX Item "always_set_home" If set, \fBsudo\fR will set the \f(CW\*(C`HOME\*(C'\fR environment variable to the home @@ -1020,6 +1020,13 @@ If set, \fBsudo\fR will apply the defaults specified for the target user's login class if one exists. Only available if \fBsudo\fR is configured with the \-\-with\-logincap option. This flag is \fIoff\fR by default. \} +.IP "use_pty" 16 +.IX Item "use_pty" +If set, \fBsudo\fR will run the command in a pseudo-pty even if no I/O +logging is being gone. A malicious program run under \fBsudo\fR could +conceivably fork a background process that retains to the user's +terminal device after the main program has finished executing. Use +of this option will make that impossible. .IP "visiblepw" 16 .IX Item "visiblepw" By default, \fBsudo\fR will refuse to run if the user must enter a diff --git a/doc/sudoers.pod b/doc/sudoers.pod index aadca50dd..ade7191d4 100644 --- a/doc/sudoers.pod +++ b/doc/sudoers.pod @@ -583,7 +583,7 @@ B's behavior can be modified by C lines, as explained earlier. A list of all supported Defaults parameters, grouped by type, are listed below. -B: +B: =over 16 
@@ -915,6 +915,14 @@ If set, B will apply the defaults specified for the target user's login class if one exists. Only available if B is configured with the --with-logincap option. This flag is I by default. +=item use_pty + +If set, B will run the command in a pseudo-pty even if no I/O +logging is being gone. A malicious program run under B could +conceivably fork a background process that retains to the user's +terminal device after the main program has finished executing. Use +of this option will make that impossible. + =item visiblepw By default, B will refuse to run if the user must enter a diff --git a/plugins/sudoers/def_data.c b/plugins/sudoers/def_data.c index fe4678986..fbdc0c791 100644 --- a/plugins/sudoers/def_data.c +++ b/plugins/sudoers/def_data.c @@ -326,6 +326,10 @@ struct sudo_defs_types sudo_defs_table[] = { "compress_io", T_FLAG, "Compress I/O logs using zlib", NULL, + }, { + "use_pty", T_FLAG, + "Always run commands in a pseudo-tty", + NULL, }, { NULL, 0, NULL } diff --git a/plugins/sudoers/def_data.h b/plugins/sudoers/def_data.h index 96652af2c..e868d3226 100644 --- a/plugins/sudoers/def_data.h +++ b/plugins/sudoers/def_data.h @@ -150,6 +150,8 @@ #define I_LOG_OUTPUT 74 #define def_compress_io (sudo_defs_table[75].sd_un.flag) #define I_COMPRESS_IO 75 +#define def_use_pty (sudo_defs_table[76].sd_un.flag) +#define I_USE_PTY 76 enum def_tupple { never, diff --git a/plugins/sudoers/def_data.in b/plugins/sudoers/def_data.in index 56418397d..d903cfaee 100644 --- a/plugins/sudoers/def_data.in +++ b/plugins/sudoers/def_data.in @@ -241,3 +241,6 @@ log_output compress_io T_FLAG "Compress I/O logs using zlib" +use_pty + T_FLAG + "Always run commands in a pseudo-tty" diff --git a/plugins/sudoers/iolog.c b/plugins/sudoers/iolog.c index 4f3897f4c..90199f8db 100644 --- a/plugins/sudoers/iolog.c +++ b/plugins/sudoers/iolog.c 
@@ -225,7 +225,7 @@ sudoers_io_open(unsigned int version, sudo_conv_t conversation, if (argc == 0) return TRUE; - if (!def_log_input && !def_log_output) + if (!def_log_input && !def_log_output && !def_use_pty) return FALSE; /*
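Review bot: the WHATSNEW entry for use_pty is inserted under the "What's new in Sudo 1.7.3?" heading, while every manual-page hunk in this same commit stamps the version as 1.8.0a2 (and the tag is SUDO_1_8_0~519). If the option is only going into the 1.8 branch, the entry should sit in a 1.8.0 section rather than under 1.7.3; if it is being backported to 1.7.3, say so in the commit message.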
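Review bot: the help string added in def_data.in and def_data.c says "Always run commands in a pseudo-tty", while the manual text and the WHATSNEW entry in this commit say "pseudo-pty"; pick one term and use it everywhere. "pseudo-tty" (or simply "pty") is the usual one, and "pseudo-pty" is redundant since the p in pty already stands for pseudo.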
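Review bot: with the widened guard in sudoers_io_open, setting use_pty on its own no longer returns FALSE but falls through into whatever follows the early return, which is the same path that log_input and log_output take. Make sure everything after this point that creates the I/O log directory and files, and any logging callbacks the plugin hands back to the front end, stays conditional on def_log_input / def_log_output; otherwise enabling use_pty by itself will silently start recording sessions. If the only purpose of opening the plugin here is to get a pty allocated, returning TRUE before the log setup when neither log flag is set (or a separate "pty only" branch) would make that intent explicit and easier to audit.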