From: Todd C. Miller Date: Thu, 3 Jun 2010 12:35:02 +0000 (-0400) Subject: Document new tty_ticket behavior X-Git-Tag: SUDO_1_7_3~130 X-Git-Url: https://granicus.if.org/sourcecode?a=commitdiff_plain;h=770d70ae2cd82689001915de2d5649e0009619f4;p=sudo Document new tty_ticket behavior --HG-- branch : 1.7 --- diff --git a/sudo.cat b/sudo.cat index 1b33f2ce2..0134625af 100644 --- a/sudo.cat +++ b/sudo.cat @@ -61,7 +61,7 @@ DDEESSCCRRIIPPTTIIOONN -1.7.3b2 December 19, 2009 1 +1.7.3b2 June 3, 2010 1 @@ -127,7 +127,7 @@ OOPPTTIIOONNSS -1.7.3b2 December 19, 2009 2 +1.7.3b2 June 3, 2010 2 @@ -193,7 +193,7 @@ SUDO(1m) MAINTENANCE COMMANDS SUDO(1m) -1.7.3b2 December 19, 2009 3 +1.7.3b2 June 3, 2010 3 @@ -259,7 +259,7 @@ SUDO(1m) MAINTENANCE COMMANDS SUDO(1m) -1.7.3b2 December 19, 2009 4 +1.7.3b2 June 3, 2010 4 @@ -325,7 +325,7 @@ SUDO(1m) MAINTENANCE COMMANDS SUDO(1m) -1.7.3b2 December 19, 2009 5 +1.7.3b2 June 3, 2010 5 @@ -391,7 +391,7 @@ SSEECCUURRIITTYY NNOOTTEESS -1.7.3b2 December 19, 2009 6 +1.7.3b2 June 3, 2010 6 
@@ -440,6 +440,36 @@ SUDO(1m) MAINTENANCE COMMANDS SUDO(1m) his/her own timestamp with a bogus date on systems that allow users to give away files. + On systems where the boot time is available, ssuuddoo will also not honor + time stamps from before the machine booted. + + Since time stamp files live in the file system, they can outlive a + user's login session. As a result, a user may be able to login, run a + command with ssuuddoo after authenticating, logout, login again, and run + ssuuddoo without authenticating so long as the time stamp file's + modification time is within 5 minutes (or whatever the timeout is set + to in _s_u_d_o_e_r_s). When the _t_t_y___t_i_c_k_e_t_s option is enabled in _s_u_d_o_e_r_s, the + time stamp has per-tty granularity but still may outlive the user's + session. On Linux systems where the devpts filesystem is used, Solaris + systems with the devices filesystem, as well as other systems that + utilize a devfs filesystem that monotonically increase the inode number + of devices as they are created (such as Mac OS X), ssuuddoo is able to + + + +1.7.3b2 June 3, 2010 7 + + + + + +SUDO(1m) MAINTENANCE COMMANDS SUDO(1m) + + + determine when a tty-based time stamp file is stale and will ignore it. + Administrators should not rely on this feature as it is not universally + available. + Please note that ssuuddoo will normally only log the command it explicitly runs. If a user runs a command such as sudo su or sudo sh, subsequent commands run from that shell will _n_o_t be logged, nor will ssuuddoo's access @@ -454,18 +484,6 @@ EENNVVIIRROONNMMEENNTT ssuuddoo utilizes the following environment variables: EDITOR Default editor to use in --ee (sudoedit) mode if neither - - - -1.7.3b2 December 19, 2009 7 - - - - - -SUDO(1m) MAINTENANCE COMMANDS SUDO(1m) - - SUDO_EDITOR nor VISUAL is set HOME In --ss or --HH mode (or if sudo was configured with the 
@@ -502,6 +520,18 @@ SUDO(1m) MAINTENANCE COMMANDS SUDO(1m) VISUAL Default editor to use in --ee (sudoedit) mode if SUDO_EDITOR is not set + + + +1.7.3b2 June 3, 2010 8 + + + + + +SUDO(1m) MAINTENANCE COMMANDS SUDO(1m) + + FFIILLEESS _/_e_t_c_/_s_u_d_o_e_r_s List of who can run what @@ -520,18 +550,6 @@ EEXXAAMMPPLLEESS To list the home directory of user yaz on a machine where the file system holding ~yaz is not exported as root: - - - -1.7.3b2 December 19, 2009 8 - - - - - -SUDO(1m) MAINTENANCE COMMANDS SUDO(1m) - - $ sudo -u yaz ls ~yaz To edit the _i_n_d_e_x_._h_t_m_l file as user www: @@ -569,6 +587,17 @@ AAUUTTHHOORRSS See the HISTORY file in the ssuuddoo distribution or visit http://www.sudo.ws/sudo/history.html for a short history of ssuuddoo. + + +1.7.3b2 June 3, 2010 9 + + + + + +SUDO(1m) MAINTENANCE COMMANDS SUDO(1m) + + CCAAVVEEAATTSS There is no easy way to prevent a user from gaining a root shell if that user is allowed to run arbitrary commands via ssuuddoo. Also, many @@ -586,18 +615,6 @@ CCAAVVEEAATTSS If users have sudo ALL there is nothing to prevent them from creating their own program that gives them a root shell regardless of any '!' - - - -1.7.3b2 December 19, 2009 9 - - - - - -SUDO(1m) MAINTENANCE COMMANDS SUDO(1m) - - elements in the user specification. Running shell scripts via ssuuddoo can expose the same kernel bugs that @@ -638,23 +655,6 @@ DDIISSCCLLAAIIMMEERR - - - - - - - - - - - - - - - - - -1.7.3b2 December 19, 2009 10 +1.7.3b2 June 3, 2010 10 diff --git a/sudo.man.in b/sudo.man.in index f56637c7e..5d4f0d1fa 100644 --- a/sudo.man.in +++ b/sudo.man.in @@ -1,4 +1,4 @@ -.\" Copyright (c) 1994-1996, 1998-2005, 2007-2009 +.\" Copyright (c) 1994-1996, 1998-2005, 2007-2010 .\" Todd C. Miller .\" .\" Permission to use, copy, modify, and distribute this software for any 
@@ -144,7 +144,7 @@ .\" ======================================================================== .\" .IX Title "SUDO @mansectsu@" -.TH SUDO @mansectsu@ "December 19, 2009" "1.7.3b2" "MAINTENANCE COMMANDS" +.TH SUDO @mansectsu@ "June 3, 2010" "1.7.3b2" "MAINTENANCE COMMANDS" .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l @@ -429,7 +429,7 @@ password prompt on systems that support \s-1PAM\s0 unless the .RE @SEMAN@.IP "\-r \fIrole\fR" 12 @SEMAN@.IX Item "-r role" -@SEMAN@The \fB\-r\fR (\fIrole\fR) option causes the new (SELinux) security context to +@SEMAN@The \fB\-r\fR (\fIrole\fR) option causes the new (SELinux) security context to @SEMAN@have the role specified by \fIrole\fR. .IP "\-S" 12 .IX Item "-S" @@ -444,7 +444,7 @@ environment variable if it is set or the shell as specified in for execution. Otherwise, an interactive shell is executed. @SEMAN@.IP "\-t \fItype\fR" 12 @SEMAN@.IX Item "-t type" -@SEMAN@The \fB\-t\fR (\fItype\fR) option causes the new (SELinux) security context to +@SEMAN@The \fB\-t\fR (\fItype\fR) option causes the new (SELinux) security context to @SEMAN@have the type specified by \fItype\fR. If no type is specified, the default @SEMAN@type is derived from the specified role. .IP "\-U \fIuser\fR" 12 
@@ -564,6 +564,24 @@ will be ignored and sudo will log and complain. This is done to keep a user from creating his/her own timestamp with a bogus date on systems that allow users to give away files. .PP +On systems where the boot time is available, \fBsudo\fR will also not +honor time stamps from before the machine booted. +.PP +Since time stamp files live in the file system, they can outlive a +user's login session. As a result, a user may be able to login, +run a command with \fBsudo\fR after authenticating, logout, login +again, and run \fBsudo\fR without authenticating so long as the time +stamp file's modification time is within \f(CW\*(C`@timeout@\*(C'\fR minutes (or +whatever the timeout is set to in \fIsudoers\fR). When the \fItty_tickets\fR +option is enabled in \fIsudoers\fR, the time stamp has per-tty granularity +but still may outlive the user's session. On Linux systems where +the devpts filesystem is used, Solaris systems with the devices +filesystem, as well as other systems that utilize a devfs filesystem +that monotonically increase the inode number of devices as they are +created (such as Mac \s-1OS\s0 X), \fBsudo\fR is able to determine when a +tty-based time stamp file is stale and will ignore it. Administrators +should not rely on this feature as it is not universally available. +.PP Please note that \fBsudo\fR will normally only log the command it explicitly runs. If a user runs a command such as \f(CW\*(C`sudo su\*(C'\fR or \&\f(CW\*(C`sudo sh\*(C'\fR, subsequent commands run from that shell will \fInot\fR be diff --git a/sudo.pod b/sudo.pod index 4eb0613c9..ff23232ed 100644 --- a/sudo.pod +++ b/sudo.pod @@ -1,4 +1,4 @@ -Copyright (c) 1994-1996, 1998-2005, 2007-2009 +Copyright (c) 1994-1996, 1998-2005, 2007-2010 Todd C. Miller Permission to use, copy, modify, and distribute this software for any 
@@ -331,7 +331,7 @@ I flag is disabled in I. =item -r I -The B<-r> (I) option causes the new (SELinux) security context to +The B<-r> (I) option causes the new (SELinux) security context to have the role specified by I. =item -S @@ -349,7 +349,7 @@ for execution. Otherwise, an interactive shell is executed. =item -t I -The B<-t> (I) option causes the new (SELinux) security context to +The B<-t> (I) option causes the new (SELinux) security context to have the type specified by I. If no type is specified, the default type is derived from the specified role. @@ -479,6 +479,24 @@ will be ignored and sudo will log and complain. This is done to keep a user from creating his/her own timestamp with a bogus date on systems that allow users to give away files. +On systems where the boot time is available, B will also not +honor time stamps from before the machine booted. + +Since time stamp files live in the file system, they can outlive a +user's login session. As a result, a user may be able to login, +run a command with B after authenticating, logout, login +again, and run B without authenticating so long as the time +stamp file's modification time is within C<@timeout@> minutes (or +whatever the timeout is set to in I). When the I +option is enabled in I, the time stamp has per-tty granularity +but still may outlive the user's session. On Linux systems where +the devpts filesystem is used, Solaris systems with the devices +filesystem, as well as other systems that utilize a devfs filesystem +that monotonically increase the inode number of devices as they are +created (such as Mac OS X), B is able to determine when a +tty-based time stamp file is stale and will ignore it. Administrators +should not rely on this feature as it is not universally available. + Please note that B will normally only log the command it explicitly runs. If a user runs a command such as C or C, subsequent commands run from that shell will I be
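Review bot: In the sudo.cat SECURITY NOTES hunk (and the identical paragraph added to sudo.man.in and sudo.pod), "other systems that utilize a devfs filesystem that monotonically increase the inode number of devices as they are created" has a number-agreement error; the subject is the filesystem, so it should read "that monotonically increases the inode number". The same paragraph uses "login" and "logout" as verbs ("a user may be able to login, run a command with sudo after authenticating, logout, login again"); the verb forms are "log in" and "log out". Since sudo.man.in keeps the @timeout@ placeholder and sudo.cat has it expanded to "5 minutes", both are evidently generated from sudo.pod, so make the wording fix in sudo.pod and regenerate the other two rather than hand-editing three copies.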
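Review bot: The -r and -t hunks in sudo.man.in (the @@ -429 and @@ -444 regions) and in sudo.pod (the @@ -331 and @@ -349 regions) remove and re-add lines that render identically ("The \fB\-r\fR (\fIrole\fR) option causes the new (SELinux) security context to" and its -t counterpart), so the change is presumably trailing whitespace only. That is unrelated to the stated purpose "Document new tty_ticket behavior"; either drop those hunks from this commit or mention the whitespace cleanup in the commit message, so that anyone reading the history does not go looking for a semantic change in the SELinux role/type option text.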
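Review bot: In the sudo.man.in SECURITY NOTES hunk, the new sentence "On systems where the boot time is available, \fBsudo\fR will also not honor time stamps from before the machine booted." does not say what sudo does when it rejects such a stamp, whereas the unchanged context line just above it says a future-dated time stamp "will be ignored and sudo will log and complain". State explicitly whether a pre-boot stamp is also logged, so an administrator knows there is something to look for, and ideally which platforms "where the boot time is available" covers: the paragraph later names devpts, the Solaris devices filesystem and devfs/Mac OS X for the tty check but gives no equivalent list for the boot-time check, leaving the reader unable to tell whether the protection applies to their system.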
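Review bot: In the sudo.pod SECURITY NOTES hunk, the paragraph ends with "Administrators should not rely on this feature as it is not universally available." but offers no remedy for the exposure it has just described (a time stamp file that outlives the login session and lets a later session run sudo without authenticating). Suggest closing the paragraph with the mitigations an administrator actually has: set the timeout in sudoers (the text already refers to "whatever the timeout is set to in sudoers") to 0 so a password is always required, and/or invalidate the time stamp when the session ends, for example by running sudo -k from the shell's logout script. As written the note is a warning without an action.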