From: Todd C. Miller Date: Thu, 11 Nov 2004 16:30:01 +0000 (+0000) Subject: Update env variable info in SECURITY NOTES X-Git-Tag: SUDO_1_7_0~844 X-Git-Url: https://granicus.if.org/sourcecode?a=commitdiff_plain;h=85d1ca15a7d14285fdcdcebe6b49f8e40ea327d8;p=sudo Update env variable info in SECURITY NOTES --- diff --git a/sudo.cat b/sudo.cat index 548e5a9db..02d9d5b00 100644 --- a/sudo.cat +++ b/sudo.cat @@ -8,7 +8,7 @@ NNAAMMEE sudo, sudoedit - execute a command as another user SSYYNNOOPPSSIISS - ssuuddoo --KK | --LL | --VV | --hh | --kk | --ll [_u_s_e_r_n_a_m_e] | --vv + ssuuddoo --KK | --LL | --VV | --hh | --kk | --ll | --vv ssuuddoo [--HHPPSSbb] [--aa _a_u_t_h___t_y_p_e] [--cc _c_l_a_s_s|_-] [--pp _p_r_o_m_p_t] [--uu _u_s_e_r_n_a_m_e|_#_u_i_d] {--ee file [...] | --ii | --ss | _c_o_m_m_a_n_d} @@ -61,7 +61,7 @@ DDEESSCCRRIIPPTTIIOONN -1.6.9 October 26, 2004 1 +1.6.9 November 11, 2004 1 @@ -127,7 +127,7 @@ OOPPTTIIOONNSS -1.6.9 October 26, 2004 2 +1.6.9 November 11, 2004 2 @@ -193,7 +193,7 @@ SUDO(1m) MAINTENANCE COMMANDS SUDO(1m) -1.6.9 October 26, 2004 3 +1.6.9 November 11, 2004 3 @@ -209,12 +209,11 @@ SUDO(1m) MAINTENANCE COMMANDS SUDO(1m) to allow a user to revoke ssuuddoo permissions from a .logout file. - -l [_u_s_e_r_n_a_m_e] - The --ll (_l_i_s_t) option will list out the allowed (and - forbidden) commands for _u_s_e_r_n_a_m_e on the current host. - If _u_s_e_r_n_a_m_e is ommitted, the information listed will - be for the invoking user. Only the superuser may list - other user's commands. + -l The --ll (_l_i_s_t) option will list out the allowed (and + forbidden) commands for the user on the current host. + If the --uu flag is specified and the invoking user has + ssuuddoo ALL on the current host, the information listed + will be for the user specified by the --uu flag. -p The --pp (_p_r_o_m_p_t) option allows you to override the default password prompt and use a custom one. The 
@@ -259,7 +258,8 @@ SUDO(1m) MAINTENANCE COMMANDS SUDO(1m) -1.6.9 October 26, 2004 4 + +1.6.9 November 11, 2004 4 @@ -293,17 +293,20 @@ SSEECCUURRIITTYY NNOOTTEESS To combat this the LD_*, _RLD_*, SHLIB_PATH (HP-UX only), and LIBPATH (AIX only) environment variables are removed from the environment passed on to all commands executed. - ssuuddoo will also remove the IFS, ENV, BASH_ENV, KRB_CONF, - KRBCONFDIR, KRBTKFILE, KRB5_CONFIG, LOCALDOMAIN, + ssuuddoo will also remove the IFS, CDPATH, ENV, BASH_ENV, + KRB_CONF, KRBCONFDIR, KRBTKFILE, KRB5_CONFIG, LOCALDOMAIN, RES_OPTIONS, HOSTALIASES, NLSPATH, PATH_LOCALE, TERMINFO, TERMINFO_DIRS and TERMPATH variables as they too can pose a threat. If the TERMCAP variable is set and is a path­ name, it too is ignored. Additionally, if the LC_* or LANGUAGE variables contain the / or % characters, they are - ignored. If ssuuddoo has been compiled with SecurID support, - the VAR_ACE, USR_ACE and DLC_ACE variables are cleared as - well. The list of environment variables that ssuuddoo clears - is contained in the output of sudo -V when run as root. + ignored. Environment variables with a value beginning + with () are also removed as they could be interpreted as + bbaasshh functions. If ssuuddoo has been compiled with SecurID + support, the VAR_ACE, USR_ACE and DLC_ACE variables are + cleared as well. The list of environment variables that + ssuuddoo clears is contained in the output of sudo -V when run + as root. To prevent command spoofing, ssuuddoo checks "." and "" (both denoting current directory) last when searching for a com­ @@ -319,13 +322,10 @@ SSEECCUURRIITTYY NNOOTTEESS cally. ssuuddoo will check the ownership of its timestamp directory - (_/_v_a_r_/_r_u_n_/_s_u_d_o by default) and ignore the directory's con­ - tents if it is not owned by root and only writable by - root. On systems that allow non-root users to give away -1.6.9 October 26, 2004 5 +1.6.9 November 11, 2004 5 
@@ -334,6 +334,9 @@ SSEECCUURRIITTYY NNOOTTEESS SUDO(1m) MAINTENANCE COMMANDS SUDO(1m) + (_/_v_a_r_/_r_u_n_/_s_u_d_o by default) and ignore the directory's con­ + tents if it is not owned by root and only writable by + root. On systems that allow non-root users to give away files via _c_h_o_w_n(2), if the timestamp directory is located in a directory writable by anyone (e.g.: _/_t_m_p), it is pos­ sible for a user to create the timestamp directory before @@ -385,13 +388,10 @@ EENNVVIIRROONNMMEENNTT SUDO_PROMPT Used as the default password prompt - SUDO_COMMAND Set to the command run by sudo - SUDO_USER Set to the login of the user who invoked sudo - -1.6.9 October 26, 2004 6 +1.6.9 November 11, 2004 6 @@ -400,6 +400,10 @@ EENNVVIIRROONNMMEENNTT SUDO(1m) MAINTENANCE COMMANDS SUDO(1m) + SUDO_COMMAND Set to the command run by sudo + + SUDO_USER Set to the login of the user who invoked sudo + SUDO_UID Set to the uid of the user who invoked sudo SUDO_GID Set to the gid of the user who invoked sudo @@ -451,13 +455,9 @@ AAUUTTHHOORRSS Many people have worked on ssuuddoo over the years; this ver­ sion consists of code written primarily by: - Todd Miller - Chris Jepeway - - -1.6.9 October 26, 2004 7 +1.6.9 November 11, 2004 7 @@ -466,6 +466,9 @@ AAUUTTHHOORRSS SUDO(1m) MAINTENANCE COMMANDS SUDO(1m) + Todd Miller + Chris Jepeway + See the HISTORY file in the ssuuddoo distribution or visit http://www.sudo.ws/sudo/history.html for a short history of ssuuddoo. 
@@ -516,13 +519,76 @@ DDIISSCCLLAAIIMMEERR ranties, including, but not limited to, the implied war­ ranties of merchantability and fitness for a particular purpose are disclaimed. See the LICENSE file distributed - with ssuuddoo or http://www.sudo.ws/sudo/license.html for com­ - plete details. + with ssuuddoo or http://www.sudo.ws/sudo/license.html for + + + +1.6.9 November 11, 2004 8 + + + + + +SUDO(1m) MAINTENANCE COMMANDS SUDO(1m) + + + complete details. + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + -1.6.9 October 26, 2004 8 +1.6.9 November 11, 2004 9 diff --git a/sudo.man.in b/sudo.man.in index 19c3879ec..a8b0f5a85 100644 --- a/sudo.man.in +++ b/sudo.man.in @@ -149,12 +149,12 @@ .\" ======================================================================== .\" .IX Title "SUDO @mansectsu@" -.TH SUDO @mansectsu@ "October 26, 2004" "1.6.9" "MAINTENANCE COMMANDS" +.TH SUDO @mansectsu@ "November 11, 2004" "1.6.9" "MAINTENANCE COMMANDS" .SH "NAME" sudo, sudoedit \- execute a command as another user .SH "SYNOPSIS" .IX Header "SYNOPSIS" -\&\fBsudo\fR \fB\-K\fR | \fB\-L\fR | \fB\-V\fR | \fB\-h\fR | \fB\-k\fR | \fB\-l\fR [\fIusername\fR] | \fB\-v\fR +\&\fBsudo\fR \fB\-K\fR | \fB\-L\fR | \fB\-V\fR | \fB\-h\fR | \fB\-k\fR | \fB\-l\fR | \fB\-v\fR .PP \&\fBsudo\fR [\fB\-HPSb\fR] [\fB\-a\fR\ \fIauth_type\fR] [\fB\-c\fR\ \fIclass\fR|\fI\-\fR] [\fB\-p\fR\ \fIprompt\fR] [\fB\-u\fR\ \fIusername\fR|\fI#uid\fR] 
@@ -320,12 +320,12 @@ by setting the time on it to the epoch. The next time \fBsudo\fR is run a password will be required. This option does not require a password and was added to allow a user to revoke \fBsudo\fR permissions from a .logout file. -.IP "\-l [\fIusername\fR]" 4 -.IX Item "-l [username]" +.IP "\-l" 4 +.IX Item "-l" The \fB\-l\fR (\fIlist\fR) option will list out the allowed (and forbidden) -commands for \fIusername\fR on the current host. If \fIusername\fR is -ommitted, the information listed will be for the invoking user. -Only the superuser may list other user's commands. +commands for the user on the current host. If the \fB\-u\fR flag is +specified and the invoking user has \fBsudo\fR \f(CW\*(C`ALL\*(C'\fR on the current host, +the information listed will be for the user specified by the \fB\-u\fR flag. .IP "\-p" 4 .IX Item "-p" The \fB\-p\fR (\fIprompt\fR) option allows you to override the default 
@@ -404,13 +404,15 @@ to subvert the program that \fBsudo\fR runs. To combat this the \&\f(CW\*(C`LD_*\*(C'\fR, \f(CW\*(C`_RLD_*\*(C'\fR, \f(CW\*(C`SHLIB_PATH\*(C'\fR (\s-1HP\-UX\s0 only), and \f(CW\*(C`LIBPATH\*(C'\fR (\s-1AIX\s0 only) environment variables are removed from the environment passed on to all commands executed. \fBsudo\fR will also remove the \f(CW\*(C`IFS\*(C'\fR, -\&\f(CW\*(C`ENV\*(C'\fR, \f(CW\*(C`BASH_ENV\*(C'\fR, \f(CW\*(C`KRB_CONF\*(C'\fR, \f(CW\*(C`KRBCONFDIR\*(C'\fR, \f(CW\*(C`KRBTKFILE\*(C'\fR, +\&\f(CW\*(C`CDPATH\*(C'\fR, \f(CW\*(C`ENV\*(C'\fR, \f(CW\*(C`BASH_ENV\*(C'\fR, \f(CW\*(C`KRB_CONF\*(C'\fR, \f(CW\*(C`KRBCONFDIR\*(C'\fR, \f(CW\*(C`KRBTKFILE\*(C'\fR, \&\f(CW\*(C`KRB5_CONFIG\*(C'\fR, \f(CW\*(C`LOCALDOMAIN\*(C'\fR, \f(CW\*(C`RES_OPTIONS\*(C'\fR, \f(CW\*(C`HOSTALIASES\*(C'\fR, \&\f(CW\*(C`NLSPATH\*(C'\fR, \f(CW\*(C`PATH_LOCALE\*(C'\fR, \f(CW\*(C`TERMINFO\*(C'\fR, \f(CW\*(C`TERMINFO_DIRS\*(C'\fR and \&\f(CW\*(C`TERMPATH\*(C'\fR variables as they too can pose a threat. If the \&\f(CW\*(C`TERMCAP\*(C'\fR variable is set and is a pathname, it too is ignored. Additionally, if the \f(CW\*(C`LC_*\*(C'\fR or \f(CW\*(C`LANGUAGE\*(C'\fR variables contain the -\&\f(CW\*(C`/\*(C'\fR or \f(CW\*(C`%\*(C'\fR characters, they are ignored. If \fBsudo\fR has been +\&\f(CW\*(C`/\*(C'\fR or \f(CW\*(C`%\*(C'\fR characters, they are ignored. Environment variables +with a value beginning with \f(CW\*(C`()\*(C'\fR are also removed as they could +be interpreted as \fBbash\fR functions. If \fBsudo\fR has been compiled with SecurID support, the \f(CW\*(C`VAR_ACE\*(C'\fR, \f(CW\*(C`USR_ACE\*(C'\fR and \&\f(CW\*(C`DLC_ACE\*(C'\fR variables are cleared as well. The list of environment variables that \fBsudo\fR clears is contained in the output of diff --git a/sudo.pod b/sudo.pod index 5c5bb0d23..080c2a94c 100644 --- a/sudo.pod +++ b/sudo.pod 
@@ -27,7 +27,7 @@ sudo, sudoedit - execute a command as another user =head1 SYNOPSIS -B B<-K> | B<-L> | B<-V> | B<-h> | B<-k> | B<-l> [I] | B<-v> +B B<-K> | B<-L> | B<-V> | B<-h> | B<-k> | B<-l> | B<-v> B [B<-HPSb>] S<[B<-a> I]> S<[B<-c> I|I<->]> S<[B<-p> I]> S<[B<-u> I|I<#uid>]> @@ -217,12 +217,12 @@ run a password will be required. This option does not require a password and was added to allow a user to revoke B permissions from a .logout file. -=item -l [I] +=item -l The B<-l> (I) option will list out the allowed (and forbidden) -commands for I on the current host. If I is -ommitted, the information listed will be for the invoking user. -Only the superuser may list other user's commands. +commands for the user on the current host. If the B<-u> flag is +specified and the invoking user has B C on the current host, +the information listed will be for the user specified by the B<-u> flag. =item -p @@ -311,13 +311,15 @@ to subvert the program that B runs. To combat this the C, C<_RLD_*>, C (HP-UX only), and C (AIX only) environment variables are removed from the environment passed on to all commands executed. B will also remove the C, -C, C, C, C, C, +C, C, C, C, C, C, C, C, C, C, C, C, C, C and C variables as they too can pose a threat. If the C variable is set and is a pathname, it too is ignored. Additionally, if the C or C variables contain the -C or C<%> characters, they are ignored. If B has been +C or C<%> characters, they are ignored. Environment variables +with a value beginning with C<()> are also removed as they could +be interpreted as B functions. If B has been compiled with SecurID support, the C, C and C variables are cleared as well. The list of environment variables that B clears is contained in the output of
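Review bot: In the SECURITY NOTES hunks (sudo.cat @@ -293,17 +293,20 @@, sudo.man.in @@ -404,13 +404,15 @@, sudo.pod @@ -311,13 +311,15 @@) the new sentence "Environment variables with a value beginning with () are also removed as they could be interpreted as bash functions" is the only value-based rule in a paragraph that is otherwise entirely about variable names, and it does not say that it applies to every variable regardless of name, nor whether the match is on the bare "()" prefix or on the "() " form with a following space. Suggest one clarifying sentence such as "This check is applied to the value of every variable, whatever its name" and stating the exact prefix matched, since this paragraph is what administrators will read when deciding what survives into the command's environment. The CDPATH addition is consistent across all three files; in the sudo.pod hunk as rendered here the contents of most C<...> and B<...> markup have been lost, so that file's list can only be checked against sudo.cat and sudo.man.in, which agree with each other.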
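Review bot: The -l option hunks (sudo.cat @@ -209,12 +209,11 @@, sudo.man.in @@ -320,12 +320,12 @@, sudo.pod @@ -217,12 +217,12 @@, plus the three SYNOPSIS hunks dropping "[username]") replace "Only the superuser may list other user's commands" with a rule conditioned on the invoking user having "sudo ALL on the current host", but the new text is silent on what happens when -u is given by a user who does not have ALL (an error, or a silent fall-back to listing the invoking user's own commands). Suggest adding that sentence, e.g. "Otherwise, sudo -l -u user is an error" or whatever the code does, since the old wording at least implied a refusal. The commit message ("Update env variable info in SECURITY NOTES") does not mention this -l documentation change or the removal of the optional username argument from the SYNOPSIS, which is the larger user-visible change in this patch; it should be listed.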
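Review bot: Most of the sudo.cat hunks are regenerated-output churn rather than content: seven of them only bump the footer date from "October 26, 2004" to "November 11, 2004", and the three added SECURITY NOTES lines shift every later page break, so the DISCLAIMER hunk (@@ -516,13 +519,76 @@) now pushes the single line "complete details." onto a ninth page followed by roughly sixty blank lines. Suggest either regenerating sudo.cat with the same page length as the previous version so the text does not end on a near-empty page, or confirming the trailing page is acceptable, and noting in the commit message that sudo.cat is regenerated from sudo.man.in so reviewers know not to read its hunks as hand edits.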