From: Todd C. Miller Date: Sat, 31 Aug 2013 12:11:25 +0000 (-0600) Subject: Try to improve the PAGERS noexec example a bit. X-Git-Tag: SUDO_1_8_8^2~19 X-Git-Url: https://granicus.if.org/sourcecode?a=commitdiff_plain;h=92a3e13e6c07e18bd5a39a966d3c818c78db9ac5;p=sudo Try to improve the PAGERS noexec example a bit. --- diff --git a/doc/sudoers.cat b/doc/sudoers.cat index 661be6288..cd213e84b 100644 --- a/doc/sudoers.cat +++ b/doc/sudoers.cat @@ -1920,7 +1920,8 @@ EEXXAAMMPPLLEESS file and make sure we log the year in each log line since the log entries will be kept around for several years. Lastly, we disable shell escapes for the commands in the PAGERS Cmnd_Alias (_/_u_s_r_/_b_i_n_/_m_o_r_e, _/_u_s_r_/_b_i_n_/_p_g and - _/_u_s_r_/_b_i_n_/_l_e_s_s). + _/_u_s_r_/_b_i_n_/_l_e_s_s). Note that this will not effectively constrain users with + ssuuddoo AALLLL privileges. # Override built-in defaults Defaults syslog=auth @@ -2025,7 +2026,9 @@ EEXXAAMMPPLLEESS For any machine in the _S_E_R_V_E_R_S Host_Alias, jjiillll may run any commands in the directory _/_u_s_r_/_b_i_n_/ except for those commands belonging to the _S_U and - _S_H_E_L_L_S Cmnd_Aliases. + _S_H_E_L_L_S Cmnd_Aliases. While not specifically mentioned in the rule, the + commands in the _P_A_G_E_R_S Cmnd_Alias all reside in _/_u_s_r_/_b_i_n and have the + _n_o_e_x_e_c option set. steve CSNETS = (operator) /usr/local/op_commands/ @@ -2269,4 +2272,4 @@ DDIISSCCLLAAIIMMEERR file distributed with ssuuddoo or http://www.sudo.ws/sudo/license.html for complete details. -Sudo 1.8.8 August 6, 2013 Sudo 1.8.8 +Sudo 1.8.8 August 31, 2013 Sudo 1.8.8 diff --git a/doc/sudoers.man.in b/doc/sudoers.man.in index 28581db28..ddbb8dab8 100644 --- a/doc/sudoers.man.in +++ b/doc/sudoers.man.in 
@@ -21,7 +21,7 @@ .\" Agency (DARPA) and Air Force Research Laboratory, Air Force .\" Materiel Command, USAF, under agreement number F39502-99-1-0512. .\" -.TH "SUDOERS" "@mansectsu@" "August 6, 2013" "Sudo @PACKAGE_VERSION@" "Programmer's Manual" +.TH "SUDOERS" "@mansectsu@" "August 31, 2013" "Sudo @PACKAGE_VERSION@" "Programmer's Manual" .nh .if n .ad l .SH "NAME" @@ -3884,6 +3884,10 @@ Lastly, we disable shell escapes for the commands in the PAGERS and \fI/usr/bin/less\fR) \&. +Note that this will not effectively constrain users with +\fBsudo\fR +\fBALL\fR +privileges. .nf .sp .RS 0n @@ -4157,6 +4161,14 @@ belonging to the and \fISHELLS\fR \fRCmnd_Aliases\fR. +While not specifically mentioned in the rule, the commands in the +\fIPAGERS\fR +\fRCmnd_Alias\fR +all reside in +\fI/usr/bin\fR +and have the +\fInoexec\fR +option set. .nf .sp .RS 0n diff --git a/doc/sudoers.mdoc.in b/doc/sudoers.mdoc.in index b23f32b97..672132927 100644 --- a/doc/sudoers.mdoc.in +++ b/doc/sudoers.mdoc.in @@ -19,7 +19,7 @@ .\" Agency (DARPA) and Air Force Research Laboratory, Air Force .\" Materiel Command, USAF, under agreement number F39502-99-1-0512. .\" -.Dd August 6, 2013 +.Dd August 31, 2013 .Dt SUDOERS @mansectform@ .Os Sudo @PACKAGE_VERSION@ .Sh NAME @@ -3596,6 +3596,10 @@ Lastly, we disable shell escapes for the commands in the PAGERS and .Pa /usr/bin/less .Pc . +Note that this will not effectively constrain users with +.Nm sudo +.Sy ALL +privileges. .Bd -literal # Override built-in defaults Defaults syslog=auth @@ -3827,6 +3831,14 @@ belonging to the and .Em SHELLS .Li Cmnd_Aliases . +While not specifically mentioned in the rule, the commands in the +.Em PAGERS +.Li Cmnd_Alias +all reside in +.Pa /usr/bin +and have the +.Em noexec +option set. .Bd -literal steve CSNETS = (operator) /usr/local/op_commands/ .Ed
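Review bot: The sentence added after the PAGERS paragraph (doc/sudoers.cat @@ -1920, doc/sudoers.man.in @@ -3884, doc/sudoers.mdoc.in @@ -3596) states the limitation without giving the reason, so a reader cannot tell what to change. The surrounding text ties the shell-escape restriction to the three listed paths (/usr/bin/more, /usr/bin/pg and /usr/bin/less). Consider adding a clause explaining that a user who may run ALL commands is not limited to those paths. Also, "users with sudo ALL privileges" marks up sudo as the program name (".Nm sudo" followed by ".Sy ALL"), although the sentence is about a sudoers entry. Wording such as "users who are allowed to run ALL commands" would read more clearly in all three formats.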
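Review bot: In the SERVERS example (doc/sudoers.cat @@ -2025, doc/sudoers.man.in @@ -4157, doc/sudoers.mdoc.in @@ -3827) the new sentence says the PAGERS commands "have the noexec option set", but it does not say where that is set or what it means for this user. The rule being described does not mention PAGERS, as the sentence itself notes. Consider pointing back to the place in the example file where noexec is applied to PAGERS. Consider also stating the consequence directly, that shell escapes from those pagers are disabled for this user, which is how the earlier PAGERS paragraph describes it. Otherwise the reader has to connect two paragraphs that are more than a hundred lines apart in the rendered manual.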