From: Todd C. Miller Date: Thu, 20 Jun 2019 17:40:47 +0000 (-0600) Subject: Don't describe env_editor as a security hole. X-Git-Url: https://granicus.if.org/sourcecode?a=commitdiff_plain;h=958cf7e37f6b8138a20292d1b537b822cc22ec8e;p=sudo Don't describe env_editor as a security hole. Users that are able to edit sudoers can grant themselves permissions so the fact that visudo runs the editor as root is not a security issue. --- diff --git a/INSTALL b/INSTALL index b8f9be6d5..cf3b45201 100644 --- a/INSTALL +++ b/INSTALL 
@@ -670,18 +670,19 @@ Options that set runtime-changeable default values: --with-editor=PATH Specify the default editor path for use by visudo. This may be a single path name or a colon-separated list of editors. In the latter - case, visudo will choose the editor that matches the user's VISUAL - or EDITOR environment variables or the first editor in the list that - exists. The default is the path to vi on your system. + case, visudo will choose the editor that matches the user's SUDO_EDITOR, + VISUAL or EDITOR environment variable, or the first editor in the list + that exists. The default is the path to vi on your system. Sudoers option: editor --with-env-editor - Makes visudo consult the VISUAL and EDITOR environment variables before - falling back on the default editor list (as specified by --with-editor). - Note that this may create a security hole as it allows the user to - run any arbitrary command as root without logging. A safer alternative - is to use a colon-separated list of editors with the --with-editor - option. visudo will then only use the VISUAL or EDITOR variables + Makes visudo consult the SUDO_EDITOR, VISUAL and EDITOR environment + variables before falling back on the default editor list (as specified + by --with-editor). Note that visudo is typically run as root so this + option may allow a user with visudo privileges to run arbitrary + commands as root without logging. An alternative is to use a + colon-separated list of "safe" editors with the --with-editor option. + visudo will then only use the SUDO_EDITOR, VISUAL or EDITOR variables if they match a value specified via --with-editor. Sudoers option: env_editor diff --git a/doc/sudoers.cat b/doc/sudoers.cat index 751ec09e4..77c69dbfe 100644 --- a/doc/sudoers.cat +++ b/doc/sudoers.cat 
@@ -1040,17 +1040,18 @@ SSUUDDOOEERRSS OOPPTTIIOONNSS env_editor If set, vviissuuddoo will use the value of the SUDO_EDITOR, VISUAL or EDITOR environment variables before falling - back on the default editor list. Note that this may - create a security hole as it allows the user to run any - arbitrary command as root without logging. A safer - alternative is to place a colon-separated list of - editors in the _e_d_i_t_o_r variable. vviissuuddoo will then only - use SUDO_EDITOR, VISUAL or EDITOR if they match a value - specified in _e_d_i_t_o_r. If the _e_n_v___r_e_s_e_t flag is enabled, - the SUDO_EDITOR, VISUAL and/or EDITOR environment - variables must be present in the _e_n_v___k_e_e_p list for the - _e_n_v___e_d_i_t_o_r flag to function when vviissuuddoo is invoked via - ssuuddoo. This flag is _o_f_f by default. + back on the default editor list. Note that vviissuuddoo is + typically run as root so this option may allow a user + with vviissuuddoo privileges to run arbitrary commands as + root without logging. An alternative is to place a + colon-separated list of "safe" editors int the _e_d_i_t_o_r + variable. vviissuuddoo will then only use SUDO_EDITOR, + VISUAL or EDITOR if they match a value specified in + _e_d_i_t_o_r. If the _e_n_v___r_e_s_e_t flag is enabled, the + SUDO_EDITOR, VISUAL and/or EDITOR environment variables + must be present in the _e_n_v___k_e_e_p list for the _e_n_v___e_d_i_t_o_r + flag to function when vviissuuddoo is invoked via ssuuddoo. This + flag is _o_f_f by default. env_reset If set, ssuuddoo will run the command in a minimal environment containing the TERM, PATH, HOME, MAIL, diff --git a/doc/sudoers.man.in b/doc/sudoers.man.in index fcc7ddb54..af400a237 100644 --- a/doc/sudoers.man.in +++ b/doc/sudoers.man.in 
@@ -2236,10 +2236,14 @@ will use the value of the or \fREDITOR\fR environment variables before falling back on the default editor list. -Note that this may create a security hole as it allows the user to -run any arbitrary command as root without logging. -A safer alternative is to place a colon-separated list of editors -in the +Note that +\fBvisudo\fR +is typically run as root so this option may allow a user with +\fBvisudo\fR +privileges to run arbitrary commands as root without logging. +An alternative is to place a colon-separated list of +\(lqsafe\(rq +editors int the \fIeditor\fR variable. \fBvisudo\fR diff --git a/doc/sudoers.mdoc.in b/doc/sudoers.mdoc.in index 8c4e23c08..114399d6f 100644 --- a/doc/sudoers.mdoc.in +++ b/doc/sudoers.mdoc.in @@ -2101,10 +2101,14 @@ will use the value of the or .Ev EDITOR environment variables before falling back on the default editor list. -Note that this may create a security hole as it allows the user to -run any arbitrary command as root without logging. -A safer alternative is to place a colon-separated list of editors -in the +Note that +.Nm visudo +is typically run as root so this option may allow a user with +.Nm visudo +privileges to run arbitrary commands as root without logging. +An alternative is to place a colon-separated list of +.Dq safe +editors int the .Em editor variable. .Nm visudo diff --git a/doc/visudo.cat b/doc/visudo.cat index cd587c400..8fe044496 100644 --- a/doc/visudo.cat +++ b/doc/visudo.cat 
@@ -41,17 +41,17 @@ DDEESSCCRRIIPPTTIIOONN env_editor If set, vviissuuddoo will use the value of the SUDO_EDITOR, VISUAL or EDITOR environment variables before falling back on the default - editor list. Note that this may create a security hole as it - allows the user to run any arbitrary command as root without - logging. A safer alternative is to place a colon-separated - list of editors in the _e_d_i_t_o_r variable. vviissuuddoo will then only - use SUDO_EDITOR, VISUAL or EDITOR if they match a value - specified in _e_d_i_t_o_r. If the _e_n_v___r_e_s_e_t flag is enabled, the - SUDO_EDITOR, VISUAL and/or EDITOR environment variables must be - present in the _e_n_v___k_e_e_p list for the _e_n_v___e_d_i_t_o_r flag to - function when vviissuuddoo is invoked via ssuuddoo. The default value is - _o_f_f, which can be set at compile time via the --with-env-editor - configure option. + editor list. Note that vviissuuddoo is typically run as root so this + option may allow a user with vviissuuddoo privileges to run arbitrary + commands as root without logging. An alternative is to place a + colon-separated list of "safe" editors int the _e_d_i_t_o_r variable. + vviissuuddoo will then only use SUDO_EDITOR, VISUAL or EDITOR if they + match a value specified in _e_d_i_t_o_r. If the _e_n_v___r_e_s_e_t flag is + enabled, the SUDO_EDITOR, VISUAL and/or EDITOR environment + variables must be present in the _e_n_v___k_e_e_p list for the + _e_n_v___e_d_i_t_o_r flag to function when vviissuuddoo is invoked via ssuuddoo. + The default value is _o_f_f, which can be set at compile time via + the --with-env-editor configure option. The options are as follows: diff --git a/doc/visudo.man.in b/doc/visudo.man.in index 9bdc21979..f04ff36a4 100644 --- a/doc/visudo.man.in +++ b/doc/visudo.man.in 
@@ -130,10 +130,14 @@ will use the value of the or \fREDITOR\fR environment variables before falling back on the default editor list. -Note that this may create a security hole as it allows the user to -run any arbitrary command as root without logging. -A safer alternative is to place a colon-separated list of editors -in the +Note that +\fBvisudo\fR +is typically run as root so this option may allow a user with +\fBvisudo\fR +privileges to run arbitrary commands as root without logging. +An alternative is to place a colon-separated list of +\(lqsafe\(rq +editors int the \fIeditor\fR variable. \fBvisudo\fR diff --git a/doc/visudo.mdoc.in b/doc/visudo.mdoc.in index 20e5d6326..059dc7b37 100644 --- a/doc/visudo.mdoc.in +++ b/doc/visudo.mdoc.in @@ -127,10 +127,14 @@ will use the value of the or .Ev EDITOR environment variables before falling back on the default editor list. -Note that this may create a security hole as it allows the user to -run any arbitrary command as root without logging. -A safer alternative is to place a colon-separated list of editors -in the +Note that +.Nm visudo +is typically run as root so this option may allow a user with +.Nm visudo +privileges to run arbitrary commands as root without logging. +An alternative is to place a colon-separated list of +.Dq safe +editors int the .Em editor variable. .Nm
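Review bot: the sudoers.mdoc.in hunk introduces a typo on the added line `+editors int the` (should be `editors in the`), and the same typo is carried into the sudoers.man.in hunk (`+editors int the`) and the sudoers.cat hunk (`+ colon-separated list of "safe" editors int the _e_d_i_t_o_r`). Since the man.in and cat files are derived from the mdoc source, fix it once in sudoers.mdoc.in and regenerate the other two so the three stay in sync.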
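Review bot: the visudo.mdoc.in hunk has the same typo as its sudoers counterpart, `+editors int the` where `in the` is meant, and it also appears in the visudo.man.in hunk (`+editors int the`) and the visudo.cat hunk (`+ colon-separated list of "safe" editors int the _e_d_i_t_o_r variable.`). Correct the mdoc source and regenerate visudo.man.in and visudo.cat rather than editing the generated files by hand; the INSTALL hunk does not have this problem.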