From: Todd C. Miller Date: Fri, 12 Nov 2004 16:19:19 +0000 (+0000) Subject: Bring back the "secure_path" Defaults option now that Defaults take X-Git-Tag: SUDO_1_7_0~841 X-Git-Url: https://granicus.if.org/sourcecode?a=commitdiff_plain;h=a768dbc34f232433480ebf5d117bf93ab973adf2;p=sudo Bring back the "secure_path" Defaults option now that Defaults take effect before the path is searched. --- diff --git a/CHANGES b/CHANGES index b8100fa06..6e60923d9 100644 --- a/CHANGES +++ b/CHANGES 
@@ -1734,29 +1734,36 @@ Sudo 1.6.8 released. Sudo 1.6.8p1 released. -549) New monitor functionality for systems with systrace(4). When tracing +549) Bash exported functions and the CDPATH variable are now stripped from + the environment passed to the program to be executed. + +Sudo 1.6.8p2 released. + +550) New monitor functionality for systems with systrace(4). When tracing is enabled sudo will fork a daemon that traces the command and intercepts and execve() calls and allows/denies the call based on a sudoers lookup. Also updates the command's environment with the SUDO_* variables if supported by the version of systrace(4). -550) Added support for multiple sudoers file via #include. +551) Added support for multiple sudoers file via #include. -551) An empty sudoers file is no longer a parse error. +552) An empty sudoers file is no longer a parse error. -552) Fixed error handling if the lexer runs out of memory. +553) Fixed error handling if the lexer runs out of memory. -553) Optimized lexer slightly by removing use of unput() and removing +554) Optimized lexer slightly by removing use of unput() and removing some ambiguity with the Default keyword. -554) Wildcard matches on commands now use glob() and stat() so +555) Wildcard matches on commands now use glob() and stat() so that relative paths work correctly in conjunction with wildcards. -555) Rewritten parser that converts sudoers into a set of data structures. +556) Rewritten parser that converts sudoers into a set of data structures. This eliminates ordering issues and makes it possible to apply sudoers Defaults entries before searching for the command. -556) Visudo will now warn about aliases that are defined but not used. +557) Visudo will now warn about aliases that are defined but not used. -557) "sudo -l" now takes an optional username which lets root see other +558) "sudo -l" now takes an optional username which lets root see other users' privs. 
+ +559) The "secure_path" run-time Defaults option has been restored. diff --git a/def_data.c b/def_data.c index 6cfa9dbce..7b1200519 100644 --- a/def_data.c +++ b/def_data.c @@ -219,6 +219,10 @@ struct sudo_defs_types sudo_defs_table[] = { "Default user to run commands as: %s", NULL, set_runaspw, + }, { + "secure_path", T_STR|T_BOOL, + "Value to override user's $PATH with: %s", + NULL, }, { "editor", T_STR|T_PATH, "Path to the editor for use by visudo: %s", diff --git a/def_data.h b/def_data.h index fde88336f..359716bba 100644 --- a/def_data.h +++ b/def_data.h 
@@ -96,26 +96,28 @@ #define I_PASSPROMPT 47 #define def_runas_default (sudo_defs_table[48].sd_un.str) #define I_RUNAS_DEFAULT 48 -#define def_editor (sudo_defs_table[49].sd_un.str) -#define I_EDITOR 49 -#define def_listpw (sudo_defs_table[50].sd_un.tuple) -#define I_LISTPW 50 -#define def_verifypw (sudo_defs_table[51].sd_un.tuple) -#define I_VERIFYPW 51 -#define def_noexec (sudo_defs_table[52].sd_un.flag) -#define I_NOEXEC 52 -#define def_noexec_file (sudo_defs_table[53].sd_un.str) -#define I_NOEXEC_FILE 53 -#define def_env_check (sudo_defs_table[54].sd_un.list) -#define I_ENV_CHECK 54 -#define def_env_delete (sudo_defs_table[55].sd_un.list) -#define I_ENV_DELETE 55 -#define def_env_keep (sudo_defs_table[56].sd_un.list) -#define I_ENV_KEEP 56 -#define def_ignore_local_sudoers (sudo_defs_table[57].sd_un.flag) -#define I_IGNORE_LOCAL_SUDOERS 57 -#define def_monitor (sudo_defs_table[58].sd_un.flag) -#define I_MONITOR 58 +#define def_secure_path (sudo_defs_table[49].sd_un.str) +#define I_SECURE_PATH 49 +#define def_editor (sudo_defs_table[50].sd_un.str) +#define I_EDITOR 50 +#define def_listpw (sudo_defs_table[51].sd_un.tuple) +#define I_LISTPW 51 +#define def_verifypw (sudo_defs_table[52].sd_un.tuple) +#define I_VERIFYPW 52 +#define def_noexec (sudo_defs_table[53].sd_un.flag) +#define I_NOEXEC 53 +#define def_noexec_file (sudo_defs_table[54].sd_un.str) +#define I_NOEXEC_FILE 54 +#define def_env_check (sudo_defs_table[55].sd_un.list) +#define I_ENV_CHECK 55 +#define def_env_delete (sudo_defs_table[56].sd_un.list) +#define I_ENV_DELETE 56 +#define def_env_keep (sudo_defs_table[57].sd_un.list) +#define I_ENV_KEEP 57 +#define def_ignore_local_sudoers (sudo_defs_table[58].sd_un.flag) +#define I_IGNORE_LOCAL_SUDOERS 58 +#define def_monitor (sudo_defs_table[59].sd_un.flag) +#define I_MONITOR 59 enum def_tupple { never, diff --git a/def_data.in b/def_data.in index a5bb36d56..9a0d53f16 100644 --- a/def_data.in +++ b/def_data.in 
@@ -156,6 +156,9 @@ runas_default T_STR "Default user to run commands as: %s" *set_runaspw +secure_path + T_STR|T_BOOL + "Value to override user's $PATH with: %s" editor T_STR|T_PATH "Path to the editor for use by visudo: %s" diff --git a/defaults.c b/defaults.c index 64e648df9..68101e108 100644 --- a/defaults.c +++ b/defaults.c @@ -475,6 +475,9 @@ init_defaults() #endif #ifdef EXEMPTGROUP def_exempt_group = estrdup(EXEMPTGROUP); +#endif +#ifdef SECURE_PATH + def_secure_path = estrdup(SECURE_PATH); #endif def_editor = estrdup(EDITOR); #ifdef _PATH_SUDO_NOEXEC diff --git a/env.c b/env.c index ef04f30be..2b58707e3 100644 --- a/env.c +++ b/env.c @@ -467,10 +467,9 @@ rebuild_env(envp, sudo_mode, noexec) if (!ISSET(didvar, DID_PATH)) insert_env(format_env("PATH", _PATH_DEFPATH, VNULL), 0); -#ifdef SECURE_PATH /* Replace the PATH envariable with a secure one. */ - insert_env(format_env("PATH", SECURE_PATH, VNULL), 1); -#endif + if (def_secure_path && !user_is_exempt()) + insert_env(format_env("PATH", def_secure_path, VNULL), 1); /* Set $USER and $LOGNAME to target if "set_logname" is true. */ if (def_set_logname && runas_pw->pw_name) { diff --git a/find_path.c b/find_path.c index c141e4ef5..38916c169 100644 --- a/find_path.c +++ b/find_path.c @@ -92,11 +92,9 @@ find_path(infile, outfile, sbp, path) } /* Use PATH passed in unless SECURE_PATH is in effect. */ -#ifdef SECURE_PATH - if (!user_is_exempt()) - path = SECURE_PATH; -#endif /* SECURE_PATH */ - if (path == NULL) + if (def_secure_path && !user_is_exempt()) + path = def_secure_path; + else if (path == NULL) return(NOT_FOUND); path = estrdup(path); origpath = path; diff --git a/sudoers.cat b/sudoers.cat index dcef4048f..a5b2e8dc4 100644 --- a/sudoers.cat +++ b/sudoers.cat @@ -61,7 +61,7 @@ DDEESSCCRRIIPPTTIIOONN -1.6.9 October 26, 2004 1 +1.6.9 November 12, 2004 1 @@ -127,7 +127,7 @@ SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4) -1.6.9 October 26, 2004 2 +1.6.9 November 12, 2004 2 
@@ -193,7 +193,7 @@ SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4) -1.6.9 October 26, 2004 3 +1.6.9 November 12, 2004 3 @@ -259,7 +259,7 @@ SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4) -1.6.9 October 26, 2004 4 +1.6.9 November 12, 2004 4 @@ -276,7 +276,7 @@ SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4) ignore_dot If set, ssuuddoo will ignore '.' or '' (current dir) in the PATH environment variable; the - PATH itself is not modified. This flag is _o_f_f + PATH itself is not modified. This flag is _o_n by default. mail_always Send mail to the _m_a_i_l_t_o user every time a @@ -325,7 +325,7 @@ SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4) -1.6.9 October 26, 2004 5 +1.6.9 November 12, 2004 5 @@ -391,7 +391,7 @@ SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4) -1.6.9 October 26, 2004 6 +1.6.9 November 12, 2004 6 @@ -426,7 +426,7 @@ SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4) set _f_q_d_n. This flag is _o_f_f by default. insults If set, ssuuddoo will insult users when they enter - an incorrect password. This flag is _o_f_f by + an incorrect password. This flag is _o_n by default. requiretty If set, ssuuddoo will only run when the user is @@ -447,7 +447,7 @@ SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4) is to place a colon-separated list of editors in the editor variable. vviissuuddoo will then only use the EDITOR or VISUAL if they match a value - specified in editor. This flag is off by + specified in editor. This flag is on by default. rootpw If set, ssuuddoo will prompt for the root password @@ -457,7 +457,7 @@ SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4) -1.6.9 October 26, 2004 7 +1.6.9 November 12, 2004 7 
@@ -509,21 +509,21 @@ SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4) TERM is copied unaltered from the old environ­ ment. The other variables are set to default values (possibly modified by the value of the - _s_e_t___l_o_g_n_a_m_e option). If ssuuddoo was compiled - with the SECURE_PATH option, its value will be - used for the PATH environment variable. Other - variables may be preserved with the _e_n_v___k_e_e_p - option. + _s_e_t___l_o_g_n_a_m_e option). If the _s_e_c_u_r_e___p_a_t_h + option is set, its value will be used for the + PATH environment variable. Other variables + may be preserved with the _e_n_v___k_e_e_p option. use_loginclass If set, ssuuddoo will apply the defaults specified for the target user's login class if one exists. Only available if ssuuddoo is configured with the --with-logincap option. This flag is + _o_f_f by default. -1.6.9 October 26, 2004 8 +1.6.9 November 12, 2004 8 @@ -532,8 +532,6 @@ SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4) SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4) - _o_f_f by default. - noexec If set, all commands run via ssuuddoo will behave as if the NOEXEC tag has been set, unless overridden by a EXEC tag. See the description @@ -586,10 +584,12 @@ SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4) timestamp_timeout Number of minutes that can elapse before ssuuddoo will ask for a passwd again. The default is + 5. Set this to 0 to always prompt for a pass­ + word. If set to a value less than 0 the -1.6.9 October 26, 2004 9 +1.6.9 November 12, 2004 9 @@ -598,8 +598,6 @@ SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4) SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4) - 5. Set this to 0 to always prompt for a pass­ - word. If set to a value less than 0 the user's timestamp will never expire. This can be used to allow users to create or delete their own timestamps via sudo -v and sudo -k 
@@ -652,10 +650,12 @@ SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4) %H expanded to the local hostname includ­ ing the domain name (on if the + machine's hostname is fully qualified + or the _f_q_d_n option is set) -1.6.9 October 26, 2004 10 +1.6.9 November 12, 2004 10 @@ -664,9 +664,6 @@ SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4) SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4) - machine's hostname is fully qualified - or the _f_q_d_n option is set) - %% two consecutive % characters are col­ laped into a single % character @@ -718,10 +715,13 @@ SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4) The default value is _o_n_c_e. + lecture_file + Path to a file containing an alternate ssuuddoo + lecture that will be used in place of the -1.6.9 October 26, 2004 11 +1.6.9 November 12, 2004 11 @@ -730,9 +730,6 @@ SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4) SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4) - lecture_file - Path to a file containing an alternate ssuuddoo - lecture that will be used in place of the standard lecture if the named file exists. logfile Path to the ssuuddoo log file (not the syslog log @@ -741,7 +738,7 @@ SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4) syslog Syslog facility if syslog is being used for logging (negate to disable syslog logging). - Defaults to local2. + Defaults to authpriv. mailerpath Path to mail program used to send warning mail. Defaults to the path to sendmail found 
@@ -760,6 +757,15 @@ SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4) and PATH requirements. This is not set by default. + secure_path Path used for every command run from ssuuddoo. If + you don't trust the people running ssuuddoo to + have a sane PATH environment variable you may + want to use this. Another use is if you want + to have the "root path" be separate from the + "user path." Users in the group specified by + the _e_x_e_m_p_t___g_r_o_u_p option are not affected by + _s_e_c_u_r_e___p_a_t_h. This is not set by default. + verifypw This option controls when a password will be required when a user runs ssuuddoo with the --vv flag. It has the following possible values: @@ -779,22 +785,22 @@ SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4) always The user must always enter a password to use the --vv flag. - The default value is `all'. - listpw This option controls when a password will be - required when a user runs ssuuddoo with the --ll - flag. It has the following possible values: +1.6.9 November 12, 2004 12 -1.6.9 October 26, 2004 12 +SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4) -SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4) + The default value is `all'. + listpw This option controls when a password will be + required when a user runs ssuuddoo with the --ll + flag. It has the following possible values: all All the user's _s_u_d_o_e_r_s entries for the current host must have the NOPASSWD @@ -844,16 +850,10 @@ SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4) env_keep Environment variables to be preserved in the user's environment when the _e_n_v___r_e_s_e_t option - is in effect. This allows fine-grained con­ - trol over the environment ssuuddoo-spawned pro­ - cesses will receive. The argument may be a - double-quoted, space-separated list or a sin­ - gle value without double-quotes. The list can - be replaced, added to, deleted from, or -1.6.9 October 26, 2004 13 +1.6.9 November 12, 2004 13 
@@ -862,9 +862,15 @@ SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4) SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4) - disabled by using the =, +=, -=, and ! opera­ - tors respectively. This list has no default - members. + is in effect. This allows fine-grained con­ + trol over the environment ssuuddoo-spawned pro­ + cesses will receive. The argument may be a + double-quoted, space-separated list or a sin­ + gle value without double-quotes. The list can + be replaced, added to, deleted from, or dis­ + abled by using the =, +=, -=, and ! operators + respectively. This list has no default mem­ + bers. When logging via _s_y_s_l_o_g(3), ssuuddoo accepts the following values for the syslog facility (the value of the ssyysslloogg @@ -910,23 +916,24 @@ SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4) The user ddggbb may run _/_b_i_n_/_l_s, _/_b_i_n_/_k_i_l_l, and _/_u_s_r_/_b_i_n_/_l_p_r_m -- but only as ooppeerraattoorr. E.g., - $ sudo -u operator /bin/ls. - It is also possible to override a Runas_Spec later on in - an entry. If we modify the entry like so: - dgb boulder = (operator) /bin/ls, (root) /bin/kill, /usr/bin/lprm +1.6.9 November 12, 2004 14 -1.6.9 October 26, 2004 14 +SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4) -SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4) + $ sudo -u operator /bin/ls. + + It is also possible to override a Runas_Spec later on in + an entry. If we modify the entry like so: + dgb boulder = (operator) /bin/ls, (root) /bin/kill, /usr/bin/lprm Then user ddggbb is now allowed to run _/_b_i_n_/_l_s as ooppeerraattoorr, but _/_b_i_n_/_k_i_l_l and _/_u_s_r_/_b_i_n_/_l_p_r_m as rroooott. 
@@ -961,7 +968,7 @@ SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4) ray rushmore = NOPASSWD: /bin/kill, PASSWD: /bin/ls, /usr/bin/lprm Note, however, that the PASSWD tag has no effect on users - who are in the group specified by the exempt_group option. + who are in the group specified by the _e_x_e_m_p_t___g_r_o_u_p option. By default, if the NOPASSWD tag is applied to any of the entries for a user on the current host, he or she will be @@ -975,24 +982,25 @@ SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4) If ssuuddoo has been compiled with _n_o_e_x_e_c support and the underlying operating system supports it, the NOEXEC tag - can be used to prevent a dynamically-linked executable - from running further commands itself. - In the following example, user aaaarroonn may run _/_u_s_r_/_b_i_n_/_m_o_r_e - and _/_u_s_r_/_b_i_n_/_v_i but shell escapes will be disabled. - aaron shanty = NOEXEC: /usr/bin/more, /usr/bin/vi +1.6.9 November 12, 2004 15 -1.6.9 October 26, 2004 15 +SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4) -SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4) + can be used to prevent a dynamically-linked executable + from running further commands itself. + + In the following example, user aaaarroonn may run _/_u_s_r_/_b_i_n_/_m_o_r_e + and _/_u_s_r_/_b_i_n_/_v_i but shell escapes will be disabled. + aaron shanty = NOEXEC: /usr/bin/more, /usr/bin/vi See the "PREVENTING SHELL ESCAPES" section below for more details on how NOEXEC works and whether or not it will 
@@ -1039,26 +1047,24 @@ SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4) Note that a forward slash ('/') will nnoott be matched by wildcards used in the pathname. When matching the command - line arguments, however, a slash ddooeess get matched by wild­ - cards. This is to make a path like: - - /usr/bin/* + line arguments, however, a slash ddooeess get matched by - match _/_u_s_r_/_b_i_n_/_w_h_o but not _/_u_s_r_/_b_i_n_/_X_1_1_/_x_t_e_r_m. +1.6.9 November 12, 2004 16 -1.6.9 October 26, 2004 16 - +SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4) + wildcards. This is to make a path like: -SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4) + /usr/bin/* + match _/_u_s_r_/_b_i_n_/_w_h_o but not _/_u_s_r_/_b_i_n_/_X_1_1_/_x_t_e_r_m. EExxcceeppttiioonnss ttoo wwiillddccaarrdd rruulleess @@ -1108,16 +1114,10 @@ SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4) dangerous since in a command context, it allows the user to run aannyy command on the system. - An exclamation point ('!') can be used as a logical _n_o_t - operator both in an _a_l_i_a_s and in front of a Cmnd. This - allows one to exclude certain values. Note, however, that - using a ! in conjunction with the built-in ALL alias to - allow a user to run "all but a few" commands rarely works - as intended (see SECURITY NOTES below). -1.6.9 October 26, 2004 17 +1.6.9 November 12, 2004 17 @@ -1126,6 +1126,13 @@ SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4) SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4) + An exclamation point ('!') can be used as a logical _n_o_t + operator both in an _a_l_i_a_s and in front of a Cmnd. This + allows one to exclude certain values. Note, however, that + using a ! in conjunction with the built-in ALL alias to + allow a user to run "all but a few" commands rarely works + as intended (see SECURITY NOTES below). + Long lines can be continued with a backslash ('\') as the last character on the line. 
@@ -1165,6 +1172,26 @@ EEXXAAMMPPLLEESS Host_Alias SERVERS = master, mail, www, ns Host_Alias CDROM = orion, perseus, hercules + + + + + + + + + + + +1.6.9 November 12, 2004 18 + + + + + +SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4) + + # Cmnd alias specification Cmnd_Alias DUMPS = /usr/bin/mt, /usr/sbin/dump, /usr/sbin/rdump,\ /usr/sbin/restore, /usr/sbin/rrestore @@ -1180,18 +1207,6 @@ EEXXAAMMPPLLEESS Here we override some of the compiled in default values. We want ssuuddoo to log via _s_y_s_l_o_g(3) using the _a_u_t_h facility - - - -1.6.9 October 26, 2004 18 - - - - - -SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4) - - in all cases. We don't want to subject the full time staff to the ssuuddoo lecture, user mmiilllleerrtt need not give a password, and we don't want to reset the LOGNAME or USER 
@@ -1231,34 +1246,34 @@ SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4) jack CSNETS = ALL The user jjaacckk may run any command on the machines in the - _C_S_N_E_T_S alias (the networks 128.138.243.0, 128.138.204.0, - and 128.138.242.0). Of those networks, only 128.138.204.0 - has an explicit netmask (in CIDR notation) indicating it - is a class C network. For the other networks in _C_S_N_E_T_S, - the local machine's netmask will be used during matching. - lisa CUNETS = ALL - The user lliissaa may run any command on any host in the - _C_U_N_E_T_S alias (the class B network 128.138.0.0). - operator ALL = DUMPS, KILL, SHUTDOWN, HALT, REBOOT, PRINTING,\ - sudoedit /etc/printcap, /usr/oper/bin/ +1.6.9 November 12, 2004 19 - The ooppeerraattoorr user may run commands limited to simple -1.6.9 October 26, 2004 19 +SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4) + _C_S_N_E_T_S alias (the networks 128.138.243.0, 128.138.204.0, + and 128.138.242.0). Of those networks, only 128.138.204.0 + has an explicit netmask (in CIDR notation) indicating it + is a class C network. For the other networks in _C_S_N_E_T_S, + the local machine's netmask will be used during matching. + lisa CUNETS = ALL -SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4) + The user lliissaa may run any command on any host in the + _C_U_N_E_T_S alias (the class B network 128.138.0.0). + operator ALL = DUMPS, KILL, SHUTDOWN, HALT, REBOOT, PRINTING,\ + sudoedit /etc/printcap, /usr/oper/bin/ - maintenance. Here, those are commands related to backups, + The ooppeerraattoorr user may run commands limited to simple main­ + tenance. Here, those are commands related to backups, killing processes, the printing system, shutting down the system, and any commands in the directory _/_u_s_r_/_o_p_e_r_/_b_i_n_/. 
@@ -1298,6 +1313,17 @@ SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4) john ALPHA = /usr/bin/su [!-]*, !/usr/bin/su *root* + + +1.6.9 November 12, 2004 20 + + + + + +SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4) + + On the _A_L_P_H_A machines, user jjoohhnn may su to anyone except root but he is not allowed to give _s_u(1) any flags. @@ -1313,17 +1339,6 @@ SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4) any commands in the directory /usr/bin/ except for those commands belonging to the _S_U and _S_H_E_L_L_S Cmnd_Aliases. - - -1.6.9 October 26, 2004 20 - - - - - -SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4) - - steve CSNETS = (operator) /usr/local/op_commands/ The user sstteevvee may run any command in the directory @@ -1364,6 +1379,17 @@ SSEECCUURRIITTYY NNOOTTEESS restrictions should be considered advisory at best (and reinforced by policy). + + +1.6.9 November 12, 2004 21 + + + + + +SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4) + + PPRREEVVEENNTTIINNGG SSHHEELLLL EESSCCAAPPEESS Once ssuuddoo executes a program, that program is free to do whatever it pleases, including run other programs. This @@ -1378,18 +1404,6 @@ PPRREEVVEENNTTIINNGG SSHHEELLLL EESSCCAAPPEESS restrict Avoid giving users access to commands that allow the user to run arbitrary commands. Many edi­ tors have a restricted mode where shell escapes - - - -1.6.9 October 26, 2004 21 - - - - - -SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4) - - are disabled, though ssuuddooeeddiitt is a better solu­ tion to running editors via ssuuddoo. Due to the large number of programs that offer shell 
@@ -1430,33 +1444,33 @@ SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4) the LD_PRELOAD environment variable. Check your operating system's manual pages for the dynamic linker (usually ld.so, ld.so.1, dyld, dld.sl, - rld, or loader) to see if LD_PRELOAD is sup­ - ported. - To enable _n_o_e_x_e_c for a command, use the NOEXEC - tag as documented in the User Specification sec­ - tion above. Here is that example again: - aaron shanty = NOEXEC: /usr/bin/more, /usr/bin/vi - This allows user aaaarroonn to run _/_u_s_r_/_b_i_n_/_m_o_r_e and - _/_u_s_r_/_b_i_n_/_v_i with _n_o_e_x_e_c enabled. This will pre­ - vent those two commands from executing other - commands (such as a shell). If you are unsure - whether or not your system is capable of +1.6.9 November 12, 2004 22 -1.6.9 October 26, 2004 22 +SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4) + rld, or loader) to see if LD_PRELOAD is sup­ + ported. -SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4) + To enable _n_o_e_x_e_c for a command, use the NOEXEC + tag as documented in the User Specification sec­ + tion above. Here is that example again: + aaron shanty = NOEXEC: /usr/bin/more, /usr/bin/vi - supporting _n_o_e_x_e_c you can always just try it out + This allows user aaaarroonn to run _/_u_s_r_/_b_i_n_/_m_o_r_e and + _/_u_s_r_/_b_i_n_/_v_i with _n_o_e_x_e_c enabled. This will pre­ + vent those two commands from executing other + commands (such as a shell). If you are unsure + whether or not your system is capable of sup­ + porting _n_o_e_x_e_c you can always just try it out and see if it works. monitor On operating systems that support the ssyyssttrraaccee @@ -1496,6 +1510,18 @@ SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4) SSEEEE AALLSSOO _r_s_h(1), _s_u(1), _f_n_m_a_t_c_h(3), sudo(1m), visudo(1m) + + + +1.6.9 November 12, 2004 23 + + + + + +SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4) + + CCAAVVEEAATTSS The _s_u_d_o_e_r_s file should aallwwaayyss be edited by the vviissuuddoo command which locks the file and does grammatical check­ 
@@ -1509,19 +1535,6 @@ CCAAVVEEAATTSS hostname be fully qualified as returned by the hostname command or use the _f_q_d_n option in _s_u_d_o_e_r_s. - - - - -1.6.9 October 26, 2004 23 - - - - - -SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4) - - BBUUGGSS If you feel you have found a bug in ssuuddoo, please submit a bug report at http://www.sudo.ws/sudo/bugs/ @@ -1566,19 +1579,6 @@ DDIISSCCLLAAIIMMEERR - - - - - - - - - - - - - -1.6.9 October 26, 2004 24 +1.6.9 November 12, 2004 24 diff --git a/sudoers.man.in b/sudoers.man.in index aa47d0a6c..784684d06 100644 --- a/sudoers.man.in +++ b/sudoers.man.in @@ -149,7 +149,7 @@ .\" ======================================================================== .\" .IX Title "SUDOERS @mansectform@" -.TH SUDOERS @mansectform@ "October 26, 2004" "1.6.9" "MAINTENANCE COMMANDS" +.TH SUDOERS @mansectform@ "November 12, 2004" "1.6.9" "MAINTENANCE COMMANDS" .SH "NAME" sudoers \- list of which users may execute what .SH "DESCRIPTION" @@ -570,9 +570,8 @@ following variables: \f(CW\*(C`HOME\*(C'\fR, \f(CW\*(C`LOGNAME\*(C'\fR, \f(CW\*( and \f(CW\*(C`USER\*(C'\fR (in addition to the \f(CW\*(C`SUDO_*\*(C'\fR variables). Of these, only \f(CW\*(C`TERM\*(C'\fR is copied unaltered from the old environment. The other variables are set to default values (possibly modified -by the value of the \fIset_logname\fR option). If \fBsudo\fR was compiled -with the \f(CW\*(C`SECURE_PATH\*(C'\fR option, its value will be used for the \f(CW\*(C`PATH\*(C'\fR -environment variable. +by the value of the \fIset_logname\fR option). If the \fIsecure_path\fR +option is set, its value will be used for the \f(CW\*(C`PATH\*(C'\fR environment variable. Other variables may be preserved with the \fIenv_keep\fR option. .IP "use_loginclass" 12 .IX Item "use_loginclass" 
@@ -761,6 +760,14 @@ interpreting the \f(CW\*(C`@\*(C'\fR sign. Defaults to \f(CW\*(C`@mailto@\*(C'\ .IX Item "exempt_group" Users in this group are exempt from password and \s-1PATH\s0 requirements. This is not set by default. +.IP "secure_path" 12 +.IX Item "secure_path" +Path used for every command run from \fBsudo\fR. If you don't trust the +people running \fBsudo\fR to have a sane \f(CW\*(C`PATH\*(C'\fR environment variable you may +want to use this. Another use is if you want to have the \*(L"root path\*(R" +be separate from the \*(L"user path.\*(R" Users in the group specified by the +\&\fIexempt_group\fR option are not affected by \fIsecure_path\fR. +This is not set by default. .IP "verifypw" 12 .IX Item "verifypw" This option controls when a password will be required when a user runs @@ -942,7 +949,7 @@ run \fI/bin/kill\fR without a password the entry would be: .Ve .PP Note, however, that the \f(CW\*(C`PASSWD\*(C'\fR tag has no effect on users who are -in the group specified by the exempt_group option. +in the group specified by the \fIexempt_group\fR option. .PP By default, if the \f(CW\*(C`NOPASSWD\*(C'\fR tag is applied to any of the entries for a user on the current host, he or she will be able to run diff --git a/sudoers.pod b/sudoers.pod index 65a8e9f50..9146ef19e 100644 --- a/sudoers.pod +++ b/sudoers.pod @@ -435,9 +435,8 @@ following variables: C, C, C, C, C, and C (in addition to the C variables). Of these, only C is copied unaltered from the old environment. The other variables are set to default values (possibly modified -by the value of the I option). If B was compiled -with the C option, its value will be used for the C -environment variable. +by the value of the I option). If the I +option is set, its value will be used for the C environment variable. Other variables may be preserved with the I option. =item use_loginclass 
@@ -675,6 +674,15 @@ interpreting the C<@> sign. Defaults to C<@mailto@>. Users in this group are exempt from password and PATH requirements. This is not set by default. +=item secure_path + +Path used for every command run from B. If you don't trust the +people running B to have a sane C environment variable you may +want to use this. Another use is if you want to have the "root path" +be separate from the "user path." Users in the group specified by the +I option are not affected by I. +This is not set by default. + =item verifypw This option controls when a password will be required when a user runs @@ -856,7 +864,7 @@ run F without a password the entry would be: ray rushmore = NOPASSWD: /bin/kill, PASSWD: /bin/ls, /usr/bin/lprm Note, however, that the C tag has no effect on users who are -in the group specified by the exempt_group option. +in the group specified by the I option. By default, if the C tag is applied to any of the entries for a user on the current host, he or she will be able to run diff --git a/visudo.c b/visudo.c index baa637d1e..59c1cf6dc 100644 --- a/visudo.c +++ b/visudo.c @@ -528,6 +528,13 @@ init_envtables() return; } +/* STUB */ +int +user_is_exempt() +{ + return(FALSE); +} + /* * Assuming a parse error occurred, prompt the user for what they want * to do now. Returns the first letter of their choice.
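Review bot: in the CHANGES hunk, the new entry 549 (bash exported functions and CDPATH stripped from the environment) and the "Sudo 1.6.8p2 released." marker have nothing to do with the subject of this commit, and the renumbering of 549-558 that they force is the bulk of the hunk; if those lines were merged from the 1.6.8p2 branch, say so in the commit message, or split them into their own commit so that the secure_path change is just the one-line entry 559.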
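Review bot: the env.c hunk changes behaviour beyond moving the setting from compile time to run time. The removed `#ifdef SECURE_PATH` block replaced PATH for every user, whereas the new `if (def_secure_path && !user_is_exempt())` leaves exempt_group members with their own PATH in the environment, which is what the find_path.c check already did and what the new sudoers.pod text documents. Entry 559 in CHANGES only says the option "has been restored"; a note that exempt users now also keep their PATH in the environment would help anyone upgrading from a build that defined SECURE_PATH.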
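Review bot: in the find_path.c hunk the context comment `/* Use PATH passed in unless SECURE_PATH is in effect. */` still names the compile-time macro that the hunk removes; update it to describe the new condition, e.g. `/* Use PATH passed in unless the secure_path option is set and the user is not exempt. */`, so the comment matches `if (def_secure_path && !user_is_exempt())` directly below it.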
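Review bot: the sudoers.cat hunks carry changes unrelated to secure_path that look like one build's configure choices rather than stock defaults: ignore_dot, insults and env_editor flip from `_o_f_f` / `off` to `_o_n` / `on` by default, and the syslog facility default changes from `local2` to `authpriv`. The pod source uses configure-substituted values (the visible `C<@mailto@>`), so a formatted page generated on a machine configured with those options will document them as defaults. Regenerate sudoers.cat from a default configuration, or restrict this file's hunks to the secure_path text, the exempt_group italics and the date bump.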
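Review bot: the `=item secure_path` text added to sudoers.pod (and mirrored in sudoers.man.in and sudoers.cat) does not mention that the option is declared `T_STR|T_BOOL` in def_data.in and def_data.c, which allows it to be negated; builds that define SECURE_PATH at compile time get `def_secure_path` pre-set in init_defaults(), and a sentence saying that `Defaults !secure_path` clears that value would make "This is not set by default" accurate for those builds as well.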
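Review bot: the `/* STUB */` comment on the new user_is_exempt() in the visudo.c hunk should say why the stub exists: find_path.c now references user_is_exempt() unconditionally (it was previously only called inside the removed `#ifdef SECURE_PATH` block), so every program linked with find_path.o needs a definition. A comment such as "visudo has no sudoers context, so no user is ever exempt from secure_path" would document both the dependency and why returning FALSE is the correct choice here; it also makes clear that visudo's own editor lookup will honour a compiled-in secure_path for all users.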