From: Todd C. Miller Date: Thu, 30 Sep 2004 17:25:51 +0000 (+0000) Subject: regen X-Git-Tag: SUDO_1_7_0~915 X-Git-Url: https://granicus.if.org/sourcecode?a=commitdiff_plain;h=abc7ac8eef8281cb90bd035d1994c0d6c2d3d6c9;p=sudo regen --- diff --git a/sudo.cat b/sudo.cat index 7661b62b2..7c281520f 100644 --- a/sudo.cat +++ b/sudo.cat @@ -61,7 +61,7 @@ DDEESSCCRRIIPPTTIIOONN -1.6.8 September 8, 2004 1 +1.6.9 September 30, 2004 1 @@ -127,7 +127,7 @@ OOPPTTIIOONNSS -1.6.8 September 8, 2004 2 +1.6.9 September 30, 2004 2 @@ -193,7 +193,7 @@ SUDO(1m) MAINTENANCE COMMANDS SUDO(1m) -1.6.8 September 8, 2004 3 +1.6.9 September 30, 2004 3 @@ -259,7 +259,7 @@ SUDO(1m) MAINTENANCE COMMANDS SUDO(1m) -1.6.8 September 8, 2004 4 +1.6.9 September 30, 2004 4 @@ -325,7 +325,7 @@ SSEECCUURRIITTYY NNOOTTEESS -1.6.8 September 8, 2004 5 +1.6.9 September 30, 2004 5 
@@ -359,15 +359,17 @@ SUDO(1m) MAINTENANCE COMMANDS SUDO(1m) timestamp with a bogus date on systems that allow users to give away files. - Please note that ssuuddoo will only log the command it explic­ - itly runs. If a user runs a command such as sudo su or - sudo sh, subsequent commands run from that shell will _n_o_t - be logged, nor will ssuuddoo's access control affect them. - The same is true for commands that offer shell escapes - (including most editors). Because of this, care must be - taken when giving users access to commands via ssuuddoo to - verify that the command does not inadvertently give the - user an effective root shell. + Please note that ssuuddoo will normally only log the command + it explicitly runs. If a user runs a command such as sudo + su or sudo sh, subsequent commands run from that shell + will _n_o_t be logged, nor will ssuuddoo's access control affect + them. The same is true for commands that offer shell + escapes (including most editors). Because of this, care + must be taken when giving users access to commands via + ssuuddoo to verify that the command does not inadvertently + give the user an effective root shell. For more informa­ + tion, please see the PREVENTING SHELL ESCAPES section in + sudoers(4). EENNVVIIRROONNMMEENNTT ssuuddoo utilizes the following environment variables: @@ -386,12 +388,10 @@ EENNVVIIRROONNMMEENNTT SUDO_PROMPT Used as the default password prompt - SUDO_COMMAND Set to the command run by sudo - -1.6.8 September 8, 2004 6 +1.6.9 September 30, 2004 6 @@ -400,6 +400,8 @@ EENNVVIIRROONNMMEENNTT SUDO(1m) MAINTENANCE COMMANDS SUDO(1m) + SUDO_COMMAND Set to the command run by sudo + SUDO_USER Set to the login of the user who invoked sudo SUDO_UID Set to the uid of the user who invoked sudo @@ -455,9 +457,7 @@ AAUUTTHHOORRSS - - -1.6.8 September 8, 2004 7 +1.6.9 September 30, 2004 7 @@ -523,7 +523,7 @@ DDIISSCCLLAAIIMMEERR -1.6.8 September 8, 2004 8 +1.6.9 September 30, 2004 8 
@@ -589,6 +589,6 @@ SUDO(1m) MAINTENANCE COMMANDS SUDO(1m) -1.6.8 September 8, 2004 9 +1.6.9 September 30, 2004 9 diff --git a/sudo.man.in b/sudo.man.in index 2c658b96b..3a48b99b9 100644 --- a/sudo.man.in +++ b/sudo.man.in @@ -149,7 +149,7 @@ .\" ======================================================================== .\" .IX Title "SUDO @mansectsu@" -.TH SUDO @mansectsu@ "September 8, 2004" "1.6.8" "MAINTENANCE COMMANDS" +.TH SUDO @mansectsu@ "September 30, 2004" "1.6.9" "MAINTENANCE COMMANDS" .SH "NAME" sudo, sudoedit \- execute a command as another user .SH "SYNOPSIS" 
@@ -452,14 +452,16 @@ will be ignored and sudo will log and complain. This is done to keep a user from creating his/her own timestamp with a bogus date on systems that allow users to give away files. .PP -Please note that \fBsudo\fR will only log the command it explicitly -runs. If a user runs a command such as \f(CW\*(C`sudo su\*(C'\fR or \f(CW\*(C`sudo sh\*(C'\fR, -subsequent commands run from that shell will \fInot\fR be logged, nor -will \fBsudo\fR's access control affect them. The same is true for -commands that offer shell escapes (including most editors). Because -of this, care must be taken when giving users access to commands -via \fBsudo\fR to verify that the command does not inadvertently give -the user an effective root shell. +Please note that \fBsudo\fR will normally only log the command it +explicitly runs. If a user runs a command such as \f(CW\*(C`sudo su\*(C'\fR or +\&\f(CW\*(C`sudo sh\*(C'\fR, subsequent commands run from that shell will \fInot\fR be +logged, nor will \fBsudo\fR's access control affect them. The same +is true for commands that offer shell escapes (including most +editors). Because of this, care must be taken when giving users +access to commands via \fBsudo\fR to verify that the command does not +inadvertently give the user an effective root shell. For more +information, please see the \f(CW\*(C`PREVENTING SHELL ESCAPES\*(C'\fR section in +sudoers(@mansectform@). .SH "ENVIRONMENT" .IX Header "ENVIRONMENT" \&\fBsudo\fR utilizes the following environment variables: diff --git a/sudoers.cat b/sudoers.cat index 065b4dd12..0790129d8 100644 --- a/sudoers.cat +++ b/sudoers.cat @@ -61,7 +61,7 @@ DDEESSCCRRIIPPTTIIOONN -1.6.8 September 6, 2004 1 +1.6.9 September 30, 2004 1 @@ -127,7 +127,7 @@ SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4) -1.6.8 September 6, 2004 2 +1.6.9 September 30, 2004 2 @@ -193,7 +193,7 @@ SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4) -1.6.8 September 6, 2004 3 +1.6.9 September 30, 2004 3 
@@ -259,7 +259,7 @@ SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4) -1.6.8 September 6, 2004 4 +1.6.9 September 30, 2004 4 @@ -325,7 +325,7 @@ SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4) -1.6.8 September 6, 2004 5 +1.6.9 September 30, 2004 5 @@ -391,7 +391,7 @@ SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4) -1.6.8 September 6, 2004 6 +1.6.9 September 30, 2004 6 @@ -457,7 +457,7 @@ SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4) -1.6.8 September 6, 2004 7 +1.6.9 September 30, 2004 7 @@ -523,7 +523,7 @@ SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4) -1.6.8 September 6, 2004 8 +1.6.9 September 30, 2004 8 @@ -548,6 +548,17 @@ SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4) VENTING SHELL ESCAPES" section at the end of this manual. This flag is _o_f_f by default. + trace If set, all commands run via sudo will behave + as if the TRACE tag has been set, unless over­ + ridden by a NOTRACE tag. See the description + of _T_R_A_C_E _a_n_d _N_O_T_R_A_C_E below as well as the + "PREVENTING SHELL ESCAPES" section at the end + of this manual. Be aware that tracing is only + supported on certain operating systems. On + systems where it is not supported this flag + will have no effect. This flag is _o_f_f by + default. + ignore_local_sudoers If set via LDAP, parsing of @sysconfdir@/sudo­ ers will be skipped. This is intended for an @@ -575,21 +586,10 @@ SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4) loglinelen Number of characters per line for the file log. This value is used to decide when to wrap lines for nicer log files. This has no - effect on the syslog log file, only the file - log. The default is 80 (use 0 or negate the - option to disable word wrap). - - timestamp_timeout - Number of minutes that can elapse before ssuuddoo - will ask for a passwd again. The default is - 5. Set this to 0 to always prompt for a pass­ - word. If set to a value less than 0 the - user's timestamp will never expire. This can - be used to allow users to create or delete -1.6.8 September 6, 2004 9 +1.6.9 September 30, 2004 9 
@@ -598,6 +598,17 @@ SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4) SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4) + effect on the syslog log file, only the file + log. The default is 80 (use 0 or negate the + option to disable word wrap). + + timestamp_timeout + Number of minutes that can elapse before ssuuddoo + will ask for a passwd again. The default is + 5. Set this to 0 to always prompt for a pass­ + word. If set to a value less than 0 the + user's timestamp will never expire. This can + be used to allow users to create or delete their own timestamps via sudo -v and sudo -k respectively. @@ -641,30 +652,30 @@ SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4) %U expanded to the login name of the user the command will be run as (defaults - to root) - %h expanded to the local hostname without - the domain name - %H expanded to the local hostname includ­ - ing the domain name (on if the - machine's hostname is fully qualified - or the _f_q_d_n option is set) - %% two consecutive % characters are +1.6.9 September 30, 2004 10 -1.6.8 September 6, 2004 10 +SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4) + to root) -SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4) + %h expanded to the local hostname without + the domain name + %H expanded to the local hostname includ­ + ing the domain name (on if the + machine's hostname is fully qualified + or the _f_q_d_n option is set) - collaped into a single % character + %% two consecutive % characters are col­ + laped into a single % character The default value is Password:. 
@@ -707,28 +718,29 @@ SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4) never Never lecture the user. - once Only lecture the user the first time - they run ssuuddoo. - always Always lecture the user. - The default value is _o_n_c_e. - lecture_file - Path to a file containing an alternate sudo - lecture that will be used in place of the - standard lecture if the named file exists. +1.6.9 September 30, 2004 11 -1.6.8 September 6, 2004 11 +SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4) + once Only lecture the user the first time + they run ssuuddoo. -SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4) + always Always lecture the user. + + The default value is _o_n_c_e. + lecture_file + Path to a file containing an alternate sudo + lecture that will be used in place of the + standard lecture if the named file exists. logfile Path to the ssuuddoo log file (not the syslog log file). Setting a path turns on logging to a @@ -772,29 +784,29 @@ SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4) to use the --vv flag. always The user must always enter a password - to use the --vv flag. - The default value is `all'. - listpw This option controls when a password will be - required when a user runs ssuuddoo with the --ll - flag. It has the following possible values: - all All the user's _s_u_d_o_e_r_s entries for the - current host must have the NOPASSWD - flag set to avoid entering a password. +1.6.9 September 30, 2004 12 -1.6.8 September 6, 2004 12 +SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4) + to use the --vv flag. + The default value is `all'. -SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4) + listpw This option controls when a password will be + required when a user runs ssuuddoo with the --ll + flag. It has the following possible values: + all All the user's _s_u_d_o_e_r_s entries for the + current host must have the NOPASSWD + flag set to avoid entering a password. any At least one of the user's _s_u_d_o_e_r_s entries for the current host must have 
@@ -838,6 +850,18 @@ SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4) dangerous variables from the environment of any setuid process (such as ssuuddoo). + + + +1.6.9 September 30, 2004 13 + + + + + +SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4) + + env_keep Environment variables to be preserved in the user's environment when the _e_n_v___r_e_s_e_t option is in effect. This allows fine-grained con­ @@ -850,18 +874,6 @@ SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4) respectively. This list has no default mem­ bers. - - - -1.6.8 September 6, 2004 13 - - - - - -SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4) - - When logging via _s_y_s_l_o_g(3), ssuuddoo accepts the following values for the syslog facility (the value of the ssyysslloogg Parameter): aauutthhpprriivv (if your OS supports it), aauutthh, ddaaee­­ @@ -882,7 +894,8 @@ SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4) Runas_Spec ::= '(' Runas_List ')' - Tag_Spec ::= ('NOPASSWD:' | 'PASSWD:' | 'NOEXEC:' | 'EXEC:') + Tag_Spec ::= ('NOPASSWD:' | 'PASSWD:' | 'NOEXEC:' | 'EXEC:' | + 'TRACE' | 'NOTRACE') A uusseerr ssppeecciiffiiccaattiioonn determines which commands a user may run (and as what user) on specified hosts. By default, 
@@ -903,39 +916,38 @@ SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4) dgb boulder = (operator) /bin/ls, /bin/kill, /usr/bin/lprm The user ddggbb may run _/_b_i_n_/_l_s, _/_b_i_n_/_k_i_l_l, and _/_u_s_r_/_b_i_n_/_l_p_r_m - -- but only as ooppeerraattoorr. E.g., - $ sudo -u operator /bin/ls. - It is also possible to override a Runas_Spec later on in - an entry. If we modify the entry like so: - dgb boulder = (operator) /bin/ls, (root) /bin/kill, /usr/bin/lprm +1.6.9 September 30, 2004 14 - Then user ddggbb is now allowed to run _/_b_i_n_/_l_s as ooppeerraattoorr, - but _/_b_i_n_/_k_i_l_l and _/_u_s_r_/_b_i_n_/_l_p_r_m as rroooott. - -1.6.8 September 6, 2004 14 +SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4) + -- but only as ooppeerraattoorr. E.g., + $ sudo -u operator /bin/ls. + It is also possible to override a Runas_Spec later on in + an entry. If we modify the entry like so: -SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4) + dgb boulder = (operator) /bin/ls, (root) /bin/kill, /usr/bin/lprm + Then user ddggbb is now allowed to run _/_b_i_n_/_l_s as ooppeerraattoorr, + but _/_b_i_n_/_k_i_l_l and _/_u_s_r_/_b_i_n_/_l_p_r_m as rroooott. TTaagg__SSppeecc A command may have zero or more tags associated with it. There are four possible tag values, NOPASSWD, PASSWD, - NOEXEC, EXEC. Once a tag is set on a Cmnd, subsequent - Cmnds in the Cmnd_Spec_List, inherit the tag unless it is - overridden by the opposite tag (ie: PASSWD overrides - NOPASSWD and EXEC overrides NOEXEC). + NOEXEC, EXEC, TRACE and NOTRACE. Once a tag is set on a + Cmnd, subsequent Cmnds in the Cmnd_Spec_List, inherit the + tag unless it is overridden by the opposite tag (ie: + PASSWD overrides NOPASSWD and NOTRACE overrides TRACE). _N_O_P_A_S_S_W_D _a_n_d _P_A_S_S_W_D 
@@ -969,10 +981,22 @@ SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4) _N_O_E_X_E_C _a_n_d _E_X_E_C - If sudo has been compiled with _n_o_e_x_e_c support and the - underlying operating system support it, the NOEXEC tag can - be used to prevent a dynamically-linked executable from - running further commands itself. + If ssuuddoo has been compiled with _n_o_e_x_e_c support and the + + + +1.6.9 September 30, 2004 15 + + + + + +SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4) + + + underlying operating system supports it, the NOEXEC tag + can be used to prevent a dynamically-linked executable + from running further commands itself. In the following example, user aaaarroonn may run _/_u_s_r_/_b_i_n_/_m_o_r_e and _/_u_s_r_/_b_i_n_/_v_i but shell escapes will be disabled. @@ -980,19 +1004,27 @@ SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4) aaron shanty = NOEXEC: /usr/bin/more, /usr/bin/vi See the "PREVENTING SHELL ESCAPES" section below for more - details on how _n_o_e_x_e_c works and whether or not it will + details on how NOEXEC works and whether or not it will work on your system. + _T_R_A_C_E _a_n_d _N_O_T_R_A_C_E + If ssuuddoo has been configured with the --with-systrace + option, the TRACE tag can be used to cause programs + spawned by a command to be checked against _s_u_d_o_e_r_s and + logged just like they would be if run through ssuuddoo + directly. This is useful in conjunction with commands + that allow shell escapes such as editors, shells and pagi­ + nators. -1.6.8 September 6, 2004 15 - - - + In the following example, user cchhuucckk may run any command + on the machine research with tracing enabled. + chuck research = TRACE: ALL -SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4) - + See the "PREVENTING SHELL ESCAPES" section below for more + details on how TRACE works and whether or not it will work + on your system. WWiillddccaarrddss 
@@ -1016,6 +1048,18 @@ SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4) Note that a forward slash ('/') will nnoott be matched by wildcards used in the pathname. When matching the command + + + +1.6.9 September 30, 2004 16 + + + + + +SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4) + + line arguments, however, a slash ddooeess get matched by wild­ cards. This is to make a path like: 
@@ -1047,34 +1091,56 @@ SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4) This limitation will be removed in a future version of ssuuddoo. + EExxcceeppttiioonnss ttoo wwiillddccaarrdd rruulleess + The following exceptions apply to the above rules: + "" If the empty string "" is the only command line + argument in the _s_u_d_o_e_r_s entry it means that com­ + mand is not allowed to be run with aannyy arguments. + IInncclluuddiinngg ootthheerr ffiilleess ffrroomm wwiitthhiinn ssuuddooeerrss -1.6.8 September 6, 2004 16 + It is possible to include other _s_u_d_o_e_r_s files from within + the _s_u_d_o_e_r_s file currently being parsed using the #include + directive, similar to the one used by the C preprocessor. + This is useful, for example, for keeping a site-wide _s_u_d_o_­ + _e_r_s file in addition to a per-machine local one. For the + sake of this example the site-wide _s_u_d_o_e_r_s will be + _/_e_t_c_/_s_u_d_o_e_r_s and the per-machine one will be _/_e_t_c_/_s_u_d_o_­ + _e_r_s_._l_o_c_a_l. To include _/_e_t_c_/_s_u_d_o_e_r_s_._l_o_c_a_l from _/_e_t_c_/_s_u_d_o_­ + _e_r_s we would use the following line in _/_e_t_c_/_s_u_d_o_e_r_s: + #include /etc/sudoers.local + When ssuuddoo reaches this line it will suspend processing of -SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4) +1.6.9 September 30, 2004 17 - EExxcceeppttiioonnss ttoo wwiillddccaarrdd rruulleess - The following exceptions apply to the above rules: - "" If the empty string "" is the only command line - argument in the _s_u_d_o_e_r_s entry it means that com­ - mand is not allowed to be run with aannyy arguments. + +SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4) + + + the current file (_/_e_t_c_/_s_u_d_o_e_r_s) and switch to _/_e_t_c_/_s_u_d_o_­ + _e_r_s_._l_o_c_a_l. Upon reaching the end of _/_e_t_c_/_s_u_d_o_e_r_s_._l_o_c_a_l, + the rest of _/_e_t_c_/_s_u_d_o_e_r_s will be processed. Files that + are included may themselves include other files. 
A hard + limit of 128 nested include files is enforced to prevent + include file loops. OOtthheerr ssppeecciiaall cchhaarraacctteerrss aanndd rreesseerrvveedd wwoorrddss The pound sign ('#') is used to indicate a comment (unless - it occurs in the context of a user name and is followed by - one or more digits, in which case it is treated as a uid). - Both the comment character and any text after it, up to - the end of the line, are ignored. + it is part of a #include directive or unless it occurs in + the context of a user name and is followed by one or more + digits, in which case it is treated as a uid). Both the + comment character and any text after it, up to the end of + the line, are ignored. The reserved word AALLLL is a built-in _a_l_i_a_s that always causes a match to succeed. It can be used wherever one @@ -1117,7 +1183,7 @@ EEXXAAMMPPLLEESS -1.6.8 September 6, 2004 17 +1.6.9 September 30, 2004 18 @@ -1183,7 +1249,7 @@ SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4) -1.6.8 September 6, 2004 18 +1.6.9 September 30, 2004 19 @@ -1249,7 +1315,7 @@ SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4) -1.6.8 September 6, 2004 19 +1.6.9 September 30, 2004 20 @@ -1315,7 +1381,7 @@ SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4) -1.6.8 September 6, 2004 20 +1.6.9 September 30, 2004 21 
@@ -1359,29 +1425,29 @@ PPRREEVVEENNTTIINNGG SSHHEELLLL EESSCCAAPPEESS whatever it pleases, including run other programs. This can be a security issue since it is not uncommon for a program to allow shell escapes, which lets a user bypass - ssuuddoo's restrictions. Common programs that permit shell - escapes include shells (obviously), editors, paginators, - mail and terminal programs. - - Many systems that support shared libraries have the abil­ - ity to override default library functions by pointing an - environment variable (usually LD_PRELOAD) to an alternate - shared library. On such systems, ssuuddoo's _n_o_e_x_e_c function­ - ality can be used to prevent a program run by sudo from - executing any other programs. Note, however, that this - applies only to native dynamically-linked executables. - Statically-linked executables and foreign executables run­ - ning under binary emulation are not affected. + ssuuddoo's access control and logging. Common programs that + permit shell escapes include shells (obviously), editors, + paginators, mail and terminal programs. - To tell whether or not ssuuddoo supports _n_o_e_x_e_c, you can run - the following as root: + There are three basic approaches to this problem: - sudo -V | grep "dummy exec" + restrict Avoid giving users access to commands that allow + the user to run arbitrary commands. Many edi­ + tors have a restricted mode where shell escapes + are disabled, though ssuuddooeeddiitt is a better solu­ + tion to running editors via sudo. Due to the + large number of programs that offer shell + escapes, restricting users to the set of pro­ + grams that do not if often unworkable. + noexec Many systems that support shared libraries have + the ability to override default library func­ + tions by pointing an environment variable (usu­ + ally LD_PRELOAD) to an alternate shared library. -1.6.8 September 6, 2004 21 +1.6.9 September 30, 2004 22 
@@ -1390,38 +1456,95 @@ PPRREEVVEENNTTIINNGG SSHHEELLLL EESSCCAAPPEESS SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4) - If the resulting output contains a line that begins with: + On such systems, ssuuddoo's _n_o_e_x_e_c functionality can + be used to prevent a program run by sudo from + executing any other programs. Note, however, + that this applies only to native dynamically- + linked executables. Statically-linked executa­ + bles and foreign executables running under + binary emulation are not affected. - File containing dummy exec functions: + To tell whether or not ssuuddoo supports _n_o_e_x_e_c, you + can run the following as root: - then ssuuddoo may be able to replace the exec family of func­ - tions in the standard library with its own that simply - return an error. Unfortunately, there is no foolproof way - to know whether or not _n_o_e_x_e_c will work at compile-time. - _N_o_e_x_e_c should work on SunOS, Solaris, *BSD, Linux, IRIX, - Tru64 UNIX, MacOS X, and HP-UX 11.x. It is known nnoott to - work on AIX and UnixWare. _N_o_e_x_e_c is expected to work on - most operating systems that support the LD_PRELOAD envi­ - ronment variable. Check your operating system's manual - pages for the dynamic linker (usually ld.so, ld.so.1, - dyld, dld.sl, rld, or loader) to see if LD_PRELOAD is sup­ - ported. + sudo -V | grep "dummy exec" - To enable _n_o_e_x_e_c for a command, use the NOEXEC tag as doc­ - umented in the User Specification section above. Here is - that example again: + If the resulting output contains a line that + begins with: - aaron shanty = NOEXEC: /usr/bin/more, /usr/bin/vi + File containing dummy exec functions: + + then ssuuddoo may be able to replace the exec family + of functions in the standard library with its + own that simply return an error. Unfortunately, + there is no foolproof way to know whether or not + _n_o_e_x_e_c will work at compile-time. 
_N_o_e_x_e_c should + work on SunOS, Solaris, *BSD, Linux, IRIX, Tru64 + UNIX, MacOS X, and HP-UX 11.x. It is known nnoott + to work on AIX and UnixWare. _N_o_e_x_e_c is expected + to work on most operating systems that support + the LD_PRELOAD environment variable. Check your + operating system's manual pages for the dynamic + linker (usually ld.so, ld.so.1, dyld, dld.sl, + rld, or loader) to see if LD_PRELOAD is sup­ + ported. + + To enable _n_o_e_x_e_c for a command, use the NOEXEC + tag as documented in the User Specification sec­ + tion above. Here is that example again: + + aaron shanty = NOEXEC: /usr/bin/more, /usr/bin/vi + + This allows user aaaarroonn to run _/_u_s_r_/_b_i_n_/_m_o_r_e and + _/_u_s_r_/_b_i_n_/_v_i with _n_o_e_x_e_c enabled. This will pre­ + vent those two commands from executing other + commands (such as a shell). If you are unsure + whether or not your system is capable of sup­ + porting _n_o_e_x_e_c you can always just try it out + and see if it works. + + tracing On operating systems that support the ssyyssttrraaccee + pseudo-device, the --with-systrace configure + option can be used to compile support for com­ + mand tracing in ssuuddoo. With ssyyssttrraaccee support + ssuuddoo can transparently intercept a new command, + allow or deny it based on _s_u_d_o_e_r_s, and log the + result. This does require that ssuuddoo become a + + + +1.6.9 September 30, 2004 23 - This allows user aaaarroonn to run _/_u_s_r_/_b_i_n_/_m_o_r_e and - _/_u_s_r_/_b_i_n_/_v_i with _n_o_e_x_e_c enabled. This will prevent those - two commands from executing other commands (such as a - shell). If you are unsure whether or not your system is - capable of supporting _n_o_e_x_e_c you can always just try it - out and see if it works. - Note that disabling shell escapes is not a panacea. 
Pro­ - grams running as root are still capable of many poten­ + + + +SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4) + + + daemon that persists until the command and all + its descendents have finished. + + To enable tracing on a per-command basis, use + the TRACE tag as documented in the User Specifi­ + cation section above. Here is that example + again: + + chuck research = TRACE: ALL + + This allows user cchhuucckk to run any command on the + machine research with tracing enabled. Any com­ + mands run via shell escapes will be logged by + sudo. + + At the time of this writing the ssyyssttrraaccee pseudo- + device comes standard with OpenBSD and NetBSD + and is available as patches to FreeBSD, MacOS X + and Linux. See for + more information. + + Note that restricting shell escapes is not a panacea. + Programs running as root are still capable of many poten­ tially hazardous operations (such as changing or overwrit­ ing files) that could lead to unintended privilege escala­ tion. In the specific case of an editor, a safer approach 
@@ -1443,31 +1566,30 @@ CCAAVVEEAATTSS hostname be fully qualified as returned by the hostname command or use the _f_q_d_n option in _s_u_d_o_e_r_s. +BBUUGGSS + If you feel you have found a bug in ssuuddoo, please submit a + bug report at http://www.sudo.ws/sudo/bugs/ +SSUUPPPPOORRTT + Commercial support is available for ssuuddoo, see + http://www.sudo.ws/sudo/support.html for details. + Limited free support is available via the sudo-users mail­ + ing list, see -1.6.8 September 6, 2004 22 - +1.6.9 September 30, 2004 24 -SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4) -BBUUGGSS - If you feel you have found a bug in ssuuddoo, please submit a - bug report at http://www.sudo.ws/sudo/bugs/ +SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4) -SSUUPPPPOORRTT - Commercial support is available for ssuuddoo, see - http://www.sudo.ws/sudo/support.html for details. - Limited free support is available via the sudo-users mail­ - ing list, see http://www.sudo.ws/mail­ - man/listinfo/sudo-users to subscribe or search the - archives. + http://www.sudo.ws/mailman/listinfo/sudo-users to sub­ + scribe or search the archives. DDIISSCCLLAAIIMMEERR SSuuddoo is provided ``AS IS'' and any express or implied war­ @@ -1513,6 +1635,16 @@ DDIISSCCLLAAIIMMEERR -1.6.8 September 6, 2004 23 + + + + + + + + + + +1.6.9 September 30, 2004 25 diff --git a/sudoers.man.in b/sudoers.man.in index d105e31f5..b0a10a6ee 100644 --- a/sudoers.man.in +++ b/sudoers.man.in @@ -149,7 +149,7 @@ .\" ======================================================================== .\" .IX Title "SUDOERS @mansectform@" -.TH SUDOERS @mansectform@ "September 6, 2004" "1.6.8" "MAINTENANCE COMMANDS" +.TH SUDOERS @mansectform@ "September 30, 2004" "1.6.9" "MAINTENANCE COMMANDS" .SH "NAME" sudoers \- list of which users may execute what .SH "DESCRIPTION" 
@@ -589,6 +589,14 @@ the \-\-with\-logincap option. This flag is \fIoff\fR by default. If set, all commands run via sudo will behave as if the \f(CW\*(C`NOEXEC\*(C'\fR tag has been set, unless overridden by a \f(CW\*(C`EXEC\*(C'\fR tag. See the description of \fI\s-1NOEXEC\s0 and \s-1EXEC\s0\fR below as well as the \*(L"\s-1PREVENTING\s0 \s-1SHELL\s0 \s-1ESCAPES\s0\*(R" section at the end of this manual. This flag is \fIoff\fR by default. +.IP "trace" 12 +.IX Item "trace" +If set, all commands run via sudo will behave as if the \f(CW\*(C`TRACE\*(C'\fR +tag has been set, unless overridden by a \f(CW\*(C`NOTRACE\*(C'\fR tag. See the +description of \fI\s-1TRACE\s0 and \s-1NOTRACE\s0\fR below as well as the \*(L"\s-1PREVENTING\s0 \s-1SHELL\s0 \s-1ESCAPES\s0\*(R" section at the end of this manual. Be aware that +tracing is only supported on certain operating systems. On systems +where it is not supported this flag will have no effect. +This flag is \fIoff\fR by default. .IP "ignore_local_sudoers" 12 .IX Item "ignore_local_sudoers" If set via \s-1LDAP\s0, parsing of \f(CW@sysconfdir\fR@/sudoers will be skipped. @@ -867,8 +875,9 @@ supported: \fBalert\fR, \fBcrit\fR, \fBdebug\fR, \fBemerg\fR, \fBerr\fR, \fBinfo \& Runas_Spec ::= '(' Runas_List ')' .Ve .PP -.Vb 1 -\& Tag_Spec ::= ('NOPASSWD:' | 'PASSWD:' | 'NOEXEC:' | 'EXEC:') +.Vb 2 +\& Tag_Spec ::= ('NOPASSWD:' | 'PASSWD:' | 'NOEXEC:' | 'EXEC:' | +\& 'TRACE' | 'NOTRACE') .Ve .PP A \fBuser specification\fR determines which commands a user may run 
@@ -907,11 +916,12 @@ but \fI/bin/kill\fR and \fI/usr/bin/lprm\fR as \fBroot\fR. .Sh "Tag_Spec" .IX Subsection "Tag_Spec" A command may have zero or more tags associated with it. There are -four possible tag values, \f(CW\*(C`NOPASSWD\*(C'\fR, \f(CW\*(C`PASSWD\*(C'\fR, \f(CW\*(C`NOEXEC\*(C'\fR, \f(CW\*(C`EXEC\*(C'\fR. +four possible tag values, \f(CW\*(C`NOPASSWD\*(C'\fR, \f(CW\*(C`PASSWD\*(C'\fR, \f(CW\*(C`NOEXEC\*(C'\fR, \f(CW\*(C`EXEC\*(C'\fR, +\&\f(CW\*(C`TRACE\*(C'\fR and \f(CW\*(C`NOTRACE\*(C'\fR. Once a tag is set on a \f(CW\*(C`Cmnd\*(C'\fR, subsequent \f(CW\*(C`Cmnd\*(C'\fRs in the \&\f(CW\*(C`Cmnd_Spec_List\*(C'\fR, inherit the tag unless it is overridden by the -opposite tag (ie: \f(CW\*(C`PASSWD\*(C'\fR overrides \f(CW\*(C`NOPASSWD\*(C'\fR and \f(CW\*(C`EXEC\*(C'\fR -overrides \f(CW\*(C`NOEXEC\*(C'\fR). +opposite tag (ie: \f(CW\*(C`PASSWD\*(C'\fR overrides \f(CW\*(C`NOPASSWD\*(C'\fR and \f(CW\*(C`NOTRACE\*(C'\fR +overrides \f(CW\*(C`TRACE\*(C'\fR). .PP \fI\s-1NOPASSWD\s0 and \s-1PASSWD\s0\fR .IX Subsection "NOPASSWD and PASSWD" @@ -949,8 +959,8 @@ This behavior may be overridden via the verifypw and listpw options. \fI\s-1NOEXEC\s0 and \s-1EXEC\s0\fR .IX Subsection "NOEXEC and EXEC" .PP -If sudo has been compiled with \fInoexec\fR support and the underlying -operating system support it, the \f(CW\*(C`NOEXEC\*(C'\fR tag can be used to prevent +If \fBsudo\fR has been compiled with \fInoexec\fR support and the underlying +operating system supports it, the \f(CW\*(C`NOEXEC\*(C'\fR tag can be used to prevent a dynamically-linked executable from running further commands itself. .PP In the following example, user \fBaaron\fR may run \fI/usr/bin/more\fR 
@@ -961,7 +971,27 @@ and \fI/usr/bin/vi\fR but shell escapes will be disabled. .Ve .PP See the \*(L"\s-1PREVENTING\s0 \s-1SHELL\s0 \s-1ESCAPES\s0\*(R" section below for more details -on how \fInoexec\fR works and whether or not it will work on your system. +on how \f(CW\*(C`NOEXEC\*(C'\fR works and whether or not it will work on your system. +.PP +\fI\s-1TRACE\s0 and \s-1NOTRACE\s0\fR +.IX Subsection "TRACE and NOTRACE" +.PP +If \fBsudo\fR has been configured with the \f(CW\*(C`\-\-with\-systrace\*(C'\fR option, +the \f(CW\*(C`TRACE\*(C'\fR tag can be used to cause programs spawned by a command +to be checked against \fIsudoers\fR and logged just like they would +be if run through \fBsudo\fR directly. This is useful in conjunction +with commands that allow shell escapes such as editors, shells and +paginators. +.PP +In the following example, user \fBchuck\fR may run any command on the +machine research with tracing enabled. +.PP +.Vb 1 +\& chuck research = TRACE: ALL +.Ve +.PP +See the \*(L"\s-1PREVENTING\s0 \s-1SHELL\s0 \s-1ESCAPES\s0\*(R" section below for more details +on how \f(CW\*(C`TRACE\*(C'\fR works and whether or not it will work on your system. .Sh "Wildcards" .IX Subsection "Wildcards" \&\fBsudo\fR allows shell-style \fIwildcards\fR (aka meta or glob characters) 
@@ -1037,13 +1067,34 @@ The following exceptions apply to the above rules: If the empty string \f(CW""\fR is the only command line argument in the \&\fIsudoers\fR entry it means that command is not allowed to be run with \fBany\fR arguments. +.Sh "Including other files from within sudoers" +.IX Subsection "Including other files from within sudoers" +It is possible to include other \fIsudoers\fR files from within the +\&\fIsudoers\fR file currently being parsed using the \f(CW\*(C`#include\*(C'\fR +directive, similar to the one used by the C preprocessor. This is +useful, for example, for keeping a site-wide \fIsudoers\fR file in +addition to a per-machine local one. For the sake of this example +the site-wide \fIsudoers\fR will be \fI/etc/sudoers\fR and the per-machine +one will be \fI/etc/sudoers.local\fR. To include \fI/etc/sudoers.local\fR +from \fI/etc/sudoers\fR we would use the following line in \fI/etc/sudoers\fR: +.PP +.Vb 1 +\& #include /etc/sudoers.local +.Ve +.PP +When \fBsudo\fR reaches this line it will suspend processing of the +current file (\fI/etc/sudoers\fR) and switch to \fI/etc/sudoers.local\fR. +Upon reaching the end of \fI/etc/sudoers.local\fR, the rest of +\&\fI/etc/sudoers\fR will be processed. Files that are included may +themselves include other files. A hard limit of 128 nested include +files is enforced to prevent include file loops. .Sh "Other special characters and reserved words" .IX Subsection "Other special characters and reserved words" -The pound sign ('#') is used to indicate a comment (unless it -occurs in the context of a user name and is followed by one or -more digits, in which case it is treated as a uid). Both the -comment character and any text after it, up to the end of the line, -are ignored. +The pound sign ('#') is used to indicate a comment (unless it is +part of a #include directive or unless it occurs in the context of +a user name and is followed by one or more digits, in which case +it is treated as a uid). 
Both the comment character and any text +after it, up to the end of the line, are ignored. .PP The reserved word \fB\s-1ALL\s0\fR is a built-in \fIalias\fR that always causes a match to succeed. It can be used wherever one might otherwise @@ -1318,10 +1369,21 @@ advisory at best (and reinforced by policy). Once \fBsudo\fR executes a program, that program is free to do whatever it pleases, including run other programs. This can be a security issue since it is not uncommon for a program to allow shell escapes, -which lets a user bypass \fBsudo\fR's restrictions. Common programs -that permit shell escapes include shells (obviously), editors, -paginators, mail and terminal programs. -.PP +which lets a user bypass \fBsudo\fR's access control and logging. +Common programs that permit shell escapes include shells (obviously), +editors, paginators, mail and terminal programs. +.PP +There are three basic approaches to this problem: +.IP "restrict" 10 +.IX Item "restrict" +Avoid giving users access to commands that allow the user to run +arbitrary commands. Many editors have a restricted mode where shell +escapes are disabled, though \fBsudoedit\fR is a better solution to +running editors via sudo. Due to the large number of programs that +offer shell escapes, restricting users to the set of programs that +do not if often unworkable. +.IP "noexec" 10 +.IX Item "noexec" Many systems that support shared libraries have the ability to override default library functions by pointing an environment variable (usually \f(CW\*(C`LD_PRELOAD\*(C'\fR) to an alternate shared library. 
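Review bot: the #include hunk says nothing about the security checks applied to the included file. A sudoers policy is only as trustworthy as the least protected file it pulls in, so the text should state whether "/etc/sudoers.local" must pass the same ownership and mode checks as "/etc/sudoers", whether visudo opens and syntax-checks included files, and whether only absolute paths are accepted (a relative or user-influenced path would be a policy bypass rather than a configuration convenience). The comment-character paragraph should also say how the directive is recognised, e.g. whether "#include" must start at the beginning of the line, so that "# include" and "#includefoo" are unambiguous. Finally, "A hard limit of 128 nested include files is enforced" says what is enforced but not the consequence of exceeding it; an include loop should be a fatal parse error so that a broken policy is never loaded partially, and the text should say so.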
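Review bot: typo in the new "restrict" item of the PREVENTING SHELL ESCAPES hunk: "restricting users to the set of programs that do not if often unworkable" should read "is often unworkable". The paragraph also changes "bypass sudo's restrictions" to "bypass sudo's access control and logging", which is the right emphasis, but the "noexec" item that follows opens with the generic LD_PRELOAD mechanism before saying what sudo does with it; leading with the effect (sudo preloads a library whose exec functions simply fail) and then the mechanism would read better under the new item heading.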
@@ -1330,20 +1392,20 @@ prevent a program run by sudo from executing any other programs. Note, however, that this applies only to native dynamically-linked executables. Statically-linked executables and foreign executables running under binary emulation are not affected. -.PP +.Sp To tell whether or not \fBsudo\fR supports \fInoexec\fR, you can run the following as root: -.PP +.Sp .Vb 1 \& sudo -V | grep "dummy exec" .Ve -.PP +.Sp If the resulting output contains a line that begins with: -.PP +.Sp .Vb 1 \& File containing dummy exec functions: .Ve -.PP +.Sp then \fBsudo\fR may be able to replace the exec family of functions in the standard library with its own that simply return an error. Unfortunately, there is no foolproof way to know whether or not 
@@ -1354,25 +1416,52 @@ is expected to work on most operating systems that support the \&\f(CW\*(C`LD_PRELOAD\*(C'\fR environment variable. Check your operating system's manual pages for the dynamic linker (usually ld.so, ld.so.1, dyld, dld.sl, rld, or loader) to see if \f(CW\*(C`LD_PRELOAD\*(C'\fR is supported. -.PP +.Sp To enable \fInoexec\fR for a command, use the \f(CW\*(C`NOEXEC\*(C'\fR tag as documented in the User Specification section above. Here is that example again: -.PP +.Sp .Vb 1 \& aaron shanty = NOEXEC: /usr/bin/more, /usr/bin/vi .Ve -.PP +.Sp This allows user \fBaaron\fR to run \fI/usr/bin/more\fR and \fI/usr/bin/vi\fR with \fInoexec\fR enabled. This will prevent those two commands from executing other commands (such as a shell). If you are unsure whether or not your system is capable of supporting \fInoexec\fR you can always just try it out and see if it works. -.PP -Note that disabling shell escapes is not a panacea. Programs running -as root are still capable of many potentially hazardous operations -(such as changing or overwriting files) that could lead to unintended -privilege escalation. In the specific case of an editor, a safer -approach is to give the user permission to run \fBsudoedit\fR. +.IP "tracing" 10 +.IX Item "tracing" +On operating systems that support the \fBsystrace\fR pseudo\-device, +the \f(CW\*(C`\-\-with\-systrace\*(C'\fR configure option can be used to compile +support for command tracing in \fBsudo\fR. With \fBsystrace\fR support +\&\fBsudo\fR can transparently intercept a new command, allow or deny +it based on \fIsudoers\fR, and log the result. This does require that +\&\fBsudo\fR become a daemon that persists until the command and all its +descendents have finished. +.Sp +To enable tracing on a per-command basis, use the \f(CW\*(C`TRACE\*(C'\fR tag as +documented in the User Specification section above. 
Here is that +example again: +.Sp +.Vb 1 +\& chuck research = TRACE: ALL +.Ve +.Sp +This allows user \fBchuck\fR to run any command on the machine research +with tracing enabled. Any commands run via shell escapes will be +logged by sudo. +.Sp +At the time of this writing the \fBsystrace\fR pseudo-device comes +standard with OpenBSD and NetBSD and is available as patches to +FreeBSD, MacOS X and Linux. See for +more information. +.PP +Note that restricting shell escapes is not a panacea. Programs +running as root are still capable of many potentially hazardous +operations (such as changing or overwriting files) that could lead +to unintended privilege escalation. In the specific case of an +editor, a safer approach is to give the user permission to run +\&\fBsudoedit\fR. .SH "SEE ALSO" .IX Header "SEE ALSO" \&\fIrsh\fR\|(1), \fIsu\fR\|(1), \fIfnmatch\fR\|(3), sudo(@mansectsu@), visudo(@mansectsu@) diff --git a/visudo.cat b/visudo.cat index bdf817d2e..a5e011073 100644 --- a/visudo.cat +++ b/visudo.cat @@ -61,7 +61,7 @@ OOPPTTIIOONNSS -1.6.8 September 6, 2004 1 +1.6.8p1 September 27, 2004 1 @@ -127,7 +127,7 @@ DDIIAAGGNNOOSSTTIICCSS -1.6.8 September 6, 2004 2 +1.6.8p1 September 27, 2004 2 @@ -193,6 +193,6 @@ DDIISSCCLLAAIIMMEERR -1.6.8 September 6, 2004 3 +1.6.8p1 September 27, 2004 3 diff --git a/visudo.man.in b/visudo.man.in index b00424c9d..05bc49235 100644 --- a/visudo.man.in +++ b/visudo.man.in @@ -149,7 +149,7 @@ .\" ======================================================================== .\" .IX Title "VISUDO @mansectsu@" -.TH VISUDO @mansectsu@ "September 6, 2004" "1.6.8" "MAINTENANCE COMMANDS" +.TH VISUDO @mansectsu@ "September 27, 2004" "1.6.8p1" "MAINTENANCE COMMANDS" .SH "NAME" visudo \- edit the sudoers file .SH "SYNOPSIS"
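Review bot: in the "tracing" item, "descendents" should be "descendants", and "See for more information." has lost its reference target, so either restore the link or drop the sentence. The example's description says commands run via shell escapes "will be logged by sudo", which understates the Tag_Spec text that they are also checked against sudoers; say "checked against sudoers and logged" here too so the reader does not take TRACE as audit-only. The sentence that sudo "become a daemon that persists until the command and all its descendents have finished" deserves a caveat: the resident sudo process lives as long as the command tree, and the text should say what happens to the traced command if that process dies (does it continue untraced, or is it terminated), since a silent fall-back to untraced execution would defeat the purpose of the tag.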