From: Todd C. Miller Date: Sun, 24 Jun 2007 00:00:41 +0000 (+0000) Subject: regen X-Git-Tag: SUDO_1_7_0~523 X-Git-Url: https://granicus.if.org/sourcecode?a=commitdiff_plain;h=b3b905ba5e91a7fd3947171cdf630fded0abdb28;p=sudo regen --- diff --git a/sudo.cat b/sudo.cat index 83a06fbb9..4f953eacb 100644 --- a/sudo.cat +++ b/sudo.cat @@ -8,14 +8,15 @@ NNAAMMEE sudo, sudoedit - execute a command as another user SSYYNNOOPPSSIISS - ssuuddoo --KK | --LL | --VV | --hh | --kk | --vv + ssuuddoo --KK | --kk | --hh | --LL | --VV | --vv - ssuuddoo [--UU _u_s_e_r_n_a_m_e] [--uu _u_s_e_r_n_a_m_e|_#_u_i_d] --ll [_c_o_m_m_a_n_d] + ssuuddoo --ll [--UU _u_s_e_r_n_a_m_e] [--uu _u_s_e_r_n_a_m_e|_#_u_i_d] [_c_o_m_m_a_n_d] - ssuuddoo [--HHPPSSbb] [--aa _a_u_t_h___t_y_p_e] [--cc _c_l_a_s_s|_-] [--pp _p_r_o_m_p_t] - [--uu _u_s_e_r_n_a_m_e|_#_u_i_d] {--ee file [...] | --ii | --ss | _c_o_m_m_a_n_d} + ssuuddoo [--bbEEHHPPSS] [--aa _a_u_t_h___t_y_p_e] [--CC _f_d] [--cc _c_l_a_s_s|_-] + [--pp _p_r_o_m_p_t] [--uu _u_s_e_r_n_a_m_e|_#_u_i_d] [VVAARR=_v_a_l_u_e] + {--ee file [...] | --ii | --ss | _c_o_m_m_a_n_d} - ssuuddooeeddiitt [--SS] [--aa _a_u_t_h___t_y_p_e] [--pp _p_r_o_m_p_t] [--uu _u_s_e_r_­ + ssuuddooeeddiitt [--aa _a_u_t_h___t_y_p_e] [--pp _p_r_o_m_p_t] [--SS] [--uu _u_s_e_r_­ _n_a_m_e|_#_u_i_d] file [...] DDEESSCCRRIIPPTTIIOONN @@ -57,11 +58,10 @@ DDEESSCCRRIIPPTTIIOONN actual user is. This can be used by a user to log com­ mands through sudo even when a root shell has been invoked. It also allows the --ee flag to remain useful even - when being run via a sudo-run script or program. Note -1.6.9 November 24, 2004 1 +1.7 June 23, 2007 1 @@ -70,6 +70,7 @@ DDEESSCCRRIIPPTTIIOONN SUDO(1m) MAINTENANCE COMMANDS SUDO(1m) + when being run via a sudo-run script or program. Note however, that the sudoers lookup is still done for root, not the user specified by SUDO_USER. 
@@ -81,61 +82,12 @@ SUDO(1m) MAINTENANCE COMMANDS SUDO(1m) OOPPTTIIOONNSS ssuuddoo accepts the following command line options: - -H The --HH (_H_O_M_E) option sets the HOME environment vari­ - able to the homedir of the target user (root by - default) as specified in passwd(4). By default, ssuuddoo - does not modify HOME (see _s_e_t___h_o_m_e and _a_l_w_a_y_s___s_e_t___h_o_m_e - in sudoers(4)). - - -K The --KK (sure _k_i_l_l) option is like --kk except that it - removes the user's timestamp entirely. Like --kk, this - option does not require a password. - - -L The --LL (_l_i_s_t defaults) option will list out the param­ - eters that may be set in a _D_e_f_a_u_l_t_s line along with a - short description for each. This option is useful in - conjunction with _g_r_e_p(1). - - -P The --PP (_p_r_e_s_e_r_v_e _g_r_o_u_p _v_e_c_t_o_r) option causes ssuuddoo to - preserve the invoking user's group vector unaltered. - By default, ssuuddoo will initialize the group vector to - the list of groups the target user is in. The real - and effective group IDs, however, are still set to - match the target user. - - -S The --SS (_s_t_d_i_n) option causes ssuuddoo to read the password - from the standard input instead of the terminal - device. - - -U The --UU (_o_t_h_e_r _u_s_e_r) option is used in conjunction with - the --ll option to specify the user whose privileges - should be listed. Only root or a user with ssuuddoo ALL - on the current host may use this option. - - -V The --VV (_v_e_r_s_i_o_n) option causes ssuuddoo to print the ver­ - sion number and exit. If the invoking user is already - root the --VV option will print out a list of the - defaults ssuuddoo was compiled with as well as the - machine's local network addresses. - -a The --aa (_a_u_t_h_e_n_t_i_c_a_t_i_o_n _t_y_p_e) option causes ssuuddoo to use the specified authentication type when validating the user, as allowed by /etc/login.conf. 
The system administrator may specify a list of sudo-specific authentication methods by adding an "auth-sudo" entry in /etc/login.conf. This option is only available on - - - -1.6.9 November 24, 2004 2 - - - - - -SUDO(1m) MAINTENANCE COMMANDS SUDO(1m) - - systems that support BSD authentication where ssuuddoo has been configured with the --with-bsdauth option. @@ -144,6 +96,16 @@ SUDO(1m) MAINTENANCE COMMANDS SUDO(1m) --bb option you cannot use shell job control to manipu­ late the process. + -C fd + Normally, ssuuddoo will close all open file descriptors + other than standard input, standard output and stan­ + dard error. The --CC (_c_l_o_s_e _f_r_o_m) option allows the + user to specify a starting point above the standard + error (file descriptor three). Values less than three + are not permitted. This option is only available if + the administrator has enabled the _c_l_o_s_e_f_r_o_m___o_v_e_r_r_i_d_e + option in sudoers(4). + -c The --cc (_c_l_a_s_s) option causes ssuuddoo to run the specified command with resources limited by the specified login class. The _c_l_a_s_s argument can be either a class name @@ -158,6 +120,22 @@ SUDO(1m) MAINTENANCE COMMANDS SUDO(1m) classes where ssuuddoo has been configured with the --with-logincap option. + -E The --EE (_p_r_e_s_e_r_v_e _e_n_v_i_r_o_n_m_e_n_t) option will override the + _e_n_v___r_e_s_e_t option in sudoers(4)). It is only available + when either the matching command has the SETENV tag or + the _s_e_t_e_n_v option is set in sudoers(4). + + + +1.7 June 23, 2007 2 + + + + + +SUDO(1m) MAINTENANCE COMMANDS SUDO(1m) + + -e The --ee (_e_d_i_t) option indicates that, instead of run­ ning a command, the user wishes to edit one or more files. In lieu of a command, the string "sudoedit" is 
@@ -186,38 +164,54 @@ SUDO(1m) MAINTENANCE COMMANDS SUDO(1m) receive a warning and the edited copy will remain in a temporary file. + -H The --HH (_H_O_M_E) option sets the HOME environment vari­ + able to the homedir of the target user (root by + default) as specified in passwd(4). By default, ssuuddoo + does not modify HOME (see _s_e_t___h_o_m_e and _a_l_w_a_y_s___s_e_t___h_o_m_e + in sudoers(4)). + -h The --hh (_h_e_l_p) option causes ssuuddoo to print a usage mes­ sage and exit. -i The --ii (_s_i_m_u_l_a_t_e _i_n_i_t_i_a_l _l_o_g_i_n) option runs the shell + specified in the passwd(4) entry of the user that the + command is being run as. The command name argument + given to the shell begins with a `-' to tell the shell + to run as a login shell. ssuuddoo attempts to change to + that user's home directory before running the shell. + It also initializes the environment, leaving _D_I_S_P_L_A_Y + and _T_E_R_M unchanged, setting _H_O_M_E, _S_H_E_L_L, _U_S_E_R, _L_O_G_­ + _N_A_M_E, and _P_A_T_H, and unsetting all other environment + variables. + -K The --KK (sure _k_i_l_l) option is like --kk except that it + removes the user's timestamp entirely. Like --kk, this + option does not require a password. + -k The --kk (_k_i_l_l) option to ssuuddoo invalidates the user's + timestamp by setting the time on it to the Epoch. The -1.6.9 November 24, 2004 3 +1.7 June 23, 2007 3 -SUDO(1m) MAINTENANCE COMMANDS SUDO(1m) - specified in the passwd(4) entry of the user that the - command is being run as. The command name argument - given to the shell begins with a `-' to tell the shell - to run as a login shell. ssuuddoo attempts to change to - that user's home directory before running the shell. - It also initializes the environment, leaving _T_E_R_M - unchanged, setting _H_O_M_E, _S_H_E_L_L, _U_S_E_R, _L_O_G_N_A_M_E, and - _P_A_T_H, and unsetting all other environment variables. 
+SUDO(1m) MAINTENANCE COMMANDS SUDO(1m) + - -k The --kk (_k_i_l_l) option to ssuuddoo invalidates the user's - timestamp by setting the time on it to the Epoch. The next time ssuuddoo is run a password will be required. This option does not require a password and was added to allow a user to revoke ssuuddoo permissions from a .logout file. + -L The --LL (_l_i_s_t defaults) option will list out the param­ + eters that may be set in a _D_e_f_a_u_l_t_s line along with a + short description for each. This option is useful in + conjunction with _g_r_e_p(1). + -l [_c_o_m_m_a_n_d] If no _c_o_m_m_a_n_d is specified, the --ll (_l_i_s_t) option will list the allowed (and forbidden) commands for the @@ -228,6 +222,13 @@ SUDO(1m) MAINTENANCE COMMANDS SUDO(1m) ments. If _c_o_m_m_a_n_d is not allowed, ssuuddoo will exit with a return value of 1. + -P The --PP (_p_r_e_s_e_r_v_e _g_r_o_u_p _v_e_c_t_o_r) option causes ssuuddoo to + preserve the invoking user's group vector unaltered. + By default, ssuuddoo will initialize the group vector to + the list of groups the target user is in. The real + and effective group IDs, however, are still set to + match the target user. + -p The --pp (_p_r_o_m_p_t) option allows you to override the default password prompt and use a custom one. The following percent (`%') escapes are supported: 
@@ -242,24 +243,23 @@ SUDO(1m) MAINTENANCE COMMANDS SUDO(1m) %H expanded to the local hostname including the domain name (on if the machine's hostname is - fully qualified or the _f_q_d_n sudoers option is + fully qualified or the _f_q_d_n _s_u_d_o_e_r_s option is set) %% two consecutive % characters are collapsed into a single % character + -S The --SS (_s_t_d_i_n) option causes ssuuddoo to read the password + from the standard input instead of the terminal + device. + -s The --ss (_s_h_e_l_l) option runs the shell specified by the _S_H_E_L_L environment variable if it is set or the shell as specified in passwd(4). - -u The --uu (_u_s_e_r) option causes ssuuddoo to run the specified - command as a user other than _r_o_o_t. To specify a _u_i_d - instead of a _u_s_e_r_n_a_m_e, use _#_u_i_d. Note that if the - _t_a_r_g_e_t_p_w Defaults option is set (see sudoers(4)) it is - -1.6.9 November 24, 2004 4 +1.7 June 23, 2007 4 
@@ -268,9 +268,24 @@ SUDO(1m) MAINTENANCE COMMANDS SUDO(1m) SUDO(1m) MAINTENANCE COMMANDS SUDO(1m) + -U The --UU (_o_t_h_e_r _u_s_e_r) option is used in conjunction with + the --ll option to specify the user whose privileges + should be listed. Only root or a user with ssuuddoo ALL + on the current host may use this option. + + -u The --uu (_u_s_e_r) option causes ssuuddoo to run the specified + command as a user other than _r_o_o_t. To specify a _u_i_d + instead of a _u_s_e_r_n_a_m_e, use _#_u_i_d. Note that if the + _t_a_r_g_e_t_p_w Defaults option is set (see sudoers(4)) it is not possible to run commands with a uid not listed in the password database. + -V The --VV (_v_e_r_s_i_o_n) option causes ssuuddoo to print the ver­ + sion number and exit. If the invoking user is already + root the --VV option will print out a list of the + defaults ssuuddoo was compiled with as well as the + machine's local network addresses. + -v If given the --vv (_v_a_l_i_d_a_t_e) option, ssuuddoo will update the user's timestamp, prompting for the user's pass­ word if necessary. This extends the ssuuddoo timeout for @@ -281,6 +296,13 @@ SUDO(1m) MAINTENANCE COMMANDS SUDO(1m) command line arguments. It is most useful in conjunc­ tion with the --ss flag. + Environment variables to be set for the command may also + be passed on the command line in the form of VVAARR=_v_a_l_u_e, + e.g. LLDD__LLIIBBRRAARRYY__PPAATTHH=_/_u_s_r_/_l_o_c_a_l_/_p_k_g_/_l_i_b. This is only + permitted when the _s_e_t_e_n_v option is set in _s_u_d_o_e_r_s or the + command to be run has the SETENV tag set. See sudoers(4) + for more information. + RREETTUURRNN VVAALLUUEESS Upon successful execution of a program, the return value from ssuuddoo will simply be the return value of the program 
@@ -299,6 +321,19 @@ RREETTUURRNN VVAALLUUEESS and one of the directories in your PATH is on a machine that is currently unreachable. + + + + +1.7 June 23, 2007 5 + + + + + +SUDO(1m) MAINTENANCE COMMANDS SUDO(1m) + + SSEECCUURRIITTYY NNOOTTEESS ssuuddoo tries to be safe when executing external commands. Variables that control how dynamic loading and binding is @@ -322,18 +357,6 @@ SSEECCUURRIITTYY NNOOTTEESS as root. To prevent command spoofing, ssuuddoo checks "." and "" (both - - - -1.6.9 November 24, 2004 5 - - - - - -SUDO(1m) MAINTENANCE COMMANDS SUDO(1m) - - denoting current directory) last when searching for a com­ mand in the user's PATH (if one or both are in the PATH). Note, however, that the actual PATH environment variable 
@@ -348,22 +371,34 @@ SUDO(1m) MAINTENANCE COMMANDS SUDO(1m) ssuuddoo will check the ownership of its timestamp directory (_/_v_a_r_/_r_u_n_/_s_u_d_o by default) and ignore the directory's con­ - tents if it is not owned by root and only writable by - root. On systems that allow non-root users to give away - files via _c_h_o_w_n(2), if the timestamp directory is located - in a directory writable by anyone (e.g.: _/_t_m_p), it is pos­ - sible for a user to create the timestamp directory before - ssuuddoo is run. However, because ssuuddoo checks the ownership - and mode of the directory and its contents, the only dam­ - age that can be done is to "hide" files by putting them in - the timestamp dir. This is unlikely to happen since once - the timestamp dir is owned by root and inaccessible by any - other user the user placing files there would be unable to - get them back out. To get around this issue you can use a - directory that is not world-writable for the timestamps - (_/_v_a_r_/_a_d_m_/_s_u_d_o for instance) or create _/_v_a_r_/_r_u_n_/_s_u_d_o with - the appropriate owner (root) and permissions (0700) in the - system startup files. + tents if it is not owned by root or if it is writable by a + user other than root. On systems that allow non-root + users to give away files via _c_h_o_w_n(2), if the timestamp + directory is located in a directory writable by anyone + (e.g., _/_t_m_p), it is possible for a user to create the + timestamp directory before ssuuddoo is run. However, because + ssuuddoo checks the ownership and mode of the directory and + its contents, the only damage that can be done is to + "hide" files by putting them in the timestamp dir. This + is unlikely to happen since once the timestamp dir is + owned by root and inaccessible by any other user, the user + placing files there would be unable to get them back out. 
+ To get around this issue you can use a directory that is + not world-writable for the timestamps (_/_v_a_r_/_a_d_m_/_s_u_d_o for + instance) or create _/_v_a_r_/_r_u_n_/_s_u_d_o with the appropriate + owner (root) and permissions (0700) in the system startup + files. + + + +1.7 June 23, 2007 6 + + + + + +SUDO(1m) MAINTENANCE COMMANDS SUDO(1m) + ssuuddoo will not honor timestamps set far in the future. Timestamps with a date greater than current_time + 2 * @@ -387,19 +422,6 @@ SUDO(1m) MAINTENANCE COMMANDS SUDO(1m) EENNVVIIRROONNMMEENNTT ssuuddoo utilizes the following environment variables: - - - - -1.6.9 November 24, 2004 6 - - - - - -SUDO(1m) MAINTENANCE COMMANDS SUDO(1m) - - EDITOR Default editor to use in -e (sudoedit) mode if VISUAL is not set @@ -433,6 +455,17 @@ FFIILLEESS /etc/sudoers List of who can run what /var/run/sudo Directory containing timestamps + + +1.7 June 23, 2007 7 + + + + + +SUDO(1m) MAINTENANCE COMMANDS SUDO(1m) + + EEXXAAMMPPLLEESS Note: the following examples assume suitable sudoers(4) entries. @@ -455,17 +488,6 @@ EEXXAAMMPPLLEESS $ sudo shutdown -r +15 "quick reboot" - - -1.6.9 November 24, 2004 7 - - - - - -SUDO(1m) MAINTENANCE COMMANDS SUDO(1m) - - To make a usage listing of the directories in the /home partition. Note that this runs the commands in a sub- shell to make the cd and file redirection work. @@ -480,8 +502,7 @@ AAUUTTHHOORRSS Many people have worked on ssuuddoo over the years; this ver­ sion consists of code written primarily by: - Todd Miller - Chris Jepeway + Todd C. Miller See the HISTORY file in the ssuuddoo distribution or visit http://www.sudo.ws/sudo/history.html for a short history 
@@ -497,11 +518,23 @@ CCAAVVEEAATTSS See the sudoers(4) manual for details. It is not meaningful to run the cd command directly via - sudo, e.g. + sudo, e.g., + + + + +1.7 June 23, 2007 8 + + + + + +SUDO(1m) MAINTENANCE COMMANDS SUDO(1m) + $ sudo cd /usr/local/protected - since when whe command exits the parent process (your + since when the command exits the parent process (your shell) will still be the same. Please see the EXAMPLES section for more information. @@ -519,23 +552,7 @@ BBUUGGSS If you feel you have found a bug in ssuuddoo, please submit a bug report at http://www.sudo.ws/sudo/bugs/ - - - - -1.6.9 November 24, 2004 8 - - - - - -SUDO(1m) MAINTENANCE COMMANDS SUDO(1m) - - SSUUPPPPOORRTT - Commercial support is available for ssuuddoo, see - http://www.sudo.ws/sudo/support.html for details. - Limited free support is available via the sudo-users mail­ ing list, see http://www.sudo.ws/mail­ man/listinfo/sudo-users to subscribe or search the @@ -572,23 +589,6 @@ DDIISSCCLLAAIIMMEERR - - - - - - - - - - - - - - - - - -1.6.9 November 24, 2004 9 +1.7 June 23, 2007 9 diff --git a/sudo.man.in b/sudo.man.in index c6e6f468e..42e6c7926 100644 --- a/sudo.man.in +++ b/sudo.man.in @@ -1,4 +1,5 @@ -.\" Copyright (c) 1994-1996,1998-2003 Todd C. Miller +.\" Copyright (c) 1994-1996, 1998-2005, 2007 +.\" Todd C. Miller .\" .\" Permission to use, copy, modify, and distribute this software for any .\" purpose with or without fee is hereby granted, provided that the above @@ -18,7 +19,7 @@ .\" Materiel Command, USAF, under agreement number F39502-99-1-0512. .\" .\" $Sudo$ -.\" Automatically generated by Pod::Man v1.37, Pod::Parser v1.14 +.\" Automatically generated by Pod::Man v1.37, Pod::Parser v1.32 .\" .\" Standard preamble: .\" ======================================================================== 
@@ -149,21 +150,21 @@ .\" ======================================================================== .\" .IX Title "SUDO @mansectsu@" -.TH SUDO @mansectsu@ "November 24, 2004" "1.6.9" "MAINTENANCE COMMANDS" +.TH SUDO @mansectsu@ "June 23, 2007" "1.7" "MAINTENANCE COMMANDS" .SH "NAME" sudo, sudoedit \- execute a command as another user .SH "SYNOPSIS" .IX Header "SYNOPSIS" -\&\fBsudo\fR \fB\-K\fR | \fB\-L\fR | \fB\-V\fR | \fB\-h\fR | \fB\-k\fR | \fB\-v\fR +\&\fBsudo\fR \fB\-K\fR | \fB\-k\fR | \fB\-h\fR | \fB\-L\fR | \fB\-V\fR | \fB\-v\fR .PP -\&\fBsudo\fR [\fB\-U\fR\ \fIusername\fR] [\fB\-u\fR\ \fIusername\fR|\fI#uid\fR] \fB\-l\fR [\fIcommand\fR] +\&\fBsudo\fR \fB\-l\fR [\fB\-U\fR\ \fIusername\fR] [\fB\-u\fR\ \fIusername\fR|\fI#uid\fR] [\fIcommand\fR] .PP -\&\fBsudo\fR [\fB\-HPSb\fR] [\fB\-a\fR\ \fIauth_type\fR] [\fB\-c\fR\ \fIclass\fR|\fI\-\fR] -[\fB\-p\fR\ \fIprompt\fR] [\fB\-u\fR\ \fIusername\fR|\fI#uid\fR] -{\fB\-e\fR\ file\ [...]\ |\ \fB\-i\fR\ |\ \fB\-s\fR\ |\ \fIcommand\fR} +\&\fBsudo\fR [\fB\-bEHPS\fR] [\fB\-a\fR\ \fIauth_type\fR] [\fB\-C\fR\ \fIfd\fR] +[\fB\-c\fR\ \fIclass\fR|\fI\-\fR] [\fB\-p\fR\ \fIprompt\fR] [\fB\-u\fR\ \fIusername\fR|\fI#uid\fR] +[\fB\s-1VAR\s0\fR=\fIvalue\fR] {\fB\-e\fR\ file\ [...]\ |\ \fB\-i\fR\ |\ \fB\-s\fR\ |\ \fIcommand\fR} .PP -\&\fBsudoedit\fR [\fB\-S\fR] [\fB\-a\fR\ \fIauth_type\fR] -[\fB\-p\fR\ \fIprompt\fR] [\fB\-u\fR\ \fIusername\fR|\fI#uid\fR] +\&\fBsudoedit\fR [\fB\-a\fR\ \fIauth_type\fR] +[\fB\-p\fR\ \fIprompt\fR] [\fB\-S\fR] [\fB\-u\fR\ \fIusername\fR|\fI#uid\fR] file [...] .SH "DESCRIPTION" .IX Header "DESCRIPTION" 
@@ -214,45 +215,6 @@ or via the \fIsudoers\fR file. .SH "OPTIONS" .IX Header "OPTIONS" \&\fBsudo\fR accepts the following command line options: -.IP "\-H" 4 -.IX Item "-H" -The \fB\-H\fR (\fI\s-1HOME\s0\fR) option sets the \f(CW\*(C`HOME\*(C'\fR environment variable -to the homedir of the target user (root by default) as specified -in passwd(@mansectform@). By default, \fBsudo\fR does not modify \f(CW\*(C`HOME\*(C'\fR -(see \fIset_home\fR and \fIalways_set_home\fR in sudoers(@mansectform@)). -.IP "\-K" 4 -.IX Item "-K" -The \fB\-K\fR (sure \fIkill\fR) option is like \fB\-k\fR except that it removes -the user's timestamp entirely. Like \fB\-k\fR, this option does not -require a password. -.IP "\-L" 4 -.IX Item "-L" -The \fB\-L\fR (\fIlist\fR defaults) option will list out the parameters -that may be set in a \fIDefaults\fR line along with a short description -for each. This option is useful in conjunction with \fIgrep\fR\|(1). -.IP "\-P" 4 -.IX Item "-P" -The \fB\-P\fR (\fIpreserve group vector\fR) option causes \fBsudo\fR to -preserve the invoking user's group vector unaltered. By default, -\&\fBsudo\fR will initialize the group vector to the list of groups the -target user is in. The real and effective group IDs, however, are -still set to match the target user. -.IP "\-S" 4 -.IX Item "-S" -The \fB\-S\fR (\fIstdin\fR) option causes \fBsudo\fR to read the password from -the standard input instead of the terminal device. -.IP "\-U" 4 -.IX Item "-U" -The \fB\-U\fR (\fIother user\fR) option is used in conjunction with the \fB\-l\fR -option to specify the user whose privileges should be listed. Only -root or a user with \fBsudo\fR \f(CW\*(C`ALL\*(C'\fR on the current host may use this -option. -.IP "\-V" 4 -.IX Item "-V" -The \fB\-V\fR (\fIversion\fR) option causes \fBsudo\fR to print the version -number and exit. 
If the invoking user is already root the \fB\-V\fR -option will print out a list of the defaults \fBsudo\fR was compiled -with as well as the machine's local network addresses. .IP "\-a" 4 .IX Item "-a" The \fB\-a\fR (\fIauthentication type\fR) option causes \fBsudo\fR to use the @@ -267,6 +229,15 @@ with the \-\-with\-bsdauth option. The \fB\-b\fR (\fIbackground\fR) option tells \fBsudo\fR to run the given command in the background. Note that if you use the \fB\-b\fR option you cannot use shell job control to manipulate the process. +.IP "\-C fd" 4 +.IX Item "-C fd" +Normally, \fBsudo\fR will close all open file descriptors other than +standard input, standard output and standard error. The \fB\-C\fR +(\fIclose from\fR) option allows the user to specify a starting point +above the standard error (file descriptor three). Values less than +three are not permitted. This option is only available if the +administrator has enabled the \fIclosefrom_override\fR option in +sudoers(@mansectform@). .IP "\-c" 4 .IX Item "-c" The \fB\-c\fR (\fIclass\fR) option causes \fBsudo\fR to run the specified command @@ -279,6 +250,12 @@ argument specifies an existing user class, the command must be run as root, or the \fBsudo\fR command must be run from a shell that is already root. This option is only available on systems with \s-1BSD\s0 login classes where \fBsudo\fR has been configured with the \-\-with\-logincap option. +.IP "\-E" 4 +.IX Item "-E" +The \fB\-E\fR (\fIpreserve environment\fR) option will override the +\&\fIenv_reset\fR option in sudoers(@mansectform@)). It is only +available when either the matching command has the \f(CW\*(C`SETENV\*(C'\fR tag +or the \fIsetenv\fR option is set in sudoers(@mansectform@). .IP "\-e" 4 .IX Item "-e" The \fB\-e\fR (\fIedit\fR) option indicates that, instead of running 
@@ -308,6 +285,12 @@ the invoking user's environment unmodified. If, for some reason, user will receive a warning and the edited copy will remain in a temporary file. .RE +.IP "\-H" 4 +.IX Item "-H" +The \fB\-H\fR (\fI\s-1HOME\s0\fR) option sets the \f(CW\*(C`HOME\*(C'\fR environment variable +to the homedir of the target user (root by default) as specified +in passwd(@mansectform@). By default, \fBsudo\fR does not modify \f(CW\*(C`HOME\*(C'\fR +(see \fIset_home\fR and \fIalways_set_home\fR in sudoers(@mansectform@)). .IP "\-h" 4 .IX Item "-h" The \fB\-h\fR (\fIhelp\fR) option causes \fBsudo\fR to print a usage message and exit. @@ -318,9 +301,14 @@ in the passwd(@mansectform@) entry of the user that the command is being run as. The command name argument given to the shell begins with a `\f(CW\*(C`\-\*(C'\fR' to tell the shell to run as a login shell. \fBsudo\fR attempts to change to that user's home directory before running the -shell. It also initializes the environment, leaving \fI\s-1TERM\s0\fR -unchanged, setting \fI\s-1HOME\s0\fR, \fI\s-1SHELL\s0\fR, \fI\s-1USER\s0\fR, \fI\s-1LOGNAME\s0\fR, and +shell. It also initializes the environment, leaving \fI\s-1DISPLAY\s0\fR +and \fI\s-1TERM\s0\fR unchanged, setting \fI\s-1HOME\s0\fR, \fI\s-1SHELL\s0\fR, \fI\s-1USER\s0\fR, \fI\s-1LOGNAME\s0\fR, and \&\fI\s-1PATH\s0\fR, and unsetting all other environment variables. +.IP "\-K" 4 +.IX Item "-K" +The \fB\-K\fR (sure \fIkill\fR) option is like \fB\-k\fR except that it removes +the user's timestamp entirely. Like \fB\-k\fR, this option does not +require a password. .IP "\-k" 4 .IX Item "-k" The \fB\-k\fR (\fIkill\fR) option to \fBsudo\fR invalidates the user's timestamp 
@@ -328,6 +316,11 @@ by setting the time on it to the Epoch. The next time \fBsudo\fR is run a password will be required. This option does not require a password and was added to allow a user to revoke \fBsudo\fR permissions from a .logout file. +.IP "\-L" 4 +.IX Item "-L" +The \fB\-L\fR (\fIlist\fR defaults) option will list out the parameters +that may be set in a \fIDefaults\fR line along with a short description +for each. This option is useful in conjunction with \fIgrep\fR\|(1). .IP "\-l [\fIcommand\fR]" 4 .IX Item "-l [command]" If no \fIcommand\fR is specified, the \fB\-l\fR (\fIlist\fR) option will list @@ -337,6 +330,13 @@ user specified by the \fB\-U\fR option) on the current host. If a fully-qualified path to the command is displayed along with any command line arguments. If \fIcommand\fR is not allowed, \fBsudo\fR will exit with a return value of 1. +.IP "\-P" 4 +.IX Item "-P" +The \fB\-P\fR (\fIpreserve group vector\fR) option causes \fBsudo\fR to +preserve the invoking user's group vector unaltered. By default, +\&\fBsudo\fR will initialize the group vector to the list of groups the +target user is in. The real and effective group IDs, however, are +still set to match the target user. .IP "\-p" 4 .IX Item "-p" The \fB\-p\fR (\fIprompt\fR) option allows you to override the default @@ -361,7 +361,7 @@ expanded to the local hostname without the domain name .IX Item "%H" expanded to the local hostname including the domain name (on if the machine's hostname is fully qualified or the \fIfqdn\fR -sudoers option is set) +\&\fIsudoers\fR option is set) .ie n .IP "\*(C`%%\*(C'" 8 .el .IP "\f(CW\*(C`%%\*(C'\fR" 8 .IX Item "%%" 
@@ -369,11 +369,21 @@ two consecutive \f(CW\*(C`%\*(C'\fR characters are collapsed into a single \f(CW .RE .RS 4 .RE +.IP "\-S" 4 +.IX Item "-S" +The \fB\-S\fR (\fIstdin\fR) option causes \fBsudo\fR to read the password from +the standard input instead of the terminal device. .IP "\-s" 4 .IX Item "-s" The \fB\-s\fR (\fIshell\fR) option runs the shell specified by the \fI\s-1SHELL\s0\fR environment variable if it is set or the shell as specified in passwd(@mansectform@). +.IP "\-U" 4 +.IX Item "-U" +The \fB\-U\fR (\fIother user\fR) option is used in conjunction with the \fB\-l\fR +option to specify the user whose privileges should be listed. Only +root or a user with \fBsudo\fR \f(CW\*(C`ALL\*(C'\fR on the current host may use this +option. .IP "\-u" 4 .IX Item "-u" The \fB\-u\fR (\fIuser\fR) option causes \fBsudo\fR to run the specified command @@ -381,6 +391,12 @@ as a user other than \fIroot\fR. To specify a \fIuid\fR instead of a \&\fIusername\fR, use \fI#uid\fR. Note that if the \fItargetpw\fR Defaults option is set (see sudoers(@mansectform@)) it is not possible to run commands with a uid not listed in the password database. +.IP "\-V" 4 +.IX Item "-V" +The \fB\-V\fR (\fIversion\fR) option causes \fBsudo\fR to print the version +number and exit. If the invoking user is already root the \fB\-V\fR +option will print out a list of the defaults \fBsudo\fR was compiled +with as well as the machine's local network addresses. .IP "\-v" 4 .IX Item "-v" If given the \fB\-v\fR (\fIvalidate\fR) option, \fBsudo\fR will update the 
@@ -391,6 +407,13 @@ a command. .IP "\-\-" 4 The \fB\-\-\fR flag indicates that \fBsudo\fR should stop processing command line arguments. It is most useful in conjunction with the \fB\-s\fR flag. +.PP +Environment variables to be set for the command may also be passed +on the command line in the form of \fB\s-1VAR\s0\fR=\fIvalue\fR, e.g. +\&\fB\s-1LD_LIBRARY_PATH\s0\fR=\fI/usr/local/pkg/lib\fR. This is only permitted +when the \fIsetenv\fR option is set in \fIsudoers\fR or the command to +be run has the \f(CW\*(C`SETENV\*(C'\fR tag set. See sudoers(@mansectform@) +for more information. .SH "RETURN VALUES" .IX Header "RETURN VALUES" Upon successful execution of a program, the return value from \fBsudo\fR 
@@ -442,20 +465,20 @@ behavior or link \fBsudo\fR statically. .PP \&\fBsudo\fR will check the ownership of its timestamp directory (\fI@timedir@\fR by default) and ignore the directory's contents if -it is not owned by root and only writable by root. On systems that -allow non-root users to give away files via \fIchown\fR\|(2), if the timestamp -directory is located in a directory writable by anyone (e.g.: \fI/tmp\fR), -it is possible for a user to create the timestamp directory before -\&\fBsudo\fR is run. However, because \fBsudo\fR checks the ownership and -mode of the directory and its contents, the only damage that can -be done is to \*(L"hide\*(R" files by putting them in the timestamp dir. -This is unlikely to happen since once the timestamp dir is owned -by root and inaccessible by any other user the user placing files -there would be unable to get them back out. To get around this -issue you can use a directory that is not world-writable for the -timestamps (\fI/var/adm/sudo\fR for instance) or create \fI@timedir@\fR -with the appropriate owner (root) and permissions (0700) in the -system startup files. +it is not owned by root or if it is writable by a user other than +root. On systems that allow non-root users to give away files via +\&\fIchown\fR\|(2), if the timestamp directory is located in a directory +writable by anyone (e.g., \fI/tmp\fR), it is possible for a user to +create the timestamp directory before \fBsudo\fR is run. However, +because \fBsudo\fR checks the ownership and mode of the directory and +its contents, the only damage that can be done is to \*(L"hide\*(R" files +by putting them in the timestamp dir. This is unlikely to happen +since once the timestamp dir is owned by root and inaccessible by +any other user, the user placing files there would be unable to get +them back out. 
To get around this issue you can use a directory +that is not world-writable for the timestamps (\fI/var/adm/sudo\fR for +instance) or create \fI@timedir@\fR with the appropriate owner (root) +and permissions (0700) in the system startup files. .PP \&\fBsudo\fR will not honor timestamps set far in the future. Timestamps with a date greater than current_time + 2 * \f(CW\*(C`TIMEOUT\*(C'\fR @@ -580,9 +603,8 @@ passwd(@mansectform@), visudo(@mansectsu@) Many people have worked on \fBsudo\fR over the years; this version consists of code written primarily by: .PP -.Vb 2 -\& Todd Miller -\& Chris Jepeway +.Vb 1 +\& Todd C. Miller .Ve .PP See the \s-1HISTORY\s0 file in the \fBsudo\fR distribution or visit @@ -598,13 +620,13 @@ most systems it is possible to prevent shell escapes with \fBsudo\fR's \&\fInoexec\fR functionality. See the sudoers(@mansectform@) manual for details. .PP -It is not meaningful to run the \f(CW\*(C`cd\*(C'\fR command directly via sudo, e.g. +It is not meaningful to run the \f(CW\*(C`cd\*(C'\fR command directly via sudo, e.g., .PP .Vb 1 \& $ sudo cd /usr/local/protected .Ve .PP -since when whe command exits the parent process (your shell) will +since when the command exits the parent process (your shell) will still be the same. Please see the \s-1EXAMPLES\s0 section for more information. .PP If users have sudo \f(CW\*(C`ALL\*(C'\fR there is nothing to prevent them from @@ -620,9 +642,6 @@ If you feel you have found a bug in \fBsudo\fR, please submit a bug report at http://www.sudo.ws/sudo/bugs/ .SH "SUPPORT" .IX Header "SUPPORT" -Commercial support is available for \fBsudo\fR, see -http://www.sudo.ws/sudo/support.html for details. -.PP Limited free support is available via the sudo-users mailing list, see http://www.sudo.ws/mailman/listinfo/sudo\-users to subscribe or search the archives. diff --git a/sudoers.cat b/sudoers.cat index c52c8ef2b..d00da61ef 100644 --- a/sudoers.cat +++ b/sudoers.cat 
@@ -61,7 +61,7 @@ DDEESSCCRRIIPPTTIIOONN -1.6.9 November 28, 2004 1 +1.7 June 23, 2007 1 @@ -127,7 +127,7 @@ SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4) -1.6.9 November 28, 2004 2 +1.7 June 23, 2007 2 @@ -158,10 +158,12 @@ SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4) addresses, network numbers, netgroups (prefixed with '+') and other aliases. Again, the value of an item may be negated with the '!' operator. If you do not specify a - netmask with a network number, the netmask of the host's - ethernet interface(s) will be used when matching. The + netmask along with the network number, ssuuddoo will query + each of the local host's network interfaces and, if the + network number corresponds to one of the hosts's network + interfaces, the corresponding netmask will be used. The netmask may be specified either in dotted quad notation - (e.g. 255.255.255.0) or CIDR notation (number of bits, + (e.g. 255.255.255.0) or CIDR notation (number of bits, e.g. 24). A hostname may include shell-style wildcards (see the Wildcards section below), but unless the hostname command on your machine returns the fully qualified host­ @@ -188,12 +190,10 @@ SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4) he/she wishes. However, you may also specify command line arguments (including wildcards). Alternately, you can specify "" to indicate that the command may only be run - wwiitthhoouutt command line arguments. A directory is a fully - qualified pathname ending in a '/'. When you specify a -1.6.9 November 28, 2004 3 +1.7 June 23, 2007 3 @@ -202,6 +202,8 @@ SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4) SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4) + wwiitthhoouutt command line arguments. A directory is a fully + qualified pathname ending in a '/'. When you specify a directory in a Cmnd_List, the user will be able to run any file within that directory (but not in any subdirectories therein). 
@@ -254,12 +256,10 @@ SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4) Lists have two additional assignment operators, += and -=. These operators are used to add to and delete from a list respectively. It is not an error to use the -= operator - to remove an element that does not exist in a list. - -1.6.9 November 28, 2004 4 +1.7 June 23, 2007 4 @@ -268,6 +268,8 @@ SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4) SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4) + to remove an element that does not exist in a list. + FFllaaggss: long_otp_prompt @@ -320,12 +322,10 @@ SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4) authenticate If set, users must authenticate themselves via - a password (or other means of authentication) - before they may run commands. This default -1.6.9 November 28, 2004 5 +1.7 June 23, 2007 5 @@ -334,6 +334,8 @@ SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4) SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4) + a password (or other means of authentication) + before they may run commands. This default may be overridden via the PASSWD and NOPASSWD tags. This flag is _o_n by default. @@ -386,12 +388,10 @@ SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4) on the location of executables that the normal user does not have access to. The disadvan­ tage is that if the executable is simply not - in the user's PATH, ssuuddoo will tell the user - that they are not allowed to run it, which can -1.6.9 November 28, 2004 6 +1.7 June 23, 2007 6 @@ -400,6 +400,8 @@ SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4) SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4) + in the user's PATH, ssuuddoo will tell the user + that they are not allowed to run it, which can be confusing. This flag is _o_f_f by default. preserve_groups 
@@ -438,7 +440,7 @@ SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4) things like "rsh somehost sudo ls" since _r_s_h(1) does not allocate a tty. Because it is not possible to turn off echo when there is no - tty present, some sites may with to set this + tty present, some sites may wish to set this flag to prevent a user from entering a visible password. This flag is _o_f_f by default. @@ -452,12 +454,10 @@ SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4) in the editor variable. vviissuuddoo will then only use the EDITOR or VISUAL if they match a value specified in editor. This flag is off by - default. - -1.6.9 November 28, 2004 7 +1.7 June 23, 2007 7 @@ -466,6 +466,8 @@ SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4) SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4) + default. + rootpw If set, ssuuddoo will prompt for the root password instead of the password of the invoking user. This flag is _o_f_f by default. 
@@ -484,15 +486,18 @@ SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4) argument to the --uu flag. This flag is _o_f_f by default. - set_logname Normally, ssuuddoo will set the LOGNAME and USER - environment variables to the name of the tar­ - get user (usually root unless the --uu flag is - given). However, since some programs (includ­ - ing the RCS revision control system) use LOG­ - NAME to determine the real identity of the - user, it may be desirable to change this + set_logname Normally, ssuuddoo will set the LOGNAME, USER and + USERNAME environment variables to the name of + the target user (usually root unless the --uu + flag is given). However, since some programs + (including the RCS revision control system) + use LOGNAME to determine the real identity of + the user, it may be desirable to change this behavior. This can be done by negating the - set_logname option. + set_logname option. Note that if the + _e_n_v___r_e_s_e_t option has not been disabled, + entries in the _e_n_v___k_e_e_p list will override the + value of _s_e_t___l_o_g_n_a_m_e. stay_setuid Normally, when ssuuddoo executes a command the real and effective UIDs are set to the target 
@@ -507,23 +512,18 @@ SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4) _s_e_t_r_e_u_i_d_(_) or _s_e_t_r_e_s_u_i_d_(_) function. env_reset If set, ssuuddoo will reset the environment to - only contain the following variables: HOME, - LOGNAME, PATH, SHELL, TERM, and USER (in addi­ - tion to the SUDO_* variables). Of these, only - TERM is copied unaltered from the old environ­ - ment. The other variables are set to default - values (possibly modified by the value of the - _s_e_t___l_o_g_n_a_m_e option). If the _s_e_c_u_r_e___p_a_t_h - option is set, its value will be used for the - PATH environment variable. Other variables - may be preserved with the _e_n_v___k_e_e_p option. - - use_loginclass - If set, ssuuddoo will apply the defaults specified + only contain the LOGNAME, SHELL, USER, USER­ + NAME and the SUDO_* variables. Any variables + in the caller's environment that match the + env_keep and env_check lists are then added. + The default contents of the env_keep and + env_check lists are displayed when ssuuddoo is run + by root with the _-_V option. If the + _s_e_c_u_r_e___p_a_t_h option is set, its -value will be -1.6.9 November 28, 2004 8 +1.7 June 23, 2007 8 @@ -532,6 +532,11 @@ SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4) SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4) + used for the PATH environment variable. This + flag is _o_n by default. + + use_loginclass + If set, ssuuddoo will apply the defaults specified for the target user's login class if one exists. Only available if ssuuddoo is configured with the --with-logincap option. This flag is @@ -557,7 +562,7 @@ SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4) ignore_local_sudoers If set via LDAP, parsing of @sysconfdir@/sudo­ - ers will be skipped. This is intended for an + ers will be skipped. This is intended for Enterprises that wish to prevent the usage of local sudoers files so that only LDAP is used. This thwarts the efforts of rogue operators 
@@ -570,33 +575,39 @@ SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4) meaningful for the cn=defaults section. This flag is _o_f_f by default. + closefrom_override + If set, the user may use ssuuddoo's --CC option + which overrides the default starting point at + which ssuuddoo begins closing open file descrip­ + tors. This flag is _o_f_f by default. + IInntteeggeerrss: passwd_tries The number of tries a user gets to enter his/her password before ssuuddoo logs the failure - and exits. The default is 3. - IInntteeggeerrss tthhaatt ccaann bbee uusseedd iinn aa bboooolleeaann ccoonntteexxtt: - loglinelen Number of characters per line for the file - log. This value is used to decide when to - wrap lines for nicer log files. This has no - effect on the syslog log file, only the file - log. The default is 80 (use 0 or negate the - option to disable word wrap). +1.7 June 23, 2007 9 -1.6.9 November 28, 2004 9 +SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4) + and exits. The default is 3. -SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4) + IInntteeggeerrss tthhaatt ccaann bbee uusseedd iinn aa bboooolleeaann ccoonntteexxtt: + loglinelen Number of characters per line for the file + log. This value is used to decide when to + wrap lines for nicer log files. This has no + effect on the syslog log file, only the file + log. The default is 80 (use 0 or negate the + option to disable word wrap). timestamp_timeout Number of minutes that can elapse before ssuuddoo 
@@ -617,6 +628,22 @@ SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4) this option or set it to 0777 to preserve the user's umask. The default is 0022. + closefrom Before it executes a command, ssuuddoo will close + all open file descriptors other than standard + input, standard output and standard error (ie: + file descriptors 0-2). The _c_l_o_s_e_f_r_o_m option + can be used to specify a different file + descriptor at which to start closing. The + default is 3. + + setenv Allow the user to set additional environment + variables from the command line. Note that + variables set this way are not subject to the + restrictions imposed by _e_n_v___c_h_e_c_k, _e_n_v___d_e_l_e_t_e, + or _e_n_v___r_e_s_e_t. As such, only trusted users + should be allowed to set variables in this + manner. + SSttrriinnggss: mailsub Subject of the mail sent to the _m_a_i_l_t_o user. @@ -624,6 +651,19 @@ SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4) the machine. Default is *** SECURITY informa­ tion for %h ***. + + + + +1.7 June 23, 2007 10 + + + + + +SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4) + + badpass_message Message that is displayed if a user enters an incorrect password. The default is Sorry, try @@ -653,24 +693,13 @@ SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4) %h expanded to the local hostname without the domain name - - -1.6.9 November 28, 2004 10 - - - - - -SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4) - - %H expanded to the local hostname includ­ ing the domain name (on if the machine's hostname is fully qualified or the _f_q_d_n option is set) %% two consecutive % characters are col­ - laped into a single % character + lapsed into a single % character The default value is Password:. 
@@ -689,12 +718,24 @@ SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4) Syslog priority to use when user authenticates unsuccessfully. Defaults to alert. + + + +1.7 June 23, 2007 11 + + + + + +SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4) + + editor A colon (':') separated list of editors allowed to be used with vviissuuddoo. vviissuuddoo will - choose the editor that matches the user's USER - environment variable if possible, or the first - editor in the list that exists and is exe­ - cutable. The default is the path to vi on + choose the editor that matches the user's EDI­ + TOR environment variable if possible, or the + first editor in the list that exists and is + executable. The default is the path to vi on your system. noexec_file Path to a shared library containing dummy ver­ @@ -703,7 +744,7 @@ SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4) This is used to implement the _n_o_e_x_e_c function­ ality on systems that support LD_PRELOAD or its equivalent. Defaults to - _/_u_s_r_/_l_o_c_a_l_/_l_i_b_e_x_e_c_/_s_u_d_o___n_o_e_x_e_c_._s_o. + _/_u_s_r_/_l_o_c_a_l_/_l_i_b_e_x_e_c_/_s_u_d_o___n_o_e_x_e_c. SSttrriinnggss tthhaatt ccaann bbee uusseedd iinn aa bboooolleeaann ccoonntteexxtt: @@ -718,18 +759,6 @@ SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4) always Always lecture the user. - - - -1.6.9 November 28, 2004 11 - - - - - -SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4) - - If no value is specified, a value of _o_n_c_e is implied. Negating the option results in a value of _n_e_v_e_r being used. The default value @@ -755,6 +784,18 @@ SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4) mailerflags Flags to use when invoking mailer. Defaults to --tt. + + + +1.7 June 23, 2007 12 + + + + + +SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4) + + mailto Address to send warning and error mail to. The address should be enclosed in double quotes (") to protect against ssuuddoo interpret­ 
@@ -784,18 +825,6 @@ SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4) any At least one of the user's _s_u_d_o_e_r_s entries for the current host must have - - - -1.6.9 November 28, 2004 12 - - - - - -SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4) - - the NOPASSWD flag set to avoid enter­ ing a password. @@ -820,8 +849,20 @@ SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4) any At least one of the user's _s_u_d_o_e_r_s entries for the current host must have - the NOPASSWD flag set to avoid enter­ - ing a password. + the NOPASSWD flag set to avoid + + + +1.7 June 23, 2007 13 + + + + + +SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4) + + + entering a password. never The user need never enter a password to use the --ll flag. @@ -845,23 +886,15 @@ SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4) rated list or a single value without dou­ ble-quotes. The list can be replaced, added to, deleted from, or disabled by using the =, - +=, -=, and ! operators respectively. The + +=, -=, and ! operators respectively. Regard­ + less of whether the env_reset option is + enabled or disabled, variables specified by + env_check will be preserved in the environment + if they pass the aforementioned check. The default list of environment variables to check - is printed when ssuuddoo is run by root with the + is displayed when ssuuddoo is run by root with the _-_V option. - - - -1.6.9 November 28, 2004 13 - - - - - -SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4) - - env_delete Environment variables to be removed from the user's environment. The argument may be a double-quoted, space-separated list or a sin­ 
@@ -869,7 +902,7 @@ SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4) be replaced, added to, deleted from, or dis­ abled by using the =, +=, -=, and ! operators respectively. The default list of environment - variables to remove is printed when ssuuddoo is + variables to remove is displayed when ssuuddoo is run by root with the _-_V option. Note that many operating systems will remove potentially dangerous variables from the environment of @@ -882,10 +915,23 @@ SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4) cesses will receive. The argument may be a double-quoted, space-separated list or a sin­ gle value without double-quotes. The list can - be replaced, added to, deleted from, or dis­ - abled by using the =, +=, -=, and ! operators - respectively. This list has no default mem­ - bers. + be replaced, added to, deleted from, or + + + +1.7 June 23, 2007 14 + + + + + +SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4) + + + disabled by using the =, +=, -=, and ! opera­ + tors respectively. The default list of vari­ + ables to keep is displayed when ssuuddoo is run by + root with the _-_V option. When logging via _s_y_s_l_o_g(3), ssuuddoo accepts the following values for the syslog facility (the value of the ssyysslloogg @@ -908,7 +954,7 @@ SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4) Runas_Spec ::= '(' Runas_List ')' Tag_Spec ::= ('NOPASSWD:' | 'PASSWD:' | 'NOEXEC:' | 'EXEC:' | - 'MONITOR' | 'NOMONITOR') + 'SETENV:' | 'NOSETENV:' | 'MONITOR:' | 'NOMONITOR:') A uusseerr ssppeecciiffiiccaattiioonn determines which commands a user may run (and as what user) on specified hosts. By default, @@ -917,17 +963,6 @@ SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4) Let's break that down into its constituent parts: - - -1.6.9 November 28, 2004 14 - - - - - -SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4) - - RRuunnaass__SSppeecc A Runas_Spec is simply a Runas_List (as defined above) 
@@ -947,6 +982,18 @@ SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4) It is also possible to override a Runas_Spec later on in an entry. If we modify the entry like so: + + + +1.7 June 23, 2007 15 + + + + + +SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4) + + dgb boulder = (operator) /bin/ls, (root) /bin/kill, /usr/bin/lprm Then user ddggbb is now allowed to run _/_b_i_n_/_l_s as ooppeerraattoorr, @@ -955,12 +1002,12 @@ SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4) TTaagg__SSppeecc A command may have zero or more tags associated with it. - There are four possible tag values, NOPASSWD, PASSWD, - NOEXEC, EXEC, MONITOR and NOMONITOR. Once a tag is set on - a Cmnd, subsequent Cmnds in the Cmnd_Spec_List, inherit - the tag unless it is overridden by the opposite tag (ie: - PASSWD overrides NOPASSWD and NOMONITOR overrides MONI­ - TOR). + There are eight possible tag values, NOPASSWD, PASSWD, + NOEXEC, EXEC, SETENV, NOSETENV, MONITOR and NOMONITOR. + Once a tag is set on a Cmnd, subsequent Cmnds in the + Cmnd_Spec_List, inherit the tag unless it is overridden by + the opposite tag (i.e.: PASSWD overrides NOPASSWD and + NOEXEC overrides EXEC). _N_O_P_A_S_S_W_D _a_n_d _P_A_S_S_W_D @@ -982,18 +1029,6 @@ SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4) ray rushmore = NOPASSWD: /bin/kill, PASSWD: /bin/ls, /usr/bin/lprm Note, however, that the PASSWD tag has no effect on users - - - -1.6.9 November 28, 2004 15 - - - - - -SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4) - - who are in the group specified by the _e_x_e_m_p_t___g_r_o_u_p option. By default, if the NOPASSWD tag is applied to any of the 
@@ -1014,12 +1049,32 @@ SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4) In the following example, user aaaarroonn may run _/_u_s_r_/_b_i_n_/_m_o_r_e and _/_u_s_r_/_b_i_n_/_v_i but shell escapes will be disabled. + + +1.7 June 23, 2007 16 + + + + + +SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4) + + aaron shanty = NOEXEC: /usr/bin/more, /usr/bin/vi See the "PREVENTING SHELL ESCAPES" section below for more details on how NOEXEC works and whether or not it will work on your system. + _S_E_T_E_N_V _a_n_d _N_O_S_E_T_E_N_V + + These tags override the value of the _s_e_t_e_n_v option on a + per-command basis. Note that environment variables set on + the command line way are not subject to the restrictions + imposed by _e_n_v___c_h_e_c_k, _e_n_v___d_e_l_e_t_e, or _e_n_v___r_e_s_e_t. As such, + only trusted users should be allowed to set variables in + this manner. + _M_O_N_I_T_O_R _a_n_d _N_O_M_O_N_I_T_O_R If ssuuddoo has been configured with the --with-systrace @@ -1049,26 +1104,27 @@ SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4) * Matches any set of zero or more characters. + ? Matches any single character. + + [...] Matches any character in the specified range. + [!...] Matches any character nnoott in the specified range. -1.6.9 November 28, 2004 16 + \x For any character "x", evaluates to "x". This is + used to escape special characters such as: "*", + "?", "[", and "}". +1.7 June 23, 2007 17 -SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4) - ? Matches any single character. - [...] Matches any character in the specified range. - [!...] Matches any character nnoott in the specified range. +SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4) - \x For any character "x", evaluates to "x". This is - used to escape special characters such as: "*", - "?", "[", and "}". Note that a forward slash ('/') will nnoott be matched by wildcards used in the pathname. When matching the command 
@@ -1114,28 +1170,28 @@ SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4) The pound sign ('#') is used to indicate a comment (unless it is part of a #include directive or unless it occurs in the context of a user name and is followed by one or more + digits, in which case it is treated as a uid). Both the + comment character and any text after it, up to the end of + the line, are ignored. + The reserved word AALLLL is a built-in _a_l_i_a_s that always + causes a match to succeed. It can be used wherever one + might otherwise use a Cmnd_Alias, User_Alias, Runas_Alias, + or Host_Alias. You should not try to define your own + _a_l_i_a_s called AALLLL as the built-in alias will be used in + preference to your own. Please note that using AALLLL can be -1.6.9 November 28, 2004 17 +1.7 June 23, 2007 18 -SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4) +SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4) - digits, in which case it is treated as a uid). Both the - comment character and any text after it, up to the end of - the line, are ignored. - The reserved word AALLLL is a built-in _a_l_i_a_s that always - causes a match to succeed. It can be used wherever one - might otherwise use a Cmnd_Alias, User_Alias, Runas_Alias, - or Host_Alias. You should not try to define your own - _a_l_i_a_s called AALLLL as the built-in alias will be used in - preference to your own. Please note that using AALLLL can be dangerous since in a command context, it allows the user to run aannyy command on the system. @@ -1175,6 +1231,16 @@ EEXXAAMMPPLLEESS Runas_Alias OP = root, operator Runas_Alias DB = oracle, sybase + # Host alias specification + Host_Alias SPARC = bigtime, eclipse, moet, anchor :\ + SGI = grolsch, dandelion, black :\ + ALPHA = widget, thalamus, foobar :\ + HPPA = boa, nag, python + Host_Alias CUNETS = 128.138.0.0/255.255.0.0 + Host_Alias CSNETS = 128.138.243.0, 128.138.204.0/24, 128.138.242.0 + Host_Alias SERVERS = master, mail, www, ns + Host_Alias CDROM = orion, perseus, hercules + 
@@ -1183,7 +1249,7 @@ EEXXAAMMPPLLEESS -1.6.9 November 28, 2004 18 +1.7 June 23, 2007 19 @@ -1192,16 +1258,6 @@ EEXXAAMMPPLLEESS SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4) - # Host alias specification - Host_Alias SPARC = bigtime, eclipse, moet, anchor :\ - SGI = grolsch, dandelion, black :\ - ALPHA = widget, thalamus, foobar :\ - HPPA = boa, nag, python - Host_Alias CUNETS = 128.138.0.0/255.255.0.0 - Host_Alias CSNETS = 128.138.243.0, 128.138.204.0/24, 128.138.242.0 - Host_Alias SERVERS = master, mail, www, ns - Host_Alias CDROM = orion, perseus, hercules - # Cmnd alias specification Cmnd_Alias DUMPS = /usr/bin/mt, /usr/sbin/dump, /usr/sbin/rdump,\ /usr/sbin/restore, /usr/sbin/rrestore @@ -1220,14 +1276,14 @@ SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4) We want ssuuddoo to log via _s_y_s_l_o_g(3) using the _a_u_t_h facility in all cases. We don't want to subject the full time staff to the ssuuddoo lecture, user mmiilllleerrtt need not give a - password, and we don't want to reset the LOGNAME or USER - environment variables when running commands as root. - Additionally, on the machines in the _S_E_R_V_E_R_S Host_Alias, - we keep an additional local log file and make sure we log - the year in each log line since the log entries will be - kept around for several years. Lastly, we disable shell - escapes for the commands in the PAGERS Cmnd_Alias - (/usr/bin/more, /usr/bin/pg and /usr/bin/less). + password, and we don't want to reset the LOGNAME, USER or + USERNAME environment variables when running commands as + root. Additionally, on the machines in the _S_E_R_V_E_R_S + Host_Alias, we keep an additional local log file and make + sure we log the year in each log line since the log + entries will be kept around for several years. Lastly, we + disable shell escapes for the commands in the PAGERS + Cmnd_Alias (/usr/bin/more, /usr/bin/pg and /usr/bin/less). # Override built-in defaults Defaults syslog=auth 
@@ -1246,28 +1302,27 @@ SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4) We let rroooott and any user in group wwhheeeell run any command on any host as any user. + FULLTIMERS ALL = NOPASSWD: ALL + Full time sysadmins (mmiilllleerrtt, mmiikkeeff, and ddoowwddyy) may run + any command on any host without authenticating themselves. + PARTTIMERS ALL = ALL -1.6.9 November 28, 2004 19 - + Part time sysadmins (bboossttlleeyy, jjwwffooxx, and ccrraawwll) may run + any command on any host but they must authenticate them­ + selves first (since the entry lacks the NOPASSWD tag). +1.7 June 23, 2007 20 -SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4) - FULLTIMERS ALL = NOPASSWD: ALL - Full time sysadmins (mmiilllleerrtt, mmiikkeeff, and ddoowwddyy) may run - any command on any host without authenticating themselves. - PARTTIMERS ALL = ALL +SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4) - Part time sysadmins (bboossttlleeyy, jjwwffooxx, and ccrraawwll) may run - any command on any host but they must authenticate them­ - selves first (since the entry lacks the NOPASSWD tag). jack CSNETS = ALL 
@@ -1312,29 +1367,29 @@ SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4) The user jjiimm may run any command on machines in the _b_i_g_l_a_b netgroup. SSuuddoo knows that "biglab" is a netgroup due to + the '+' prefix. + +secretaries ALL = PRINTING, /usr/bin/adduser, /usr/bin/rmuser + Users in the sseeccrreettaarriieess netgroup need to help manage the + printers as well as add and remove users, so they are + allowed to run those commands on all machines. -1.6.9 November 28, 2004 20 + fred ALL = (DB) NOPASSWD: ALL + The user ffrreedd can run commands as any user in the _D_B +1.7 June 23, 2007 21 -SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4) - the '+' prefix. - +secretaries ALL = PRINTING, /usr/bin/adduser, /usr/bin/rmuser - Users in the sseeccrreettaarriieess netgroup need to help manage the - printers as well as add and remove users, so they are - allowed to run those commands on all machines. +SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4) - fred ALL = (DB) NOPASSWD: ALL - The user ffrreedd can run commands as any user in the _D_B Runas_Alias (oorraaccllee or ssyybbaassee) without giving a password. john ALPHA = /usr/bin/su [!-]*, !/usr/bin/su *root* 
@@ -1379,29 +1434,30 @@ SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4) type, so it is a prime candidate for encapsulating in a shell script. +SSEECCUURRIITTYY NNOOTTEESS + It is generally not effective to "subtract" commands from + ALL using the '!' operator. A user can trivially circum­ + vent this by copying the desired command to a different + name and then executing that. For example: + + bill ALL = ALL, !SU, !SHELLS + Doesn't really prevent bbiillll from running the commands + listed in _S_U or _S_H_E_L_L_S since he can simply copy those -1.6.9 November 28, 2004 21 +1.7 June 23, 2007 22 -SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4) -SSEECCUURRIITTYY NNOOTTEESS - It is generally not effective to "subtract" commands from - ALL using the '!' operator. A user can trivially circum­ - vent this by copying the desired command to a different - name and then executing that. For example: +SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4) - bill ALL = ALL, !SU, !SHELLS - Doesn't really prevent bbiillll from running the commands - listed in _S_U or _S_H_E_L_L_S since he can simply copy those com­ - mands to a different name, or use a shell escape from an - editor or other program. Therefore, these kind of + commands to a different name, or use a shell escape from + an editor or other program. Therefore, these kind of restrictions should be considered advisory at best (and reinforced by policy). 
@@ -1445,26 +1501,27 @@ PPRREEVVEENNTTIINNGG SSHHEELLLL EESSCCAAPPEESS If the resulting output contains a line that begins with: + File containing dummy exec functions: + then ssuuddoo may be able to replace the exec family + of functions in the standard library with its + own that simply return an error. Unfortunately, + there is no foolproof way to know whether or not + _n_o_e_x_e_c will work at compile-time. _N_o_e_x_e_c should + work on SunOS, Solaris, *BSD, Linux, IRIX, Tru64 + UNIX, MacOS X, and HP-UX 11.x. It is known nnoott -1.6.9 November 28, 2004 22 +1.7 June 23, 2007 23 -SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4) - File containing dummy exec functions: +SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4) + - then ssuuddoo may be able to replace the exec family - of functions in the standard library with its - own that simply return an error. Unfortunately, - there is no foolproof way to know whether or not - _n_o_e_x_e_c will work at compile-time. _N_o_e_x_e_c should - work on SunOS, Solaris, *BSD, Linux, IRIX, Tru64 - UNIX, MacOS X, and HP-UX 11.x. It is known nnoott to work on AIX and UnixWare. _N_o_e_x_e_c is expected to work on most operating systems that support the LD_PRELOAD environment variable. Check your @@ -1510,10 +1567,19 @@ SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4) At the time of this writing the ssyyssttrraaccee pseudo- device comes standard with OpenBSD and NetBSD + and is available as patches to FreeBSD, MacOS X + and Linux. See for + more information. + Note that restricting shell escapes is not a panacea. + Programs running as root are still capable of many poten­ + tially hazardous operations (such as changing or overwrit­ + ing files) that could lead to unintended privilege escala­ + tion. In the specific case of an editor, a safer approach -1.6.9 November 28, 2004 23 + +1.7 June 23, 2007 24 
@@ -1522,15 +1588,6 @@ SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4) SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4) - and is available as patches to FreeBSD, MacOS X - and Linux. See for - more information. - - Note that restricting shell escapes is not a panacea. - Programs running as root are still capable of many poten­ - tially hazardous operations (such as changing or overwrit­ - ing files) that could lead to unintended privilege escala­ - tion. In the specific case of an editor, a safer approach is to give the user permission to run ssuuddooeeddiitt. SSEEEE AALLSSOO @@ -1554,9 +1611,6 @@ BBUUGGSS bug report at http://www.sudo.ws/sudo/bugs/ SSUUPPPPOORRTT - Commercial support is available for ssuuddoo, see - http://www.sudo.ws/sudo/support.html for details. - Limited free support is available via the sudo-users mail­ ing list, see http://www.sudo.ws/mail­ man/listinfo/sudo-users to subscribe or search the @@ -1579,6 +1633,18 @@ DDIISSCCLLAAIIMMEERR -1.6.9 November 28, 2004 24 + + + + + + + + + + + + +1.7 June 23, 2007 25 diff --git a/sudoers.man.in b/sudoers.man.in index be4fb04af..c03b226dd 100644 --- a/sudoers.man.in +++ b/sudoers.man.in @@ -1,4 +1,4 @@ -.\" Copyright (c) 1994-1996,1998-2004 Todd C. Miller +.\" Copyright (c) 1994-1996,1998-2005 Todd C. Miller .\" .\" Permission to use, copy, modify, and distribute this software for any .\" purpose with or without fee is hereby granted, provided that the above @@ -18,7 +18,7 @@ .\" Materiel Command, USAF, under agreement number F39502-99-1-0512. .\" .\" $Sudo$ -.\" Automatically generated by Pod::Man v1.37, Pod::Parser v1.14 +.\" Automatically generated by Pod::Man v1.37, Pod::Parser v1.32 .\" .\" Standard preamble: .\" ======================================================================== 
@@ -149,7 +149,7 @@ .\" ======================================================================== .\" .IX Title "SUDOERS @mansectform@" -.TH SUDOERS @mansectform@ "November 28, 2004" "1.6.9" "MAINTENANCE COMMANDS" +.TH SUDOERS @mansectform@ "June 23, 2007" "1.7" "MAINTENANCE COMMANDS" .SH "NAME" sudoers \- list of which users may execute what .SH "DESCRIPTION" @@ -284,7 +284,7 @@ also contain uids (prefixed with '#') and instead of \f(CW\*(C`User_Alias\*(C'\f it can contain \f(CW\*(C`Runas_Alias\*(C'\fRes. Note that usernames and groups are matched as strings. In other words, two users (groups) with the same uid (gid) are considered to be distinct. If you wish to -match all usernames with the same uid (e.g. root and toor), you +match all usernames with the same uid (e.g.\ root and toor), you can use a uid instead (#0 in the example given). .PP .Vb 2 
@@ -303,14 +303,16 @@ can use a uid instead (#0 in the example given). A \f(CW\*(C`Host_List\*(C'\fR is made up of one or more hostnames, \s-1IP\s0 addresses, network numbers, netgroups (prefixed with '+') and other aliases. Again, the value of an item may be negated with the '!' operator. -If you do not specify a netmask with a network number, the netmask -of the host's ethernet interface(s) will be used when matching. -The netmask may be specified either in dotted quad notation (e.g. -255.255.255.0) or \s-1CIDR\s0 notation (number of bits, e.g. 24). A hostname -may include shell-style wildcards (see the Wildcards section below), +If you do not specify a netmask along with the network number, +\&\fBsudo\fR will query each of the local host's network interfaces and, +if the network number corresponds to one of the hosts's network +interfaces, the corresponding netmask will be used. The netmask +may be specified either in dotted quad notation (e.g.\ 255.255.255.0) +or \s-1CIDR\s0 notation (number of bits, e.g.\ 24). A hostname may +include shell-style wildcards (see the Wildcards section below), but unless the \f(CW\*(C`hostname\*(C'\fR command on your machine returns the fully -qualified hostname, you'll need to use the \fIfqdn\fR option for wildcards -to be useful. +qualified hostname, you'll need to use the \fIfqdn\fR option for +wildcards to be useful. .PP .Vb 2 \& Cmnd_List ::= Cmnd | @@ -521,7 +523,7 @@ password. This flag is \fI@insults@\fR by default. If set, \fBsudo\fR will only run when the user is logged in to a real tty. This will disallow things like \f(CW"rsh somehost sudo ls"\fR since \&\fIrsh\fR\|(1) does not allocate a tty. Because it is not possible to turn -off echo when there is no tty present, some sites may with to set +off echo when there is no tty present, some sites may wish to set this flag to prevent a user from entering a visible password. This flag is \fIoff\fR by default. .IP "env_editor" 12 
@@ -552,11 +554,15 @@ in the passwd database as an argument to the \fB\-u\fR flag.
 This flag is \fIoff\fR by default.
 .IP "set_logname" 12
 .IX Item "set_logname"
-Normally, \fBsudo\fR will set the \f(CW\*(C`LOGNAME\*(C'\fR and \f(CW\*(C`USER\*(C'\fR environment variables
-to the name of the target user (usually root unless the \fB\-u\fR flag is given).
-However, since some programs (including the \s-1RCS\s0 revision control system)
-use \f(CW\*(C`LOGNAME\*(C'\fR to determine the real identity of the user, it may be desirable
-to change this behavior. This can be done by negating the set_logname option.
+Normally, \fBsudo\fR will set the \f(CW\*(C`LOGNAME\*(C'\fR, \f(CW\*(C`USER\*(C'\fR and \f(CW\*(C`USERNAME\*(C'\fR
+environment variables to the name of the target user (usually root
+unless the \fB\-u\fR flag is given). However, since some programs
+(including the \s-1RCS\s0 revision control system) use \f(CW\*(C`LOGNAME\*(C'\fR to
+determine the real identity of the user, it may be desirable to
+change this behavior. This can be done by negating the set_logname
+option. Note that if the \fIenv_reset\fR option has not been disabled,
+entries in the \fIenv_keep\fR list will override the value of
+\&\fIset_logname\fR.
 .IP "stay_setuid" 12
 .IX Item "stay_setuid"
 Normally, when \fBsudo\fR executes a command the real and effective
@@ -570,13 +576,13 @@ function.
 .IP "env_reset" 12
 .IX Item "env_reset"
 If set, \fBsudo\fR will reset the environment to only contain the
-following variables: \f(CW\*(C`HOME\*(C'\fR, \f(CW\*(C`LOGNAME\*(C'\fR, \f(CW\*(C`PATH\*(C'\fR, \f(CW\*(C`SHELL\*(C'\fR, \f(CW\*(C`TERM\*(C'\fR,
-and \f(CW\*(C`USER\*(C'\fR (in addition to the \f(CW\*(C`SUDO_*\*(C'\fR variables).
-Of these, only \f(CW\*(C`TERM\*(C'\fR is copied unaltered from the old environment.
-The other variables are set to default values (possibly modified
-by the value of the \fIset_logname\fR option). If the \fIsecure_path\fR
-option is set, its value will be used for the \f(CW\*(C`PATH\*(C'\fR environment variable.
-Other variables may be preserved with the \fIenv_keep\fR option.
+\&\s-1LOGNAME\s0, \s-1SHELL\s0, \s-1USER\s0, \s-1USERNAME\s0 and the \f(CW\*(C`SUDO_*\*(C'\fR variables. Any
+variables in the caller's environment that match the \f(CW\*(C`env_keep\*(C'\fR
+and \f(CW\*(C`env_check\*(C'\fR lists are then added. The default contents of the
+\&\f(CW\*(C`env_keep\*(C'\fR and \f(CW\*(C`env_check\*(C'\fR lists are displayed when \fBsudo\fR is
+run by root with the \fI\-V\fR option. If the \fIsecure_path\fR option
+is set, its \-value will be used for the \f(CW\*(C`PATH\*(C'\fR environment variable.
+This flag is \fIon\fR by default.
 .IP "use_loginclass" 12
 .IX Item "use_loginclass"
 If set, \fBsudo\fR will apply the defaults specified for the target user's
@@ -598,13 +604,18 @@ This flag is \fIoff\fR by default.
 .IP "ignore_local_sudoers" 12
 .IX Item "ignore_local_sudoers"
 If set via \s-1LDAP\s0, parsing of \f(CW@sysconfdir\fR@/sudoers will be skipped.
-This is intended for an Enterprises that wish to prevent the usage of local
+This is intended for Enterprises that wish to prevent the usage of local
 sudoers files so that only \s-1LDAP\s0 is used. This thwarts the efforts of rogue operators who would attempt to add roles to \f(CW@sysconfdir\fR@/sudoers. When this option is present, \f(CW@sysconfdir\fR@/sudoers does not even need to exist. Since this option tells \fBsudo\fR how to behave when no specific \s-1LDAP\s0 entries have been matched, this sudoOption is only meaningful for the cn=defaults section. This flag is \fIoff\fR by default.
+.IP "closefrom_override" 12
+.IX Item "closefrom_override"
+If set, the user may use \fBsudo\fR's \fB\-C\fR option which
+overrides the default starting point at which \fBsudo\fR begins
+closing open file descriptors. This flag is \fIoff\fR by default.
 .PP
 \&\fBIntegers\fR:
 .IP "passwd_tries" 12
@@ -635,6 +646,20 @@ The default is \f(CW\*(C`@password_timeout@\*(C'\fR, set this to \f(CW0\fR for n
 .IX Item "umask"
 Umask to use when running the command. Negate this option or set it to 0777 to preserve the user's umask. The default is \f(CW\*(C`@sudo_umask@\*(C'\fR.
+.IP "closefrom" 12
+.IX Item "closefrom"
+Before it executes a command, \fBsudo\fR will close all open file
+descriptors other than standard input, standard output and standard
+error (ie: file descriptors 0\-2). The \fIclosefrom\fR option can be used
+to specify a different file descriptor at which to start closing.
+The default is 3.
+.IP "setenv" 12
+.IX Item "setenv"
+Allow the user to set additional environment variables from the
+command line. Note that variables set this way are not subject to
+the restrictions imposed by \fIenv_check\fR, \fIenv_delete\fR, or
+\&\fIenv_reset\fR. As such, only trusted users should be allowed to set
+variables in this manner.
 .PP
 \&\fBStrings\fR:
 .IP "mailsub" 12
@@ -682,7 +707,7 @@ option is set)
 .ie n .IP "\*(C`%%\*(C'" 8
 .el .IP "\f(CW\*(C`%%\*(C'\fR" 8
 .IX Item "%%"
-two consecutive \f(CW\*(C`%\*(C'\fR characters are collaped into a single \f(CW\*(C`%\*(C'\fR character
+two consecutive \f(CW\*(C`%\*(C'\fR characters are collapsed into a single \f(CW\*(C`%\*(C'\fR character
 .RE
 .RS 12
 .Sp
@@ -706,7 +731,7 @@ Defaults to \f(CW\*(C`@badpri@\*(C'\fR.
 .IX Item "editor"
 A colon (':') separated list of editors allowed to be used with
 \&\fBvisudo\fR. \fBvisudo\fR will choose the editor that matches the user's
-\&\s-1USER\s0 environment variable if possible, or the first editor in the
+\&\s-1EDITOR\s0 environment variable if possible, or the first editor in the
 list that exists and is executable. The default is the path to vi on your system.
 .IP "noexec_file" 12
@@ -836,9 +861,12 @@ be used to guard against printf-style format vulnerabilities in poorly-written
 programs. The argument may be a double\-quoted, space-separated list or a single value without double\-quotes. The list can be replaced, added to, deleted from, or disabled by using
-the \f(CW\*(C`=\*(C'\fR, \f(CW\*(C`+=\*(C'\fR, \f(CW\*(C`\-=\*(C'\fR, and \f(CW\*(C`!\*(C'\fR operators respectively. The default
-list of environment variables to check is printed when \fBsudo\fR is
-run by root with the \fI\-V\fR option.
+the \f(CW\*(C`=\*(C'\fR, \f(CW\*(C`+=\*(C'\fR, \f(CW\*(C`\-=\*(C'\fR, and \f(CW\*(C`!\*(C'\fR operators respectively. Regardless
+of whether the \f(CW\*(C`env_reset\*(C'\fR option is enabled or disabled, variables
+specified by \f(CW\*(C`env_check\*(C'\fR will be preserved in the environment if
+they pass the aforementioned check. The default list of environment
+variables to check is displayed when \fBsudo\fR is run by root with
+the \fI\-V\fR option.
 .IP "env_delete" 12
 .IX Item "env_delete"
 Environment variables to be removed from the user's environment.
@@ -846,7 +874,7 @@ The argument may be a double\-quoted, space-separated list or a
 single value without double\-quotes. The list can be replaced, added to, deleted from, or disabled by using the \f(CW\*(C`=\*(C'\fR, \f(CW\*(C`+=\*(C'\fR, \f(CW\*(C`\-=\*(C'\fR, and
 \&\f(CW\*(C`!\*(C'\fR operators respectively. The default list of environment
-variables to remove is printed when \fBsudo\fR is run by root with the
+variables to remove is displayed when \fBsudo\fR is run by root with the
 \&\fI\-V\fR option. Note that many operating systems will remove potentially dangerous variables from the environment of any setuid process (such as \fBsudo\fR).
@@ -858,7 +886,8 @@ control over the environment \fBsudo\fR\-spawned processes will receive.
 The argument may be a double\-quoted, space-separated list or a single value without double\-quotes. The list can be replaced, added to, deleted from, or disabled by using the \f(CW\*(C`=\*(C'\fR, \f(CW\*(C`+=\*(C'\fR, \f(CW\*(C`\-=\*(C'\fR, and
-\&\f(CW\*(C`!\*(C'\fR operators respectively. This list has no default members.
+\&\f(CW\*(C`!\*(C'\fR operators respectively. The default list of variables to keep
+is displayed when \fBsudo\fR is run by root with the \fI\-V\fR option.
 .PP
 When logging via \fIsyslog\fR\|(3), \fBsudo\fR accepts the following values for the syslog facility (the value of the \fBsyslog\fR Parameter):
@@ -889,7 +918,7 @@ supported: \fBalert\fR, \fBcrit\fR, \fBdebug\fR, \fBemerg\fR, \fBerr\fR, \fBinfo
 .PP
 .Vb 2
 \& Tag_Spec ::= ('NOPASSWD:' | 'PASSWD:' | 'NOEXEC:' | 'EXEC:' |
-\& 'MONITOR' | 'NOMONITOR')
+\& 'SETENV:' | 'NOSETENV:' | 'MONITOR:' | 'NOMONITOR:')
 .Ve
 .PP
 A \fBuser specification\fR determines which commands a user may run
@@ -928,12 +957,12 @@ but \fI/bin/kill\fR and \fI/usr/bin/lprm\fR as \fBroot\fR.
 .Sh "Tag_Spec"
 .IX Subsection "Tag_Spec"
 A command may have zero or more tags associated with it. There are
-four possible tag values, \f(CW\*(C`NOPASSWD\*(C'\fR, \f(CW\*(C`PASSWD\*(C'\fR, \f(CW\*(C`NOEXEC\*(C'\fR, \f(CW\*(C`EXEC\*(C'\fR,
-\&\f(CW\*(C`MONITOR\*(C'\fR and \f(CW\*(C`NOMONITOR\*(C'\fR.
+eight possible tag values, \f(CW\*(C`NOPASSWD\*(C'\fR, \f(CW\*(C`PASSWD\*(C'\fR, \f(CW\*(C`NOEXEC\*(C'\fR, \f(CW\*(C`EXEC\*(C'\fR,
+\&\f(CW\*(C`SETENV\*(C'\fR, \f(CW\*(C`NOSETENV\*(C'\fR, \f(CW\*(C`MONITOR\*(C'\fR and \f(CW\*(C`NOMONITOR\*(C'\fR.
 Once a tag is set on a \f(CW\*(C`Cmnd\*(C'\fR, subsequent \f(CW\*(C`Cmnd\*(C'\fRs in the
 \&\f(CW\*(C`Cmnd_Spec_List\*(C'\fR, inherit the tag unless it is overridden by the
-opposite tag (ie: \f(CW\*(C`PASSWD\*(C'\fR overrides \f(CW\*(C`NOPASSWD\*(C'\fR and \f(CW\*(C`NOMONITOR\*(C'\fR
-overrides \f(CW\*(C`MONITOR\*(C'\fR).
+opposite tag (i.e.: \f(CW\*(C`PASSWD\*(C'\fR overrides \f(CW\*(C`NOPASSWD\*(C'\fR and \f(CW\*(C`NOEXEC\*(C'\fR
+overrides \f(CW\*(C`EXEC\*(C'\fR).
 .PP
 \fI\s-1NOPASSWD\s0 and \s-1PASSWD\s0\fR
 .IX Subsection "NOPASSWD and PASSWD"
@@ -985,6 +1014,15 @@ and \fI/usr/bin/vi\fR but shell escapes will be disabled. See the
 \*(L"\s-1PREVENTING\s0 \s-1SHELL\s0 \s-1ESCAPES\s0\*(R" section below for more details on how \f(CW\*(C`NOEXEC\*(C'\fR works and whether or not it will work on your system.
 .PP
+\fI\s-1SETENV\s0 and \s-1NOSETENV\s0\fR
+.IX Subsection "SETENV and NOSETENV"
+.PP
+These tags override the value of the \fIsetenv\fR option on a per-command
+basis. Note that environment variables set on the command line way
+are not subject to the restrictions imposed by \fIenv_check\fR,
+\&\fIenv_delete\fR, or \fIenv_reset\fR. As such, only trusted users should
+be allowed to set variables in this manner.
+.PP
 \fI\s-1MONITOR\s0 and \s-1NOMONITOR\s0\fR
 .IX Subsection "MONITOR and NOMONITOR"
 .PP
@@ -1102,7 +1140,7 @@ Whitespace between elements in a list as well as special syntactic
 characters in a \fIUser Specification\fR ('=', ':', '(', ')') is optional.
 .PP
 The following characters must be escaped with a backslash ('\e') when
-used as part of a word (e.g. a username or hostname):
+used as part of a word (e.g.\ a username or hostname):
 \&'@', '!', '=', ':', ',', '(', ')', '\e'.
 .SH "FILES"
 .IX Header "FILES"
@@ -1161,13 +1199,13 @@ Here we override some of the compiled in default values. We want
 \&\fBsudo\fR to log via \fIsyslog\fR\|(3) using the \fIauth\fR facility in all cases. We don't want to subject the full time staff to the \fBsudo\fR lecture, user \fBmillert\fR need not give a password, and we don't
-want to reset the \f(CW\*(C`LOGNAME\*(C'\fR or \f(CW\*(C`USER\*(C'\fR environment variables when
-running commands as root. Additionally, on the machines in the
-\&\fI\s-1SERVERS\s0\fR \f(CW\*(C`Host_Alias\*(C'\fR, we keep an additional local log file and
-make sure we log the year in each log line since the log entries
-will be kept around for several years. Lastly, we disable shell
-escapes for the commands in the \s-1PAGERS\s0 \f(CW\*(C`Cmnd_Alias\*(C'\fR (/usr/bin/more,
-/usr/bin/pg and /usr/bin/less).
+want to reset the \f(CW\*(C`LOGNAME\*(C'\fR, \f(CW\*(C`USER\*(C'\fR or \f(CW\*(C`USERNAME\*(C'\fR environment
+variables when running commands as root. Additionally, on the
+machines in the \fI\s-1SERVERS\s0\fR \f(CW\*(C`Host_Alias\*(C'\fR, we keep an additional
+local log file and make sure we log the year in each log line since
+the log entries will be kept around for several years. Lastly, we
+disable shell escapes for the commands in the \s-1PAGERS\s0 \f(CW\*(C`Cmnd_Alias\*(C'\fR
+(/usr/bin/more, /usr/bin/pg and /usr/bin/less).
 .PP
 .Vb 7
 \& # Override built-in defaults
@@ -1464,9 +1502,6 @@ If you feel you have found a bug in \fBsudo\fR, please submit a bug report
 at http://www.sudo.ws/sudo/bugs/
 .SH "SUPPORT"
 .IX Header "SUPPORT"
-Commercial support is available for \fBsudo\fR, see
-http://www.sudo.ws/sudo/support.html for details.
-.PP
 Limited free support is available via the sudo-users mailing list, see http://www.sudo.ws/mailman/listinfo/sudo\-users to subscribe or search the archives.
diff --git a/visudo.cat b/visudo.cat
index 24f6c4fc6..89c76c5f3 100644
--- a/visudo.cat
+++ b/visudo.cat
@@ -25,11 +25,12 @@ DDEESSCCRRIIPPTTIIOONN
 script. Normally, vviissuuddoo does not honor the VISUAL or EDITOR environment variables unless they contain an editor in the aforementioned editors list. However, if vviissuuddoo is
- configured with the _-_-_w_i_t_h_-_e_n_v_e_d_i_t_o_r flag or the _e_n_v_e_d_i_t_o_r
- Default variable is set in _s_u_d_o_e_r_s, vviissuuddoo will use any
- the editor defines by VISUAL or EDITOR. Note that this
- can be a security hole since it allows the user to execute
- any program they wish simply by setting VISUAL or EDITOR.
+ configured with the _-_-_w_i_t_h_-_e_n_v_e_d_i_t_o_r flag or the _e_n_v___e_d_i_­
+ _t_o_r Default variable is set in _s_u_d_o_e_r_s, vviissuuddoo will use
+ any the editor defines by VISUAL or EDITOR. Note that
+ this can be a security hole since it allows the user to
+ execute any program they wish simply by setting VISUAL or
+ EDITOR.
 vviissuuddoo parses the _s_u_d_o_e_r_s file after the edit and will not save the changes if there is a syntax error. Upon finding
@@ -57,11 +58,10 @@ OOPPTTIIOONNSS
 is encountered, vviissuuddoo will exit with a value of 1.
 -f Specify and alternate _s_u_d_o_e_r_s file location. With
- this option vviissuuddoo will edit (or check) the _s_u_d_o_e_r_s
-1.6.9 October 26, 2004 1
+1.7 June 23, 2007 1
@@ -70,6 +70,7 @@ OOPPTTIIOONNSS
 VISUDO(1m) MAINTENANCE COMMANDS VISUDO(1m)
+ this option vviissuuddoo will edit (or check) the _s_u_d_o_e_r_s
 file of your choice, instead of the default, _/_e_t_c_/_s_u_d_o_e_r_s. The lock file used is the specified _s_u_d_o_e_r_s file with ".tmp" appended to it.
@@ -123,11 +124,10 @@ DDIIAAGGNNOOSSTTIICCSS
 The specified {User,Runas,Host,Cmnd}_Alias was defined but never used. You may wish to comment out or remove the unused alias. In --ss (strict) mode this is an
- error, not a warning.
-1.6.9 October 26, 2004 2
+1.7 June 23, 2007 2
@@ -136,6 +136,8 @@ DDIIAAGGNNOOSSTTIICCSS
 VISUDO(1m) MAINTENANCE COMMANDS VISUDO(1m)
+ error, not a warning.
+
 SSEEEE AALLSSOO
 _v_i(1), sudoers(4), sudo(1m), vipw(1m)
@@ -157,9 +159,6 @@ BBUUGGSS
 a bug report at http://www.sudo.ws/sudo/bugs/
 SSUUPPPPOORRTT
- Commercial support is available for ssuuddoo, see
- http://www.sudo.ws/sudo/support.html for details.
-
 Limited free support is available via the sudo-users mail­
 ing list, see http://www.sudo.ws/mail­
 man/listinfo/sudo-users to subscribe or search the
@@ -193,6 +192,7 @@ DDIISSCCLLAAIIMMEERR
-1.6.9 October 26, 2004 3
+
+1.7 June 23, 2007 3
diff --git a/visudo.man.in b/visudo.man.in
index 7d5fb37ca..de434b528 100644
--- a/visudo.man.in
+++ b/visudo.man.in
@@ -1,4 +1,4 @@
-.\" Copyright (c) 1996,1998-2003 Todd C. Miller
+.\" Copyright (c) 1996,1998-2004 Todd C. Miller
 .\"
 .\" Permission to use, copy, modify, and distribute this software for any
 .\" purpose with or without fee is hereby granted, provided that the above
@@ -18,7 +18,7 @@
 .\" Materiel Command, USAF, under agreement number F39502-99-1-0512.
 .\"
 .\" $Sudo$
-.\" Automatically generated by Pod::Man v1.37, Pod::Parser v1.14
+.\" Automatically generated by Pod::Man v1.37, Pod::Parser v1.32
 .\"
 .\" Standard preamble:
 .\" ========================================================================
@@ -149,7 +149,7 @@
 .\" ========================================================================
 .\"
 .IX Title "VISUDO @mansectsu@"
-.TH VISUDO @mansectsu@ "October 26, 2004" "1.6.9" "MAINTENANCE COMMANDS"
+.TH VISUDO @mansectsu@ "June 23, 2007" "1.7" "MAINTENANCE COMMANDS"
 .SH "NAME"
 visudo \- edit the sudoers file
 .SH "SYNOPSIS"
@@ -170,7 +170,7 @@ your system, as determined by the \fIconfigure\fR script. Normally,
 \&\fBvisudo\fR does not honor the \f(CW\*(C`VISUAL\*(C'\fR or \f(CW\*(C`EDITOR\*(C'\fR environment variables unless they contain an editor in the aforementioned editors list. However, if \fBvisudo\fR is configured with the \fI\-\-with\-enveditor\fR
-flag or the \fIenveditor\fR \f(CW\*(C`Default\*(C'\fR variable is set in \fIsudoers\fR,
+flag or the \fIenv_editor\fR \f(CW\*(C`Default\*(C'\fR variable is set in \fIsudoers\fR,
 \&\fBvisudo\fR will use any the editor defines by \f(CW\*(C`VISUAL\*(C'\fR or \f(CW\*(C`EDITOR\*(C'\fR. Note that this can be a security hole since it allows the user to execute any program they wish simply by setting \f(CW\*(C`VISUAL\*(C'\fR or \f(CW\*(C`EDITOR\*(C'\fR.
@@ -283,9 +283,6 @@ If you feel you have found a bug in \fBvisudo\fR, please submit a bug report
 at http://www.sudo.ws/sudo/bugs/
 .SH "SUPPORT"
 .IX Header "SUPPORT"
-Commercial support is available for \fBsudo\fR, see
-http://www.sudo.ws/sudo/support.html for details.
-.PP
 Limited free support is available via the sudo-users mailing list, see http://www.sudo.ws/mailman/listinfo/sudo\-users to subscribe or search the archives.