From: Todd C. Miller Date: Sun, 8 Jul 2007 14:27:40 +0000 (+0000) Subject: update to reality X-Git-Tag: SUDO_1_7_0~499 X-Git-Url: https://granicus.if.org/sourcecode?a=commitdiff_plain;h=b7927b2b34c519a5fb80bcfa5850692ad554d52f;p=sudo update to reality --- diff --git a/TODO b/TODO index 23981aba7..85a894b2a 100644 --- a/TODO +++ b/TODO 
@@ -5,125 +5,152 @@ TODO list (most will be addressed in sudo 2.0) 02) Add a SHELLS reserved word that checks against /etc/shells. -03) Make the sudoers file accessible via NIS, Hesiod, and maybe NetInfo. +03) Make the sudoers file accessible via NIS, NIS+. 04) Add a -h (?) flag to sudo for a history mechanism. -05) Add an option to set LD_LIBRARY_PATH? +05) Add Prog_Alias facility (Prog_Alias VI = /usr/secure/bin/vi +args). -06) Add Prog_Alias facility (Prog_Alias VI = /usr/secure/bin/vi +args). +06) Add generic STREAMS support for getting interfaces and netmasks. -07) Add generic STREAMS support for getting interfaces and netmasks. - -08) Add support for "safe scripts" by checking for shell script +07) Add support for "safe scripts" by checking for shell script cookie (first two bytes are "#!") and execing the shell outselves after doing the stat to guard against spoofing. This should avoid the race condition caused by going through namei() twice... -09) Make runas_user a struct "runas" with user and group components. +08) Make runas_user a struct "runas" with user and group components. (maybe uid and gid too???) -10) Add -g group/gid option. +09) Add -g group/gid option. -11) Should be able to mix Cmnd_Alias's and command args. Ie: +10) Should be able to mix Cmnd_Alias's and command args. Ie: pete ALL=PASSWD [A-z]*,!PASSWD root where PASSWD was defined to be /usr/bin/passwd. This requires the arg parsing to happen in the yacc grammer. At the very least, commands and args have to become separate tokens in the lexer. -12) Add a per-tty restriction? Ie: only can run foo from /dev/console. - -13) Add test for how to read ether interfaces in configure script - -14) Use strtol() and strtoul(), not atoi() +11) Add a per-tty restriction? Ie: only can run foo from /dev/console. -15) Make syslog stuff work on vanilla ultrix +12) Add test for how to read ether interfaces in configure script -16) Implement date_format and log_format options. 
+13) Use strtol() and strtoul(), not atoi() -17) Add support for: Default:user@host +14) Implement date_format and log_format options. -18) Make visudo rcs-aware +15) Add support for: Default:user@host -19) Some people want to be able to specify a special password in sudoers +16) Some people want to be able to specify a special password in sudoers in addition or instead of the normal one. The best argument for this so far is to be able to use separate passwords for the target users that are not the passwd file ones. -20) Add support for trusted users. E.g. allow user to run a certain +17) Add support for trusted users. E.g. allow user to run a certain command regardless of what dir it is in if it is owned by the trusted user. -21) Add a flag similar to '-l' but that spits out sudo commands in +18) Add a flag similar to '-l' but that spits out sudo commands in a format suitable for cut & paste into sudoers. -22) Someone wants a recursive version of the dir specifier. Ie: +19) Someone wants a recursive version of the dir specifier. Ie: SOME_MODIFIER:/usr/local/ to allow anything under /usr/local to be run. -23) An option to set the shell to the target user would make sense. +20) An option to set the shell to the target user would make sense. See other target user-related issues above. -24) Add an option (-D) to dump the defaults after the sudoers file +21) Add an option (-D) to dump the defaults after the sudoers file has been parsed. Should only be available to root and should allow a -u user modifier. Maybe dump all of sudoers? -25) For sudo 1.7 wipe out the environment by default. - -26) Allow /etc/sudoers to be a symlink but require the parent dir to +22) Allow /etc/sudoers to be a symlink but require the parent dir to be root-owned and not writable by anything else. Should really traverse the tree to the root doing this. -27) Improve interfaces.c STREAMS code (see ntpd's ntp_io.c for hints) - -28) Wildcard support for user and group names? (netgroup too?) 
+23) Improve interfaces.c STREAMS code (see ntpd's ntp_io.c for hints) -29) If root_sudo is off, still allow sudo -u to non-root users? +24) Wildcard support for user and group names? (netgroup too?) -30) Use proper links in .pod files +25) If root_sudo is off, still allow sudo -u to non-root users? -31) Parse gids like %#0 +26) Parse gids like %#0 -32) For AIX, call getuserattr() to get resource limits and set them - as appropriate, see: - http://nscp.upenn.edu/aix4.3html/libs/basetrf1/getuserattr.htm#A16691a89 +27) For AIX, use setpenv() and setpcred() if they exist + http://publibn.boulder.ibm.com/doc_link/en_US/a_doc_lib/libs/basetrf2/setpenv.htm + http://publib16.boulder.ibm.com/pseries/en_US/libs/basetrf2/setpcred.htm -33) Add an insult_path variable that is intialized to "builtin" but that +28) Add an insult_path variable that is intialized to "builtin" but that can point to other files containing an insult count as the first line and that have a constant record length (sparse files) for easy seeking. -34) Some way of using a new pty for the program run via sudo would prevent +29) Some way of using a new pty for the program run via sudo would prevent access to the caller's /dev/tty (but probably makes job control tricky). -35) Maybe have a database of checksums that commands are verified against. +30) Maybe have a database of checksums that commands are verified against. Basically replace the st_ino/st_dev check with a checksum lookup. -36) Look into testing writability of a file via sudoedit *before* doing +31) Look into testing writability of a file via sudoedit *before* doing the edit; e.g., try opening with O_APPEND. -37) Add Makefile.in bits to autogenerate Solaris and Irix packages +32) Add Makefile.in bits to autogenerate Solaris and Irix packages -38) Add monitor support for Solaris using /proc/$$/ctl w/ PCSENTRY - (use PRSABORT flag to indicate failure). 
+33) Add monitor support for Solaris using /proc/$$/ctl w/ PCSENTRY + (use PRSABORT flag to indicate failure). Race-prone. -39) Add a session mode where sudo allocates a pty and logs everything +34) Add a session mode where sudo allocates a pty and logs everything that occurs ala script(1). -40) Use pam_open_session() and pam_close_session() (requires a persistent +35) Use pam_open_session() and pam_close_session() (requires a persistent sudo process to call pam_close_session()). Maybe add xauth support for the non-pam case? -41) Should "monitor" and MONITOR/NOMONITOR be disabled for non-systrace? +36) Should "monitor" and MONITOR/NOMONITOR be disabled for non-systrace? + +37) Add substitution mechanism in sudoers to subst, e.g. editors for sudoedit + +38) Move prototypes to extern.h? + +39) Get rid of VALIDATE_NOT_OK and just set/clear VALIDATE_OK + +40) visudo -c should also sanity check aliases + +41) Use AC_CHECK_DECLS for systems w/o proper prototypes? Maybe errno too? + +42) Flesh out testsudoers and fix glob/opendir issues. Use custom netgroup + code too? + +43) Think some more about giving admins a way to test commands for a user + on a specific host with a different sudoers file. + +44) Add nsswitch.conf parsing to LDAP support. + +45) document environment stuff (new vs. old) in sudo.pod + +46) Investigate systrace EBUSY issues w/ csh. Kernel bug? + +47) Refactor duplicated code in ldap.c into wrapper functions. + +48) Move setting of safe_cmnd out of match.c. + +49) Support timelimit, bind_timelimit, bind_policy in ldap.conf (see nss_ldap). + +51) Roll visudo into sudo ala sudoedit. + +52) Add ticket file to ticket dir in non-tty tickets case so we + can mix tty and non-tty ticket schemes. + +53) Use ldap_get_values_len() instead of ldap_get_values_len() for + OpenLDAP (what about others?) -42) Add substitution mechanism in sudoers to subst, e.g. editors for sudoedit +54) Add support for NOEXEC w/ 64-bit AIX executables. 
+ http://publib.boulder.ibm.com/infocenter/pseries/v5r3/index.jsp?topic=/com.ibm.xlf91a.doc/xlfug/comp64.htm -43) Move prototypes to extern.h +55) For systrace rewrite argv using stackgap to avoid races. -44) Get rid of VALIDATE_NOT_OK and just set/clear VALIDATE_OK +56) Examine debian fqdn diffs -45) visudo -c should also sanity check aliases +57) Add gettext() support -46) Use AC_CHECK_DECLS for systems w/o proper prototypes? Maybe errno too? +58) Consider allowing chown/chrgp to fail in visudo in -f mode. -47) nicer defaults output for "sudo -l" and implement for LDAP too +59) Refactor common env code in logging.c
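Review bot: In the added item 53, both sides of the substitution name the same function ("Use ldap_get_values_len() instead of ldap_get_values_len()"), so the entry does not say what is being replaced; presumably the intent is to move from ldap_get_values() to ldap_get_values_len() for OpenLDAP, and the line should spell that out. The renumbered list also skips from item 49 to item 51, leaving no item 50, and the renumbered item 28 still carries the misspelling "intialized". This hunk drops the former item 25 ("For sudo 1.7 wipe out the environment by default") and the former item 05 (LD_LIBRARY_PATH option) without recording whether they were completed or abandoned; given that the unchanged header still says most items target sudo 2.0, a word in the commit message beyond "update to reality" would tell a reader which removed entries are actually done.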