From: Todd C. Miller
Date: Sat, 3 May 2008 00:53:21 +0000 (+0000)
Subject: Add env_file Defaults option that is similar to /etc/environment on some
X-Git-Tag: SUDO_1_7_0~120
X-Git-Url: https://granicus.if.org/sourcecode?a=commitdiff_plain;h=b85a28aba972b398fcb3ade2f211bab06a7e2b76;p=sudo

Add env_file Defaults option that is similar to /etc/environment on some
systems.
---

diff --git a/WHATSNEW b/WHATSNEW
index 81b51cfe6..372e45b2a 100644
--- a/WHATSNEW
+++ b/WHATSNEW
@@ -59,6 +59,9 @@ What's new in Sudo 1.7.0? "From:" field in the warning/error mail. If unspecified, the login name of the invoking user is used. + * A new Defaults option, "env_file" that refers to a file containing + environment variables to be set in the command being run. + * A new flag, -n, may be used to indicate that sudo should not prompt the user for a password and, instead, exit with an error if authentication is required.
diff --git a/def_data.c b/def_data.c
index eed0cab8d..0dd21be8c 100644
--- a/def_data.c
+++ b/def_data.c
@@ -290,6 +290,10 @@ struct sudo_defs_types sudo_defs_table[] = {
 	"askpass", T_STR|T_PATH|T_BOOL,
 	"Path to the askpass helper program: %s",
 	NULL,
+    }, {
+	"env_file", T_STR|T_PATH|T_BOOL,
+	"Path to the sudo-specific environment file: %s",
+	NULL,
     }, {
 	NULL, 0, NULL
     }
diff --git a/def_data.h b/def_data.h
index a01f41ae3..103b55e85 100644
--- a/def_data.h
+++ b/def_data.h
@@ -132,6 +132,8 @@
 #define I_TYPE 65
 #define def_askpass (sudo_defs_table[66].sd_un.str)
 #define I_ASKPASS 66
+#define def_env_file (sudo_defs_table[67].sd_un.str)
+#define I_ENV_FILE 67
 
 enum def_tupple {
 	never,
diff --git a/def_data.in b/def_data.in
index ae2d78433..fa58e8d1a 100644
--- a/def_data.in
+++ b/def_data.in
@@ -214,3 +214,6 @@ type
 askpass
 	T_STR|T_PATH|T_BOOL
 	"Path to the askpass helper program: %s"
+env_file
+	T_STR|T_PATH|T_BOOL
+	"Path to the sudo-specific environment file: %s"
diff --git a/env.c b/env.c
index b9ee0ab34..10a1061fd 100644
--- a/env.c
+++ b/env.c
@@ -346,7 +346,8 @@ insert_env(str, dupcheck, dosync)
 
     for (nep = env.envp; *nep; nep++) {
 	if (strncmp(str, *nep, varlen) == 0) {
-	    *nep = str;
+	    if (dupcheck != -1)
+		*nep = str;
 	    return;
 	}
     }
@@ -738,7 +739,6 @@ validate_env_vars(env_vars)
     }
 }
 
-#if defined(__linux__) || defined(_AIX)
 /*
  * Read in /etc/environment ala AIX and Linux.
  * Lines are in the form of NAME=VALUE
@@ -746,8 +746,9 @@ validate_env_vars(env_vars)
  * character are skipped.
  */
 void
-read_env_file(path)
+read_env_file(path, replace)
     const char *path;
+    int replace;
 {
     FILE *fp;
     char *cp;
@@ -768,11 +769,10 @@ read_env_file(path)
 	if (strchr(cp, '=') == NULL)
 	    continue;
 
-	insert_env(estrdup(cp), TRUE, TRUE);
+	insert_env(estrdup(cp), replace ? TRUE : -1, TRUE);
     }
     fclose(fp);
 }
-#endif /* __linux__ || _AIX */
 
 void
 init_envtables()
diff --git a/sudo.c b/sudo.c
index 58c8c7749..a4ed54613 100644
--- a/sudo.c
+++ b/sudo.c
@@ -474,13 +474,17 @@ main(argc, argv, envp)
 
 #if defined(__linux__) || defined(_AIX)
 	/* Insert system-wide environment variables. */
-	read_env_file(_PATH_ENVIRONMENT);
+	read_env_file(_PATH_ENVIRONMENT, TRUE);
 #endif
     }
 
     if (ISSET(sudo_mode, MODE_EDIT))
 	exit(sudo_edit(NewArgc, NewArgv, envp));
 
+    /* Insert system-wide environment variables. */
+    if (def_env_file)
+	read_env_file(def_env_file, FALSE);
+
     /* Insert user-specified environment variables. */
     insert_env_vars(sudo_user.env_vars);
 
diff --git a/sudo.h b/sudo.h
index 4726a03a7..f7e7af208 100644
--- a/sudo.h
+++ b/sudo.h
@@ -284,7 +284,7 @@ void efree __P((void *));
 void dump_defaults __P((void));
 void dump_auth_methods __P((void));
 void init_envtables __P((void));
-void read_env_file __P((const char *));
+void read_env_file __P((const char *, int));
 int lock_file __P((int, int));
 int touch __P((int, char *, struct timespec *));
 int user_is_exempt __P((void));
diff --git a/sudoers.cat b/sudoers.cat
index aac188e97..6b6a305c5 100644
--- a/sudoers.cat
+++ b/sudoers.cat
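Review bot: In the insert_env hunk, when dupcheck is -1 and the variable already exists the new guard skips `*nep = str;` but the function still returns without releasing str, so every env_file entry that duplicates an existing variable leaks the estrdup()'d line passed from the last env.c hunk (`insert_env(estrdup(cp), replace ? TRUE : -1, TRUE)`); the no-replace branch should free it, e.g. `if (dupcheck != -1) *nep = str; else efree(str);` (efree is declared in the sudo.h hunk), which is safe as long as -1 is only ever passed with a freshly allocated string, as the visible caller does. The same two hunks also turn the boolean-named dupcheck into a tri-state via the magic value -1 with no explanation; a comment at the guard such as `/* dupcheck == -1: keep an existing value (env_file read with replace == FALSE) */`, or a named constant used by both insert_env and read_env_file, would make the contract visible. The read_env_file comment block still says "Read in /etc/environment ala AIX and Linux" although the function now also serves the sudoers env_file; it should mention the replace parameter and that with replace == FALSE existing variables win. insert_env's body begins outside the hunk.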
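Review bot: The new env_file block in sudo.c runs after the brace that closes the environment-reset section above it, and as far as the visible lines of read_env_file go the entries are only checked for an '=' and then handed straight to insert_env, so nothing in these hunks applies env_check or env_delete to them; the sudoers.pod hunk nevertheless promises that env_file variables "are subject to other sudo environment settings such as env_keep and env_check", so either the entries should go through the same validation as the caller's environment or the documentation should be corrected. Because this file feeds the environment of a privileged command, the open path in read_env_file (outside the hunk) should also refuse a file that is not owned by root or is writable by others, as is done for sudoers itself; please confirm that check exists. The comment reused from the _PATH_ENVIRONMENT block, `/* Insert system-wide environment variables. */`, now labels two different sources; suggest `/* Insert variables from the sudoers env_file, without overriding existing ones. */`. The env_file read is placed after the sudoedit exit, so sudoedit never sees it; say so in a comment if that is intended.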
@@ -915,7 +915,7 @@ SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4) _a_s_k_p_a_s_s may be overridden by the SUDO_ASKPASS environment variable. - + env_file The _e_n_v___f_i_l_e options specifies the fully-qualilfy path to a @@ -928,6 +928,12 @@ SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4) SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4) + file containing variables to be set in the environment of + the program being run. Entries in this file should be of + the form VARIABLE=value. Variables in this file are sub- + ject to other ssuuddoo environment settings such as _e_n_v___k_e_e_p + and _e_n_v___c_h_e_c_k. + exempt_group Users in this group are exempt from password and PATH requirements. This is not set by default. @@ -977,12 +983,6 @@ SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4) ting a path turns on logging to a file; negating this option turns it off. By default, ssuuddoo logs via syslog. - mailerflags Flags to use when invoking mailer. Defaults to --tt. - - mailerpath Path to mail program used to send warning mail. Defaults - to the path to sendmail found at configure time. - - 1.7.0 May 2, 2008 15 @@ -994,6 +994,11 @@ SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4) SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4) + mailerflags Flags to use when invoking mailer. Defaults to --tt. + + mailerpath Path to mail program used to send warning mail. Defaults + to the path to sendmail found at configure time. + mailfrom Address to use for the "from" address when sending warning and error mail. The address should be enclosed in double quotes (") to protect against ssuuddoo interpreting the @ sign. 
@@ -1042,12 +1047,7 @@ SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4) environment if the variable's value contains % or / characters. This can be used to guard against printf- style format vulnerabilities in poorly-written pro- - grams. The argument may be a double-quoted, space-sep- - arated list or a single value without double-quotes. - The list can be replaced, added to, deleted from, or - disabled by using the =, +=, -=, and ! operators - respectively. Regardless of whether the env_reset - option is enabled or disabled, variables specified by + grams. The argument may be a double-quoted, space- @@ -1060,6 +1060,11 @@ SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4) SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4) + separated list or a single value without double-quotes. + The list can be replaced, added to, deleted from, or + disabled by using the =, +=, -=, and ! operators + respectively. Regardless of whether the env_reset + option is enabled or disabled, variables specified by env_check will be preserved in the environment if they pass the aforementioned check. The default list of environment variables to check is displayed when ssuuddoo @@ -1106,14 +1111,9 @@ EEXXAAMMPPLLEESS Below are example _s_u_d_o_e_r_s entries. Admittedly, some of these are a bit contrived. First, we define our _a_l_i_a_s_e_s: - # User alias specification - User_Alias FULLTIMERS = millert, mikef, dowdy - User_Alias PARTTIMERS = bostley, jwfox, crawl - User_Alias WEBMASTERS = will, wendy, wim - # Runas alias specification - Runas_Alias OP = root, operator - Runas_Alias DB = oracle, sybase + + 
@@ -1126,6 +1126,15 @@ EEXXAAMMPPLLEESS SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4) + # User alias specification + User_Alias FULLTIMERS = millert, mikef, dowdy + User_Alias PARTTIMERS = bostley, jwfox, crawl + User_Alias WEBMASTERS = will, wendy, wim + + # Runas alias specification + Runas_Alias OP = root, operator + Runas_Alias DB = oracle, sybase + # Host alias specification Host_Alias SPARC = bigtime, eclipse, moet, anchor :\ SGI = grolsch, dandelion, black :\ @@ -1172,25 +1181,24 @@ SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4) The _U_s_e_r _s_p_e_c_i_f_i_c_a_t_i_o_n is the part that actually determines who may run what. - root ALL = (ALL) ALL - %wheel ALL = (ALL) ALL - - We let rroooott and any user in group wwhheeeell run any command on any host as - any user. - FULLTIMERS ALL = NOPASSWD: ALL +1.7.0 May 2, 2008 18 -1.7.0 May 2, 2008 18 +SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4) + root ALL = (ALL) ALL + %wheel ALL = (ALL) ALL -SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4) + We let rroooott and any user in group wwhheeeell run any command on any host as + any user. + FULLTIMERS ALL = NOPASSWD: ALL Full time sysadmins (mmiilllleerrtt, mmiikkeeff, and ddoowwddyy) may run any command on any host without authenticating themselves. @@ -1239,14 +1247,6 @@ SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4) jim +biglab = ALL - The user jjiimm may run any command on machines in the _b_i_g_l_a_b netgroup. - ssuuddoo knows that "biglab" is a netgroup due to the '+' prefix. - - +secretaries ALL = PRINTING, /usr/bin/adduser, /usr/bin/rmuser - - Users in the sseeccrreettaarriieess netgroup need to help manage the printers as - well as add and remove users, so they are allowed to run those commands - 1.7.0 May 2, 2008 19 
@@ -1258,6 +1258,13 @@ SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4) SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4) + The user jjiimm may run any command on machines in the _b_i_g_l_a_b netgroup. + ssuuddoo knows that "biglab" is a netgroup due to the '+' prefix. + + +secretaries ALL = PRINTING, /usr/bin/adduser, /usr/bin/rmuser + + Users in the sseeccrreettaarriieess netgroup need to help manage the printers as + well as add and remove users, so they are allowed to run those commands on all machines. fred ALL = (DB) NOPASSWD: ALL @@ -1305,13 +1312,6 @@ SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4) This is a bit tedious for users to type, so it is a prime candidate for encapsulating in a shell script. -SSEECCUURRIITTYY NNOOTTEESS - It is generally not effective to "subtract" commands from ALL using the - '!' operator. A user can trivially circumvent this by copying the - desired command to a different name and then executing that. For exam- - ple: - - bill ALL = ALL, !SU, !SHELLS @@ -1324,6 +1324,14 @@ SSEECCUURRIITTYY NNOOTTEESS SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4) +SSEECCUURRIITTYY NNOOTTEESS + It is generally not effective to "subtract" commands from ALL using the + '!' operator. A user can trivially circumvent this by copying the + desired command to a different name and then executing that. For exam- + ple: + + bill ALL = ALL, !SU, !SHELLS + Doesn't really prevent bbiillll from running the commands listed in _S_U or _S_H_E_L_L_S since he can simply copy those commands to a different name, or use a shell escape from an editor or other program. Therefore, these 
@@ -1370,14 +1378,6 @@ PPRREEVVEENNTTIINNGG SSHHEELLLL EESSCCAAPPEESS in the standard library with its own that simply return an error. Unfortunately, there is no foolproof way to know whether or not _n_o_e_x_e_c will work at compile-time. _n_o_e_x_e_c - should work on SunOS, Solaris, *BSD, Linux, IRIX, Tru64 UNIX, - MacOS X, and HP-UX 11.x. It is known nnoott to work on AIX and - UnixWare. _n_o_e_x_e_c is expected to work on most operating sys- - tems that support the LD_PRELOAD environment variable. Check - your operating system's manual pages for the dynamic linker - (usually ld.so, ld.so.1, dyld, dld.sl, rld, or loader) to see - if LD_PRELOAD is supported. - @@ -1390,6 +1390,14 @@ PPRREEVVEENNTTIINNGG SSHHEELLLL EESSCCAAPPEESS SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4) + should work on SunOS, Solaris, *BSD, Linux, IRIX, Tru64 UNIX, + MacOS X, and HP-UX 11.x. It is known nnoott to work on AIX and + UnixWare. _n_o_e_x_e_c is expected to work on most operating sys- + tems that support the LD_PRELOAD environment variable. Check + your operating system's manual pages for the dynamic linker + (usually ld.so, ld.so.1, dyld, dld.sl, rld, or loader) to see + if LD_PRELOAD is supported. + To enable _n_o_e_x_e_c for a command, use the NOEXEC tag as docu- mented in the User Specification section above. Here is that example again: @@ -1436,6 +1444,18 @@ DDIISSCCLLAAIIMMEERR including, but not limited to, the implied warranties of merchantabil- ity and fitness for a particular purpose are disclaimed. See the LICENSE file distributed with ssuuddoo or + + + +1.7.0 May 2, 2008 22 + + + + + +SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4) + + http://www.sudo.ws/sudo/license.html for complete details. @@ -1447,6 +1467,52 @@ DDIISSCCLLAAIIMMEERR -1.7.0 May 2, 2008 22 + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +1.7.0 May 2, 2008 23 diff --git a/sudoers.man.in b/sudoers.man.in index 746db052f..b0dae49ab 100644 --- a/sudoers.man.in 
+++ b/sudoers.man.in @@ -1036,6 +1036,13 @@ specified by \fIaskpass\fR should display the argument passed to it as the prompt and write the user's password to the standard output. The value of \fIaskpass\fR may be overridden by the \f(CW\*(C`SUDO_ASKPASS\*(C'\fR environment variable. +.IP "env_file" 12 +.IX Item "env_file" +The \fIenv_file\fR options specifies the fully-qualilfy path to a file +containing variables to be set in the environment of the program +being run. Entries in this file should be of the form \f(CW\*(C`VARIABLE=value\*(C'\fR. +Variables in this file are subject to other \fBsudo\fR environment +settings such as \fIenv_keep\fR and \fIenv_check\fR. .IP "exempt_group" 12 .IX Item "exempt_group" Users in this group are exempt from password and \s-1PATH\s0 requirements. diff --git a/sudoers.pod b/sudoers.pod index 59a1ad3e4..4f4d55e1d 100644 --- a/sudoers.pod +++ b/sudoers.pod @@ -926,6 +926,14 @@ as the prompt and write the user's password to the standard output. The value of I may be overridden by the C environment variable. +=item env_file + +The I options specifies the fully-qualilfy path to a file +containing variables to be set in the environment of the program +being run. Entries in this file should be of the form C. +Variables in this file are subject to other B environment +settings such as I and I. + =item exempt_group Users in this group are exempt from password and PATH requirements.