From: Todd C. Miller Date: Wed, 21 Jul 2010 19:19:56 +0000 (-0400) Subject: Mention that 127.0.0.1 will not match, nor will localhost unless X-Git-Tag: SUDO_1_8_0~346 X-Git-Url: https://granicus.if.org/sourcecode?a=commitdiff_plain;h=bdecb14ea6e6f50fe80f7a4e7aaa696f43970d3e;p=sudo Mention that 127.0.0.1 will not match, nor will localhost unless that is the actual host name. --- diff --git a/doc/sudoers.cat b/doc/sudoers.cat index fc9d294ce..80766754f 100644 --- a/doc/sudoers.cat +++ b/doc/sudoers.cat @@ -286,6 +286,10 @@ SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4) shell-style wildcards (see the Wildcards section below), but unless the host name command on your machine returns the fully qualified host name, you'll need to use the _f_q_d_n option for wildcards to be useful. + Note ssuuddoo only inspects actual network interfaces; this means that IP + address 127.0.0.1 (localhost) will never match. Also, the host name + "localhost" will only match if that is the actual host name, which is + usually only the case for non-networked systems. Cmnd_List ::= Cmnd | Cmnd ',' Cmnd_List @@ -318,10 +322,6 @@ SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4) to permit a user to run ssuuddoo with the --ee option (or as ssuuddooeeddiitt). It may take command line arguments just as a normal command does. - DDeeffaauullttss - Certain configuration options may be changed from their default values - at runtime via one or more Default_Entry lines. These may affect all - users on any host, all users on a specific host, a specific user, a 
@@ -334,6 +334,10 @@ SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4) SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4) + DDeeffaauullttss + Certain configuration options may be changed from their default values + at runtime via one or more Default_Entry lines. These may affect all + users on any host, all users on a specific host, a specific user, a specific command, or commands being run as a specific user. Note that per-command entries may not include command line arguments. If you need to specify arguments, define a Cmnd_Alias and reference that @@ -385,10 +389,6 @@ SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4) SELinux_Spec ::= ('ROLE=role' | 'TYPE=type') - Tag_Spec ::= ('NOPASSWD:' | 'PASSWD:' | 'NOEXEC:' | 'EXEC:' | - 'SETENV:' | 'NOSETENV:' | 'LOG_INPUT:' | 'NOLOG_INPUT:' | - 'LOG_OUTPUT:' | 'NOLOG_OUTPUT:') - 1.8.0b1 July 21, 2010 6 @@ -400,6 +400,11 @@ SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4) SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4) + + Tag_Spec ::= ('NOPASSWD:' | 'PASSWD:' | 'NOEXEC:' | 'EXEC:' | + 'SETENV:' | 'NOSETENV:' | 'LOG_INPUT:' | 'NOLOG_INPUT:' | + 'LOG_OUTPUT:' | 'NOLOG_OUTPUT:') + A uusseerr ssppeecciiffiiccaattiioonn determines which commands a user may run (and as what user) on specified hosts. By default, commands are run as rroooott, but this can be changed on a per-command basis. @@ -450,11 +455,6 @@ SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4) device file with the dialer group. Note that in this example only the group will be set, the command still runs as user ttccmm. - tcm boulder = (:dialer) /usr/bin/tip, /usr/bin/cu, \ - /usr/local/bin/minicom - - - 1.8.0b1 July 21, 2010 7 @@ -466,6 +466,9 @@ SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4) SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4) + tcm boulder = (:dialer) /usr/bin/tip, /usr/bin/cu, \ + /usr/local/bin/minicom + SSEELLiinnuuxx__SSppeecc On systems with SELinux support, _s_u_d_o_e_r_s entries may optionally have an SELinux role and/or type associated with a command. If a role or type 
@@ -517,9 +520,6 @@ SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4) In the following example, user aaaarroonn may run _/_u_s_r_/_b_i_n_/_m_o_r_e and _/_u_s_r_/_b_i_n_/_v_i but shell escapes will be disabled. - aaron shanty = NOEXEC: /usr/bin/more, /usr/bin/vi - - See the "PREVENTING SHELL ESCAPES" section below for more details on @@ -532,6 +532,9 @@ SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4) SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4) + aaron shanty = NOEXEC: /usr/bin/more, /usr/bin/vi + + See the "PREVENTING SHELL ESCAPES" section below for more details on how NOEXEC works and whether or not it will work on your system. _S_E_T_E_N_V _a_n_d _N_O_S_E_T_E_N_V @@ -583,9 +586,6 @@ SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4) Would match any file name beginning with a letter. - Note that a forward slash ('/') will nnoott be matched by wildcards used - in the path name. When matching the command line arguments, however, a - slash ddooeess get matched by wildcards. This is to make a path like: @@ -598,6 +598,10 @@ SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4) SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4) + Note that a forward slash ('/') will nnoott be matched by wildcards used + in the path name. When matching the command line arguments, however, a + slash ddooeess get matched by wildcards. This is to make a path like: + /usr/bin/* match _/_u_s_r_/_b_i_n_/_w_h_o but not _/_u_s_r_/_b_i_n_/_X_1_1_/_x_t_e_r_m. @@ -648,10 +652,6 @@ SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4) sorted lexical order. That is, _/_e_t_c_/_s_u_d_o_e_r_s_._d_/_0_1___f_i_r_s_t will be parsed before _/_e_t_c_/_s_u_d_o_e_r_s_._d_/_1_0___s_e_c_o_n_d. Be aware that because the sorting is lexical, not numeric, _/_e_t_c_/_s_u_d_o_e_r_s_._d_/_1___w_h_o_o_p_s would be loaded aafftteerr - _/_e_t_c_/_s_u_d_o_e_r_s_._d_/_1_0___s_e_c_o_n_d. Using a consistent number of leading zeroes - in the file names can be used to avoid such problems. - - Note that unlike files included via #include, vviissuuddoo will not edit the 
@@ -664,6 +664,10 @@ SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4) SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4) + _/_e_t_c_/_s_u_d_o_e_r_s_._d_/_1_0___s_e_c_o_n_d. Using a consistent number of leading zeroes + in the file names can be used to avoid such problems. + + Note that unlike files included via #include, vviissuuddoo will not edit the files in a #includedir directory unless one of them contains a syntax error. It is still possible to run vviissuuddoo with the -f flag to edit the files directly. @@ -715,10 +719,6 @@ SSUUDDOOEERRSS OOPPTTIIOONNSS configurations where _e_n_v___r_e_s_e_t is disabled. This flag is _o_f_f by default. - authenticate If set, users must authenticate themselves via a - password (or other means of authentication) before they - may run commands. This default may be overridden via - 1.8.0b1 July 21, 2010 11 @@ -730,6 +730,9 @@ SSUUDDOOEERRSS OOPPTTIIOONNSS SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4) + authenticate If set, users must authenticate themselves via a + password (or other means of authentication) before they + may run commands. This default may be overridden via the PASSWD and NOPASSWD tags. This flag is _o_n by default. @@ -782,9 +785,6 @@ SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4) path names which include globbing characters. This flag is _o_f_f by default. - fqdn Set this flag if you want to put fully qualified host - names in the _s_u_d_o_e_r_s file. I.e., instead of myhost you - 1.8.0b1 July 21, 2010 12 @@ -796,6 +796,8 @@ SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4) SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4) + fqdn Set this flag if you want to put fully qualified host + names in the _s_u_d_o_e_r_s file. I.e., instead of myhost you would use myhost.mydomain.edu. You may still use the short form if you wish (and even mix the two). Beware that turning on _f_q_d_n requires ssuuddoo to make DNS lookups 
@@ -848,8 +850,6 @@ SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4) mail_badpass Send mail to the _m_a_i_l_t_o user if the user running ssuuddoo does not enter the correct password. This flag is _o_f_f - by default. - @@ -862,6 +862,8 @@ SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4) SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4) + by default. + mail_no_host If set, mail will be sent to the _m_a_i_l_t_o user if the invoking user exists in the _s_u_d_o_e_r_s file, but is not allowed to run commands on the current host. This flag @@ -914,8 +916,6 @@ SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4) this point. When _p_w_f_e_e_d_b_a_c_k is set, ssuuddoo will provide visual feedback when the user presses a key. Note that this does have a security impact as an onlooker may be - able to determine the length of the password being - entered. This flag is _o_f_f by default. @@ -928,6 +928,9 @@ SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4) SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4) + able to determine the length of the password being + entered. This flag is _o_f_f by default. + requiretty If set, ssuuddoo will only run when the user is logged in to a real tty. When this flag is set, ssuuddoo can only be run from a login session and not via other means such @@ -980,9 +983,6 @@ SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4) should be allowed to set variables in this manner. This flag is _o_f_f by default. - shell_noargs If set and ssuuddoo is invoked with no arguments it acts as - if the --ss option had been given. That is, it runs a - 1.8.0b1 July 21, 2010 15 @@ -994,6 +994,8 @@ SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4) SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4) + shell_noargs If set and ssuuddoo is invoked with no arguments it acts as + if the --ss option had been given. That is, it runs a shell as root (the shell is determined by the SHELL environment variable if it is set, falling back on the shell listed in the invoking user's /etc/passwd entry 
@@ -1046,8 +1048,6 @@ SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4) tty_tickets If set, users must authenticate on a per-tty basis. With this flag enabled, ssuuddoo will use a file named for - the tty the user is logged in on in the user's time - stamp directory. If disabled, the time stamp of the @@ -1060,6 +1060,8 @@ SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4) SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4) + the tty the user is logged in on in the user's time + stamp directory. If disabled, the time stamp of the directory is used instead. This flag is _o_n by default. umask_override If set, ssuuddoo will set the umask as specified by _s_u_d_o_e_r_s @@ -1112,8 +1114,6 @@ SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4) the option to disable word wrap). passwd_timeout Number of minutes before the ssuuddoo password prompt times - out, or 0 for no timeout. The timeout may include a - fractional component if minute granularity is @@ -1126,6 +1126,8 @@ SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4) SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4) + out, or 0 for no timeout. The timeout may include a + fractional component if minute granularity is insufficient, for example 2.5. The default is 5. timestamp_timeout @@ -1178,8 +1180,6 @@ SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4) %H expanded to the local host name including the domain name (on if the machine's host name is fully - qualified or the _f_q_d_n option is set) - @@ -1192,6 +1192,8 @@ SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4) SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4) + qualified or the _f_q_d_n option is set) + %h expanded to the local host name without the domain name @@ -1244,8 +1246,6 @@ SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4) SSttrriinnggss tthhaatt ccaann bbee uusseedd iinn aa bboooolleeaann ccoonntteexxtt: - askpass The _a_s_k_p_a_s_s option specifies the fully qualified path to a - helper program used to read the user's password when no 
@@ -1258,6 +1258,8 @@ SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4) SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4) + askpass The _a_s_k_p_a_s_s option specifies the fully qualified path to a + helper program used to read the user's password when no terminal is available. This may be the case when ssuuddoo is executed from a graphical (as opposed to text-based) application. The program specified by _a_s_k_p_a_s_s should @@ -1310,8 +1312,6 @@ SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4) Negating the option results in a value of _n_e_v_e_r being used. The default value is _o_n_c_e. - lecture_file - Path to a file containing an alternate ssuuddoo lecture that @@ -1324,6 +1324,8 @@ SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4) SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4) + lecture_file + Path to a file containing an alternate ssuuddoo lecture that will be used in place of the standard lecture if the named file exists. By default, ssuuddoo uses a built-in lecture. @@ -1376,8 +1378,6 @@ SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4) option is not set by default. syslog Syslog facility if syslog is being used for logging (negate - to disable syslog logging). Defaults to local2. - @@ -1390,6 +1390,8 @@ SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4) SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4) + to disable syslog logging). Defaults to local2. + verifypw This option controls when a password will be required when a user runs ssuuddoo with the --vv option. It has the following possible values: @@ -1442,8 +1444,6 @@ SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4) any setuid process (such as ssuuddoo). env_keep Environment variables to be preserved in the user's - environment when the _e_n_v___r_e_s_e_t option is in effect. - This allows fine-grained control over the environment 
@@ -1456,6 +1456,8 @@ SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4) SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4) + environment when the _e_n_v___r_e_s_e_t option is in effect. + This allows fine-grained control over the environment ssuuddoo-spawned processes will receive. The argument may be a double-quoted, space-separated list or a single value without double-quotes. The list can be replaced, @@ -1508,8 +1510,6 @@ EEXXAAMMPPLLEESS # Host alias specification Host_Alias SPARC = bigtime, eclipse, moet, anchor :\ - SGI = grolsch, dandelion, black :\ - ALPHA = widget, thalamus, foobar :\ @@ -1522,6 +1522,8 @@ EEXXAAMMPPLLEESS SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4) + SGI = grolsch, dandelion, black :\ + ALPHA = widget, thalamus, foobar :\ HPPA = boa, nag, python Host_Alias CUNETS = 128.138.0.0/255.255.0.0 Host_Alias CSNETS = 128.138.243.0, 128.138.204.0/24, 128.138.242.0 @@ -1575,8 +1577,6 @@ SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4) Full time sysadmins (mmiilllleerrtt, mmiikkeeff, and ddoowwddyy) may run any command on any host without authenticating themselves. - PARTTIMERS ALL = ALL - 1.8.0b1 July 21, 2010 24 @@ -1588,6 +1588,8 @@ SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4) SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4) + PARTTIMERS ALL = ALL + Part time sysadmins (bboossttlleeyy, jjwwffooxx, and ccrraawwll) may run any command on any host but they must authenticate themselves first (since the entry lacks the NOPASSWD tag). @@ -1640,8 +1642,6 @@ SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4) +secretaries ALL = PRINTING, /usr/bin/adduser, /usr/bin/rmuser - Users in the sseeccrreettaarriieess netgroup need to help manage the printers as - well as add and remove users, so they are allowed to run those commands 
@@ -1654,6 +1654,8 @@ SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4) SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4) + Users in the sseeccrreettaarriieess netgroup need to help manage the printers as + well as add and remove users, so they are allowed to run those commands on all machines. fred ALL = (DB) NOPASSWD: ALL @@ -1707,8 +1709,6 @@ SSEECCUURRIITTYY NNOOTTEESS desired command to a different name and then executing that. For example: - bill ALL = ALL, !SU, !SHELLS - 1.8.0b1 July 21, 2010 26 @@ -1720,6 +1720,8 @@ SSEECCUURRIITTYY NNOOTTEESS SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4) + bill ALL = ALL, !SU, !SHELLS + Doesn't really prevent bbiillll from running the commands listed in _S_U or _S_H_E_L_L_S since he can simply copy those commands to a different name, or use a shell escape from an editor or other program. Therefore, these @@ -1773,8 +1775,6 @@ PPRREEVVEENNTTIINNGG SSHHEELLLL EESSCCAAPPEESS sudo -V | grep "dummy exec" - If the resulting output contains a line that begins with: - 1.8.0b1 July 21, 2010 27 @@ -1786,6 +1786,8 @@ PPRREEVVEENNTTIINNGG SSHHEELLLL EESSCCAAPPEESS SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4) + If the resulting output contains a line that begins with: + File containing dummy exec functions: then ssuuddoo may be able to replace the exec family of functions @@ -1839,8 +1841,6 @@ SSEECCUURRIITTYY NNOOTTEESS give away files if the time stamp directory is located in a world- writable directory. - On systems where the boot time is available, _s_u_d_o_e_r_s will ignore time - 1.8.0b1 July 21, 2010 28 @@ -1852,6 +1852,7 @@ SSEECCUURRIITTYY NNOOTTEESS SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4) + On systems where the boot time is available, _s_u_d_o_e_r_s will ignore time stamps that date from before the machine booted. Since time stamp files live in the file system, they can outlive a @@ -1908,7 +1909,6 @@ DDIISSCCLLAAIIMMEERR - 1.8.0b1 July 21, 2010 29 diff --git a/doc/sudoers.man.in b/doc/sudoers.man.in index 61469f04e..84aebfac3 100644 
--- a/doc/sudoers.man.in +++ b/doc/sudoers.man.in @@ -414,7 +414,11 @@ or \s-1CIDR\s0 notation (number of bits, e.g.\ 24 or 64). A host name may include shell-style wildcards (see the Wildcards section below), but unless the \f(CW\*(C`host name\*(C'\fR command on your machine returns the fully qualified host name, you'll need to use the \fIfqdn\fR option for -wildcards to be useful. +wildcards to be useful. Note \fBsudo\fR only inspects actual network +interfaces; this means that \s-1IP\s0 address 127.0.0.1 (localhost) will +never match. Also, the host name \*(L"localhost\*(R" will only match if +that is the actual host name, which is usually only the case for +non-networked systems. .PP .Vb 2 \& Cmnd_List ::= Cmnd | diff --git a/doc/sudoers.pod b/doc/sudoers.pod index da2561c1d..6e6ae1fc9 100644 --- a/doc/sudoers.pod +++ b/doc/sudoers.pod @@ -288,7 +288,11 @@ or CIDR notation (number of bits, e.g.E24 or 64). A host name may include shell-style wildcards (see the L section below), but unless the C command on your machine returns the fully qualified host name, you'll need to use the I option for -wildcards to be useful. +wildcards to be useful. Note B only inspects actual network +interfaces; this means that IP address 127.0.0.1 (localhost) will +never match. Also, the host name "localhost" will only match if +that is the actual host name, which is usually only the case for +non-networked systems. Cmnd_List ::= Cmnd | Cmnd ',' Cmnd_List
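Review bot: in the doc/sudoers.pod hunk, "only inspects actual network interfaces" is ambiguous, because the loopback interface is a real interface too; the sentence explains itself better if it says what it means, e.g. "Note that sudo only inspects non-loopback network interfaces; this means that IP address 127.0.0.1 (localhost) will never match." Since the same paragraph documents CIDR prefixes of 64 bits, the IPv6 loopback address deserves the same mention as 127.0.0.1 so readers do not assume it behaves differently. Also note that the formatting codes in this view render as bare letters ("Note B only inspects", "the I option"); the corresponding man.in line carries \fBsudo\fR, so the source presumably reads B<sudo>, but it is worth confirming in the committed .pod since it is the master copy for the other two files.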
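Review bot: the doc/sudoers.man.in hunk is the pod2man rendering of the .pod change (\s-1IP\s0 for small-caps IP, \*(L"localhost\*(R" for the quoted host name), so any wording fix agreed for the .pod paragraph, such as "non-loopback" or "Note that", must be made there and this file regenerated rather than edited by hand, or the three copies will drift apart.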
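Review bot: in doc/sudoers.cat only the first hunk (@@ -286,6 +286,10) changes content; every following hunk from @@ -318 through @@ -1908 is pagination reflow from the four added lines, with each removed block re-added verbatim after the next page header ("1.8.0b1 July 21, 2010 N" followed by "SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4)") and the DISCLAIMER hunk dropping a single blank line. That is expected for a preformatted nroff file (the doubled letters such as ssuuddoo are overstrike bold), but it buries the one-paragraph change; if project practice allows, regenerating sudoers.cat in a separate commit would keep the documentation change reviewable on its own.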