From: Todd C. Miller Date: Fri, 7 Aug 2015 23:00:42 +0000 (-0600) Subject: Add warning about writable directories and sudo/sudoedit. X-Git-Tag: SUDO_1_8_15^2~89 X-Git-Url: https://granicus.if.org/sourcecode?a=commitdiff_plain;h=c12dd68d1e16bd20b6ffdd469f73855381a85e3d;p=sudo Add warning about writable directories and sudo/sudoedit. --- diff --git a/doc/sudo.cat b/doc/sudo.cat index 36deb9930..e329e7925 100644 --- a/doc/sudo.cat +++ b/doc/sudo.cat @@ -433,6 +433,18 @@ SSEECCUURRIITTYY NNOOTTEESS environment variable is _n_o_t modified and is passed unchanged to the program that ssuuddoo executes. + Users should not be granted ssuuddoo privileges to execute files that are + writable by the user or that reside in a directory that is writable by + the user. If the user can modify or replace the command there is no way + to limit what additional commands they can run. Likewise, users should + not be granted ssuuddooeeddiitt permission to edit a file that resides in a + directory the user has write access to. A user with directory write + access could replace the legitimate file with a link to some other, + arbitrary, file. Starting with version 1.8.15, ssuuddooeeddiitt will refuse to + open a symbolic link unless the security policy explicitly permits it. + However, it is still possible to create a hard link if the directory is + writable and the link target resides on the same file system. + Please note that ssuuddoo will normally only log the command it explicitly runs. If a user runs a command such as sudo su or sudo sh, subsequent commands run from that shell are not subject to ssuuddoo's security policy. @@ -592,4 +604,4 @@ DDIISSCCLLAAIIMMEERR file distributed with ssuuddoo or http://www.sudo.ws/license.html for complete details. -Sudo 1.8.15 August 6, 2015 Sudo 1.8.15 +Sudo 1.8.15 August 7, 2015 Sudo 1.8.15 diff --git a/doc/sudo.man.in b/doc/sudo.man.in index 455e5148a..43e8a877c 100644 --- a/doc/sudo.man.in +++ b/doc/sudo.man.in 
@@ -21,7 +21,7 @@ .\" Agency (DARPA) and Air Force Research Laboratory, Air Force .\" Materiel Command, USAF, under agreement number F39502-99-1-0512. .\" -.TH "SUDO" "8" "August 6, 2015" "Sudo @PACKAGE_VERSION@" "System Manager's Manual" +.TH "SUDO" "8" "August 7, 2015" "Sudo @PACKAGE_VERSION@" "System Manager's Manual" .nh .if n .ad l .SH "NAME" @@ -869,6 +869,25 @@ modified and is passed unchanged to the program that \fBsudo\fR executes. .PP +Users should not be granted +\fBsudo\fR +privileges to execute files that are writable by the user or +that reside in a directory that is writable by the user. +If the user can modify or replace the command there is no way +to limit what additional commands they can run. +Likewise, users should not be granted +\fBsudoedit\fR +permission to edit a file that resides in a directory the user has +write access to. +A user with directory write access could replace the legitimate +file with a link to some other, arbitrary, file. +Starting with version 1.8.15, +\fBsudoedit\fR +will refuse to open a symbolic link unless the security policy +explicitly permits it. +However, it is still possible to create a hard link if the directory +is writable and the link target resides on the same file system. +.PP Please note that \fBsudo\fR will normally only log the command it explicitly runs. diff --git a/doc/sudo.mdoc.in b/doc/sudo.mdoc.in index 89ceee0d6..119fff913 100644 --- a/doc/sudo.mdoc.in +++ b/doc/sudo.mdoc.in @@ -19,7 +19,7 @@ .\" Agency (DARPA) and Air Force Research Laboratory, Air Force .\" Materiel Command, USAF, under agreement number F39502-99-1-0512. .\" -.Dd August 6, 2015 +.Dd August 7, 2015 .Dt SUDO @mansectsu@ .Os Sudo @PACKAGE_VERSION@ .Sh NAME 
@@ -804,6 +804,25 @@ modified and is passed unchanged to the program that .Nm executes. .Pp +Users should not be granted +.Nm +privileges to execute files that are writable by the user or +that reside in a directory that is writable by the user. +If the user can modify or replace the command there is no way +to limit what additional commands they can run. +Likewise, users should not be granted +.Nm sudoedit +permission to edit a file that resides in a directory the user has +write access to. +A user with directory write access could replace the legitimate +file with a link to some other, arbitrary, file. +Starting with version 1.8.15, +.Nm sudoedit +will refuse to open a symbolic link unless the security policy +explicitly permits it. +However, it is still possible to create a hard link if the directory +is writable and the link target resides on the same file system. +.Pp Please note that .Nm will normally only log the command it explicitly runs.
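Review bot: in the doc/sudo.cat hunk at @@ -433,6 +433,18 @@, the sentence "If the user can modify or replace the command there is no way to limit what additional commands they can run" needs a comma after "command", and "some other, arbitrary, file" reads better as "some other arbitrary file". The same wording is repeated in the sudo.man.in and sudo.mdoc.in hunks, so correct it once in the mdoc source and regenerate the other two files rather than patching each by hand.

Review bot: in the doc/sudo.man.in hunk at @@ -869,6 +869,25 @@, "will refuse to open a symbolic link unless the security policy explicitly permits it" gives an administrator nothing to look up; add a cross-reference to the sudoers(5) manual for the policy option that controls symlink following, since that is the file where the permission is granted. It would also help to state outright that this new refusal does not cover the hard-link case described in the next sentence, so readers do not read the 1.8.15 change as removing the need for the directory-permission advice.

Review bot: in the doc/sudo.mdoc.in hunk at @@ -804,6 +804,25 @@, the single .Pp block carries two distinct warnings, one about granting sudo on user-writable commands and one about sudoedit in user-writable directories; breaking it into two paragraphs at "Likewise, users should not be granted" would make each warning easier to find when scanning the SECURITY NOTES section.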