From: Todd C. Miller Date: Mon, 27 Sep 2004 18:06:26 +0000 (+0000) Subject: document tracing X-Git-Tag: SUDO_1_7_0~936 X-Git-Url: https://granicus.if.org/sourcecode?a=commitdiff_plain;h=d1f1af2bce31ed165fc47c28f341a36da52dddc0;p=sudo document tracing --- diff --git a/sudoers.pod b/sudoers.pod index 592b35c41..064edd704 100644 --- a/sudoers.pod +++ b/sudoers.pod @@ -458,6 +458,16 @@ tag has been set, unless overridden by a C tag. See the description of I below as well as the L section at the end of this manual. This flag is I by default. +=item trace + +If set, all commands run via sudo will behave as if the C +tag has been set, unless overridden by a C tag. See the +description of I below as well as the L section at the end of this manual. Be aware that +tracing is only supported on certain operating systems. On systems +where it is not supported this flag will have no effect. +This flag is I by default. + =item ignore_local_sudoers If set via LDAP, parsing of @sysconfdir@/sudoers will be skipped. @@ -790,7 +800,8 @@ B, and B. Runas_Spec ::= '(' Runas_List ')' - Tag_Spec ::= ('NOPASSWD:' | 'PASSWD:' | 'NOEXEC:' | 'EXEC:') + Tag_Spec ::= ('NOPASSWD:' | 'PASSWD:' | 'NOEXEC:' | 'EXEC:' | + 'TRACE' | 'NOTRACE') A B determines which commands a user may run (and as what user) on specified hosts. By default, commands are @@ -824,11 +835,12 @@ but F and F as B. =head2 Tag_Spec A command may have zero or more tags associated with it. There are -four possible tag values, C, C, C, C. +four possible tag values, C, C, C, C, +C and C. Once a tag is set on a C, subsequent Cs in the C, inherit the tag unless it is overridden by the -opposite tag (ie: C overrides C and C -overrides C). +opposite tag (ie: C overrides C and C +overrides C). =head3 NOPASSWD and PASSWD 
@@ -860,8 +872,8 @@ This behavior may be overridden via the verifypw and listpw options. =head3 NOEXEC and EXEC -If sudo has been compiled with I support and the underlying -operating system support it, the C tag can be used to prevent +If B has been compiled with I support and the underlying +operating system supports it, the C tag can be used to prevent a dynamically-linked executable from running further commands itself. In the following example, user B may run F @@ -870,7 +882,24 @@ and F but shell escapes will be disabled. aaron shanty = NOEXEC: /usr/bin/more, /usr/bin/vi See the L section below for more details -on how I works and whether or not it will work on your system. +on how C works and whether or not it will work on your system. + +=head3 TRACE and NOTRACE + +If B has been configured with the C<--with-systrace> option, +the C tag can be used to cause programs spawned by a command +to be checked against I and logged just like they would +be if run through B directly. This is useful in conjunction +with commands that allow shell escapes such as editors, shells and +paginators. + +In the following example, user B may run any command on the +machine research with tracing enabled. + + chuck research = TRACE: ALL + +See the L section below for more details +on how C works and whether or not it will work on your system. =head2 Wildcards 
@@ -1182,9 +1211,24 @@ advisory at best (and reinforced by policy). Once B executes a program, that program is free to do whatever it pleases, including run other programs. This can be a security issue since it is not uncommon for a program to allow shell escapes, -which lets a user bypass B's restrictions. Common programs -that permit shell escapes include shells (obviously), editors, -paginators, mail and terminal programs. +which lets a user bypass B's access control and logging. +Common programs that permit shell escapes include shells (obviously), +editors, paginators, mail and terminal programs. + +There are three basic approaches to this problem: + +=over 10 + +=item restrict + +Avoid giving users access to commands that allow the user to run +arbitrary commands. Many editors have a restricted mode where shell +escapes are disabled, though B is a better solution to +running editors via sudo. Due to the large number of programs that +offer shell escapes, restricting users to the set of programs that +do not if often unworkable. + +=item noexec Many systems that support shared libraries have the ability to override default library functions by pointing an environment 
@@ -1226,11 +1270,39 @@ executing other commands (such as a shell). If you are unsure whether or not your system is capable of supporting I you can always just try it out and see if it works. -Note that disabling shell escapes is not a panacea. Programs running -as root are still capable of many potentially hazardous operations -(such as changing or overwriting files) that could lead to unintended -privilege escalation. In the specific case of an editor, a safer -approach is to give the user permission to run B. +=item tracing + +On operating systems that support the B pseudo-device, +the C<--with-systrace> configure option can be used to compile +support for command tracing in B. With B support +B can transparently intercept a new command, allow or deny +it based on I, and log the result. This does require that +B become a daemon that persists until the command and all its +descendents have finished. + +To enable tracing on a per-command basis, use the C tag as +documented in the User Specification section above. Here is that +example again: + + chuck research = TRACE: ALL + +This allows user B to run any command on the machine research +with tracing enabled. Any commands run via shell escapes will be +logged by sudo. + +At the time of this writing the B pseudo-device comes +standard with OpenBSD and NetBSD and is available as patches to +FreeBSD, MacOS X and Linux. See L for +more information. + +=back + +Note that restricting shell escapes is not a panacea. Programs +running as root are still capable of many potentially hazardous +operations (such as changing or overwriting files) that could lead +to unintended privilege escalation. In the specific case of an +editor, a safer approach is to give the user permission to run +B. =head1 SEE ALSO
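Review bot: in the first hunk of sudoers.pod (the new `trace` flag at @@ -458), the description says only that "tracing is only supported on certain operating systems", but the TRACE and NOTRACE section added later in this same patch states that sudo must be configured with `--with-systrace` for it to work at all; mention the configure option here too, so a reader who only looks up the flag learns that it is a build-time dependency as well as an OS-support one.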
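Review bot: in the Tag_Spec grammar hunk (@@ -790), the added alternatives `'TRACE' | 'NOTRACE'` lack the trailing colon that every other tag in the production carries (`'NOPASSWD:' | 'PASSWD:' | 'NOEXEC:' | 'EXEC:'`), while the example added further down writes `chuck research = TRACE: ALL` with the colon; change the grammar to `'TRACE:' | 'NOTRACE:'` so it matches the syntax the examples use.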
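Review bot: in the Tag_Spec prose hunk (@@ -824), the sentence still begins "There are four possible tag values" although the list that follows now has six entries; update the count to "six".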
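Review bot: the new TRACE and NOTRACE section (@@ -870) says spawned programs are "checked against sudoers and logged just like they would be if run through sudo directly", but it does not say what happens when that check fails: whether the child is prevented from executing, what the parent program sees, and whether the denial is logged. Since that distinction is the whole point of the tag for an administrator relying on it, state the deny behaviour explicitly here rather than only in the SECURITY NOTES section.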
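Review bot: typo in the new `restrict` item (@@ -1182): "restricting users to the set of programs that do not if often unworkable" should read "is often unworkable".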
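Review bot: in the new `tracing` item (@@ -1226), "descendents" should be "descendants". The item is named `tracing` while its sibling is `noexec` and the flag added at the top of this patch is `trace`; naming the item `trace` keeps the three approaches aligned with their flag names. The paragraph also states that sudo must become a daemon that persists until the command and its descendants finish; it would help to document what happens if that daemon cannot attach or is terminated early, i.e. whether the command continues untraced or is stopped, since that determines whether the mechanism fails open or closed.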