From: Todd C. Miller Date: Mon, 19 Jul 2010 19:31:33 +0000 (-0400) Subject: Mention new handling of HOME in always_set_home and set_home descriptions. X-Git-Tag: SUDO_1_7_4~51 X-Git-Url: https://granicus.if.org/sourcecode?a=commitdiff_plain;h=e18b4d3b00c162d7d7e53de99db3f326a1adf63c;p=sudo Mention new handling of HOME in always_set_home and set_home descriptions. --HG-- branch : 1.7 --- diff --git a/sudoers.cat b/sudoers.cat index 09c675636..abe5a674d 100644 --- a/sudoers.cat +++ b/sudoers.cat @@ -600,11 +600,14 @@ SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4) BBoooolleeaann FFllaaggss: - always_set_home If set, ssuuddoo will set the HOME environment variable to - the home directory of the target user (which is root + always_set_home If enabled, ssuuddoo will set the HOME environment variable + to the home directory of the target user (which is root unless the --uu option is used). This effectively means - that the --HH option is always implied. This flag is _o_f_f - by default. + that the --HH option is always implied. Note that HOME + is already set when the the _e_n_v___r_e_s_e_t option is + enabled, so _a_l_w_a_y_s___s_e_t___h_o_m_e is only effective for + configurations where _e_n_v___r_e_s_e_t is disabled. This flag + is _o_f_f by default. authenticate If set, users must authenticate themselves via a password (or other means of authentication) before they @@ -649,9 +652,6 @@ SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4) long time to complete for some patterns, especially when the pattern references a network file system that is mounted on demand (automounted). The _f_a_s_t___g_l_o_b - option causes ssuuddoo to use the _f_n_m_a_t_c_h(3) function, - which does not access the file system to do its - matching. The disadvantage of _f_a_s_t___g_l_o_b is that it is @@ -664,6 +664,9 @@ SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4) SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4) + option causes ssuuddoo to use the _f_n_m_a_t_c_h(3) function, + which does not access the file system to do its + matching. The disadvantage of _f_a_s_t___g_l_o_b is that it is unable to match relative path names such as _._/_l_s or _._._/_b_i_n_/_l_s. This has security implications when path names that include globbing characters are used with @@ -715,9 +718,6 @@ SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4) log_year If set, the four-digit year will be logged in the (non- syslog) ssuuddoo log file. This flag is _o_f_f by default. - long_otp_prompt When validating with a One Time Password (OPT) scheme - such as SS//KKeeyy or OOPPIIEE, a two-line prompt is used to - make it easier to cut and paste the challenge to a @@ -730,6 +730,9 @@ SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4) SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4) + long_otp_prompt When validating with a One Time Password (OPT) scheme + such as SS//KKeeyy or OOPPIIEE, a two-line prompt is used to + make it easier to cut and paste the challenge to a local window. It's not as pretty as the default but some people find it more convenient. This flag is _o_f_f by default. @@ -781,9 +784,6 @@ SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4) preserve_groups By default, ssuuddoo will initialize the group vector to the list of groups the target user is in. When - _p_r_e_s_e_r_v_e___g_r_o_u_p_s is set, the user's existing group - vector is left unaltered. The real and effective group - IDs, however, are still set to match the target user. @@ -796,6 +796,9 @@ SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4) SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4) + _p_r_e_s_e_r_v_e___g_r_o_u_p_s is set, the user's existing group + vector is left unaltered. The real and effective group + IDs, however, are still set to match the target user. This flag is _o_f_f by default. pwfeedback By default, ssuuddoo reads the password like most other @@ -832,11 +835,14 @@ SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4) instead of the password of the invoking user. This flag is _o_f_f by default. - set_home If set and ssuuddoo is invoked with the --ss option the HOME - environment variable will be set to the home directory - of the target user (which is root unless the --uu option - is used). This effectively makes the --ss option imply - --HH. This flag is _o_f_f by default. + set_home If enabled and ssuuddoo is invoked with the --ss option the + HOME environment variable will be set to the home + directory of the target user (which is root unless the + --uu option is used). This effectively makes the --ss + option imply --HH. Note that HOME is already set when + the the _e_n_v___r_e_s_e_t option is enabled, so _s_e_t___h_o_m_e is + only effective for configurations where _e_n_v___r_e_s_e_t is + disabled. This flag is _o_f_f by default. set_logname Normally, ssuuddoo will set the LOGNAME, USER and USERNAME environment variables to the name of the target user @@ -844,12 +850,6 @@ SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4) since some programs (including the RCS revision control system) use LOGNAME to determine the real identity of the user, it may be desirable to change this behavior. - This can be done by negating the set_logname option. - Note that if the _e_n_v___r_e_s_e_t option has not been - disabled, entries in the _e_n_v___k_e_e_p list will override - the value of _s_e_t___l_o_g_n_a_m_e. This flag is _o_n by default. - - setenv Allow the user to disable the _e_n_v___r_e_s_e_t option from the @@ -862,6 +862,12 @@ SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4) SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4) + This can be done by negating the set_logname option. + Note that if the _e_n_v___r_e_s_e_t option has not been + disabled, entries in the _e_n_v___k_e_e_p list will override + the value of _s_e_t___l_o_g_n_a_m_e. This flag is _o_n by default. + + setenv Allow the user to disable the _e_n_v___r_e_s_e_t option from the command line. Additionally, environment variables set via the command line are not subject to the restrictions imposed by _e_n_v___c_h_e_c_k, _e_n_v___d_e_l_e_t_e, or @@ -910,12 +916,6 @@ SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4) the _s_c_r_i_p_t(1) command. If the standard output or standard error is not connected to the user's tty, due to I/O redirection or because the command is part of a - pipeline, that output is also captured and stored in - separate log files. - - Output is logged to the _/_v_a_r_/_l_o_g_/_s_u_d_o_-_i_o directory - using a unique session ID that is included in the - normal ssuuddoo log line, prefixed with _T_S_I_D_=. @@ -928,6 +928,13 @@ SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4) SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4) + pipeline, that output is also captured and stored in + separate log files. + + Output is logged to the _/_v_a_r_/_l_o_g_/_s_u_d_o_-_i_o directory + using a unique session ID that is included in the + normal ssuuddoo log line, prefixed with _T_S_I_D_=. + Output logs may be viewed with the _s_u_d_o_r_e_p_l_a_y(1m) utility, which can also be used to list or search the available logs. @@ -976,13 +983,6 @@ SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4) file descriptor at which to start closing. The default is 3. - passwd_tries The number of tries a user gets to enter his/her - password before ssuuddoo logs the failure and exits. The - default is 3. - - IInntteeggeerrss tthhaatt ccaann bbee uusseedd iinn aa bboooolleeaann ccoonntteexxtt: - - 1.7.4 July 19, 2010 15 @@ -994,6 +994,12 @@ SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4) SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4) + passwd_tries The number of tries a user gets to enter his/her + password before ssuuddoo logs the failure and exits. The + default is 3. + + IInntteeggeerrss tthhaatt ccaann bbee uusseedd iinn aa bboooolleeaann ccoonntteexxtt: + loglinelen Number of characters per line for the file log. This value is used to decide when to wrap lines for nicer log files. This has no effect on the syslog log file, @@ -1042,12 +1048,6 @@ SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4) Default is *** SECURITY information for %h ***. noexec_file Path to a shared library containing dummy versions of - the _e_x_e_c_v_(_), _e_x_e_c_v_e_(_) and _f_e_x_e_c_v_e_(_) library functions - that just return an error. This is used to implement - the _n_o_e_x_e_c functionality on systems that support - LD_PRELOAD or its equivalent. Defaults to - _/_u_s_r_/_l_o_c_a_l_/_l_i_b_e_x_e_c_/_s_u_d_o___n_o_e_x_e_c_._s_o. - @@ -1060,6 +1060,12 @@ SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4) SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4) + the _e_x_e_c_v_(_), _e_x_e_c_v_e_(_) and _f_e_x_e_c_v_e_(_) library functions + that just return an error. This is used to implement + the _n_o_e_x_e_c functionality on systems that support + LD_PRELOAD or its equivalent. Defaults to + _/_u_s_r_/_l_o_c_a_l_/_l_i_b_e_x_e_c_/_s_u_d_o___n_o_e_x_e_c_._s_o. + passprompt The default prompt to use when asking for a password; can be overridden via the --pp option or the SUDO_PROMPT environment variable. The following percent (`%') @@ -1108,12 +1114,6 @@ SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4) interpreted. Defaults to "C". timestampdir The directory in which ssuuddoo stores its timestamp files. - The default is _/_v_a_r_/_a_d_m_/_s_u_d_o. - - timestampowner The owner of the timestamp directory and the timestamps - stored therein. The default is root. - - type The default SELinux type to use when constructing a new @@ -1126,6 +1126,12 @@ SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4) SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4) + The default is _/_v_a_r_/_a_d_m_/_s_u_d_o. + + timestampowner The owner of the timestamp directory and the timestamps + stored therein. The default is root. + + type The default SELinux type to use when constructing a new security context to run the command. The default type may be overridden on a per-command basis in _s_u_d_o_e_r_s or via command line options. This option is only @@ -1174,12 +1180,6 @@ SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4) will be used in place of the standard lecture if the named file exists. By default, ssuuddoo uses a built-in lecture. - listpw This option controls when a password will be required when - a user runs ssuuddoo with the --ll option. It has the following - possible values: - - all All the user's _s_u_d_o_e_r_s entries for the current host - must have the NOPASSWD flag set to avoid entering a @@ -1192,6 +1192,12 @@ SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4) SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4) + listpw This option controls when a password will be required when + a user runs ssuuddoo with the --ll option. It has the following + possible values: + + all All the user's _s_u_d_o_e_r_s entries for the current host + must have the NOPASSWD flag set to avoid entering a password. always The user must always enter a password to use the --ll @@ -1241,12 +1247,6 @@ SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4) a user runs ssuuddoo with the --vv option. It has the following possible values: - all All the user's _s_u_d_o_e_r_s entries for the current host - must have the NOPASSWD flag set to avoid entering a - password. - - always The user must always enter a password to use the --vv - 1.7.4 July 19, 2010 19 @@ -1258,6 +1258,11 @@ SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4) SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4) + all All the user's _s_u_d_o_e_r_s entries for the current host + must have the NOPASSWD flag set to avoid entering a + password. + + always The user must always enter a password to use the --vv option. any At least one of the user's _s_u_d_o_e_r_s entries for the @@ -1307,11 +1312,6 @@ SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4) be a double-quoted, space-separated list or a single value without double-quotes. The list can be replaced, added to, deleted from, or disabled by using the =, +=, - -=, and ! operators respectively. The default list of - variables to keep is displayed when ssuuddoo is run by root - with the _-_V option. - - When logging via _s_y_s_l_o_g(3), ssuuddoo accepts the following values for the @@ -1324,6 +1324,11 @@ SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4) SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4) + -=, and ! operators respectively. The default list of + variables to keep is displayed when ssuuddoo is run by root + with the _-_V option. + + When logging via _s_y_s_l_o_g(3), ssuuddoo accepts the following values for the syslog facility (the value of the ssyysslloogg Parameter): aauutthhpprriivv (if your OS supports it), aauutthh, ddaaeemmoonn, uusseerr, llooccaall00, llooccaall11, llooccaall22, llooccaall33, llooccaall44, llooccaall55, llooccaall66, and llooccaall77. The following syslog priorities @@ -1373,11 +1378,6 @@ EEXXAAMMPPLLEESS Cmnd_Alias DUMPS = /usr/bin/mt, /usr/sbin/dump, /usr/sbin/rdump,\ /usr/sbin/restore, /usr/sbin/rrestore Cmnd_Alias KILL = /usr/bin/kill - Cmnd_Alias PRINTING = /usr/sbin/lpc, /usr/bin/lprm - Cmnd_Alias SHUTDOWN = /usr/sbin/shutdown - Cmnd_Alias HALT = /usr/sbin/halt - Cmnd_Alias REBOOT = /usr/sbin/reboot - Cmnd_Alias SHELLS = /usr/bin/sh, /usr/bin/csh, /usr/bin/ksh, \ @@ -1390,6 +1390,11 @@ EEXXAAMMPPLLEESS SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4) + Cmnd_Alias PRINTING = /usr/sbin/lpc, /usr/bin/lprm + Cmnd_Alias SHUTDOWN = /usr/sbin/shutdown + Cmnd_Alias HALT = /usr/sbin/halt + Cmnd_Alias REBOOT = /usr/sbin/reboot + Cmnd_Alias SHELLS = /usr/bin/sh, /usr/bin/csh, /usr/bin/ksh, \ /usr/local/bin/tcsh, /usr/bin/rsh, \ /usr/local/bin/zsh Cmnd_Alias SU = /usr/bin/su @@ -1439,11 +1444,6 @@ SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4) The user jjaacckk may run any command on the machines in the _C_S_N_E_T_S alias (the networks 128.138.243.0, 128.138.204.0, and 128.138.242.0). Of those networks, only 128.138.204.0 has an explicit netmask (in CIDR - notation) indicating it is a class C network. For the other networks - in _C_S_N_E_T_S, the local machine's netmask will be used during matching. - - lisa CUNETS = ALL - @@ -1456,6 +1456,11 @@ SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4) SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4) + notation) indicating it is a class C network. For the other networks + in _C_S_N_E_T_S, the local machine's netmask will be used during matching. + + lisa CUNETS = ALL + The user lliissaa may run any command on any host in the _C_U_N_E_T_S alias (the class B network 128.138.0.0). @@ -1505,11 +1510,6 @@ SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4) john ALPHA = /usr/bin/su [!-]*, !/usr/bin/su *root* - On the _A_L_P_H_A machines, user jjoohhnn may su to anyone except root but he is - not allowed to specify any options to the _s_u(1) command. - - jen ALL, !SERVERS = ALL - @@ -1522,6 +1522,11 @@ SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4) SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4) + On the _A_L_P_H_A machines, user jjoohhnn may su to anyone except root but he is + not allowed to specify any options to the _s_u(1) command. + + jen ALL, !SERVERS = ALL + The user jjeenn may run any command on any machine except for those in the _S_E_R_V_E_R_S Host_Alias (master, mail, www and ns). @@ -1571,11 +1576,6 @@ SSEECCUURRIITTYY NNOOTTEESS Furthermore, if the _f_a_s_t___g_l_o_b option is in use, it is not possible to reliably negate commands where the path name includes globbing (aka - wildcard) characters. This is because the C library's _f_n_m_a_t_c_h(3) - function cannot resolve relative paths. While this is typically only - an inconvenience for rules that grant privileges, it can result in a - security issue for rules that subtract or revoke privileges. - @@ -1588,6 +1588,11 @@ SSEECCUURRIITTYY NNOOTTEESS SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4) + wildcard) characters. This is because the C library's _f_n_m_a_t_c_h(3) + function cannot resolve relative paths. While this is typically only + an inconvenience for rules that grant privileges, it can result in a + security issue for rules that subtract or revoke privileges. + For example, given the following _s_u_d_o_e_r_s entry: john ALL = /usr/bin/passwd [a-zA-Z0-9]*, /usr/bin/chsh [a-zA-Z0-9]*, @@ -1637,11 +1642,6 @@ PPRREEVVEENNTTIINNGG SSHHEELLLL EESSCCAAPPEESS error. Unfortunately, there is no foolproof way to know whether or not _n_o_e_x_e_c will work at compile-time. _n_o_e_x_e_c should work on SunOS, Solaris, *BSD, Linux, IRIX, Tru64 UNIX, - MacOS X, and HP-UX 11.x. It is known nnoott to work on AIX and - UnixWare. _n_o_e_x_e_c is expected to work on most operating - systems that support the LD_PRELOAD environment variable. - Check your operating system's manual pages for the dynamic - linker (usually ld.so, ld.so.1, dyld, dld.sl, rld, or loader) @@ -1654,6 +1654,11 @@ PPRREEVVEENNTTIINNGG SSHHEELLLL EESSCCAAPPEESS SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4) + MacOS X, and HP-UX 11.x. It is known nnoott to work on AIX and + UnixWare. _n_o_e_x_e_c is expected to work on most operating + systems that support the LD_PRELOAD environment variable. + Check your operating system's manual pages for the dynamic + linker (usually ld.so, ld.so.1, dyld, dld.sl, rld, or loader) to see if LD_PRELOAD is supported. To enable _n_o_e_x_e_c for a command, use the NOEXEC tag as @@ -1706,11 +1711,6 @@ DDIISSCCLLAAIIMMEERR - - - - - 1.7.4 July 19, 2010 26 diff --git a/sudoers.man.in b/sudoers.man.in index cfebf3d06..93724ad53 100644 --- a/sudoers.man.in +++ b/sudoers.man.in @@ -731,9 +731,12 @@ grouped by type, are listed below. \&\fBBoolean Flags\fR: .IP "always_set_home" 16 .IX Item "always_set_home" -If set, \fBsudo\fR will set the \f(CW\*(C`HOME\*(C'\fR environment variable to the home -directory of the target user (which is root unless the \fB\-u\fR option is used). -This effectively means that the \fB\-H\fR option is always implied. +If enabled, \fBsudo\fR will set the \f(CW\*(C`HOME\*(C'\fR environment variable to the +home directory of the target user (which is root unless the \fB\-u\fR +option is used). This effectively means that the \fB\-H\fR option is +always implied. Note that \f(CW\*(C`HOME\*(C'\fR is already set when the the +\&\fIenv_reset\fR option is enabled, so \fIalways_set_home\fR is only +effective for configurations where \fIenv_reset\fR is disabled. This flag is \fIoff\fR by default. .IP "authenticate" 16 .IX Item "authenticate" @@ -924,10 +927,13 @@ If set, \fBsudo\fR will prompt for the password of the user defined by the password of the invoking user. This flag is \fIoff\fR by default. .IP "set_home" 16 .IX Item "set_home" -If set and \fBsudo\fR is invoked with the \fB\-s\fR option the \f(CW\*(C`HOME\*(C'\fR +If enabled and \fBsudo\fR is invoked with the \fB\-s\fR option the \f(CW\*(C`HOME\*(C'\fR environment variable will be set to the home directory of the target user (which is root unless the \fB\-u\fR option is used). This effectively -makes the \fB\-s\fR option imply \fB\-H\fR. This flag is \fIoff\fR by default. +makes the \fB\-s\fR option imply \fB\-H\fR. Note that \f(CW\*(C`HOME\*(C'\fR is already +set when the the \fIenv_reset\fR option is enabled, so \fIset_home\fR is +only effective for configurations where \fIenv_reset\fR is disabled. +This flag is \fIoff\fR by default. .IP "set_logname" 16 .IX Item "set_logname" Normally, \fBsudo\fR will set the \f(CW\*(C`LOGNAME\*(C'\fR, \f(CW\*(C`USER\*(C'\fR and \f(CW\*(C`USERNAME\*(C'\fR diff --git a/sudoers.pod b/sudoers.pod index 241903b01..a8c63a0e5 100644 --- a/sudoers.pod +++ b/sudoers.pod @@ -589,9 +589,12 @@ B: =item always_set_home -If set, B will set the C environment variable to the home -directory of the target user (which is root unless the B<-u> option is used). -This effectively means that the B<-H> option is always implied. +If enabled, B will set the C environment variable to the +home directory of the target user (which is root unless the B<-u> +option is used). This effectively means that the B<-H> option is +always implied. Note that C is already set when the the +I option is enabled, so I is only +effective for configurations where I is disabled. This flag is I by default. =item authenticate @@ -810,10 +813,13 @@ password of the invoking user. This flag is I by default. =item set_home -If set and B is invoked with the B<-s> option the C +If enabled and B is invoked with the B<-s> option the C environment variable will be set to the home directory of the target user (which is root unless the B<-u> option is used). This effectively -makes the B<-s> option imply B<-H>. This flag is I by default. +makes the B<-s> option imply B<-H>. Note that C is already +set when the the I option is enabled, so I is +only effective for configurations where I is disabled. +This flag is I by default. =item set_logname