From: Todd C. Miller Date: Wed, 13 Oct 2004 16:52:51 +0000 (+0000) Subject: stay_setuid now requires set_reuid() or setresuid() X-Git-Tag: SUDO_1_7_0~880 X-Git-Url: https://granicus.if.org/sourcecode?a=commitdiff_plain;h=e455f848a929180bb88415b922ce3fc3a5ee90f1;p=sudo stay_setuid now requires set_reuid() or setresuid() --- diff --git a/sudoers.cat b/sudoers.cat index c1eaedd79..321f3051e 100644 --- a/sudoers.cat +++ b/sudoers.cat @@ -61,7 +61,7 @@ DDEESSCCRRIIPPTTIIOONN -1.6.9 October 7, 2004 1 +1.6.9 October 13, 2004 1 @@ -127,7 +127,7 @@ SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4) -1.6.9 October 7, 2004 2 +1.6.9 October 13, 2004 2 @@ -193,7 +193,7 @@ SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4) -1.6.9 October 7, 2004 3 +1.6.9 October 13, 2004 3 @@ -259,7 +259,7 @@ SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4) -1.6.9 October 7, 2004 4 +1.6.9 October 13, 2004 4 @@ -325,7 +325,7 @@ SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4) -1.6.9 October 7, 2004 5 +1.6.9 October 13, 2004 5 @@ -391,7 +391,7 @@ SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4) -1.6.9 October 7, 2004 6 +1.6.9 October 13, 2004 6 @@ -457,7 +457,7 @@ SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4) -1.6.9 October 7, 2004 7 +1.6.9 October 13, 2004 7 @@ -502,12 +502,9 @@ SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4) this makes ssuuddoo act as a setuid wrapper. This can be useful on systems that disable some potentially dangerous functionality when a - program is run setuid. Note, however, that - this means that ssuuddoo will run with the real - uid of the invoking user which may allow that - user to kill ssuuddoo before it can log a failure, - depending on how your OS defines the interac­ - tion between signals and setuid processes. + program is run setuid. This option is only + effective on systems with either the + _s_e_t_r_e_u_i_d_(_) or _s_e_t_r_e_s_u_i_d_(_) function. env_reset If set, ssuuddoo will reset the environment to only contain the following variables: HOME, 
@@ -520,19 +517,20 @@ SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4) with the SECURE_PATH option, its value will be used for the PATH environment variable. Other variables may be preserved with the _e_n_v___k_e_e_p + option. -1.6.9 October 7, 2004 8 +1.6.9 October 13, 2004 8 -SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4) - option. +SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4) + use_loginclass If set, ssuuddoo will apply the defaults specified @@ -586,10 +584,12 @@ SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4) loglinelen Number of characters per line for the file log. This value is used to decide when to wrap lines for nicer log files. This has no + effect on the syslog log file, only the file + log. The default is 80 (use 0 or negate the -1.6.9 October 7, 2004 9 +1.6.9 October 13, 2004 9 @@ -598,8 +598,6 @@ SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4) SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4) - effect on the syslog log file, only the file - log. The default is 80 (use 0 or negate the option to disable word wrap). timestamp_timeout @@ -652,19 +650,19 @@ SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4) %U expanded to the login name of the user the command will be run as (defaults + to root) -1.6.9 October 7, 2004 10 +1.6.9 October 13, 2004 10 -SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4) +SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4) - to root) %h expanded to the local hostname without the domain name @@ -718,10 +716,12 @@ SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4) never Never lecture the user. + once Only lecture the user the first time + they run ssuuddoo. -1.6.9 October 7, 2004 11 +1.6.9 October 13, 2004 11 @@ -730,9 +730,6 @@ SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4) SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4) - once Only lecture the user the first time - they run ssuuddoo. - always Always lecture the user. The default value is _o_n_c_e. 
@@ -784,21 +781,20 @@ SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4) to use the --vv flag. always The user must always enter a password + to use the --vv flag. + The default value is `all'. -1.6.9 October 7, 2004 12 - +1.6.9 October 13, 2004 12 -SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4) - to use the --vv flag. +SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4) - The default value is `all'. listpw This option controls when a password will be required when a user runs ssuuddoo with the --ll @@ -850,10 +846,14 @@ SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4) dangerous variables from the environment of any setuid process (such as ssuuddoo). + env_keep Environment variables to be preserved in the + user's environment when the _e_n_v___r_e_s_e_t option + is in effect. This allows fine-grained con­ + trol over the environment ssuuddoo-spawned -1.6.9 October 7, 2004 13 +1.6.9 October 13, 2004 13 @@ -862,11 +862,7 @@ SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4) SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4) - env_keep Environment variables to be preserved in the - user's environment when the _e_n_v___r_e_s_e_t option - is in effect. This allows fine-grained con­ - trol over the environment ssuuddoo-spawned pro­ - cesses will receive. The argument may be a + processes will receive. The argument may be a double-quoted, space-separated list or a sin­ gle value without double-quotes. The list can be replaced, added to, deleted from, or dis­ 
@@ -916,21 +912,21 @@ SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4) dgb boulder = (operator) /bin/ls, /bin/kill, /usr/bin/lprm The user ddggbb may run _/_b_i_n_/_l_s, _/_b_i_n_/_k_i_l_l, and _/_u_s_r_/_b_i_n_/_l_p_r_m + -- but only as ooppeerraattoorr. E.g., + $ sudo -u operator /bin/ls. -1.6.9 October 7, 2004 14 +1.6.9 October 13, 2004 14 -SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4) - -- but only as ooppeerraattoorr. E.g., +SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4) - $ sudo -u operator /bin/ls. It is also possible to override a Runas_Spec later on in an entry. If we modify the entry like so: @@ -982,10 +978,14 @@ SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4) _N_O_E_X_E_C _a_n_d _E_X_E_C + If ssuuddoo has been compiled with _n_o_e_x_e_c support and the + underlying operating system supports it, the NOEXEC tag + can be used to prevent a dynamically-linked executable + from running further commands itself. -1.6.9 October 7, 2004 15 +1.6.9 October 13, 2004 15 @@ -994,11 +994,6 @@ SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4) SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4) - If ssuuddoo has been compiled with _n_o_e_x_e_c support and the - underlying operating system supports it, the NOEXEC tag - can be used to prevent a dynamically-linked executable - from running further commands itself. - In the following example, user aaaarroonn may run _/_u_s_r_/_b_i_n_/_m_o_r_e and _/_u_s_r_/_b_i_n_/_v_i but shell escapes will be disabled. 
@@ -1048,23 +1043,22 @@ SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4) "?", "[", and "}". Note that a forward slash ('/') will nnoott be matched by + wildcards used in the pathname. When matching the command + line arguments, however, a slash ddooeess get matched by wild­ + cards. This is to make a path like: + /usr/bin/* -1.6.9 October 7, 2004 16 - +1.6.9 October 13, 2004 16 -SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4) - wildcards used in the pathname. When matching the command - line arguments, however, a slash ddooeess get matched by wild­ - cards. This is to make a path like: +SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4) - /usr/bin/* match _/_u_s_r_/_b_i_n_/_w_h_o but not _/_u_s_r_/_b_i_n_/_X_1_1_/_x_t_e_r_m. @@ -1114,10 +1108,16 @@ SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4) _a_l_i_a_s called AALLLL as the built-in alias will be used in preference to your own. Please note that using AALLLL can be dangerous since in a command context, it allows the user + to run aannyy command on the system. + + An exclamation point ('!') can be used as a logical _n_o_t + operator both in an _a_l_i_a_s and in front of a Cmnd. This + allows one to exclude certain values. Note, however, that + using a ! in conjunction with the built-in ALL alias to -1.6.9 October 7, 2004 17 +1.6.9 October 13, 2004 17 @@ -1126,12 +1126,6 @@ SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4) SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4) - to run aannyy command on the system. - - An exclamation point ('!') can be used as a logical _n_o_t - operator both in an _a_l_i_a_s and in front of a Cmnd. This - allows one to exclude certain values. Note, however, that - using a ! in conjunction with the built-in ALL alias to allow a user to run "all but a few" commands rarely works as intended (see SECURITY NOTES below). 
@@ -1172,6 +1166,15 @@ EEXXAAMMPPLLEESS Runas_Alias OP = root, operator Runas_Alias DB = oracle, sybase + # Host alias specification + Host_Alias SPARC = bigtime, eclipse, moet, anchor :\ + SGI = grolsch, dandelion, black :\ + ALPHA = widget, thalamus, foobar :\ + HPPA = boa, nag, python + Host_Alias CUNETS = 128.138.0.0/255.255.0.0 + Host_Alias CSNETS = 128.138.243.0, 128.138.204.0/24, 128.138.242.0 + Host_Alias SERVERS = master, mail, www, ns + Host_Alias CDROM = orion, perseus, hercules @@ -1180,10 +1183,7 @@ EEXXAAMMPPLLEESS - - - -1.6.9 October 7, 2004 18 +1.6.9 October 13, 2004 18 @@ -1192,16 +1192,6 @@ EEXXAAMMPPLLEESS SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4) - # Host alias specification - Host_Alias SPARC = bigtime, eclipse, moet, anchor :\ - SGI = grolsch, dandelion, black :\ - ALPHA = widget, thalamus, foobar :\ - HPPA = boa, nag, python - Host_Alias CUNETS = 128.138.0.0/255.255.0.0 - Host_Alias CSNETS = 128.138.243.0, 128.138.204.0/24, 128.138.242.0 - Host_Alias SERVERS = master, mail, www, ns - Host_Alias CDROM = orion, perseus, hercules - # Cmnd alias specification Cmnd_Alias DUMPS = /usr/bin/mt, /usr/sbin/dump, /usr/sbin/rdump,\ /usr/sbin/restore, /usr/sbin/rrestore 
@@ -1247,26 +1237,27 @@ SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4) Full time sysadmins (mmiilllleerrtt, mmiikkeeff, and ddoowwddyy) may run any command on any host without authenticating themselves. + PARTTIMERS ALL = ALL + Part time sysadmins (bboossttlleeyy, jjwwffooxx, and ccrraawwll) may run + any command on any host but they must authenticate them­ + selves first (since the entry lacks the NOPASSWD tag). -1.6.9 October 7, 2004 19 + jack CSNETS = ALL + The user jjaacckk may run any command on the machines in the +1.6.9 October 13, 2004 19 -SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4) - PARTTIMERS ALL = ALL - Part time sysadmins (bboossttlleeyy, jjwwffooxx, and ccrraawwll) may run - any command on any host but they must authenticate them­ - selves first (since the entry lacks the NOPASSWD tag). - jack CSNETS = ALL +SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4) + - The user jjaacckk may run any command on the machines in the _C_S_N_E_T_S alias (the networks 128.138.243.0, 128.138.204.0, and 128.138.242.0). Of those networks, only 128.138.204.0 has an explicit netmask (in CIDR notation) indicating it 
@@ -1312,27 +1303,26 @@ SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4) +secretaries ALL = PRINTING, /usr/bin/adduser, /usr/bin/rmuser Users in the sseeccrreettaarriieess netgroup need to help manage the + printers as well as add and remove users, so they are + allowed to run those commands on all machines. + fred ALL = (DB) NOPASSWD: ALL + The user ffrreedd can run commands as any user in the _D_B + Runas_Alias (oorraaccllee or ssyybbaassee) without giving a password. -1.6.9 October 7, 2004 20 - + john ALPHA = /usr/bin/su [!-]*, !/usr/bin/su *root* +1.6.9 October 13, 2004 20 -SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4) - printers as well as add and remove users, so they are - allowed to run those commands on all machines. - fred ALL = (DB) NOPASSWD: ALL - The user ffrreedd can run commands as any user in the _D_B - Runas_Alias (oorraaccllee or ssyybbaassee) without giving a password. +SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4) - john ALPHA = /usr/bin/su [!-]*, !/usr/bin/su *root* On the _A_L_P_H_A machines, user jjoohhnn may su to anyone except root but he is not allowed to give _s_u(1) any flags. 
@@ -1378,28 +1368,27 @@ SSEECCUURRIITTYY NNOOTTEESS It is generally not effective to "subtract" commands from ALL using the '!' operator. A user can trivially circum­ vent this by copying the desired command to a different + name and then executing that. For example: + bill ALL = ALL, !SU, !SHELLS - -1.6.9 October 7, 2004 21 + Doesn't really prevent bbiillll from running the commands + listed in _S_U or _S_H_E_L_L_S since he can simply copy those com­ + mands to a different name, or use a shell escape from an + editor or other program. Therefore, these kind of + restrictions should be considered advisory at best (and + reinforced by policy). +1.6.9 October 13, 2004 21 -SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4) - name and then executing that. For example: - bill ALL = ALL, !SU, !SHELLS +SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4) - Doesn't really prevent bbiillll from running the commands - listed in _S_U or _S_H_E_L_L_S since he can simply copy those com­ - mands to a different name, or use a shell escape from an - editor or other program. Therefore, these kind of - restrictions should be considered advisory at best (and - reinforced by policy). PPRREEVVEENNTTIINNGG SSHHEELLLL EESSCCAAPPEESS Once ssuuddoo executes a program, that program is free to do @@ -1444,18 +1433,6 @@ PPRREEVVEENNTTIINNGG SSHHEELLLL EESSCCAAPPEESS File containing dummy exec functions: then ssuuddoo may be able to replace the exec family - - - -1.6.9 October 7, 2004 22 - - - - - -SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4) - - of functions in the standard library with its own that simply return an error. Unfortunately, there is no foolproof way to know whether or not 
@@ -1467,6 +1444,18 @@ SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4) the LD_PRELOAD environment variable. Check your operating system's manual pages for the dynamic linker (usually ld.so, ld.so.1, dyld, dld.sl, + + + +1.6.9 October 13, 2004 22 + + + + + +SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4) + + rld, or loader) to see if LD_PRELOAD is sup­ ported. @@ -1511,26 +1500,27 @@ SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4) and Linux. See for more information. + Note that restricting shell escapes is not a panacea. + Programs running as root are still capable of many poten­ + tially hazardous operations (such as changing or overwrit­ + ing files) that could lead to unintended privilege escala­ + tion. In the specific case of an editor, a safer approach + is to give the user permission to run ssuuddooeeddiitt. +SSEEEE AALLSSOO + _r_s_h(1), _s_u(1), _f_n_m_a_t_c_h(3), sudo(1m), visudo(1m) -1.6.9 October 7, 2004 23 +1.6.9 October 13, 2004 23 -SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4) - Note that restricting shell escapes is not a panacea. - Programs running as root are still capable of many poten­ - tially hazardous operations (such as changing or overwrit­ - ing files) that could lead to unintended privilege escala­ - tion. In the specific case of an editor, a safer approach - is to give the user permission to run ssuuddooeeddiitt. -SSEEEE AALLSSOO - _r_s_h(1), _s_u(1), _f_n_m_a_t_c_h(3), sudo(1m), visudo(1m) +SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4) + CCAAVVEEAATTSS The _s_u_d_o_e_r_s file should aallwwaayyss be edited by the vviissuuddoo @@ -1579,6 +1569,16 @@ DDIISSCCLLAAIIMMEERR -1.6.9 October 7, 2004 24 + + + + + + + + + + +1.6.9 October 13, 2004 24 diff --git a/sudoers.man.in b/sudoers.man.in index d0f7d6373..3f96a660f 100644 --- a/sudoers.man.in +++ b/sudoers.man.in 
@@ -149,7 +149,7 @@ .\" ======================================================================== .\" .IX Title "SUDOERS @mansectform@" -.TH SUDOERS @mansectform@ "October 7, 2004" "1.6.9" "MAINTENANCE COMMANDS" +.TH SUDOERS @mansectform@ "October 13, 2004" "1.6.9" "MAINTENANCE COMMANDS" .SH "NAME" sudoers \- list of which users may execute what .SH "DESCRIPTION" @@ -563,11 +563,9 @@ UIDs are set to the target user (root by default). This option changes that behavior such that the real \s-1UID\s0 is left as the invoking user's \s-1UID\s0. In other words, this makes \fBsudo\fR act as a setuid wrapper. This can be useful on systems that disable some potentially -dangerous functionality when a program is run setuid. Note, however, -that this means that \fBsudo\fR will run with the real uid of the invoking -user which may allow that user to kill \fBsudo\fR before it can log a -failure, depending on how your \s-1OS\s0 defines the interaction between -signals and setuid processes. +dangerous functionality when a program is run setuid. This option +is only effective on systems with either the \fIsetreuid()\fR or \fIsetresuid()\fR +function. .IP "env_reset" 12 .IX Item "env_reset" If set, \fBsudo\fR will reset the environment to only contain the diff --git a/sudoers.pod b/sudoers.pod index eebc72849..3698ce5f2 100644 --- a/sudoers.pod +++ b/sudoers.pod 
@@ -427,11 +427,9 @@ UIDs are set to the target user (root by default). This option changes that behavior such that the real UID is left as the invoking user's UID. In other words, this makes B act as a setuid wrapper. This can be useful on systems that disable some potentially -dangerous functionality when a program is run setuid. Note, however, -that this means that B will run with the real uid of the invoking -user which may allow that user to kill B before it can log a -failure, depending on how your OS defines the interaction between -signals and setuid processes. +dangerous functionality when a program is run setuid. This option +is only effective on systems with either the setreuid() or setresuid() +function. =item env_reset
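Review bot: In the sudoers.pod stay_setuid hunk the dropped caveat still looks applicable after this change. The unchanged context line just above ("the real UID is left as the invoking user's UID") means the invoking user still owns the real uid, so the removed warning that the user "may allow that user to kill sudo before it can log a failure" is not addressed by requiring setreuid() or setresuid(); those calls only change how the uids are set, not who can signal the process. Either state explicitly that the new implementation closes that window, or keep the old sentence and append the new requirement after it: "This option is only effective on systems with either the setreuid() or setresuid() function." Also say what happens on a system that has neither function (is the option ignored, rejected by visudo, or does sudo fall back to setting the real uid to the target user?), since "only effective" leaves the failure mode undefined for the administrator.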
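Review bot: The sudoers.man.in hunk matches the sudoers.pod source word for word (same sentence, with \fIsetreuid()\fR and \fIsetresuid()\fR), which is what you want for a pod2man-generated file, but the commit subject spells the first function "set_reuid()", which is not a real libc call; it should read setreuid() so that anyone grepping the history for the function name finds this commit.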
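Review bot: In sudoers.cat, only the "@@ -502,12 +502,9 @@" hunk carries the substantive stay_setuid change; every other hunk is a date bump ("October 7, 2004" to "October 13, 2004") or a page-break reflow that moves unchanged text such as the "%U ... (defaults to root)", "once Only lecture the user the first time", "Host_Alias" and "SEE ALSO" blocks across page boundaries. That is expected for a regenerated nroff output file, but it makes the review surface roughly twenty times larger than the real edit. Consider regenerating sudoers.cat at release time rather than in every documentation commit, or at least confirm that the reflowed paragraphs are otherwise byte-identical so a reader does not have to diff each relocated block by hand.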