From: Todd C. Miller Date: Wed, 17 Apr 2013 19:42:28 +0000 (-0400) Subject: Document digest support. X-Git-Tag: SUDO_1_8_7~1^2~59 X-Git-Url: https://granicus.if.org/sourcecode?a=commitdiff_plain;h=ed6d6963de6077871c5f66c2ce3c2243963824d7;p=sudo Document digest support. --- diff --git a/NEWS b/NEWS index 6332e01ce..4ff52ba04 100644 --- a/NEWS +++ b/NEWS @@ -85,9 +85,14 @@ What's new in Sudo 1.8.7? HP-UX where libibmldap has a hidden dependency on libCsup. * The sudoers plugin will now ignore invalid domain names when - checking netgroup membership. Some Linux systems use the string + checking netgroup membership. Most Linux systems use the string "(none)" for the NIS-style domain name instead of an empty string. + * New support for specifying a SHA-2 digest along with the command + in the sudoers file. Supported hash types are sha224, sha256, + sha384 and sha512. See the description of Digest_Spec in the + sudoers manual for details. + What's new in Sudo 1.8.6p8? * Terminal detection now works properly on 64-bit AIX kernels. diff --git a/doc/sample.sudoers b/doc/sample.sudoers index 0ef1579ec..994600872 100644 --- a/doc/sample.sudoers +++ b/doc/sample.sudoers @@ -44,7 +44,9 @@ Host_Alias CDROM = orion, perseus, hercules # Cmnd alias specification ## Cmnd_Alias DUMPS = /usr/sbin/dump, /usr/sbin/rdump, /usr/sbin/restore, \ - /usr/sbin/rrestore, /usr/bin/mt + /usr/sbin/rrestore, /usr/bin/mt, \ + sha224:0GomF8mNN3wlDt1HD9XldjJ3SNgpFdbjO1+NsQ== \ + /home/operator/bin/start_backups Cmnd_Alias KILL = /usr/bin/kill Cmnd_Alias PRINTING = /usr/sbin/lpc, /usr/bin/lprm Cmnd_Alias SHUTDOWN = /usr/sbin/shutdown diff --git a/doc/sudoers.cat b/doc/sudoers.cat index 01576e9ed..66274e988 100644 --- a/doc/sudoers.cat +++ b/doc/sudoers.cat @@ -304,6 +304,14 @@ SSUUDDOOEERRSS FFIILLEE FFOORRMMAATT ``localhost'' will only match if that is the actual host name, which is usually only the case for non-networked systems. + digest ::= [A-Fa-f0-9]+ | + [[A-Za-z0-9+/=]+ + + Digest_Spec ::= "sha224" ':' digest | + "sha256" ':' digest | + "sha384" ':' digest | + "sha512" ':' digest + Cmnd_List ::= Cmnd | Cmnd ',' Cmnd_List @@ -311,7 +319,7 @@ SSUUDDOOEERRSS FFIILLEE FFOORRMMAATT file name args | file name '""' - Cmnd ::= '!'* command name | + Cmnd ::= Digest_Spec? '!'* command name | '!'* directory | '!'* "sudoedit" | '!'* Cmnd_Alias @@ -337,6 +345,27 @@ SSUUDDOOEERRSS FFIILLEE FFOORRMMAATT ``sudoedit'' is a command built into ssuuddoo itself and must be specified in _s_u_d_o_e_r_s without a leading path. + If a command name is prefixed with a Digest_Spec, the command will only + match successfully if it can be verified using the specified SHA-2 + digest. This may be useful in situations where the user invoking ssuuddoo + has write access to the command or its parent directory. The digest + string may be specified in either hex or base64 format (base64 is more + compact). There are many utilities capable of generating SHA-2 digests + in hex format such as openssl, shasum, sha224sum, sha256sum, sha384sum, + sha512sum. + + For example, using openssl: + + $ openssl dgst -sha224 /bin/ls + SHA224(/bin/ls)= 118187da8364d490b4a7debbf483004e8f3e053ec954309de2c41a25 + + It is also possible to use openssl to generate base64 output: + + $ openssl dgst -binary -sha224 /bin/ls | openssl base64 + EYGH2oNk1JC0p9679IMATo8+BT7JVDCd4sQaJQ== + + Command digests are only supported by version 1.8.7 or higher. + DDeeffaauullttss Certain configuration options may be changed from their default values at run-time via one or more Default_Entry lines. These may affect all users @@ -1817,7 +1846,9 @@ EEXXAAMMPPLLEESS # Cmnd alias specification Cmnd_Alias DUMPS = /usr/bin/mt, /usr/sbin/dump, /usr/sbin/rdump,\ - /usr/sbin/restore, /usr/sbin/rrestore + /usr/sbin/restore, /usr/sbin/rrestore,\ + sha224:0GomF8mNN3wlDt1HD9XldjJ3SNgpFdbjO1+NsQ== \ + /home/operator/bin/start_backups Cmnd_Alias KILL = /usr/bin/kill Cmnd_Alias PRINTING = /usr/sbin/lpc, /usr/bin/lprm Cmnd_Alias SHUTDOWN = /usr/sbin/shutdown @@ -1887,7 +1918,11 @@ EEXXAAMMPPLLEESS The ooppeerraattoorr user may run commands limited to simple maintenance. Here, those are commands related to backups, killing processes, the printing system, shutting down the system, and any commands in the directory - _/_u_s_r_/_o_p_e_r_/_b_i_n_/. + _/_u_s_r_/_o_p_e_r_/_b_i_n_/. Note that one command in the DUMPS Cmnd_Alias includes a + sha224 digest, _/_h_o_m_e_/_o_p_e_r_a_t_o_r_/_b_i_n_/_s_t_a_r_t___b_a_c_k_u_p_s. This is because the + directory containing the script is writable by the operator user. If the + script is modified (resulting in a digest mismatch) it will no longer be + possible to run it via ssuuddoo. joe ALL = /usr/bin/su operator @@ -2183,4 +2218,4 @@ DDIISSCCLLAAIIMMEERR file distributed with ssuuddoo or http://www.sudo.ws/sudo/license.html for complete details. -Sudo 1.8.7 March 5, 2013 Sudo 1.8.7 +Sudo 1.8.7 April 17, 2013 Sudo 1.8.7 diff --git a/doc/sudoers.ldap.cat b/doc/sudoers.ldap.cat index ffcb48ba7..2612814cb 100644 --- a/doc/sudoers.ldap.cat +++ b/doc/sudoers.ldap.cat @@ -79,11 +79,33 @@ DDEESSCCRRIIPPTTIIOONN with a `+'). The special value ALL will match any host. ssuuddooCCoommmmaanndd - A Unix command with optional command line arguments, potentially - including globbing characters (aka wild cards). The special value - ALL will match any command. If a command is prefixed with an - exclamation point `!', the user will be prohibited from running - that command. + A fully-qualified Unix command name with optional command line + arguments, potentially including globbing characters (aka wild + cards). If a command name is preceded by an exclamation point, + `!', the user will be prohibited from running that command. + + The built-in command ``sudoedit'' is used to permit a user to run + ssuuddoo with the --ee option (or as ssuuddooeeddiitt). It may take command line + arguments just as a normal command does. Note that ``sudoedit'' is + a command built into ssuuddoo itself and must be specified in without a + leading path. + + The special value ALL will match any command. + + If a command name is prefixed with a SHA-2 digest, it will only be + allowed if the digest matches. This may be useful in situations + where the user invoking ssuuddoo has write access to the command or its + parent directory. The following digest formats are supported: + sha224, sha256, sha384 and sha512. The digest name must be + followed by a colon (`:') and then the actual digest, in either hex + or base64 format. For example, given the following value for + sudoCommand: + + sha224:0GomF8mNN3wlDt1HD9XldjJ3SNgpFdbjO1+NsQ /bin/ls + + The user may only run _/_b_i_n_/_l_s if its sha224 digest matches the + specified value. Command digests are only supported by version + 1.8.7 or higher. ssuuddooOOppttiioonn Identical in function to the global options described above, but @@ -769,4 +791,4 @@ DDIISSCCLLAAIIMMEERR file distributed with ssuuddoo or http://www.sudo.ws/sudo/license.html for complete details. -Sudo 1.8.7 February 7, 2013 Sudo 1.8.7 +Sudo 1.8.7 April 17, 2013 Sudo 1.8.7 diff --git a/doc/sudoers.ldap.man.in b/doc/sudoers.ldap.man.in index 7de100c62..1607adb42 100644 --- a/doc/sudoers.ldap.man.in +++ b/doc/sudoers.ldap.man.in @@ -16,7 +16,7 @@ .\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. .\" ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. .\" -.TH "SUDOERS.LDAP" "8" "February 7, 2013" "Sudo @PACKAGE_VERSION@" "OpenBSD System Manager's Manual" +.TH "SUDOERS.LDAP" "8" "April 17, 2013" "Sudo @PACKAGE_VERSION@" "OpenBSD System Manager's Manual" .nh .if n .ad l .SH "NAME" @@ -165,20 +165,63 @@ The special value will match any host. .TP 6n \fBsudoCommand\fR -A Unix command with optional command line arguments, potentially -including globbing characters (aka wild cards). +A fully-qualified Unix command name with optional command line arguments, +potentially including globbing characters (aka wild cards). +If a command name is preceded by an exclamation point, +`\&!', +the user will be prohibited from running that command. +.sp +The built-in command +``\fRsudoedit\fR'' +is used to permit a user to run +\fBsudo\fR +with the +\fB\-e\fR +option (or as +\fBsudoedit\fR). +It may take command line arguments just as a normal command does. +Note that +``\fRsudoedit\fR'' +is a command built into +\fBsudo\fR +itself and must be specified in without a leading path. +.sp The special value \fRALL\fR will match any command. -If a command is prefixed with an exclamation point -`\&!', -the user will be prohibited from running that command. +.sp +If a command name is prefixed with a SHA-2 digest, it will +only be allowed if the digest matches. +This may be useful in situations where the user invoking +\fBsudo\fR +has write access to the command or its parent directory. +The following digest formats are supported: sha224, sha256, sha384 and sha512. +The digest name must be followed by a colon +(`:\&') +and then the actual digest, in either hex or base64 format. +For example, given the following value for sudoCommand: +.RS +.nf +.sp +.RS 4n +sha224:0GomF8mNN3wlDt1HD9XldjJ3SNgpFdbjO1+NsQ /bin/ls +.RE +.fi +.sp +The user may only run +\fI/bin/ls\fR +if its sha224 digest matches the specified value. +Command digests are only supported by version 1.8.7 or higher. +.PP +.RE +.PD 0 .TP 6n \fBsudoOption\fR Identical in function to the global options described above, but specific to the \fRsudoRole\fR in which it resides. +.PD .TP 6n \fBsudoRunAsUser\fR A user name or uid (prefixed with diff --git a/doc/sudoers.ldap.mdoc.in b/doc/sudoers.ldap.mdoc.in index 83c46e627..8a79ef2a7 100644 --- a/doc/sudoers.ldap.mdoc.in +++ b/doc/sudoers.ldap.mdoc.in @@ -14,7 +14,7 @@ .\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. .\" ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. .\" -.Dd February 7, 2013 +.Dd April 17, 2013 .Dt SUDOERS.LDAP @mansectsu@ .Os Sudo @PACKAGE_VERSION@ .Sh NAME @@ -156,14 +156,49 @@ The special value .Li ALL will match any host. .It Sy sudoCommand -A Unix command with optional command line arguments, potentially -including globbing characters (aka wild cards). +A fully-qualified Unix command name with optional command line arguments, +potentially including globbing characters (aka wild cards). +If a command name is preceded by an exclamation point, +.Ql \&! , +the user will be prohibited from running that command. +.Pp +The built-in command +.Dq Li sudoedit +is used to permit a user to run +.Nm sudo +with the +.Fl e +option (or as +.Nm sudoedit ) . +It may take command line arguments just as a normal command does. +Note that +.Dq Li sudoedit +is a command built into +.Nm sudo +itself and must be specified in without a leading path. +.Pp The special value .Li ALL will match any command. -If a command is prefixed with an exclamation point -.Ql \&! , -the user will be prohibited from running that command. +.Pp +If a command name is prefixed with a SHA-2 digest, it will +only be allowed if the digest matches. +This may be useful in situations where the user invoking +.Nm sudo +has write access to the command or its parent directory. +The following digest formats are supported: sha224, sha256, sha384 and sha512. +The digest name must be followed by a colon +.Pq Ql :\& +and then the actual digest, in either hex or base64 format. +For example, given the following value for sudoCommand: +.Bd -literal -offset 4n +sha224:0GomF8mNN3wlDt1HD9XldjJ3SNgpFdbjO1+NsQ /bin/ls +.Ed +.Pp +The user may only run +.Pa /bin/ls +if its sha224 digest matches the specified value. +Command digests are only supported by version 1.8.7 or higher. .It Sy sudoOption Identical in function to the global options described above, but specific to the diff --git a/doc/sudoers.man.in b/doc/sudoers.man.in index 2561506ef..7e459b5e1 100644 --- a/doc/sudoers.man.in +++ b/doc/sudoers.man.in @@ -21,7 +21,7 @@ .\" Agency (DARPA) and Air Force Research Laboratory, Air Force .\" Materiel Command, USAF, under agreement number F39502-99-1-0512. .\" -.TH "SUDOERS" "@mansectsu@" "March 5, 2013" "Sudo @PACKAGE_VERSION@" "Programmer's Manual" +.TH "SUDOERS" "@mansectsu@" "April 17, 2013" "Sudo @PACKAGE_VERSION@" "Programmer's Manual" .nh .if n .ad l .SH "NAME" @@ -679,6 +679,14 @@ only the case for non-networked systems. .nf .sp .RS 0n +digest ::= [A-Fa-f0-9]+ | + [[A-Za-z0-9\+/=]+ + +Digest_Spec ::= "sha224" ':' digest | + "sha256" ':' digest | + "sha384" ':' digest | + "sha512" ':' digest + Cmnd_List ::= Cmnd | Cmnd ',' Cmnd_List @@ -686,7 +694,7 @@ command name ::= file name | file name args | file name '""' -Cmnd ::= '!'* command name | +Cmnd ::= Digest_Spec? '!'* command name | '!'* directory | '!'* "sudoedit" | '!'* Cmnd_Alias @@ -748,6 +756,40 @@ is a command built into itself and must be specified in \fIsudoers\fR without a leading path. +.PP +If a +\fRcommand name\fR +is prefixed with a +\fRDigest_Spec\fR, +the command will only match successfully if it can be verified +using the specified SHA-2 digest. +This may be useful in situations where the user invoking +\fBsudo\fR +has write access to the command or its parent directory. +The digest string may be specified in either hex or base64 format +(base64 is more compact). +There are many utilities capable of generating SHA-2 digests in hex +format such as openssl, shasum, sha224sum, sha256sum, sha384sum, sha512sum. +.PP +For example, using openssl: +.nf +.sp +.RS 0n +$ openssl dgst -sha224 /bin/ls +SHA224(/bin/ls)= 118187da8364d490b4a7debbf483004e8f3e053ec954309de2c41a25 +.RE +.fi +.PP +It is also possible to use openssl to generate base64 output: +.nf +.sp +.RS 0n +$ openssl dgst -binary -sha224 /bin/ls | openssl base64 +EYGH2oNk1JC0p9679IMATo8+BT7JVDCd4sQaJQ== +.RE +.fi +.PP +Command digests are only supported by version 1.8.7 or higher. .SS "Defaults" Certain configuration options may be changed from their default values at run-time via one or more @@ -3706,7 +3748,9 @@ Host_Alias CDROM = orion, perseus, hercules # Cmnd alias specification Cmnd_Alias DUMPS = /usr/bin/mt, /usr/sbin/dump, /usr/sbin/rdump,\e - /usr/sbin/restore, /usr/sbin/rrestore + /usr/sbin/restore, /usr/sbin/rrestore,\e + sha224:0GomF8mNN3wlDt1HD9XldjJ3SNgpFdbjO1+NsQ== \e + /home/operator/bin/start_backups Cmnd_Alias KILL = /usr/bin/kill Cmnd_Alias PRINTING = /usr/sbin/lpc, /usr/bin/lprm Cmnd_Alias SHUTDOWN = /usr/sbin/shutdown @@ -3858,6 +3902,15 @@ Here, those are commands related to backups, killing processes, the printing system, shutting down the system, and any commands in the directory \fI/usr/oper/bin/\fR. +Note that one command in the +\fRDUMPS\fR +Cmnd_Alias includes a sha224 digest, +\fI/home/operator/bin/start_backups\fR. +This is because the directory containing the script is writable by the +operator user. +If the script is modified (resulting in a digest mismatch) it will no longer +be possible to run it via +\fBsudo\fR. .nf .sp .RS 0n diff --git a/doc/sudoers.mdoc.in b/doc/sudoers.mdoc.in index 06a788f93..f816931be 100644 --- a/doc/sudoers.mdoc.in +++ b/doc/sudoers.mdoc.in @@ -19,7 +19,7 @@ .\" Agency (DARPA) and Air Force Research Laboratory, Air Force .\" Materiel Command, USAF, under agreement number F39502-99-1-0512. .\" -.Dd March 5, 2013 +.Dd April 17, 2013 .Dt SUDOERS @mansectform@ .Os Sudo @PACKAGE_VERSION@ .Sh NAME @@ -648,6 +648,14 @@ Also, the host name will only match if that is the actual host name, which is usually only the case for non-networked systems. .Bd -literal +digest ::= [A-Fa-f0-9]+ | + [[A-Za-z0-9\+/=]+ + +Digest_Spec ::= "sha224" ':' digest | + "sha256" ':' digest | + "sha384" ':' digest | + "sha512" ':' digest + Cmnd_List ::= Cmnd | Cmnd ',' Cmnd_List @@ -655,7 +663,7 @@ command name ::= file name | file name args | file name '""' -Cmnd ::= '!'* command name | +Cmnd ::= Digest_Spec? '!'* command name | '!'* directory | '!'* "sudoedit" | '!'* Cmnd_Alias @@ -716,6 +724,34 @@ is a command built into itself and must be specified in .Em sudoers without a leading path. +.Pp +If a +.Li command name +is prefixed with a +.Li Digest_Spec , +the command will only match successfully if it can be verified +using the specified SHA-2 digest. +This may be useful in situations where the user invoking +.Nm sudo +has write access to the command or its parent directory. +The digest string may be specified in either hex or base64 format +(base64 is more compact). +There are many utilities capable of generating SHA-2 digests in hex +format such as openssl, shasum, sha224sum, sha256sum, sha384sum, sha512sum. +.Pp +For example, using openssl: +.Bd -literal +$ openssl dgst -sha224 /bin/ls +SHA224(/bin/ls)= 118187da8364d490b4a7debbf483004e8f3e053ec954309de2c41a25 +.Ed +.Pp +It is also possible to use openssl to generate base64 output: +.Bd -literal +$ openssl dgst -binary -sha224 /bin/ls | openssl base64 +EYGH2oNk1JC0p9679IMATo8+BT7JVDCd4sQaJQ== +.Ed +.Pp +Command digests are only supported by version 1.8.7 or higher. .Ss Defaults Certain configuration options may be changed from their default values at run-time via one or more @@ -3430,7 +3466,9 @@ Host_Alias CDROM = orion, perseus, hercules # Cmnd alias specification Cmnd_Alias DUMPS = /usr/bin/mt, /usr/sbin/dump, /usr/sbin/rdump,\e - /usr/sbin/restore, /usr/sbin/rrestore + /usr/sbin/restore, /usr/sbin/rrestore,\e + sha224:0GomF8mNN3wlDt1HD9XldjJ3SNgpFdbjO1+NsQ== \e + /home/operator/bin/start_backups Cmnd_Alias KILL = /usr/bin/kill Cmnd_Alias PRINTING = /usr/sbin/lpc, /usr/bin/lprm Cmnd_Alias SHUTDOWN = /usr/sbin/shutdown @@ -3563,6 +3601,15 @@ Here, those are commands related to backups, killing processes, the printing system, shutting down the system, and any commands in the directory .Pa /usr/oper/bin/ . +Note that one command in the +.Li DUMPS +Cmnd_Alias includes a sha224 digest, +.Pa /home/operator/bin/start_backups . +This is because the directory containing the script is writable by the +operator user. +If the script is modified (resulting in a digest mismatch) it will no longer +be possible to run it via +.Nm sudo . .Bd -literal joe ALL = /usr/bin/su operator .Ed