From: Todd C. Miller Date: Sun, 16 May 2004 20:24:28 +0000 (+0000) Subject: regen X-Git-Tag: SUDO_1_6_8~146 X-Git-Url: https://granicus.if.org/sourcecode?a=commitdiff_plain;h=f4d073b89ea3f9e451c9c9a8d290b19e9edea726;p=sudo regen --- diff --git a/sudo.cat b/sudo.cat index 2bdf62dc5..6ad949a2c 100644 --- a/sudo.cat +++ b/sudo.cat @@ -5,12 +5,16 @@ SUDO(1m) MAINTENANCE COMMANDS SUDO(1m) NNAAMMEE - sudo - execute a command as another user + sudo, sudoedit - execute a command as another user SSYYNNOOPPSSIISS - ssuuddoo --VV | --hh | --ll | --LL | --vv | --kk | --KK | --ss | [ --HH ] [--PP ] - [--SS ] [ --bb ] | [ --pp _p_r_o_m_p_t ] [ --cc _c_l_a_s_s|_- ] [ --aa _a_u_t_h___t_y_p_e - ] [ --uu _u_s_e_r_n_a_m_e|_#_u_i_d ] _c_o_m_m_a_n_d + ssuuddoo --KK | --LL | --VV | --hh | --kk | --ll | --vv + + ssuuddoo [--HHPPSSbb] [--aa _a_u_t_h___t_y_p_e] [--cc _c_l_a_s_s|_-] [--pp _p_r_o_m_p_t] + [--uu _u_s_e_r_n_a_m_e|_#_u_i_d] {--ee file [...] | --ii | --ss | _c_o_m_m_a_n_d} + + ssuuddooeeddiitt [--SS] [--aa _a_u_t_h___t_y_p_e] [--pp _p_r_o_m_p_t] [--uu _u_s_e_r_­ + _n_a_m_e|_#_u_i_d] file [...] DDEESSCCRRIIPPTTIIOONN ssuuddoo allows a permitted user to execute a _c_o_m_m_a_n_d as the @@ -25,6 +29,9 @@ DDEESSCCRRIIPPTTIIOONN the user may then use sudo without a password for a short period of time (5 minutes unless overridden in _s_u_d_o_e_r_s). + When invoked as ssuuddooeeddiitt, the --ee option (described below), + is implied. + ssuuddoo determines who is an authorized user by consulting the file _/_e_t_c_/_s_u_d_o_e_r_s. By giving ssuuddoo the --vv flag a user can update the time stamp without running a _c_o_m_m_a_n_d_. The 
@@ -40,28 +47,87 @@ DDEESSCCRRIIPPTTIIOONN --vv flags. This allows users to determine for themselves whether or not they are allowed to use ssuuddoo. + If ssuuddoo is run by root and the SUDO_USER environment vari­ + able is set, ssuuddoo will use this value to determine who the + actual user is. This can be used by a user to log com­ + mands through sudo even when a root shell has been + invoked. It also allows the --ee flag to remain useful even + when being run via a sudo-run script or program. Note + however, that the sudoers lookup is still done for root, + not the user specified by SUDO_USER. + ssuuddoo can log both successful and unsuccessful attempts (as well as errors) to _s_y_s_l_o_g(3), a log file, or both. By + + + +1.6.8 February 13, 2004 1 + + + + + +SUDO(1m) MAINTENANCE COMMANDS SUDO(1m) + + default ssuuddoo will log via _s_y_s_l_o_g(3) but this is changeable at configure time or via the _s_u_d_o_e_r_s file. OOPPTTIIOONNSS ssuuddoo accepts the following command line options: + -H The --HH (_H_O_M_E) option sets the HOME environment vari­ + able to the homedir of the target user (root by + default) as specified in _p_a_s_s_w_d(4). By default, ssuuddoo + does not modify HOME. + + -K The --KK (sure _k_i_l_l) option to ssuuddoo removes the user's + timestamp entirely. Likewise, this option does not + require a password. + + -L The --LL (_l_i_s_t defaults) option will list out the param­ + eters that may be set in a _D_e_f_a_u_l_t_s line along with a + short description for each. This option is useful in + conjunction with _g_r_e_p(1). + + -P The --PP (_p_r_e_s_e_r_v_e _g_r_o_u_p _v_e_c_t_o_r) option causes ssuuddoo to + preserve the user's group vector unaltered. By + default, ssuuddoo will initialize the group vector to the + list of groups the target user is in. The real and + effective group IDs, however, are still set to match + the target user. 
+ + -S The --SS (_s_t_d_i_n) option causes ssuuddoo to read the password + from standard input instead of the terminal device. + -V The --VV (_v_e_r_s_i_o_n) option causes ssuuddoo to print the ver­ sion number and exit. If the invoking user is already root the --VV option will print out a list of the defaults ssuuddoo was compiled with as well as the machine's local network addresses. - -l The --ll (_l_i_s_t) option will list out the allowed (and - forbidden) commands for the user on the current host. + -a The --aa (_a_u_t_h_e_n_t_i_c_a_t_i_o_n _t_y_p_e) option causes ssuuddoo to use + the specified authentication type when validating the + user, as allowed by /etc/login.conf. The system + administrator may specify a list of sudo-specific + authentication methods by adding an "auth-sudo" entry + in /etc/login.conf. This option is only available on + systems that support BSD authentication where ssuuddoo has + been configured with the --with-bsdauth option. + + -b The --bb (_b_a_c_k_g_r_o_u_n_d) option tells ssuuddoo to run the given + command in the background. Note that if you use the + --bb option you cannot use shell job control to manipu­ + late the process. - -L The --LL (_l_i_s_t defaults) option will list out the + -c The --cc (_c_l_a_s_s) option causes ssuuddoo to run the specified + command with resources limited by the specified login + class. The _c_l_a_s_s argument can be either a class name + as defined in /etc/login.conf, or a single '-' -1.6.7 March 13, 2003 1 +1.6.8 February 13, 2004 2 
@@ -70,18 +136,71 @@ OOPPTTIIOONNSS SUDO(1m) MAINTENANCE COMMANDS SUDO(1m) - parameters that may be set in a _D_e_f_a_u_l_t_s line along - with a short description for each. This option is - useful in conjunction with _g_r_e_p(1). + character. Specifying a _c_l_a_s_s of - indicates that the + command should be run restricted by the default login + capabilities for the user the command is run as. If + the _c_l_a_s_s argument specifies an existing user class, + the command must be run as root, or the ssuuddoo command + must be run from a shell that is already root. This + option is only available on systems with BSD login + classes where ssuuddoo has been configured with the + --with-logincap option. + + -e The --ee (_e_d_i_t) option indicates that, instead of run­ + ning a command, the user wishes to edit one or more + files. In lieu of a command, the string _"_s_u_d_o_e_d_i_t_" is + used when consulting the _s_u_d_o_e_r_s file. If the user is + authorized by _s_u_d_o_e_r_s the following steps are taken: + + 1. Temporary copies are made of the files to be + edited, owned by the invoking user. + + 2. The editor specified by the VISUAL or EDITOR + environment variables is run to edit the tem­ + porary files. If neither VISUAL nor EDITOR + are set, the program listed in the _e_d_i_t_o_r + _s_u_d_o_e_r_s variable is used. + + 3. If they have been modified, the temporary + files are copied back to their original loca­ + tion and the temporary versions are removed. + + If the specified file does not exist, it will be cre­ + ated. Note that unlike most commands run by ssuuddoo, the + editor is run with the invoking user's environment + unmodified. If, for some reason, ssuuddoo is unable to + update a file with its edited version, the user will + receive a warning and the edited copy will remain in a + temporary file. -h The --hh (_h_e_l_p) option causes ssuuddoo to print a usage mes­ sage and exit. 
- -v If given the --vv (_v_a_l_i_d_a_t_e) option, ssuuddoo will update - the user's timestamp, prompting for the user's pass­ - word if necessary. This extends the ssuuddoo timeout for - another 5 minutes (or whatever the timeout is set to - in _s_u_d_o_e_r_s) but does not run a command. + -i The -i (_s_i_m_u_l_a_t_e _i_n_i_t_i_a_l _l_o_g_i_n) option runs the shell + specified in the passwd(4) entry of the user that the + command is being run as. The command name argument + given to the shell begins with a - to tell the shell + to run as a login shell. ssuuddoo attempts to change to + that user's home directory before running the shell. + It also initializes the environment, leaving _T_E_R_M + unchanged, setting _H_O_M_E, _S_H_E_L_L, _U_S_E_R, _L_O_G_N_A_M_E, and + _P_A_T_H, and unsetting all other environment variables. + Note that because the shell to use is determined + before the _s_u_d_o_e_r_s file is parsed, a _r_u_n_a_s___d_e_f_a_u_l_t + setting in _s_u_d_o_e_r_s will specify the user to run the + shell as but will not affect which shell is actually + run. + + + +1.6.8 February 13, 2004 3 + + + + + +SUDO(1m) MAINTENANCE COMMANDS SUDO(1m) + -k The --kk (_k_i_l_l) option to ssuuddoo invalidates the user's timestamp by setting the time on it to the epoch. The @@ -90,14 +209,8 @@ SUDO(1m) MAINTENANCE COMMANDS SUDO(1m) to allow a user to revoke ssuuddoo permissions from a .logout file. - -K The --KK (sure _k_i_l_l) option to ssuuddoo removes the user's - timestamp entirely. Likewise, this option does not - require a password. - - -b The --bb (_b_a_c_k_g_r_o_u_n_d) option tells ssuuddoo to run the given - command in the background. Note that if you use the - --bb option you cannot use shell job control to manipu­ - late the process. + -l The --ll (_l_i_s_t) option will list out the allowed (and + forbidden) commands for the user on the current host. -p The --pp (_p_r_o_m_p_t) option allows you to override the default password prompt and use a custom one. The 
@@ -116,66 +229,22 @@ SUDO(1m) MAINTENANCE COMMANDS SUDO(1m) fully qualified or the _f_q_d_n sudoers option is set) - %% two consecutive % characters are collaped into - a single % character - - -c The --cc (_c_l_a_s_s) option causes ssuuddoo to run the specified - command with resources limited by the specified login - class. The _c_l_a_s_s argument can be either a class name - as defined in /etc/login.conf, or a single '-' charac­ - ter. Specifying a _c_l_a_s_s of - indicates that the - - - -1.6.7 March 13, 2003 2 - - - - - -SUDO(1m) MAINTENANCE COMMANDS SUDO(1m) - - - command should be run restricted by the default login - capabilities for the user the command is run as. If - the _c_l_a_s_s argument specifies an existing user class, - the command must be run as root, or the ssuuddoo command - must be run from a shell that is already root. This - option is only available on systems with BSD login - classes where ssuuddoo has been configured with the - --with-logincap option. - - -a The --aa (_a_u_t_h_e_n_t_i_c_a_t_i_o_n _t_y_p_e) option causes ssuuddoo to use - the specified authentication type when validating the - user, as allowed by /etc/login.conf. The system - administrator may specify a list of sudo-specific - authentication methods by adding an "auth-sudo" entry - in /etc/login.conf. This option is only available on - systems that support BSD authentication where ssuuddoo has - been configured with the --with-bsdauth option. - - -u The --uu (_u_s_e_r) option causes ssuuddoo to run the specified - command as a user other than _r_o_o_t. To specify a _u_i_d - instead of a _u_s_e_r_n_a_m_e, use _#_u_i_d. + %% two consecutive % characters are collasped + into a single % character -s The --ss (_s_h_e_l_l) option runs the shell specified by the _S_H_E_L_L environment variable if it is set or the shell as specified in _p_a_s_s_w_d(4). 
- -H The --HH (_H_O_M_E) option sets the HOME environment vari­ - able to the homedir of the target user (root by - default) as specified in _p_a_s_s_w_d(4). By default, ssuuddoo - does not modify HOME. - - -P The --PP (_p_r_e_s_e_r_v_e _g_r_o_u_p _v_e_c_t_o_r) option causes ssuuddoo to - preserve the user's group vector unaltered. By - default, ssuuddoo will initialize the group vector to the - list of groups the target user is in. The real and - effective group IDs, however, are still set to match - the target user. + -u The --uu (_u_s_e_r) option causes ssuuddoo to run the specified + command as a user other than _r_o_o_t. To specify a _u_i_d + instead of a _u_s_e_r_n_a_m_e, use _#_u_i_d. - -S The --SS (_s_t_d_i_n) option causes ssuuddoo to read the password - from standard input instead of the terminal device. + -v If given the --vv (_v_a_l_i_d_a_t_e) option, ssuuddoo will update + the user's timestamp, prompting for the user's pass­ + word if necessary. This extends the ssuuddoo timeout for + another 5 minutes (or whatever the timeout is set to + in _s_u_d_o_e_r_s) but does not run a command. -- The ---- flag indicates that ssuuddoo should stop processing command line arguments. It is most useful in conjunc­ @@ -187,13 +256,10 @@ RREETTUURRNN VVAALLUUEESS that was executed. Otherwise, ssuuddoo quits with an exit value of 1 if there is - a configuration/permission problem or if ssuuddoo cannot exe­ - cute the given command. In the latter case the error - string is printed to stderr. If ssuuddoo cannot _s_t_a_t(2) one -1.6.7 March 13, 2003 3 +1.6.8 February 13, 2004 4 
@@ -202,6 +268,9 @@ RREETTUURRNN VVAALLUUEESS SUDO(1m) MAINTENANCE COMMANDS SUDO(1m) + a configuration/permission problem or if ssuuddoo cannot exe­ + cute the given command. In the latter case the error + string is printed to stderr. If ssuuddoo cannot _s_t_a_t(2) one or more entries in the user's PATH an error is printed on stderr. (If the directory does not exist or if it is not really a directory, the entry is ignored and no error is @@ -253,13 +322,10 @@ SSEECCUURRIITTYY NNOOTTEESS ssuuddoo is run. However, because ssuuddoo checks the ownership and mode of the directory and its contents, the only dam­ age that can be done is to "hide" files by putting them in - the timestamp dir. This is unlikely to happen since once - the timestamp dir is owned by root and inaccessible by any - other user the user placing files there would be unable to -1.6.7 March 13, 2003 4 +1.6.8 February 13, 2004 5 @@ -268,6 +334,9 @@ SSEECCUURRIITTYY NNOOTTEESS SUDO(1m) MAINTENANCE COMMANDS SUDO(1m) + the timestamp dir. This is unlikely to happen since once + the timestamp dir is owned by root and inaccessible by any + other user the user placing files there would be unable to get them back out. To get around this issue you can use a directory that is not world-writable for the timestamps (_/_v_a_r_/_a_d_m_/_s_u_d_o for instance) or create _/_v_a_r_/_r_u_n_/_s_u_d_o with @@ -319,13 +388,10 @@ EEXXAAMMPPLLEESS % sudo sh -c "cd /home ; du -s * | sort -rn > USAGE" -EENNVVIIRROONNMMEENNTT - ssuuddoo utilizes the following environment variables: - -1.6.7 March 13, 2003 5 +1.6.8 February 13, 2004 6 
@@ -334,21 +400,38 @@ EENNVVIIRROONNMMEENNTT SUDO(1m) MAINTENANCE COMMANDS SUDO(1m) - PATH Set to a sane value if SECURE_PATH is set - SHELL Used to determine shell to run with -s option - USER Set to the target user (root unless the -u option - is specified) +EENNVVIIRROONNMMEENNTT + ssuuddoo utilizes the following environment variables: + + EDITOR Default editor to use in -e (sudoedit) mode if + VISUAL is not set + HOME In -s or -H mode (or if sudo was configured with the --enable-shell-sets-home option), set to - homedir of the target user. + homedir of the target user + + PATH Set to a sane value if SECURE_PATH is set + + SHELL Used to determine shell to run with -s option + SUDO_PROMPT Used as the default password prompt + SUDO_COMMAND Set to the command run by sudo + SUDO_USER Set to the login of the user who invoked sudo + SUDO_UID Set to the uid of the user who invoked sudo + SUDO_GID Set to the gid of the user who invoked sudo + SUDO_PS1 If set, PS1 will be set to its value -FFIILLEESS + USER Set to the target user (root unless the -u option + is specified) + + VISUAL Default editor to use in -e (sudoedit) mode + =head1 FILES + /etc/sudoers List of who can run what /var/run/sudo Directory containing timestamps 
@@ -371,13 +454,29 @@ DDIISSCCLLAAIIMMEERR SSuuddoo is provided ``AS IS'' and any express or implied war­ ranties, including, but not limited to, the implied war­ ranties of merchantability and fitness for a particular + + + +1.6.8 February 13, 2004 7 + + + + + +SUDO(1m) MAINTENANCE COMMANDS SUDO(1m) + + purpose are disclaimed. See the LICENSE file distributed with ssuuddoo for complete details. CCAAVVEEAATTSS There is no easy way to prevent a user from gaining a root - shell if that user has access to commands allowing shell - escapes. + shell if that user is allowed to run arbitrary commands + via ssuuddoo. Also, many programs (such as editors) allow the + user to run commands via shell escapes, thus avoiding + ssuuddoo's checks. However, on most systems it is possible to + prevent shell escapes with ssuuddoo's _n_o_e_x_e_c functionality. + See the _s_u_d_o_e_r_s(4) manual for details. If users have sudo ALL there is nothing to prevent them from creating their own program that gives them a root @@ -389,17 +488,6 @@ CCAAVVEEAATTSS ing systems (if your OS supports the /dev/fd/ directory, setuid shell scripts are generally safe). - - -1.6.7 March 13, 2003 6 - - - - - -SUDO(1m) MAINTENANCE COMMANDS SUDO(1m) - - SSEEEE AALLSSOO _g_r_e_p(1), _s_u(1), _s_t_a_t(2), _l_o_g_i_n___c_a_p(3), _s_u_d_o_e_r_s(4), _p_a_s_s_w_d(5), _v_i_s_u_d_o(1m) @@ -435,28 +523,6 @@ SSEEEE AALLSSOO - - - - - - - - - - - - - - - - - - - - - - -1.6.7 March 13, 2003 7 +1.6.8 February 13, 2004 8 diff --git a/sudoers.cat b/sudoers.cat index 62c3c9b66..51e6eaeb4 100644 --- a/sudoers.cat +++ b/sudoers.cat @@ -61,7 +61,7 @@ DDEESSCCRRIIPPTTIIOONN -1.6.7 March 13, 2003 1 +1.6.8 May 16, 2004 1 
@@ -100,12 +100,12 @@ SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4) '!'* '+'netgroup | '!'* User_Alias - A User_List is made up of one or more usernames, uids - (prefixed with '#'), System groups (prefixed with '%'), - netgroups (prefixed with '+') and other aliases. Each - list item may be prefixed with one or more '!' operators. - An odd number of '!' operators negate the value of the - item; an even number just cancel each other out. + A User_List is made up of one or more usernames, system + groups (prefixed with '%'), netgroups (prefixed with '+') + and other aliases. Each list item may be prefixed with + one or more '!' operators. An odd number of '!' operators + negate the value of the item; an even number just cancel + each other out. Runas_List ::= Runas_User | Runas_User ',' Runas_List @@ -118,16 +118,16 @@ SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4) A Runas_List is similar to a User_List except that it can also contain uids (prefixed with '#') and instead of - User_Aliases it can contain Runas_Aliases. - - Host_List ::= Host | - Host ',' Host_List - - + User_Aliases it can contain Runas_Aliases. Note that + usernames and groups are matched as strings. In other + words, two users (groups) with the same uid (gid) are con­ + sidered to be distinct. If you wish to match all user­ + names with the same uid (e.g. root and toor), you can use + a uid instead (#0 in the example given). -1.6.7 March 13, 2003 2 +1.6.8 May 16, 2004 2 @@ -136,6 +136,9 @@ SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4) SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4) + Host_List ::= Host | + Host ',' Host_List + Host ::= '!'* hostname | '!'* ip_addr | '!'* network(/netmask)? | @@ -165,6 +168,7 @@ SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4) Cmnd ::= '!'* commandname | '!'* directory | + '!'* "sudoedit" | '!'* Cmnd_Alias A Cmnd_List is a list of one or more commandnames, direc­ 
@@ -185,15 +189,11 @@ SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4) the user on the command line (or match the wildcards if there are any). Note that the following characters must be escaped with a '\' if they are used in command argu­ - ments: ',', ':', '=', '\'. - - + ments: ',', ':', '=', '\'. The special command "sudoedit" - - -1.6.7 March 13, 2003 3 +1.6.8 May 16, 2004 3 @@ -202,6 +202,10 @@ SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4) SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4) + is used to permit a user to run ssuuddoo with the --ee flag (or + as ssuuddooeeddiitt). It may take command line arguments just as + a normal command does. + DDeeffaauullttss Certain configuration options may be changed from their @@ -212,17 +216,20 @@ SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4) applied in order. Where there are conflicting values, the last value on a matching line takes effect. - Default_Type ::= 'Defaults' || - 'Defaults' '@' Host || - 'Defaults' ':' User || + Default_Type ::= 'Defaults' | + 'Defaults' '@' Host | + 'Defaults' ':' User | 'Defaults' '>' RunasUser Default_Entry ::= Default_Type Parameter_List - Parameter ::= Parameter '=' Value || - Parameter '+=' Value || - Parameter '-=' Value || - '!'* Parameter || + Parameter_List ::= Parameter | + Parameter ',' Parameter_List + + Parameter ::= Parameter '=' Value | + Parameter '+=' Value | + Parameter '-=' Value | + '!'* Parameter Parameters may be ffllaaggss, iinntteeggeerr values, ssttrriinnggss, or lliissttss. Flags are implicitly boolean and can be turned off 
@@ -249,24 +256,28 @@ SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4) used to make it easier to cut and paste the challenge to a local window. It's not as pretty as the default but some people find it - more convenient. This flag is _o_f_f by default. - ignore_dot If set, ssuuddoo will ignore '.' or '' (current - dir) in the PATH environment variable; the - PATH itself is not modified. This flag is _o_f_f - by default. +1.6.8 May 16, 2004 4 -1.6.7 March 13, 2003 4 +SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4) -SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4) + more convenient. This flag is _o_f_f by default. + ignore_dot If set, ssuuddoo will ignore '.' or '' (current + dir) in the PATH environment variable; the + PATH itself is not modified. This flag is _o_f_f + by default. Currently, while it is possible + to set _i_g_n_o_r_e___d_o_t in _s_u_d_o_e_r_s, its value is not + used. This option should be considered read- + only (it will be fixed in a future version of + ssuuddoo). mail_always Send mail to the _m_a_i_l_t_o user every time a users runs ssuuddoo. This flag is _o_f_f by default. @@ -303,10 +314,6 @@ SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4) logged in on in that directory. This flag is _o_f_f by default. - lecture If set, a user will receive a short lecture - the first time he/she runs ssuuddoo. This flag is - _o_n by default. - authenticate If set, users must authenticate themselves via a password (or other means of authentication) 
@@ -314,18 +321,11 @@ SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4) may be overridden via the PASSWD and NOPASSWD tags. This flag is _o_n by default. - root_sudo If set, root is allowed to run ssuuddoo too. Dis­ - abling this prevents users from "chaining" - ssuuddoo commands to get a root shell by doing - something like "sudo sudo /bin/sh". This flag - is _o_n by default. - - log_host If set, the hostname will be logged in the - (non-syslog) ssuuddoo log file. This flag is _o_f_f + root_sudo If set, root is allowed to run ssuuddoo too. -1.6.7 March 13, 2003 5 +1.6.8 May 16, 2004 5 @@ -334,6 +334,17 @@ SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4) SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4) + Disabling this prevents users from "chaining" + ssuuddoo commands to get a root shell by doing + something like "sudo sudo /bin/sh". Note, + however, that turning off _r_o_o_t___s_u_d_o will also + prevent root and from running ssuuddooeeddiitt. Dis­ + abling _r_o_o_t___s_u_d_o provides no real additional + security; it exists purely for historical rea­ + sons. This flag is _o_n by default. + + log_host If set, the hostname will be logged in the + (non-syslog) ssuuddoo log file. This flag is _o_f_f by default. log_year If set, the four-digit year will be logged in 
@@ -376,22 +387,11 @@ SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4) be confusing. This flag is _o_f_f by default. preserve_groups - By default ssuuddoo will initialize the group vec­ - tor to the list of groups the target user is - in. When _p_r_e_s_e_r_v_e___g_r_o_u_p_s is set, the user's - existing group vector is left unaltered. The - real and effective group IDs, however, are - still set to match the target user. This flag - is _o_f_f by default. - - fqdn Set this flag if you want to put fully quali­ - fied hostnames in the _s_u_d_o_e_r_s file. I.e., - instead of myhost you would use myhost.mydo­ - main.edu. You may still use the short form if + By default ssuuddoo will initialize the group -1.6.7 March 13, 2003 6 +1.6.8 May 16, 2004 6 @@ -400,6 +400,17 @@ SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4) SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4) + vector to the list of groups the target user + is in. When _p_r_e_s_e_r_v_e___g_r_o_u_p_s is set, the + user's existing group vector is left unal­ + tered. The real and effective group IDs, how­ + ever, are still set to match the target user. + This flag is _o_f_f by default. + + fqdn Set this flag if you want to put fully quali­ + fied hostnames in the _s_u_d_o_e_r_s file. I.e., + instead of myhost you would use myhost.mydo­ + main.edu. You may still use the short form if you wish (and even mix the two). Beware that turning on _f_q_d_n requires ssuuddoo to make DNS lookups which may make ssuuddoo unusable if DNS 
@@ -443,28 +454,28 @@ SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4) instead of the password of the invoking user. This flag is _o_f_f by default. - runaspw If set, ssuuddoo will prompt for the password of - the user defined by the _r_u_n_a_s___d_e_f_a_u_l_t option - (defaults to root) instead of the password of - the invoking user. This flag is _o_f_f by - default. - targetpw If set, ssuuddoo will prompt for the password of - the user specified by the --uu flag (defaults to - root) instead of the password of the invoking - user. This flag is _o_f_f by default. +1.6.8 May 16, 2004 7 -1.6.7 March 13, 2003 7 +SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4) -SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4) + runaspw If set, ssuuddoo will prompt for the password of + the user defined by the _r_u_n_a_s___d_e_f_a_u_l_t option + (defaults to root) instead of the password of + the invoking user. This flag is _o_f_f by + default. + targetpw If set, ssuuddoo will prompt for the password of + the user specified by the --uu flag (defaults to + root) instead of the password of the invoking + user. This flag is _o_f_f by default. set_logname Normally, ssuuddoo will set the LOGNAME and USER environment variables to the name of the tar­ 
@@ -509,28 +520,35 @@ SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4) for the target user's login class if one exists. Only available if ssuuddoo is configured with the --with-logincap option. This flag is - _o_f_f by default. - IInntteeggeerrss: - passwd_tries - The number of tries a user gets to enter - his/her password before ssuuddoo logs the failure - and exits. The default is 3. - IInntteeggeerrss tthhaatt ccaann bbee uusseedd iinn aa bboooolleeaann ccoonntteexxtt: +1.6.8 May 16, 2004 8 -1.6.7 March 13, 2003 8 +SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4) + _o_f_f by default. + noexec If set, all commands run via sudo will behave + as if the NOEXEC tag has been set, unless + overridden by a EXEC tag. See the description + of _N_O_E_X_E_C _a_n_d _E_X_E_C below as well as the PPRREE­­ + VVEENNTTIINNGG SSHHEELLLL EESSCCAAPPEESS section at the end of + this manual. This flag is _o_f_f by default. -SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4) + IInntteeggeerrss: + + passwd_tries + The number of tries a user gets to enter + his/her password before ssuuddoo logs the failure + and exits. The default is 3. + IInntteeggeerrss tthhaatt ccaann bbee uusseedd iinn aa bboooolleeaann ccoonntteexxtt: loglinelen Number of characters per line for the file log. This value is used to decide when to @@ -568,6 +586,18 @@ SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4) badpass_message Message that is displayed if a user enters an incorrect password. The default is Sorry, try + + + +1.6.8 May 16, 2004 9 + + + + + +SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4) + + again. unless insults are enabled. timestampdir @@ -587,17 +617,6 @@ SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4) %u expanded to the invoking user's login name - - -1.6.7 March 13, 2003 9 - - - - - -SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4) - - %U expanded to the login name of the user the command will be run as (defaults to root) 
@@ -632,12 +651,50 @@ SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4) allowed to be used with vviissuuddoo. vviissuuddoo will choose the editor that matches the user's USER environment variable if possible, or the first - editor in the list that exists and is exe­ - cutable. The default is the path to vi on + editor in the list that exists and is + + + +1.6.8 May 16, 2004 10 + + + + + +SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4) + + + executable. The default is the path to vi on your system. + noexec_file Path to a shared library containing dummy ver­ + sions of the _e_x_e_c_v_(_), _e_x_e_c_v_e_(_) and _f_e_x_e_c_v_e_(_) + library functions that just return an error. + This is used to implement the _n_o_e_x_e_c function­ + ality on systems that support LD_PRELOAD or + its equivalent. Defaults to + _/_u_s_r_/_l_o_c_a_l_/_l_i_b_e_x_e_c_/_s_u_d_o___n_o_e_x_e_c_._s_o. + SSttrriinnggss tthhaatt ccaann bbee uusseedd iinn aa bboooolleeaann ccoonntteexxtt: + lecture This option controls when a short lecture will + be printed along with the password prompt. It + has the following possible values: + + never Never lecture the user. + + once Only lecture the user the first time + they run ssuuddoo. + + always Always lecture the user. + + The default value is _o_n_c_e. + + lecture_file + Path to a file containing an alternate sudo + lecture that will be used in place of the + standard lecture if the named file exists. + logfile Path to the ssuuddoo log file (not the syslog log file). Setting a path turns on logging to a file; negating this option turns it off. 
@@ -653,25 +710,26 @@ SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4) mailerflags Flags to use when invoking mailer. Defaults to --tt. + mailto Address to send warning and error mail to. + The address should be enclosed in double + quotes (") to protect against sudo interpret­ + ing the @ sign. Defaults to root. + exempt_group + Users in this group are exempt from password + and PATH requirements. This is not set by -1.6.7 March 13, 2003 10 +1.6.8 May 16, 2004 11 -SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4) - mailto Address to send warning and error mail to. - The address should be enclosed in double - quotes (") to protect against sudo interpret­ - ing the @ sign. Defaults to root. +SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4) + - exempt_group - Users in this group are exempt from password - and PATH requirements. This is not set by default. verifypw This option controls when a password will be @@ -718,10 +776,18 @@ SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4) LLiissttss tthhaatt ccaann bbee uusseedd iinn aa bboooolleeaann ccoonntteexxtt: + env_check Environment variables to be removed from the + user's environment if the variable's value + contains % or / characters. This can be used + to guard against printf-style format vulnera­ + bilities in poorly-written programs. The + argument may be a double-quoted, space-sepa­ + rated list or a single value without dou­ + ble-quotes. The list can be replaced, added -1.6.7 March 13, 2003 11 +1.6.8 May 16, 2004 12 
@@ -730,14 +796,6 @@ SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4) SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4) - env_check Environment variables to be removed from the - user's environment if the variable's value - contains % or / characters. This can be used - to guard against printf-style format vulnera­ - bilities in poorly-written programs. The - argument may be a double-quoted, space-sepa­ - rated list or a single value without dou­ - ble-quotes. The list can be replaced, added to, deleted from, or disabled by using the =, +=, -=, and ! operators respectively. The default list of environment variables to check @@ -779,28 +837,31 @@ SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4) UUsseerr SSppeecciiffiiccaattiioonn - User_Spec ::= User_list Host_List '=' Cmnd_Spec_List \ - (':' User_Spec)* + User_Spec ::= User_List Host_List '=' Cmnd_Spec_List \ + (':' Host_List '=' Cmnd_Spec_List)* Cmnd_Spec_List ::= Cmnd_Spec | Cmnd_Spec ',' Cmnd_Spec_List + Cmnd_Spec ::= Runas_Spec? Tag_Spec* Cmnd + Runas_Spec ::= '(' Runas_List ')' -1.6.7 March 13, 2003 12 + Tag_Spec ::= ('NOPASSWD:' | 'PASSWD:' | 'NOEXEC:' | 'EXEC:') + A uusseerr ssppeecciiffiiccaattiioonn determines which commands a user may +1.6.8 May 16, 2004 13 -SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4) - Cmnd_Spec ::= Runas_Spec? ('NOPASSWD:' | 'PASSWD:')? Cmnd - Runas_Spec ::= '(' Runas_List ')' - A uusseerr ssppeecciiffiiccaattiioonn determines which commands a user may +SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4) + + run (and as what user) on specified hosts. By default, commands are run as rroooott, but this can be changed on a per-command basis. 
@@ -831,7 +892,16 @@ SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4) Then user ddggbb is now allowed to run _/_b_i_n_/_l_s as ooppeerraattoorr, but _/_b_i_n_/_k_i_l_l and _/_u_s_r_/_b_i_n_/_l_p_r_m as rroooott. - NNOOPPAASSSSWWDD aanndd PPAASSSSWWDD + TTaagg__SSppeecc + + A command may have zero or more tags associated with it. + There are four possible tag values, NOPASSWD, PASSWD, + NOEXEC, EXEC. Once a tag is set on a Cmnd, subsequent + Cmnds in the Cmnd_Spec_List, inherit the tag unless it is + overridden by the opposite tag (ie: PASSWD overrides + NOPASSWD and EXEC overrides NOEXEC). + + _N_O_P_A_S_S_W_D _a_n_d _P_A_S_S_W_D By default, ssuuddoo requires that a user authenticate him or herself before running a command. This behavior can be @@ -846,21 +916,21 @@ SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4) _/_u_s_r_/_b_i_n_/_l_p_r_m as root on the machine rushmore as rroooott without authenticating himself. If we only want rraayy to be able to run _/_b_i_n_/_k_i_l_l without a password the entry would - be: - ray rushmore = NOPASSWD: /bin/kill, PASSWD: /bin/ls, /usr/bin/lprm +1.6.8 May 16, 2004 14 -1.6.7 March 13, 2003 13 +SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4) -SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4) + be: + ray rushmore = NOPASSWD: /bin/kill, PASSWD: /bin/ls, /usr/bin/lprm Note, however, that the PASSWD tag has no effect on users who are in the group specified by the exempt_group option. 
@@ -873,6 +943,22 @@ SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4) tain to the current host. This behavior may be overridden via the verifypw and listpw options. + _N_O_E_X_E_C _a_n_d _E_X_E_C + + If sudo has been compiled with _n_o_e_x_e_c support and the + underlying operating system support it, the NOEXEC tag can + be used to prevent a dynamically-linked executable from + running further commands itself. + + In the following example, user aaaarroonn may run _/_u_s_r_/_b_i_n_/_m_o_r_e + and _/_u_s_r_/_b_i_n_/_v_i but shell escapes will be disabled. + + aaron shanty = NOEXEC: /usr/bin/more, /usr/bin/vi + + See the PPRREEVVEENNTTIINNGG SSHHEELLLL EESSCCAAPPEESS section below for more + details on how _n_o_e_x_e_c works and whether or not it will + work on your system. + WWiillddccaarrddss ((aakkaa mmeettaa cchhaarraacctteerrss)):: ssuuddoo allows shell-style _w_i_l_d_c_a_r_d_s to be used in pathnames @@ -897,9 +983,20 @@ SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4) line arguments, however, a slash ddooeess get matched by wild­ cards. This is to make a path like: + + +1.6.8 May 16, 2004 15 + + + + + +SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4) + + /usr/bin/* - match /usr/bin/who but not /usr/bin/X11/xterm. + match _/_u_s_r_/_b_i_n_/_w_h_o but not _/_u_s_r_/_b_i_n_/_X_1_1_/_x_t_e_r_m. EExxcceeppttiioonnss ttoo wwiillddccaarrdd rruulleess:: 
@@ -917,22 +1014,11 @@ SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4) Both the comment character and any text after it, up to the end of the line, are ignored. - - -1.6.7 March 13, 2003 14 - - - - - -SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4) - - - The reserved word AALLLL is a built in _a_l_i_a_s that always + The reserved word AALLLL is a built-in _a_l_i_a_s that always causes a match to succeed. It can be used wherever one might otherwise use a Cmnd_Alias, User_Alias, Runas_Alias, or Host_Alias. You should not try to define your own - _a_l_i_a_s called AALLLL as the built in alias will be used in + _a_l_i_a_s called AALLLL as the built-in alias will be used in preference to your own. Please note that using AALLLL can be dangerous since in a command context, it allows the user to run aannyy command on the system. @@ -940,7 +1026,7 @@ SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4) An exclamation point ('!') can be used as a logical _n_o_t operator both in an _a_l_i_a_s and in front of a Cmnd. This allows one to exclude certain values. Note, however, that - using a ! in conjunction with the built in ALL alias to + using a ! in conjunction with the built-in ALL alias to allow a user to run "all but a few" commands rarely works as intended (see SECURITY NOTES below). @@ -959,6 +1045,21 @@ EEXXAAMMPPLLEESS Below are example _s_u_d_o_e_r_s entries. Admittedly, some of these are a bit contrived. First, we define our _a_l_i_a_s_e_s: + + + + + + +1.6.8 May 16, 2004 16 + + + + + +SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4) + + # User alias specification User_Alias FULLTIMERS = millert, mikef, dowdy User_Alias PARTTIMERS = bostley, jwfox, crawl 
@@ -978,22 +1079,6 @@ EEXXAAMMPPLLEESS Host_Alias SERVERS = master, mail, www, ns Host_Alias CDROM = orion, perseus, hercules - - - - - - - -1.6.7 March 13, 2003 15 - - - - - -SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4) - - # Cmnd alias specification Cmnd_Alias DUMPS = /usr/bin/mt, /usr/sbin/dump, /usr/sbin/rdump,\ /usr/sbin/restore, /usr/sbin/rrestore @@ -1018,7 +1103,7 @@ SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4) the year in each log line since the log entries will be kept around for several years. - # Override built in defaults + # Override built-in defaults Defaults syslog=auth Defaults>root !set_logname Defaults:FULLTIMERS !lecture @@ -1028,6 +1113,19 @@ SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4) The _U_s_e_r _s_p_e_c_i_f_i_c_a_t_i_o_n is the part that actually deter­ mines who may run what. + + + + +1.6.8 May 16, 2004 17 + + + + + +SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4) + + root ALL = (ALL) ALL %wheel ALL = (ALL) ALL @@ -1048,18 +1146,6 @@ SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4) jack CSNETS = ALL The user jjaacckk may run any command on the machines in the - - - -1.6.7 March 13, 2003 16 - - - - - -SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4) - - _C_S_N_E_T_S alias (the networks 128.138.243.0, 128.138.204.0, and 128.138.242.0). Of those networks, only 128.138.204.0 has an explicit netmask (in CIDR notation) indicating it @@ -1094,6 +1180,18 @@ SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4) The user bboobb may run anything on the _S_P_A_R_C and _S_G_I machines as any user listed in the _O_P Runas_Alias (rroooott + + + +1.6.8 May 16, 2004 18 + + + + + +SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4) + + and ooppeerraattoorr). jim +biglab = ALL @@ -1115,17 +1213,6 @@ SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4) john ALPHA = /usr/bin/su [!-]*, !/usr/bin/su *root* - - -1.6.7 March 13, 2003 17 - - - - - -SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4) - - On the _A_L_P_H_A machines, user jjoohhnn may su to anyone except root but he is not allowed to give _s_u(1) any flags. 
@@ -1160,6 +1247,17 @@ SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4) ALL CDROM = NOPASSWD: /sbin/umount /CDROM,\ /sbin/mount -o nosuid\,nodev /dev/cd0a /CDROM + + +1.6.8 May 16, 2004 19 + + + + + +SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4) + + Any user may mount or unmount a CD-ROM on the machines in the CDROM Host_Alias (orion, perseus, hercules) without entering a password. This is a bit tedious for users to 
@@ -1181,9 +1279,43 @@ SSEECCUURRIITTYY NNOOTTEESS restrictions should be considered advisory at best (and reinforced by policy). +PPRREEVVEENNTTIINNGG SSHHEELLLL EESSCCAAPPEESS + Once ssuuddoo executes a program, that program is free to do + whatever it pleases, including run other programs. This + can be a security issue since it is not uncommon for a + program to allow shell escapes, which lets a user bypass + ssuuddoo's restrictions. Common programs that permit shell + escapes include shells (obviously), editors, paginators, + mail and terminal programs. + + Many systems that support shared libraries have the abil­ + ity to override default library functions by pointing an + environment variable (usually LD_PRELOAD) to an alternate + shared library. On such systems, ssuuddoo's _n_o_e_x_e_c function­ + ality can be used to prevent a program run by sudo from + executing any other programs. Note, however, that this + applies only to native dynamically-linked executables. + Statically-linked executables and foreign executables run­ + ning under binary emulation are not affected. + + To tell whether or not ssuuddoo supports _n_o_e_x_e_c, you can run + the following as root: + # sudo -V | grep "dummy exec" -1.6.7 March 13, 2003 18 + If the resulting output contains a line that begins with: + + File containing dummy exec functions: + + then ssuuddoo may be able to replace the exec family of func­ + tions in the standard library with its own that simply + return an error. Unfortunately, there is no foolproof way + to know whether or not _n_o_e_x_e_c will work at compile-time. + _N_o_e_x_e_c should work on SunOS, Solaris, *BSD, Linux, IRIX, + + + +1.6.8 May 16, 2004 20 
@@ -1192,6 +1324,28 @@ SSEECCUURRIITTYY NNOOTTEESS SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4) + Tru64 UNIX, MacOS X, and HP-UX 11.x. It is known nnoott to + work on AIX and UnixWare. _N_o_e_x_e_c is expected to work on + most operating systems that support the LD_PRELOAD envi­ + ronment variable. Check your operating system's manual + pages for the dynamic linker (usually ld.so, ld.so.1, + dyld, dld.sl, rld, or loader) to see if LD_PRELOAD is sup­ + ported. + + To enable _n_o_e_x_e_c for a command, use the NOEXEC tag as doc­ + umented in the User Specification section above. If you + are unsure whether or not your system is capable of sup­ + porting _n_o_e_x_e_c you can always just try it out and see if + it works. + + Note that disabling shell escapes is not a panacea. Pro­ + grams running as root are still capable of many poten­ + tially hazardous operations (such as chaning or overwrit­ + ing files) that could lead to unintended privilege escala­ + tion. In the specific case of an editor, a safer approach + is to give the user permission to run the ssuuddooeeddiitt pro­ + gram. + CCAAVVEEAATTSS The _s_u_d_o_e_r_s file should aallwwaayyss be edited by the vviissuuddoo command which locks the file and does grammatical check­ @@ -1227,28 +1381,6 @@ SSEEEE AALLSSOO - - - - - - - - - - - - - - - - - - - - - - -1.6.7 March 13, 2003 19 +1.6.8 May 16, 2004 21 diff --git a/visudo.cat b/visudo.cat index f0b72a5ef..912ccae02 100644 --- a/visudo.cat +++ b/visudo.cat 
@@ -22,14 +22,14 @@ DDEESSCCRRIIPPTTIIOONN set at compile-time that may be overridden via the _e_d_i_t_o_r _s_u_d_o_e_r_s Default variable. This list defaults to the path to _v_i(1) on your system, as determined by the _c_o_n_f_i_g_u_r_e - script. Normally, vviissuuddoo does not honor the EDITOR or - VISUAL environment variables unless they contain an editor + script. Normally, vviissuuddoo does not honor the VISUAL or + EDITOR environment variables unless they contain an editor in the aforementioned editors list. However, if vviissuuddoo is configured with the _-_-_w_i_t_h_-_e_n_v_e_d_i_t_o_r flag or the _e_n_v_e_d_i_t_o_r Default variable is set in _s_u_d_o_e_r_s, vviissuuddoo will use any - the editor defines by EDITOR or VISUAL. Note that this + the editor defines by VISUAL or EDITOR. Note that this can be a security hole since it allows the user to execute - any program they wish simply by setting EDITOR or VISUAL. + any program they wish simply by setting VISUAL or EDITOR. vviissuuddoo parses the _s_u_d_o_e_r_s file after the edit and will not save the changes if there is a syntax error. Upon finding @@ -61,7 +61,7 @@ OOPPTTIIOONNSS -1.6.7 March 13, 2003 1 +1.6.8 February 13, 2004 1 @@ -111,8 +111,8 @@ EENNVVIIRROONNMMEENNTT The following environment variables are used only if vviissuuddoo was configured with the _-_-_w_i_t_h_-_e_n_v_-_e_d_i_t_o_r option: - EDITOR Invoked by visudo as the editor to use - VISUAL Used Invoked visudo if EDITOR is not set + VISUAL Invoked by visudo as the editor to use + EDITOR Used by visudo if VISUAL is not set FFIILLEESS /etc/sudoers List of who can run what @@ -127,7 +127,7 @@ AAUUTTHHOORR -1.6.7 March 13, 2003 2 +1.6.8 February 13, 2004 2 @@ -193,6 +193,6 @@ SSEEEE AALLSSOO -1.6.7 March 13, 2003 3 +1.6.8 February 13, 2004 3
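Review bot: the env_check entry in the first sudoers.cat hunk (@@ -653,25 +710,26) justifies the filter only for `%` ("printf-style format vulnerabilities") and gives no reason why a `/` in a variable's value also causes removal; since this is where an administrator learns what the check protects against, the sentence should state the rationale for both characters, not just the first. "printf-style format vulnerabilities" would also be clearer as "printf-style format string vulnerabilities". The fix belongs in the sudoers.pod source, since this file is generated.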
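Review bot: in the grammar hunk (@@ -779,28 +837,31) the new `User_Spec ::= User_List Host_List '=' Cmnd_Spec_List \ (':' Host_List '=' Cmnd_Spec_List)*` production narrows the documented syntax (the old `(':' User_Spec)*` allowed a fresh User_List after each colon); a change to what the manual calls legal syntax deserves more than the one-word "regen" commit message. Also, `Cmnd_Spec ::= Runas_Spec? Tag_Spec* Cmnd` permits several tags on a single Cmnd, including contradictory ones such as `NOPASSWD: PASSWD:`, while the Tag_Spec prose added later in this patch only describes inheritance from one Cmnd to the next; the section should say which tag wins when both appear on one command.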
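Review bot: in the Tag_Spec hunk (@@ -831,7 +892,16) the sentence "Once a tag is set on a Cmnd, subsequent Cmnds in the Cmnd_Spec_List, inherit the tag" has a stray comma before "inherit", and "ie:" should be "i.e.". More importantly, the inheritance rule is the security-relevant part of this section: a NOPASSWD: or NOEXEC: written once applies to every later command in the list until the opposite tag appears, which is exactly what the `ray rushmore = NOPASSWD: /bin/kill, PASSWD: /bin/ls, /usr/bin/lprm` example in the next hunk relies on; suggest stating that consequence in one plain sentence so readers do not assume a tag is scoped to the single command it precedes. Fix in sudoers.pod and regenerate.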
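Review bot: in the NOEXEC and EXEC hunk (@@ -873,6 +943,22), "the underlying operating system support it" should be "supports it". The example `aaron shanty = NOEXEC: /usr/bin/more, /usr/bin/vi` disables shell escapes in vi only because the tag is inherited by the second command; since this is the first example readers will copy, a short clause noting that NOEXEC: covers both commands would prevent the reading that only more is affected.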
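Review bot: in the PREVENTING SHELL ESCAPES hunk (@@ -1181,9 +1279,43) the unqualified claim that noexec "can be used to prevent a program run by sudo from executing any other programs" comes a sentence before its limits (native dynamically-linked executables only; statically-linked and emulated binaries unaffected); for a security feature the limitation should sit in the same sentence as the claim, because readers take the first sentence as the guarantee. "Unfortunately, there is no foolproof way to know whether or not noexec will work at compile-time" would also be clearer as a statement that the build cannot detect support and that it must be verified on the installed system, which is what the `# sudo -V | grep "dummy exec"` check is for.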
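Review bot: typo in the hunk @@ -1192,6 +1324,28: "chaning or overwriting files" should be "changing or overwriting files", and "MacOS X" is normally written "Mac OS X"; both need fixing in sudoers.pod rather than in this generated file. The advice "you can always just try it out and see if it works" leaves the administrator without a method; suggest saying plainly that the NOEXEC: entry should be verified with a test account before it is relied on, and keep the closing recommendation of sudoedit for editors, which is the right default.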
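Review bot: in the visudo.cat DESCRIPTION hunk (@@ -22,14 +22,14) the line "vviissuuddoo will use any the editor defines by VISUAL or EDITOR" is ungrammatical both before and after the swap; it should read "will use whatever editor is defined by VISUAL or EDITOR". The same paragraph names the configure flag `--with-enveditor` while the ENVIRONMENT hunk (@@ -111,8 +111,8) names it `--with-env-editor`, and ENVIRONMENT says the variables are used "only if" that option was given, omitting the env_editor sudoers Default that DESCRIPTION documents as the other way to enable them; the two sections should agree. Finally, the footers in this regenerated set disagree on the date: sudoers.cat now reads "1.6.8 May 16, 2004" while sudo.cat and visudo.cat read "1.6.8 February 13, 2004"; if the date comes from the pod sources, the sudo and visudo pods should be bumped too so all 1.6.8 pages carry one date.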