From 051943b6877deddb7f8e50c667119f677e30c18c Mon Sep 17 00:00:00 2001 From: "Todd C. Miller" Date: Fri, 9 Jan 2004 21:24:50 +0000 Subject: [PATCH] Mention noexec --- sudo.man.in | 14 +++++++++----- sudo.pod | 8 ++++++-- 2 files changed, 15 insertions(+), 7 deletions(-) diff --git a/sudo.man.in b/sudo.man.in index e0be23bb3..46961614e 100644 --- a/sudo.man.in +++ b/sudo.man.in @@ -30,13 +30,13 @@ .\" WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR .\" OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF .\" ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. -.\" +.\" .\" Sponsored in part by the Defense Advanced Research Projects .\" Agency (DARPA) and Air Force Research Laboratory, Air Force .\" Materiel Command, USAF, under agreement number F39502-99-1-0512. .\" .\" $Sudo$ -.\" Automatically generated by Pod::Man v1.34, Pod::Parser v1.13 +.\" Automatically generated by Pod::Man v1.37, Pod::Parser v1.13 .\" .\" Standard preamble: .\" ======================================================================== @@ -167,7 +167,7 @@ .\" ======================================================================== .\" .IX Title "SUDO @mansectsu@" -.TH SUDO @mansectsu@ "March 13, 2003" "1.6.7" "MAINTENANCE COMMANDS" +.TH SUDO @mansectsu@ "January 9, 2004" "1.6.8" "MAINTENANCE COMMANDS" .SH "NAME" sudo \- execute a command as another user .SH "SYNOPSIS" 
@@ -498,8 +498,12 @@ and fitness for a particular purpose are disclaimed. See the \s-1LICENSE\s0 file distributed with \fBsudo\fR for complete details. .SH "CAVEATS" .IX Header "CAVEATS" -There is no easy way to prevent a user from gaining a root shell if -that user has access to commands allowing shell escapes. +There is no easy way to prevent a user from gaining a root shell +if that user is allowed to run arbitrary commands via \fBsudo\fR. +Also, many programs (such as editors) allow the user to run commands +via shell escapes, thus avoiding \fBsudo\fR's checks. However, on +most systems it is possible to prevent shell escapes with \fBsudo\fR's +\&\fInoexec\fR functionality. See the \fIsudoers\fR\|(@mansectform@) manual for details. .PP If users have sudo \f(CW\*(C`ALL\*(C'\fR there is nothing to prevent them from creating their own program that gives them a root shell regardless of any '!' diff --git a/sudo.pod b/sudo.pod index a6256daf1..b93876c69 100644 --- a/sudo.pod +++ b/sudo.pod @@ -388,8 +388,12 @@ See the LICENSE file distributed with B for complete details. =head1 CAVEATS -There is no easy way to prevent a user from gaining a root shell if -that user has access to commands allowing shell escapes. +There is no easy way to prevent a user from gaining a root shell +if that user is allowed to run arbitrary commands via B. +Also, many programs (such as editors) allow the user to run commands +via shell escapes, thus avoiding B's checks. However, on +most systems it is possible to prevent shell escapes with B's +I functionality. See the sudoers(5) manual for details. If users have sudo C there is nothing to prevent them from creating their own program that gives them a root shell regardless of any '!' -- 2.40.0
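Review bot: The first two sudo.man.in hunks (@@ -30 and @@ -167) carry changes the subject "Mention noexec" does not cover: a comment line with no visible text difference, the Pod::Man v1.34 to v1.37 bump, and the .TH change from "March 13, 2003" "1.6.7" to "January 9, 2004" "1.6.8". Either say in the commit message that sudo.man.in was regenerated from sudo.pod, or split the date and version bump into its own commit, so the CAVEATS wording change is easy to isolate in history.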
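Review bot: In the sudo.man.in CAVEATS hunk (@@ -498), the new opening sentence about a user who "is allowed to run arbitrary commands via sudo" overlaps the unchanged paragraph that follows ("If users have sudo ALL there is nothing to prevent them from creating their own program that gives them a root shell"), so the section now makes the same point twice. Consider opening the section with the shell-escape sentence and the noexec pointer, and leaving the arbitrary-command case to the existing paragraph.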
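Review bot: In the sudo.pod CAVEATS hunk (@@ -388), "it is possible to prevent shell escapes" reads as a guarantee, while "on most systems" leaves unstated where it does not hold. Administrators will rely on this text when deciding whether to grant editors and similar programs, so a softer verb such as "restrict" would be safer, and the cross-reference sentence could say that the sudoers manual describes the conditions under which noexec applies. Since sudo.man.in is generated from this file, fixing the wording here covers both.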