From 21dd6af796c4019be9fa1cc9a6cb22788c724e91 Mon Sep 17 00:00:00 2001 From: "Todd C. Miller" Date: Mon, 27 Dec 2010 15:43:01 -0500 Subject: [PATCH] Document use of mkdtemp() for iolog path teplates --- doc/sudoers.cat | 130 ++++++++++++++++++++++----------------------- doc/sudoers.man.in | 6 ++- doc/sudoers.pod | 6 ++- 3 files changed, 75 insertions(+), 67 deletions(-) diff --git a/doc/sudoers.cat b/doc/sudoers.cat index 83bdba503..d0b35d4a9 100644 --- a/doc/sudoers.cat +++ b/doc/sudoers.cat @@ -1221,6 +1221,10 @@ SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4) In addition, any escape sequences supported by the system's _s_t_r_f_t_i_m_e_(_) function will be expanded. + Path names that end in six or more Xs will have the Xs + replaced with a unique combination of digits and + letters, similar to the _m_k_t_e_m_p_(_) function. + iolog_file The path name, relative to _i_o_l_o_g___d_i_r, in which to store input/output logs when the _l_o_g___i_n_p_u_t or _l_o_g___o_u_t_p_u_t options are enabled or when the or @@ -1242,10 +1246,6 @@ SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4) LD_PRELOAD or its equivalent. Defaults to _/_u_s_r_/_l_o_c_a_l_/_l_i_b_e_x_e_c_/_s_u_d_o___n_o_e_x_e_c_._s_o. - passprompt The default prompt to use when asking for a password; - can be overridden via the --pp option or the SUDO_PROMPT - environment variable. The following percent (`%') - escape sequences are supported: @@ -1258,6 +1258,11 @@ SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4) SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4) + passprompt The default prompt to use when asking for a password; + can be overridden via the --pp option or the SUDO_PROMPT + environment variable. The following percent (`%') + escape sequences are supported: + %H expanded to the local host name including the domain name (on if the machine's host name is fully qualified or the _f_q_d_n option is set) 
@@ -1307,11 +1312,6 @@ SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4) stored therein. The default is root. type The default SELinux type to use when constructing a new - security context to run the command. The default type - may be overridden on a per-command basis in _s_u_d_o_e_r_s or - via command line options. This option is only - available whe ssuuddoo is built with SELinux support. - @@ -1324,6 +1324,11 @@ SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4) SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4) + security context to run the command. The default type + may be overridden on a per-command basis in _s_u_d_o_e_r_s or + via command line options. This option is only + available whe ssuuddoo is built with SELinux support. + SSttrriinnggss tthhaatt ccaann bbee uusseedd iinn aa bboooolleeaann ccoonntteexxtt: askpass The _a_s_k_p_a_s_s option specifies the fully qualified path to a @@ -1374,11 +1379,6 @@ SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4) never Never lecture the user. - once Only lecture the user the first time they run ssuuddoo. - - If no value is specified, a value of _o_n_c_e is implied. - Negating the option results in a value of _n_e_v_e_r being used. - 1.8.0b3 December 27, 2010 21 @@ -1390,6 +1390,10 @@ SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4) SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4) + once Only lecture the user the first time they run ssuuddoo. + + If no value is specified, a value of _o_n_c_e is implied. + Negating the option results in a value of _n_e_v_e_r being used. The default value is _o_n_c_e. lecture_file 
@@ -1440,10 +1444,6 @@ SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4) secure_path Path used for every command run from ssuuddoo. If you don't trust the people running ssuuddoo to have a sane PATH environment variable you may want to use this. Another use - is if you want to have the "root path" be separate from the - "user path." Users in the group specified by the - _e_x_e_m_p_t___g_r_o_u_p option are not affected by _s_e_c_u_r_e___p_a_t_h. This - option is not set by default. @@ -1456,6 +1456,11 @@ SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4) SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4) + is if you want to have the "root path" be separate from the + "user path." Users in the group specified by the + _e_x_e_m_p_t___g_r_o_u_p option are not affected by _s_e_c_u_r_e___p_a_t_h. This + option is not set by default. + syslog Syslog facility if syslog is being used for logging (negate to disable syslog logging). Defaults to auth. @@ -1505,11 +1510,6 @@ SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4) can be replaced, added to, deleted from, or disabled by using the =, +=, -=, and ! operators respectively. The default list of environment variables to remove is - displayed when ssuuddoo is run by root with the _-_V option. - Note that many operating systems will remove - potentially dangerous variables from the environment of - any setuid process (such as ssuuddoo). - @@ -1522,6 +1522,11 @@ SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4) SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4) + displayed when ssuuddoo is run by root with the _-_V option. + Note that many operating systems will remove + potentially dangerous variables from the environment of + any setuid process (such as ssuuddoo). + env_keep Environment variables to be preserved in the user's environment when the _e_n_v___r_e_s_e_t option is in effect. This allows fine-grained control over the environment 
@@ -1571,11 +1576,6 @@ EEXXAAMMPPLLEESS User_Alias WEBMASTERS = will, wendy, wim # Runas alias specification - Runas_Alias OP = root, operator - Runas_Alias DB = oracle, sybase - Runas_Alias ADMINGRP = adm, oper - - # Host alias specification @@ -1588,6 +1588,11 @@ EEXXAAMMPPLLEESS SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4) + Runas_Alias OP = root, operator + Runas_Alias DB = oracle, sybase + Runas_Alias ADMINGRP = adm, oper + + # Host alias specification Host_Alias SPARC = bigtime, eclipse, moet, anchor :\ SGI = grolsch, dandelion, black :\ ALPHA = widget, thalamus, foobar :\ @@ -1637,11 +1642,6 @@ SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4) %wheel ALL = (ALL) ALL We let rroooott and any user in group wwhheeeell run any command on any host as - any user. - - FULLTIMERS ALL = NOPASSWD: ALL - - Full time sysadmins (mmiilllleerrtt, mmiikkeeff, and ddoowwddyy) may run any command on @@ -1654,6 +1654,11 @@ SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4) SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4) + any user. + + FULLTIMERS ALL = NOPASSWD: ALL + + Full time sysadmins (mmiilllleerrtt, mmiikkeeff, and ddoowwddyy) may run any command on any host without authenticating themselves. PARTTIMERS ALL = ALL @@ -1703,11 +1708,6 @@ SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4) The user bboobb may run anything on the _S_P_A_R_C and _S_G_I machines as any user listed in the _O_P Runas_Alias (rroooott and ooppeerraattoorr). - jim +biglab = ALL - - The user jjiimm may run any command on machines in the _b_i_g_l_a_b netgroup. - ssuuddoo knows that "biglab" is a netgroup due to the '+' prefix. - 
@@ -1720,6 +1720,11 @@ SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4) SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4) + jim +biglab = ALL + + The user jjiimm may run any command on machines in the _b_i_g_l_a_b netgroup. + ssuuddoo knows that "biglab" is a netgroup due to the '+' prefix. + +secretaries ALL = PRINTING, /usr/bin/adduser, /usr/bin/rmuser Users in the sseeccrreettaarriieess netgroup need to help manage the printers as @@ -1769,11 +1774,6 @@ SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4) Any user may mount or unmount a CD-ROM on the machines in the CDROM Host_Alias (orion, perseus, hercules) without entering a password. This is a bit tedious for users to type, so it is a prime candidate for - encapsulating in a shell script. - -SSEECCUURRIITTYY NNOOTTEESS - It is generally not effective to "subtract" commands from ALL using the - '!' operator. A user can trivially circumvent this by copying the @@ -1786,6 +1786,11 @@ SSEECCUURRIITTYY NNOOTTEESS SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4) + encapsulating in a shell script. + +SSEECCUURRIITTYY NNOOTTEESS + It is generally not effective to "subtract" commands from ALL using the + '!' operator. A user can trivially circumvent this by copying the desired command to a different name and then executing that. For example: @@ -1835,11 +1840,6 @@ PPRREEVVEENNTTIINNGG SSHHEELLLL EESSCCAAPPEESS shared library. On such systems, ssuuddoo's _n_o_e_x_e_c functionality can be used to prevent a program run by ssuuddoo from executing any other programs. Note, however, that this applies only to - native dynamically-linked executables. Statically-linked - executables and foreign executables running under binary - emulation are not affected. - - To tell whether or not ssuuddoo supports _n_o_e_x_e_c, you can run the 
@@ -1852,6 +1852,11 @@ PPRREEVVEENNTTIINNGG SSHHEELLLL EESSCCAAPPEESS SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4) + native dynamically-linked executables. Statically-linked + executables and foreign executables running under binary + emulation are not affected. + + To tell whether or not ssuuddoo supports _n_o_e_x_e_c, you can run the following as root: sudo -V | grep "dummy exec" @@ -1901,11 +1906,6 @@ SSEECCUURRIITTYY NNOOTTEESS ownership and mode of the directory and its contents, the only damage that can be done is to "hide" files by putting them in the time stamp dir. This is unlikely to happen since once the time stamp dir is owned - by root and inaccessible by any other user, the user placing files - there would be unable to get them back out. - - _s_u_d_o_e_r_s will not honor time stamps set far in the future. Time stamps - with a date greater than current_time + 2 * TIMEOUT will be ignored and @@ -1918,6 +1918,11 @@ SSEECCUURRIITTYY NNOOTTEESS SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4) + by root and inaccessible by any other user, the user placing files + there would be unable to get them back out. + + _s_u_d_o_e_r_s will not honor time stamps set far in the future. Time stamps + with a date greater than current_time + 2 * TIMEOUT will be ignored and sudo will log and complain. This is done to keep a user from creating his/her own time stamp with a bogus date on systems that allow users to give away files if the time stamp directory is located in a world- 
@@ -1947,8 +1952,8 @@ SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4) specification. SSEEEE AALLSSOO - _r_s_h(1), _s_u(1), _f_n_m_a_t_c_h(3), _g_l_o_b(3), _s_t_r_f_t_i_m_e(3), _s_u_d_o_e_r_s_._l_d_a_p(4), - _s_u_d_o___p_l_u_g_i_n(1m), _s_u_d_o(1m), _v_i_s_u_d_o(1m) + _r_s_h(1), _s_u(1), _f_n_m_a_t_c_h(3), _g_l_o_b(3), _m_k_t_e_m_p(3), _s_t_r_f_t_i_m_e(3), + _s_u_d_o_e_r_s_._l_d_a_p(4), _s_u_d_o___p_l_u_g_i_n(1m), _s_u_d_o(1m), _v_i_s_u_d_o(1m) CCAAVVEEAATTSS The _s_u_d_o_e_r_s file should aallwwaayyss be edited by the vviissuuddoo command which @@ -1967,11 +1972,6 @@ BBUUGGSS SSUUPPPPOORRTT Limited free support is available via the sudo-users mailing list, see - http://www.sudo.ws/mailman/listinfo/sudo-users to subscribe or search - the archives. - -DDIISSCCLLAAIIMMEERR - ssuuddoo is provided ``AS IS'' and any express or implied warranties, @@ -1984,6 +1984,11 @@ DDIISSCCLLAAIIMMEERR SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4) + http://www.sudo.ws/mailman/listinfo/sudo-users to subscribe or search + the archives. + +DDIISSCCLLAAIIMMEERR + ssuuddoo is provided ``AS IS'' and any express or implied warranties, including, but not limited to, the implied warranties of merchantability and fitness for a particular purpose are disclaimed. See the LICENSE file distributed with ssuuddoo or @@ -2030,11 +2035,6 @@ SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4) - - - - - diff --git a/doc/sudoers.man.in b/doc/sudoers.man.in index 544725a47..233ec9aad 100644 --- a/doc/sudoers.man.in +++ b/doc/sudoers.man.in @@ -1248,6 +1248,10 @@ expanded to the base name of the command being run .Sp In addition, any escape sequences supported by the system's \fIstrftime()\fR function will be expanded. +.Sp +Path names that end in six or more \f(CW\*(C`X\*(C'\fRs will have the \f(CW\*(C`X\*(C'\fRs replaced +with a unique combination of digits and letters, similar to the +\&\fImktemp()\fR function. .RE .IP "iolog_file" 16 .IX Item "iolog_file" 
@@ -1956,7 +1960,7 @@ their own copy of a shell) regardless of any '!' elements in the user specification. .SH "SEE ALSO" .IX Header "SEE ALSO" -\&\fIrsh\fR\|(1), \fIsu\fR\|(1), \fIfnmatch\fR\|(3), \fIglob\fR\|(3), \fIstrftime\fR\|(3), +\&\fIrsh\fR\|(1), \fIsu\fR\|(1), \fIfnmatch\fR\|(3), \fIglob\fR\|(3), \fImktemp\fR\|(3), \fIstrftime\fR\|(3), \&\fIsudoers.ldap\fR\|(@mansectform@), \fIsudo_plugin\fR\|(@mansectsu@), \fIsudo\fR\|(@mansectsu@), \fIvisudo\fR\|(@mansectsu@) .SH "CAVEATS" .IX Header "CAVEATS" diff --git a/doc/sudoers.pod b/doc/sudoers.pod index 842dd4f38..f00bd927c 100644 --- a/doc/sudoers.pod +++ b/doc/sudoers.pod @@ -1170,6 +1170,10 @@ expanded to the base name of the command being run In addition, any escape sequences supported by the system's strftime() function will be expanded. +Path names that end in six or more Cs will have the Cs replaced +with a unique combination of digits and letters, similar to the +mktemp() function. + =item iolog_file The path name, relative to I, in which to store input/output @@ -1887,7 +1891,7 @@ user specification. =head1 SEE ALSO -L, L, L, L, L, +L, L, L, L, L, L, L, L, L, L =head1 CAVEATS -- 2.40.0
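Review bot: the subject line says mkdtemp(), but the paragraph added before the iolog_file entry in doc/sudoers.cat, doc/sudoers.man.in and doc/sudoers.pod says the Xs are replaced "similar to the mktemp() function", and SEE ALSO gains mktemp(3). The difference matters for a log path: mktemp() only generates a name, while mkdtemp() creates the directory itself with mode 0700, leaving no window between choosing the name and creating it. If the code calls mkdtemp(), name mkdtemp() in the paragraph so readers know the path is created rather than just named; otherwise correct the subject.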
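Review bot: the added paragraph ("Path names that end in six or more Xs will have the Xs replaced ...") does not name the option it applies to. It sits at the end of the entry that precedes iolog_file, and the iolog_file entry itself is unchanged in all three files. State explicitly whether a trailing run of Xs is also honored in iolog_file, and whether the expanded path is created as a directory, so an administrator can tell which templates actually yield a unique log location.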
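Review bot: the doc/sudoers.cat hunks are mostly repagination churn: the passprompt, type, lecture, secure_path, EXAMPLES and SECURITY NOTES lines are removed on one page and re-added unchanged on the next, which buries the four added lines and the SEE ALSO change inside the 130 changed lines the diffstat reports for that file. Consider committing the regenerated formatted page separately from the source change. One of the moved lines reads "available whe ssuuddoo is built with SELinux support"; since sudoers.cat is formatted output, fix "whe" to "when" in the source it is built from. The subject line also has "teplates" for "templates".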