From 42666204e2e9baf2a3c22cb91abd0d0360b9dc5b Mon Sep 17 00:00:00 2001 From: "Todd C. Miller" Date: Fri, 10 Jul 2015 10:02:38 -0600 Subject: [PATCH] Attempt to clarify the conditions under which MAIL and HOME are set to the target user. --- doc/sudo.cat | 17 ++++++++++------- doc/sudo.man.in | 39 +++++++++++++++++++++++++-------------- doc/sudo.mdoc.in | 39 +++++++++++++++++++++++++-------------- doc/sudoers.cat | 9 +++++---- doc/sudoers.man.in | 8 ++++---- doc/sudoers.mdoc.in | 8 ++++---- 6 files changed, 73 insertions(+), 47 deletions(-) diff --git a/doc/sudo.cat b/doc/sudo.cat index 2dfd5f9d9..c4b5b3c67 100644 --- a/doc/sudo.cat +++ b/doc/sudo.cat @@ -455,13 +455,16 @@ EENNVVIIRROONNMMEENNTT EDITOR Default editor to use in --ee (sudoedit) mode if neither SUDO_EDITOR nor VISUAL is set. - MAIL In --ii mode or when _e_n_v___r_e_s_e_t is enabled in _s_u_d_o_e_r_s, set - to the mail spool of the target user. + MAIL Set to the mail spool of the target user when the --ii + option is specified or when _e_n_v___r_e_s_e_t is enabled in + _s_u_d_o_e_r_s (unless MAIL is present in the _e_n_v___k_e_e_p list). - HOME Set to the home directory of the target user if --ii or --HH - are specified, _e_n_v___r_e_s_e_t or _a_l_w_a_y_s___s_e_t___h_o_m_e are set in - _s_u_d_o_e_r_s, or when the --ss option is specified and _s_e_t___h_o_m_e - is set in _s_u_d_o_e_r_s. + HOME Set to the home directory of the target user when the --ii + or --HH options are specified, when the --ss option is + specified and _s_e_t___h_o_m_e is set in _s_u_d_o_e_r_s, when + _a_l_w_a_y_s___s_e_t___h_o_m_e is enabled in _s_u_d_o_e_r_s, or when _e_n_v___r_e_s_e_t + is enabled in _s_u_d_o_e_r_s and _H_O_M_E is not present in the + _e_n_v___k_e_e_p list. PATH May be overridden by the security policy. @@ -582,4 +585,4 @@ DDIISSCCLLAAIIMMEERR file distributed with ssuuddoo or http://www.sudo.ws/license.html for complete details. -Sudo 1.8.14 June 8, 2015 Sudo 1.8.14 +Sudo 1.8.14 July 10, 2015 Sudo 1.8.14 diff --git a/doc/sudo.man.in b/doc/sudo.man.in index 52e8d6c88..c3b50ac9d 100644 --- a/doc/sudo.man.in +++ b/doc/sudo.man.in @@ -21,7 +21,7 @@ .\" Agency (DARPA) and Air Force Research Laboratory, Air Force .\" Materiel Command, USAF, under agreement number F39502-99-1-0512. .\" -.TH "SUDO" "8" "June 8, 2015" "Sudo @PACKAGE_VERSION@" "System Manager's Manual" +.TH "SUDO" "8" "July 10, 2015" "Sudo @PACKAGE_VERSION@" "System Manager's Manual" .nh .if n .ad l .SH "NAME" @@ -920,31 +920,42 @@ nor is set. .TP 17n \fRMAIL\fR -In +Set to the mail spool of the target user when the \fB\-i\fR -mode or when +option is specified or when \fIenv_reset\fR is enabled in -\fIsudoers\fR, -set to the mail spool of the target user. +\fIsudoers\fR +(unless +\fRMAIL\fR +is present in the +\fIenv_keep\fR +list). .TP 17n \fRHOME\fR -Set to the home directory of the target user if +Set to the home directory of the target user when the \fB\-i\fR or \fB\-H\fR -are specified, -\fIenv_reset\fR -or -\fIalways_set_home\fR -are set in -\fIsudoers\fR, -or when the +options are specified, when the \fB\-s\fR option is specified and \fIset_home\fR is set in -\fIsudoers\fR. +\fIsudoers\fR, +when +\fIalways_set_home\fR +is enabled in +\fIsudoers\fR, +or when +\fIenv_reset\fR +is enabled in +\fIsudoers\fR +and +\fIHOME\fR +is not present in the +\fIenv_keep\fR +list. .TP 17n \fRPATH\fR May be overridden by the security policy. diff --git a/doc/sudo.mdoc.in b/doc/sudo.mdoc.in index 13f7b252c..23ed9f020 100644 --- a/doc/sudo.mdoc.in +++ b/doc/sudo.mdoc.in @@ -19,7 +19,7 @@ .\" Agency (DARPA) and Air Force Research Laboratory, Air Force .\" Materiel Command, USAF, under agreement number F39502-99-1-0512. .\" -.Dd June 8, 2015 +.Dd July 10, 2015 .Dt SUDO @mansectsu@ .Os Sudo @PACKAGE_VERSION@ .Sh NAME @@ -851,30 +851,41 @@ nor .Ev VISUAL is set. .It Ev MAIL -In +Set to the mail spool of the target user when the .Fl i -mode or when +option is specified or when .Em env_reset is enabled in -.Em sudoers , -set to the mail spool of the target user. +.Em sudoers +(unless +.Ev MAIL +is present in the +.Em env_keep +list). .It Ev HOME -Set to the home directory of the target user if +Set to the home directory of the target user when the .Fl i or .Fl H -are specified, -.Em env_reset -or -.Em always_set_home -are set in -.Em sudoers , -or when the +options are specified, when the .Fl s option is specified and .Em set_home is set in -.Em sudoers . +.Em sudoers , +when +.Em always_set_home +is enabled in +.Em sudoers , +or when +.Em env_reset +is enabled in +.Em sudoers +and +.Em HOME +is not present in the +.Em env_keep +list. .It Ev PATH May be overridden by the security policy. .It Ev SHELL diff --git a/doc/sudoers.cat b/doc/sudoers.cat index b091ff61e..cbf478fde 100644 --- a/doc/sudoers.cat +++ b/doc/sudoers.cat @@ -837,9 +837,10 @@ SSUUDDOOEERRSS OOPPTTIIOONNSS always_set_home If enabled, ssuuddoo will set the HOME environment variable to the home directory of the target user (which is root unless the --uu option is used). This effectively means - that the --HH option is always implied. Note that HOME - is already set when the _e_n_v___r_e_s_e_t option is enabled, so - _a_l_w_a_y_s___s_e_t___h_o_m_e is only effective for configurations + that the --HH option is always implied. Note that by + default, HOME will be set to the home directory of the + target user when the _e_n_v___r_e_s_e_t option is enabled, so + _a_l_w_a_y_s___s_e_t___h_o_m_e only has an effect for configurations where either _e_n_v___r_e_s_e_t is disabled or HOME is present in the _e_n_v___k_e_e_p list. This flag is _o_f_f by default. @@ -2416,4 +2417,4 @@ DDIISSCCLLAAIIMMEERR file distributed with ssuuddoo or http://www.sudo.ws/license.html for complete details. -Sudo 1.8.14 March 24, 2015 Sudo 1.8.14 +Sudo 1.8.14 July 10, 2015 Sudo 1.8.14 diff --git a/doc/sudoers.man.in b/doc/sudoers.man.in index 74b67d284..298a33a70 100644 --- a/doc/sudoers.man.in +++ b/doc/sudoers.man.in @@ -21,7 +21,7 @@ .\" Agency (DARPA) and Air Force Research Laboratory, Air Force .\" Materiel Command, USAF, under agreement number F39502-99-1-0512. .\" -.TH "SUDOERS" "5" "March 24, 2015" "Sudo @PACKAGE_VERSION@" "File Formats Manual" +.TH "SUDOERS" "5" "July 10, 2015" "Sudo @PACKAGE_VERSION@" "File Formats Manual" .nh .if n .ad l .SH "NAME" @@ -1825,13 +1825,13 @@ option is used). This effectively means that the \fB\-H\fR option is always implied. -Note that +Note that by default, \fRHOME\fR -is already set when the +will be set to the home directory of the target user when the \fIenv_reset\fR option is enabled, so \fIalways_set_home\fR -is only effective for configurations where either +only has an effect for configurations where either \fIenv_reset\fR is disabled or \fRHOME\fR diff --git a/doc/sudoers.mdoc.in b/doc/sudoers.mdoc.in index 2fe0cb329..cd8d6c7b0 100644 --- a/doc/sudoers.mdoc.in +++ b/doc/sudoers.mdoc.in @@ -19,7 +19,7 @@ .\" Agency (DARPA) and Air Force Research Laboratory, Air Force .\" Materiel Command, USAF, under agreement number F39502-99-1-0512. .\" -.Dd March 24, 2015 +.Dd July 10, 2015 .Dt SUDOERS @mansectform@ .Os Sudo @PACKAGE_VERSION@ .Sh NAME @@ -1697,13 +1697,13 @@ option is used). This effectively means that the .Fl H option is always implied. -Note that +Note that by default, .Ev HOME -is already set when the +will be set to the home directory of the target user when the .Em env_reset option is enabled, so .Em always_set_home -is only effective for configurations where either +only has an effect for configurations where either .Em env_reset is disabled or .Ev HOME -- 2.40.0