From 50219d0aa04d598d22a63b441957b726ddd68cc1 Mon Sep 17 00:00:00 2001
From: "Todd C. Miller"
Date: Sun, 7 Feb 1999 00:47:32 +0000
Subject: [PATCH] Make it clear that it is the user's password, not root's, that we want.
---
 Makefile.in | 7 -------
 sudo.cat | 30 +++++++++++++++---------------
 sudo.html | 43 +++++++++++++++++++++++++++----------------
 sudo.man | 12 ++++++------
 sudo.pod | 6 +++---
 5 files changed, 51 insertions(+), 47 deletions(-)
diff --git a/Makefile.in b/Makefile.in
index 94fa5321e..87fdf91b8 100644
--- a/Makefile.in
+++ b/Makefile.in
@@ -144,7 +144,6 @@ all: $(PROGS) .man.cat: @rm -f $(srcdir)/$@ $(NROFF) -man $< > $(srcdir)/$@ - @chmod 444 $(srcdir)/$@ sudo: $(PARSEOBJS) $(SUDOBJS) $(LIBOBJS) $(CC) -o $@ $(PARSEOBJS) $(SUDOBJS) $(LIBOBJS) $(SUDO_LDFLAGS) $(SUDO_LIBS)
@@ -174,36 +173,30 @@ $(SUDOBJS) $(LIBOBJS) : $(HDRS) config.h sudo.html: $(srcdir)/sudo.pod @rm -f $(srcdir)/$@ pod2html --title="Sudo Manual" --infile=$< --outfile=$(srcdir)/$@ - @chmod 444 $(srcdir)/$@ sudo.man: $(srcdir)/sudo.pod @rm -f $(srcdir)/$@ pod2man --section=$(mansect8) --release=$(VERSION) --center="MAINTENANCE COMMANDS" $< > $(srcdir)/$@ - @chmod 444 $(srcdir)/$@ sudo.cat: $(srcdir)/sudo.man visudo.html: $(srcdir)/visudo.pod @rm -f $(srcdir)/$@ pod2html --title="Visudo Manual" --infile=$< --outfile=$(srcdir)/$@ - @chmod 444 $(srcdir)/$@ visudo.man: $(srcdir)/visudo.pod @rm -f $(srcdir)/$@ pod2man --section=$(mansect8) --release=$(VERSION) --center="MAINTENANCE COMMANDS" $< > $(srcdir)/$@ - @chmod 444 $(srcdir)/$@ visudo.cat: $(srcdir)/visudo.man sudoers.html: $(srcdir)/sudoers.pod @rm -f $(srcdir)/$@ pod2html --title="Sudoers Manual" --infile=$< --outfile=$(srcdir)/$@ - @chmod 444 $(srcdir)/$@ sudoers.man: $(srcdir)/sudoers.pod @rm -f $(srcdir)/$@ pod2man --section=$(mansect5) --release=$(VERSION) --center="FILE FORMATS" $< > $(srcdir)/$@ - @chmod 444 $(srcdir)/$@ sudoers.cat: $(srcdir)/sudoers.man
diff --git a/sudo.cat b/sudo.cat
index 26cb69216..2eee11668 100644
--- a/sudo.cat +++ b/sudo.cat @@ -19,9 +19,9 @@ DDDDEEEESSSSCCCCRRRRIIIIPPPPTTTTIIIIOOOONNNN ssssuuuuddddoooo determines who is an authorized user by consulting the file _/_e_t_c_/_s_u_d_o_e_r_s. By giving ssssuuuuddddoooo the -v flag a user can update the time stamp without running a _c_o_m_m_a_n_d_. The - password prompt itself will also time out if the password - is not entered with N minutes (again, this is defined at - installation time and defaults to 5 minutes). + password prompt itself will also time out if the user's + password is not entered with N minutes (again, this is + defined at installation time and defaults to 5 minutes). If an unauthorized user executes ssssuuuuddddoooo, mail will be sent from the user to the local authorities (defined at @@ -44,15 +44,15 @@ OOOOPPPPTTTTIIIIOOOONNNNSSSS of ssssuuuuddddoooo and a usage message before exiting. -v If given the -v (_v_a_l_i_d_a_t_e) option, ssssuuuuddddoooo will update - the user's timestamp file, prompting for a password if - necessary. This extends the ssssuuuuddddoooo timeout to for - another N minutes (where N is defined at installation - time and defaults to 5 minutes) but does not run a - command. + the user's timestamp file, prompting for the user's + password if necessary. This extends the ssssuuuuddddoooo timeout + to for another N minutes (where N is defined at + installation time and defaults to 5 minutes) but does + not run a command. -k The -k (_k_i_l_l) option to ssssuuuuddddoooo removes the user's - timestamp file, thus requiring a password the next - time ssssuuuuddddoooo is run. This option does not require a + timestamp file, thus requiring the user's password the + next time ssssuuuuddddoooo is run. This option does not require a password and was added to allow a user to revoke ssssuuuuddddoooo permissions from a .logout file. @@ -61,7 +61,7 @@ OOOOPPPPTTTTIIIIOOOONNNNSSSS -26/Jan/99 1.5.8 1 +6/Feb/99 1.5.8 1 
@@ -127,7 +127,7 @@ SSSSEEEECCCCUUUURRRRIIIITTTTYYYY NNNNOOOOTTTTE -26/Jan/99 1.5.8 2 +6/Feb/99 1.5.8 2 @@ -193,7 +193,7 @@ EEEENNNNVVVVIIIIRRRROOOONNNNMMMMEEEENNNNTTTT V -26/Jan/99 1.5.8 3 +6/Feb/99 1.5.8 3 @@ -259,7 +259,7 @@ SSSSEEEEEEEE AAAALLLLSSSSOOOO -26/Jan/99 1.5.8 4 +6/Feb/99 1.5.8 4 @@ -325,6 +325,6 @@ sudo(8) MAINTENANCE COMMANDS sudo(8) -26/Jan/99 1.5.8 5 +6/Feb/99 1.5.8 5 diff --git a/sudo.html b/sudo.html index 2c76b3bbb..218c3c372 100644 --- a/sudo.html +++ b/sudo.html @@ -42,7 +42,7 @@ sudo - execute a command as the superuser

SYNOPSIS

-sudo -V | -h | -l | -v | -k | -s | -H | [ -b ] | [ -p prompt ] [ -u username/#uid] command +sudo -V | -h | -l | -v | -k | -s | -H | [ -b ] | [ -r realm ] | [ -p prompt ] [ -u username/#uid] command @@ -61,7 +61,7 @@ as the superuser (real and effective uid and gid are set to and ro

sudo determines who is an authorized user by consulting the file /etc/sudoers. By giving sudo the -v flag a user can update the time stamp without running a command. -The password prompt itself will also time out if the password is not +The password prompt itself will also time out if the user's password is not entered with N minutes (again, this is defined at installation time and defaults to 5 minutes). @@ -119,7 +119,7 @@ The -h (help) option causes sudo to print

-v
-If given the -v (validate) option, sudo will update the user's timestamp file, prompting for a password if +If given the -v (validate) option, sudo will update the user's timestamp file, prompting for the user's password if necessary. This extends the sudo timeout to for another N minutes (where N is defined at installation time and defaults to 5 minutes) but does not run a command. @@ -129,7 +129,8 @@ and defaults to 5 minutes) but does not run a command.
-k
-The -k (kill) option to sudo removes the user's timestamp file, thus requiring a password the next time sudo is run. This option does not require a password and was added to allow a +The -k (kill) option to sudo removes the user's timestamp file, thus requiring the user's password the +next time sudo is run. This option does not require a password and was added to allow a user to revoke sudo permissions from a .logout file. @@ -142,6 +143,15 @@ The -b (background) option tells sudo to option you cannot use shell job control to manipulate the command. +

+ +

-r + +
+The -r (realm) option is only available if sudo was configured with Kerberos version 5 support. It allows the user to specify a +Kerberos realm other than the system default to use when authenticating the user via Kerberos. + +

-p @@ -216,25 +226,23 @@ your PATH is on a machine that is currently unreachable. sudo tries to be safe when executing external commands. Variables that control how dynamic loading and binding is done can be used to subvert the program -that sudo runs. To combat this the LD_*, SHLIB_PATH (HP-UX only), -LIBPATH (AIX only), and _RLD_* environment variables are removed from the environment passed on to all -commands executed. -sudo will also remove the IFS, ENV, BASH_ENV -and KRB_CONF variables as they too can pose a threat. +that sudo runs. To combat this the +LD_*, _RLD_*, SHLIB_PATH (HP-UX only), and LIBPATH (AIX only) environment variables are removed from the environment passed on +to all commands executed. sudo will also remove the IFS, +ENV, BASH_ENV, KRB_CONF and KRB5_CONFIG variables as they too can pose a threat.

To prevent command spoofing, sudo checks ``.'' and ``'' (both denoting current directory) last when searching for a command in the user's PATH (if one or both are in the PATH). Note, -however, that the actual PATH environment variable is not modified and is passed unchanged to the program that -sudo executes. +however, that the actual PATH environment variable is not modified and is passed unchanged to the program that sudo executes.

-For security reasons, if your OS supports shared libraries, -sudo should always be statically linked unless the dynamic loader disables +For security reasons, if your OS supports shared libraries, sudo +should always be statically linked unless the dynamic loader disables user-defined library search paths for setuid programs. (Most modern dynamic loaders do this.) @@ -244,7 +252,8 @@ loaders do this.) sudo will check the ownership of its timestamp directory (/var/run/sudo or /tmp/.odus by default) and ignore the directory's contents if it is not owned by root and only read, writable, and executable by root. On systems that allow users to give files away to root (via chown), if the timestamp directory is -located in a directory writable by anyone (ie: /tmp), it is possible for a user to create the timestamp directory before sudo is run. However, because sudo checks the ownership and mode of the directory, the only damage that can be +located in a directory writable by anyone (ie: /tmp), it is possible for a user to create the timestamp directory before sudo +is run. However, because sudo checks the ownership and mode of the directory, the only damage that can be done is to ``hide'' files by putting them in the timestamp dir. This is unlikely to happen since once the timestamp dir is owned by root and inaccessible by any other user the user placing files there would be unable @@ -255,8 +264,10 @@ is not world-writable for the timestamps (/var/adm/sudo for instance).

sudo will not honor timestamp files set far in the future. Timestamp files with -a date greater than current_time + 2 * TIMEOUT will be ignored and sudo will log the anomaly. This is done to keep a user -from creating his/her own timestamp file with a bogus date. +a date greater than current_time + 2 * TIMEOUT +will be ignored and sudo complain about a ``preposterous stampfile date''. +This is done to keep a user from creating his/her own timestamp file with a +bogus date.

diff --git a/sudo.man b/sudo.man index 954c3fbfc..26311dfd7 100644 --- a/sudo.man +++ b/sudo.man @@ -2,8 +2,8 @@ ''' $RCSfile$$Revision$$Date$ ''' ''' $Log$ -''' Revision 1.28 1999/02/01 00:45:02 millert -''' clarify bad timestamp and fmt +''' Revision 1.29 1999/02/07 00:47:32 millert +''' Make it clear that it is the user's password, not root's, that we want. ''' ''' .de Sh @@ -96,7 +96,7 @@ .nr % 0 .rr F .\} -.TH sudo 8 "1.5.8" "26/Jan/99" "MAINTENANCE COMMANDS" +.TH sudo 8 "1.5.8" "6/Feb/99" "MAINTENANCE COMMANDS" .UC .if n .hy 0 .if n .na @@ -203,7 +203,7 @@ to \f(CW0\fR and root's group as set in the passwd file respectively). \fBsudo\fR determines who is an authorized user by consulting the file \fI/etc/sudoers\fR. By giving \fBsudo\fR the \f(CW-v\fR flag a user can update the time stamp without running a \fIcommand.\fR -The password prompt itself will also time out if the password is +The password prompt itself will also time out if the user's password is not entered with N minutes (again, this is defined at installation time and defaults to 5 minutes). .PP @@ -225,13 +225,13 @@ The \f(CW-h\fR (\fIhelp\fR) option causes \fBsudo\fR to print the version of \fBsudo\fR and a usage message before exiting. .Ip "-v" 4 If given the \f(CW-v\fR (\fIvalidate\fR) option, \fBsudo\fR will update the -user's timestamp file, prompting for a password if necessary. +user's timestamp file, prompting for the user's password if necessary. This extends the \fBsudo\fR timeout to for another N minutes (where N is defined at installation time and defaults to 5 minutes) but does not run a command. .Ip "-k" 4 The \f(CW-k\fR (\fIkill\fR) option to \fBsudo\fR removes the user's timestamp -file, thus requiring a password the next time \fBsudo\fR is run. +file, thus requiring the user's password the next time \fBsudo\fR is run. This option does not require a password and was added to allow a user to revoke \fBsudo\fR permissions from a .logout file. .Ip "-b" 4 
diff --git a/sudo.pod b/sudo.pod
index c7212daae..0ff61f7ce 100644
--- a/sudo.pod
+++ b/sudo.pod
@@ -20,7 +20,7 @@ to C<0> and root's group as set in the passwd file respectively). B determines who is an authorized user by consulting the file I. By giving B the C<-v> flag a user can update the time stamp without running a I -The password prompt itself will also time out if the password is +The password prompt itself will also time out if the user's password is not entered with N minutes (again, this is defined at installation time and defaults to 5 minutes).
@@ -54,7 +54,7 @@ of B and a usage message before exiting. =item -v If given the C<-v> (I) option, B will update the -user's timestamp file, prompting for a password if necessary. +user's timestamp file, prompting for the user's password if necessary. This extends the B timeout to for another N minutes (where N is defined at installation time and defaults to 5 minutes) but does not run a command.
@@ -62,7 +62,7 @@ minutes) but does not run a command. =item -k The C<-k> (I) option to B removes the user's timestamp -file, thus requiring a password the next time B is run. +file, thus requiring the user's password the next time B is run. This option does not require a password and was added to allow a user to revoke B permissions from a .logout file.
--
2.50.1