From 927a0d2d0c0aab45ef271d16c40c5a6dd27a8011 Mon Sep 17 00:00:00 2001 From: "Todd C. Miller" Date: Thu, 3 Feb 2011 13:20:26 -0500 Subject: [PATCH] Attempt to clarify how users and groups interact in Runas_Specs --HG-- branch : 1.7 --- sudoers.cat | 560 ++++++++++++++++++++++++------------------------- sudoers.man.in | 37 +++- sudoers.pod | 29 ++- 3 files changed, 339 insertions(+), 287 deletions(-) diff --git a/sudoers.cat b/sudoers.cat index d3fa3c35b..cafd28685 100644 --- a/sudoers.cat +++ b/sudoers.cat @@ -61,7 +61,7 @@ DDEESSCCRRIIPPTTIIOONN -1.7.5b2 January 28, 2011 1 +1.7.5b2 February 3, 2011 1 @@ -127,7 +127,7 @@ SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4) -1.7.5b2 January 28, 2011 2 +1.7.5b2 February 3, 2011 2 @@ -193,7 +193,7 @@ SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4) -1.7.5b2 January 28, 2011 3 +1.7.5b2 February 3, 2011 3 @@ -259,7 +259,7 @@ SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4) -1.7.5b2 January 28, 2011 4 +1.7.5b2 February 3, 2011 4 @@ -320,12 +320,12 @@ SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4) The user ddggbb may run _/_b_i_n_/_l_s, _/_b_i_n_/_k_i_l_l, and _/_u_s_r_/_b_i_n_/_l_p_r_m -- but only as ooppeerraattoorr. E.g., - $ sudo -u operator /bin/ls. + $ sudo -u operator /bin/ls -1.7.5b2 January 28, 2011 5 +1.7.5b2 February 3, 2011 5 
@@ -348,13 +348,36 @@ SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4) dgb boulder = (operator : operator) /bin/ls, (root) /bin/kill, \ /usr/bin/lprm + Note that while the group portion of the Runas_Spec permits the user to + run as command with that group, it does not force the user to do so. + If no group is specified on the command line, the command will run with + the group listed in the target user's password database entry. The + following would all be permitted by the sudoers entry above: + + $ sudo -u operator /bin/ls + $ sudo -u operator -g operator /bin/ls + $ sudo -g operator /bin/ls + In the following example, user ttccmm may run commands that access a modem - device file with the dialer group. Note that in this example only the - group will be set, the command still runs as user ttccmm. + device file with the dialer group. tcm boulder = (:dialer) /usr/bin/tip, /usr/bin/cu, \ /usr/local/bin/minicom + Note that in this example only the group will be set, the command still + runs as user ttccmm. E.g. + + $ sudo -g dialer /usr/bin/cu + + Multiple users and groups may be present in a Runas_Spec, in which case + the user may select any combination of users and groups via the --uu and + --gg options. In this example: + + alan ALL = (root, bin : operator, system) ALL + + user aallaann may run any command as either user root or bin, optionally + setting the group to operator or system. + SSEELLiinnuuxx__SSppeecc On systems with SELinux support, _s_u_d_o_e_r_s entries may optionally have an SELinux role and/or type associated with a command. If a role or type 
@@ -365,6 +388,18 @@ SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4) TTaagg__SSppeecc A command may have zero or more tags associated with it. There are eight possible tag values, NOPASSWD, PASSWD, NOEXEC, EXEC, SETENV, + + + +1.7.5b2 February 3, 2011 6 + + + + + +SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4) + + NOSETENV, LOG_INPUT, NOLOG_INPUT, LOG_OUTPUT and NOLOG_OUTPUT. Once a tag is set on a Cmnd, subsequent Cmnds in the Cmnd_Spec_List, inherit the tag unless it is overridden by the opposite tag (i.e.: PASSWD @@ -388,18 +423,6 @@ SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4) ray rushmore = NOPASSWD: /bin/kill, PASSWD: /bin/ls, /usr/bin/lprm Note, however, that the PASSWD tag has no effect on users who are in - - - -1.7.5b2 January 28, 2011 6 - - - - - -SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4) - - the group specified by the _e_x_e_m_p_t___g_r_o_u_p option. By default, if the NOPASSWD tag is applied to any of the entries for a @@ -431,6 +454,18 @@ SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4) restrictions imposed by _e_n_v___c_h_e_c_k, _e_n_v___d_e_l_e_t_e, or _e_n_v___k_e_e_p. As such, only trusted users should be allowed to set variables in this manner. If the command matched is AALLLL, the SETENV tag is implied for that + + + +1.7.5b2 February 3, 2011 7 + + + + + +SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4) + + command; this default may be overridden by use of the NOSETENV tag. _L_O_G___I_N_P_U_T _a_n_d _N_O_L_O_G___I_N_P_U_T @@ -455,17 +490,6 @@ SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4) ? Matches any single character. - - -1.7.5b2 January 28, 2011 7 - - - - - -SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4) - - [...] Matches any character in the specified range. [!...] Matches any character nnoott in the specified range. 
@@ -496,6 +520,18 @@ SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4) _s_u_d_o_e_r_s entry it means that command is not allowed to be run with aannyy arguments. + + + +1.7.5b2 February 3, 2011 8 + + + + + +SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4) + + IInncclluuddiinngg ootthheerr ffiilleess ffrroomm wwiitthhiinn ssuuddooeerrss It is possible to include other _s_u_d_o_e_r_s files from within the _s_u_d_o_e_r_s file currently being parsed using the #include and #includedir @@ -521,17 +557,6 @@ SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4) #include /etc/sudoers.%h - - -1.7.5b2 January 28, 2011 8 - - - - - -SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4) - - will cause ssuuddoo to include the file _/_e_t_c_/_s_u_d_o_e_r_s_._x_e_r_x_e_s. The #includedir directive can be used to create a _s_u_d_o_._d directory that @@ -561,6 +586,18 @@ SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4) as a uid). Both the comment character and any text after it, up to the end of the line, are ignored. + + + +1.7.5b2 February 3, 2011 9 + + + + + +SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4) + + The reserved word AALLLL is a built-in _a_l_i_a_s that always causes a match to succeed. It can be used wherever one might otherwise use a Cmnd_Alias, User_Alias, Runas_Alias, or Host_Alias. You should not try to define @@ -585,19 +622,6 @@ SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4) used as part of a word (e.g. a user name or host name): '@', '!', '=', ':', ',', '(', ')', '\'. - - - - -1.7.5b2 January 28, 2011 9 - - - - - -SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4) - - SSUUDDOOEERRSS OOPPTTIIOONNSS ssuuddoo's behavior can be modified by Default_Entry lines, as explained earlier. A list of all supported Defaults parameters, grouped by type, 
@@ -628,6 +652,18 @@ SSUUDDOOEERRSS OOPPTTIIOONNSS by default. compress_io If set, and ssuuddoo is configured to log a command's input + + + +1.7.5b2 February 3, 2011 10 + + + + + +SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4) + + or output, the I/O logs will be compressed using zzlliibb. This flag is _o_n by default when ssuuddoo is compiled with zzlliibb support. @@ -652,18 +688,6 @@ SSUUDDOOEERRSS OOPPTTIIOONNSS its value will be used for the PATH environment variable. This flag is _o_n by default. - - - -1.7.5b2 January 28, 2011 10 - - - - - -SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4) - - fast_glob Normally, ssuuddoo uses the _g_l_o_b(3) function to do shell- style globbing when matching path names. However, since it accesses the file system, _g_l_o_b(3) can take a @@ -694,6 +718,18 @@ SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4) use a host alias (CNAME entry) due to performance issues and the fact that there is no way to get all aliases from DNS. If your machine's host name (as + + + +1.7.5b2 February 3, 2011 11 + + + + + +SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4) + + returned by the hostname command) is already fully qualified you shouldn't need to set _f_q_d_n. This flag is _o_f_f by default. @@ -718,18 +754,6 @@ SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4) insults If set, ssuuddoo will insult users when they enter an incorrect password. This flag is _o_f_f by default. - - - -1.7.5b2 January 28, 2011 11 - - - - - -SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4) - - log_host If set, the host name will be logged in the (non- syslog) ssuuddoo log file. This flag is _o_f_f by default. @@ -761,6 +785,17 @@ SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4) entry or is explicitly denied. This flag is _o_f_f by default. + + +1.7.5b2 February 3, 2011 12 + + + + + +SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4) + + mail_no_user If set, mail will be sent to the _m_a_i_l_t_o user if the invoking user is not in the _s_u_d_o_e_r_s file. This flag is _o_n by default. 
@@ -784,18 +819,6 @@ SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4) passprompt_override The password prompt specified by _p_a_s_s_p_r_o_m_p_t will normally only be used if the password prompt provided - - - -1.7.5b2 January 28, 2011 12 - - - - - -SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4) - - by systems such as PAM matches the string "Password:". If _p_a_s_s_p_r_o_m_p_t___o_v_e_r_r_i_d_e is set, _p_a_s_s_p_r_o_m_p_t will always be used. This flag is _o_f_f by default. @@ -827,6 +850,18 @@ SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4) this prevents users from "chaining" ssuuddoo commands to get a root shell by doing something like "sudo sudo /bin/sh". Note, however, that turning off _r_o_o_t___s_u_d_o + + + +1.7.5b2 February 3, 2011 13 + + + + + +SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4) + + will also prevent root from running ssuuddooeeddiitt. Disabling _r_o_o_t___s_u_d_o provides no real additional security; it exists purely for historical reasons. @@ -851,17 +886,6 @@ SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4) _e_n_v___r_e_s_e_t is disabled or HOME is present in the _e_n_v___k_e_e_p list. This flag is _o_f_f by default. - - -1.7.5b2 January 28, 2011 13 - - - - - -SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4) - - set_logname Normally, ssuuddoo will set the LOGNAME, USER and USERNAME environment variables to the name of the target user (usually root unless the --uu option is given). However, @@ -892,6 +916,18 @@ SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4) effective UIDs are set to the target user (root by default). This option changes that behavior such that the real UID is left as the invoking user's UID. In + + + +1.7.5b2 February 3, 2011 14 + + + + + +SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4) + + other words, this makes ssuuddoo act as a setuid wrapper. This can be useful on systems that disable some potentially dangerous functionality when a program is 
@@ -917,17 +953,6 @@ SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4) a unique session ID that is included in the normal ssuuddoo log line, prefixed with _T_S_I_D_=. - - -1.7.5b2 January 28, 2011 14 - - - - - -SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4) - - log_output If set, ssuuddoo will run the command in a _p_s_e_u_d_o _t_t_y and log all output that is sent to the screen, similar to the _s_c_r_i_p_t(1) command. If the standard output or @@ -958,6 +983,17 @@ SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4) be the union of the user's umask and what is specified in _s_u_d_o_e_r_s. This flag is _o_f_f by default. + + +1.7.5b2 February 3, 2011 15 + + + + + +SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4) + + use_loginclass If set, ssuuddoo will apply the defaults specified for the target user's login class if one exists. Only available if ssuuddoo is configured with the @@ -982,18 +1018,6 @@ SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4) closefrom Before it executes a command, ssuuddoo will close all open file descriptors other than standard input, standard - - - -1.7.5b2 January 28, 2011 15 - - - - - -SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4) - - output and standard error (ie: file descriptors 0-2). The _c_l_o_s_e_f_r_o_m option can be used to specify a different file descriptor at which to start closing. The default @@ -1024,6 +1048,18 @@ SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4) this to 0 to always prompt for a password. If set to a value less than 0 the user's timestamp will never expire. This can be used to allow users to create or + + + +1.7.5b2 February 3, 2011 16 + + + + + +SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4) + + delete their own timestamps via sudo -v and sudo -k respectively. 
@@ -1049,17 +1085,6 @@ SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4) possible, or the first editor in the list that exists and is executable. The default is "vi". - - -1.7.5b2 January 28, 2011 16 - - - - - -SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4) - - iolog_dir The directory in which to store input/output logs when the _l_o_g___i_n_p_u_t or _l_o_g___o_u_t_p_u_t options are enabled or when the LOG_INPUT or LOG_OUTPUT tags are present for a @@ -1089,6 +1114,18 @@ SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4) name %p expanded to the user whose password is being asked + + + +1.7.5b2 February 3, 2011 17 + + + + + +SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4) + + for (respects the _r_o_o_t_p_w, _t_a_r_g_e_t_p_w and _r_u_n_a_s_p_w flags in _s_u_d_o_e_r_s) @@ -1114,18 +1151,6 @@ SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4) before any Runas_Alias specifications. syslog_badpri Syslog priority to use when user authenticates - - - -1.7.5b2 January 28, 2011 17 - - - - - -SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4) - - unsuccessfully. Defaults to alert. syslog_goodpri Syslog priority to use when user authenticates @@ -1155,6 +1180,18 @@ SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4) terminal is available. This may be the case when ssuuddoo is executed from a graphical (as opposed to text-based) application. The program specified by _a_s_k_p_a_s_s should + + + +1.7.5b2 February 3, 2011 18 + + + + + +SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4) + + display the argument passed to it as the prompt and write the user's password to the standard output. The value of _a_s_k_p_a_s_s may be overridden by the SUDO_ASKPASS environment @@ -1180,18 +1217,6 @@ SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4) never Never lecture the user. - - - -1.7.5b2 January 28, 2011 18 - - - - - -SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4) - - once Only lecture the user the first time they run ssuuddoo. If no value is specified, a value of _o_n_c_e is implied. 
@@ -1221,6 +1246,18 @@ SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4) never The user need never enter a password to use the --ll option. + + + +1.7.5b2 February 3, 2011 19 + + + + + +SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4) + + If no value is specified, a value of _a_n_y is implied. Negating the option results in a value of _n_e_v_e_r being used. The default value is _a_n_y. @@ -1246,18 +1283,6 @@ SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4) secure_path Path used for every command run from ssuuddoo. If you don't trust the people running ssuuddoo to have a sane PATH environment variable you may want to use this. Another use - - - -1.7.5b2 January 28, 2011 19 - - - - - -SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4) - - is if you want to have the "root path" be separate from the "user path." Users in the group specified by the _e_x_e_m_p_t___g_r_o_u_p option are not affected by _s_e_c_u_r_e___p_a_t_h. This @@ -1288,6 +1313,17 @@ SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4) Negating the option results in a value of _n_e_v_e_r being used. The default value is _a_l_l. + + +1.7.5b2 February 3, 2011 20 + + + + + +SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4) + + LLiissttss tthhaatt ccaann bbee uusseedd iinn aa bboooolleeaann ccoonntteexxtt: env_check Environment variables to be removed from the user's @@ -1312,18 +1348,6 @@ SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4) can be replaced, added to, deleted from, or disabled by using the =, +=, -=, and ! operators respectively. The default list of environment variables to remove is - - - -1.7.5b2 January 28, 2011 20 - - - - - -SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4) - - displayed when ssuuddoo is run by root with the _-_V option. Note that many operating systems will remove potentially dangerous variables from the environment of 
@@ -1354,6 +1378,18 @@ FFIILLEESS _/_e_t_c_/_n_e_t_g_r_o_u_p List of network groups + + + +1.7.5b2 February 3, 2011 21 + + + + + +SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4) + + _/_v_a_r_/_l_o_g_/_s_u_d_o_-_i_o I/O log files EEXXAAMMPPLLEESS @@ -1378,18 +1414,6 @@ EEXXAAMMPPLLEESS # Host alias specification Host_Alias SPARC = bigtime, eclipse, moet, anchor :\ - - - -1.7.5b2 January 28, 2011 21 - - - - - -SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4) - - SGI = grolsch, dandelion, black :\ ALPHA = widget, thalamus, foobar :\ HPPA = boa, nag, python @@ -1420,6 +1444,18 @@ SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4) Additionally, on the machines in the _S_E_R_V_E_R_S Host_Alias, we keep an additional local log file and make sure we log the year in each log line since the log entries will be kept around for several years. + + + +1.7.5b2 February 3, 2011 22 + + + + + +SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4) + + Lastly, we disable shell escapes for the commands in the PAGERS Cmnd_Alias (_/_u_s_r_/_b_i_n_/_m_o_r_e, _/_u_s_r_/_b_i_n_/_p_g and _/_u_s_r_/_b_i_n_/_l_e_s_s). @@ -1445,17 +1481,6 @@ SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4) Full time sysadmins (mmiilllleerrtt, mmiikkeeff, and ddoowwddyy) may run any command on any host without authenticating themselves. - - -1.7.5b2 January 28, 2011 22 - - - - - -SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4) - - PARTTIMERS ALL = ALL Part time sysadmins (bboossttlleeyy, jjwwffooxx, and ccrraawwll) may run any command on @@ -1485,6 +1510,18 @@ SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4) joe ALL = /usr/bin/su operator + + + +1.7.5b2 February 3, 2011 23 + + + + + +SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4) + + The user jjooee may only _s_u(1) to operator. pete HPPA = /usr/bin/passwd [A-Za-z]*, !/usr/bin/passwd root 
@@ -1510,18 +1547,6 @@ SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4) +secretaries ALL = PRINTING, /usr/bin/adduser, /usr/bin/rmuser - - - -1.7.5b2 January 28, 2011 23 - - - - - -SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4) - - Users in the sseeccrreettaarriieess netgroup need to help manage the printers as well as add and remove users, so they are allowed to run those commands on all machines. @@ -1552,6 +1577,17 @@ SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4) The user sstteevvee may run any command in the directory /usr/local/op_commands/ but only as user operator. + + +1.7.5b2 February 3, 2011 24 + + + + + +SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4) + + matt valkyrie = KILL On his personal workstation, valkyrie, mmaatttt needs to be able to kill @@ -1577,17 +1613,6 @@ SSEECCUURRIITTYY NNOOTTEESS desired command to a different name and then executing that. For example: - - -1.7.5b2 January 28, 2011 24 - - - - - -SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4) - - bill ALL = ALL, !SU, !SHELLS Doesn't really prevent bbiillll from running the commands listed in _S_U or @@ -1617,6 +1642,18 @@ PPRREEVVEENNTTIINNGG SSHHEELLLL EESSCCAAPPEESS since it is not uncommon for a program to allow shell escapes, which lets a user bypass ssuuddoo's access control and logging. Common programs that permit shell escapes include shells (obviously), editors, + + + +1.7.5b2 February 3, 2011 25 + + + + + +SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4) + + paginators, mail and terminal programs. There are two basic approaches to this problem: @@ -1643,17 +1680,6 @@ PPRREEVVEENNTTIINNGG SSHHEELLLL EESSCCAAPPEESS sudo -V | grep "dummy exec" - - -1.7.5b2 January 28, 2011 25 - - - - - -SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4) - - If the resulting output contains a line that begins with: File containing dummy exec functions: 
@@ -1682,6 +1708,18 @@ SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4) unsure whether or not your system is capable of supporting _n_o_e_x_e_c you can always just try it out and see if it works. + + + +1.7.5b2 February 3, 2011 26 + + + + + +SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4) + + Note that restricting shell escapes is not a panacea. Programs running as root are still capable of many potentially hazardous operations (such as changing or overwriting files) that could lead to unintended @@ -1708,18 +1746,6 @@ BBUUGGSS SSUUPPPPOORRTT Limited free support is available via the sudo-users mailing list, see - - - -1.7.5b2 January 28, 2011 26 - - - - - -SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4) - - http://www.sudo.ws/mailman/listinfo/sudo-users to subscribe or search the archives. @@ -1751,32 +1777,6 @@ DDIISSCCLLAAIIMMEERR - - - - - - - - - - - - - - - - - - - - - - - - - - -1.7.5b2 January 28, 2011 27 +1.7.5b2 February 3, 2011 27 diff --git a/sudoers.man.in b/sudoers.man.in index 5cb767871..885caa1eb 100644 --- a/sudoers.man.in +++ b/sudoers.man.in @@ -148,7 +148,7 @@ .\" ======================================================================== .\" .IX Title "SUDOERS @mansectform@" -.TH SUDOERS @mansectform@ "January 28, 2011" "1.7.5b2" "MAINTENANCE COMMANDS" +.TH SUDOERS @mansectform@ "February 3, 2011" "1.7.5b2" "MAINTENANCE COMMANDS" .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l @@ -460,7 +460,7 @@ The user \fBdgb\fR may run \fI/bin/ls\fR, \fI/bin/kill\fR, and \&\fI/usr/bin/lprm\fR \*(-- but only as \fBoperator\fR. E.g., .PP .Vb 1 -\& $ sudo \-u operator /bin/ls. +\& $ sudo \-u operator /bin/ls .Ve .PP It is also possible to override a \f(CW\*(C`Runas_Spec\*(C'\fR later on in an 
@@ -481,14 +481,43 @@ the user or group set to \fBoperator\fR: \& /usr/bin/lprm .Ve .PP +Note that while the group portion of the \f(CW\*(C`Runas_Spec\*(C'\fR permits the +user to run as command with that group, it does not force the user +to do so. If no group is specified on the command line, the command +will run with the group listed in the target user's password database +entry. The following would all be permitted by the sudoers entry above: +.PP +.Vb 3 +\& $ sudo \-u operator /bin/ls +\& $ sudo \-u operator \-g operator /bin/ls +\& $ sudo \-g operator /bin/ls +.Ve +.PP In the following example, user \fBtcm\fR may run commands that access -a modem device file with the dialer group. Note that in this example -only the group will be set, the command still runs as user \fBtcm\fR. +a modem device file with the dialer group. .PP .Vb 2 \& tcm boulder = (:dialer) /usr/bin/tip, /usr/bin/cu, \e \& /usr/local/bin/minicom .Ve +.PP +Note that in this example only the group will be set, the command +still runs as user \fBtcm\fR. E.g. +.PP +.Vb 1 +\& $ sudo \-g dialer /usr/bin/cu +.Ve +.PP +Multiple users and groups may be present in a \f(CW\*(C`Runas_Spec\*(C'\fR, in +which case the user may select any combination of users and groups +via the \fB\-u\fR and \fB\-g\fR options. In this example: +.PP +.Vb 1 +\& alan ALL = (root, bin : operator, system) ALL +.Ve +.PP +user \fBalan\fR may run any command as either user root or bin, +optionally setting the group to operator or system. .if \n(SL \{\ .SS "SELinux_Spec" .IX Subsection "SELinux_Spec" diff --git a/sudoers.pod b/sudoers.pod index a65a232ec..3336f46b0 100644 --- a/sudoers.pod +++ b/sudoers.pod @@ -322,7 +322,7 @@ What this means is that for the entry: The user B may run F, F, and F -- but only as B. E.g., - $ sudo -u operator /bin/ls. + $ sudo -u operator /bin/ls It is also possible to override a C later on in an entry. If we modify the entry like so: 
@@ -338,13 +338,36 @@ the user or group set to B: dgb boulder = (operator : operator) /bin/ls, (root) /bin/kill, \ /usr/bin/lprm +Note that while the group portion of the C permits the +user to run as command with that group, it does not force the user +to do so. If no group is specified on the command line, the command +will run with the group listed in the target user's password database +entry. The following would all be permitted by the sudoers entry above: + + $ sudo -u operator /bin/ls + $ sudo -u operator -g operator /bin/ls + $ sudo -g operator /bin/ls + In the following example, user B may run commands that access -a modem device file with the dialer group. Note that in this example -only the group will be set, the command still runs as user B. +a modem device file with the dialer group. tcm boulder = (:dialer) /usr/bin/tip, /usr/bin/cu, \ /usr/local/bin/minicom +Note that in this example only the group will be set, the command +still runs as user B. E.g. + + $ sudo -g dialer /usr/bin/cu + +Multiple users and groups may be present in a C, in +which case the user may select any combination of users and groups +via the B<-u> and B<-g> options. In this example: + + alan ALL = (root, bin : operator, system) ALL + +user B may run any command as either user root or bin, +optionally setting the group to operator or system. + =head2 SELinux_Spec On systems with SELinux support, I entries may optionally have -- 2.49.0
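Review bot: the new sentence in the sudoers.pod hunk `@@ -338,13 +338,36` reads "permits the user to run as command with that group", which should be "run a command with that group" (or "run the command"); the same wording was carried into the regenerated sudoers.man.in and sudoers.cat, so fix it in sudoers.pod and regenerate the other two rather than patching the generated text by hand.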
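Review bot: the list of permitted invocations added in the sudoers.man.in hunk `@@ -481,14 +481,43` does not say who the command runs as for the third form, `$ sudo \-g operator /bin/ls`. Since `\-g` without `\-u` leaves the user unchanged (which is exactly what the tcm paragraph below it says), a half sentence such as "the last of these runs as dgb with group operator" would stop readers from inferring that the group portion alone switches the user, and it ties the dgb example to the tcm one that follows.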
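Review bot: two small style points in the sudoers.cat hunk `@@ -348,13 +348,36` that originate in the pod. The lead-in "runs as user tcm. E.g." drops the comma that the existing text uses before an example ("but only as operator. E.g.,"), and the sentence after the alan entry begins in lowercase ("user alan may run any command ...") where the surrounding examples begin "The user dgb may run ..."; matching both to the existing pattern keeps the section consistent.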
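Review bot: all but two of the sudoers.cat hunks (the footer-date hunks and the page-break shifts from page 6 through 27) are regeneration churn from the `.TH` date bump in sudoers.man.in and carry no reviewable content, which is fine, but it also means any wording change made to sudoers.pod during review (such as the "run as command" fix) must be followed by regenerating both sudoers.man.in and sudoers.cat again so the three files do not drift apart.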
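Review bot: in the sudoers.pod hunks `@@ -322,7 +322,7` and `@@ -338,13 +338,36` the POD formatting codes appear as bare letters without their bracketed content, for example "The user B may run F, F, and F" and "user B may run any command", while "B<-u> and B<-g>" survives intact; please confirm the committed sudoers.pod actually carries `B<dgb>`, `B<alan>`, `C<Runas_Spec>` and the `F<...>` paths, since the sudoers.man.in hunk shows them rendered as `\fBalan\fR` and `\fBdgb\fR` and the pod is the source the other two files are generated from.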