From 9c88441420a76c5ba08f07db9531645820c81a78 Mon Sep 17 00:00:00 2001 From: "Todd C. Miller" Date: Sun, 28 Nov 2004 21:08:09 +0000 Subject: [PATCH] Mention values when lecture, listpw and verifypw are used in boolean context. --- sudoers.cat | 278 ++++++++++++++++++++++++------------------------- sudoers.man.in | 12 ++- sudoers.pod | 10 +- 3 files changed, 156 insertions(+), 144 deletions(-) diff --git a/sudoers.cat b/sudoers.cat index 99e5ade55..3c8f2573e 100644 --- a/sudoers.cat +++ b/sudoers.cat @@ -61,7 +61,7 @@ DDEESSCCRRIIPPTTIIOONN -1.6.9 November 19, 2004 1 +1.6.9 November 28, 2004 1 @@ -127,7 +127,7 @@ SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4) -1.6.9 November 19, 2004 2 +1.6.9 November 28, 2004 2 @@ -193,7 +193,7 @@ SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4) -1.6.9 November 19, 2004 3 +1.6.9 November 28, 2004 3 @@ -259,7 +259,7 @@ SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4) -1.6.9 November 19, 2004 4 +1.6.9 November 28, 2004 4 @@ -325,7 +325,7 @@ SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4) -1.6.9 November 19, 2004 5 +1.6.9 November 28, 2004 5 @@ -391,7 +391,7 @@ SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4) -1.6.9 November 19, 2004 6 +1.6.9 November 28, 2004 6 @@ -457,7 +457,7 @@ SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4) -1.6.9 November 19, 2004 7 +1.6.9 November 28, 2004 7 @@ -523,7 +523,7 @@ SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4) -1.6.9 November 19, 2004 8 +1.6.9 November 28, 2004 8 @@ -589,7 +589,7 @@ SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4) -1.6.9 November 19, 2004 9 +1.6.9 November 28, 2004 9 @@ -655,7 +655,7 @@ SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4) -1.6.9 November 19, 2004 10 +1.6.9 November 28, 2004 10 @@ -721,7 +721,7 @@ SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4) -1.6.9 November 19, 2004 11 +1.6.9 November 28, 2004 11 
@@ -730,7 +730,10 @@ SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4) SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4) - The default value is _o_n_c_e. + If no value is specified, a value of _o_n_c_e is + implied. Negating the option results in a + value of _n_e_v_e_r being used. The default value + is _o_n_c_e. lecture_file Path to a file containing an alternate ssuuddoo @@ -781,13 +784,10 @@ SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4) any At least one of the user's _s_u_d_o_e_r_s entries for the current host must have - the NOPASSWD flag set to avoid enter­ - ing a password. - -1.6.9 November 19, 2004 12 +1.6.9 November 28, 2004 12 @@ -796,13 +796,19 @@ SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4) SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4) + the NOPASSWD flag set to avoid enter­ + ing a password. + never The user need never enter a password to use the --vv flag. always The user must always enter a password to use the --vv flag. - The default value is `all'. + If no value is specified, a value of _a_l_l is + implied. Negating the option results in a + value of _n_e_v_e_r being used. The default value + is _a_l_l. listpw This option controls when a password will be required when a user runs ssuuddoo with the --ll @@ -823,7 +829,10 @@ SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4) always The user must always enter a password to use the --ll flag. - The default value is `any'. + If no value is specified, a value of _a_n_y is + implied. Negating the option results in a + value of _n_e_v_e_r being used. The default value + is _a_n_y. LLiissttss tthhaatt ccaann bbee uusseedd iinn aa bboooolleeaann ccoonntteexxtt: 
@@ -841,19 +850,10 @@ SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4) is printed when ssuuddoo is run by root with the _-_V option. - env_delete Environment variables to be removed from the - user's environment. The argument may be a - double-quoted, space-separated list or a sin­ - gle value without double-quotes. The list can - be replaced, added to, deleted from, or dis­ - abled by using the =, +=, -=, and ! operators - respectively. The default list of environment - variables to remove is printed when ssuuddoo is - run by root with the _-_V option. Note that -1.6.9 November 19, 2004 13 +1.6.9 November 28, 2004 13 @@ -862,6 +862,15 @@ SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4) SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4) + env_delete Environment variables to be removed from the + user's environment. The argument may be a + double-quoted, space-separated list or a sin­ + gle value without double-quotes. The list can + be replaced, added to, deleted from, or dis­ + abled by using the =, +=, -=, and ! operators + respectively. The default list of environment + variables to remove is printed when ssuuddoo is + run by root with the _-_V option. Note that many operating systems will remove potentially dangerous variables from the environment of any setuid process (such as ssuuddoo). 
@@ -908,25 +917,25 @@ SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4) Let's break that down into its constituent parts: - RRuunnaass__SSppeecc - A Runas_Spec is simply a Runas_List (as defined above) - enclosed in a set of parentheses. If you do not specify a - Runas_Spec in the user specification, a default Runas_Spec - of rroooott will be used. A Runas_Spec sets the default for - commands that follow it. What this means is that for the - entry: +1.6.9 November 28, 2004 14 -1.6.9 November 19, 2004 14 +SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4) -SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4) + RRuunnaass__SSppeecc + A Runas_Spec is simply a Runas_List (as defined above) + enclosed in a set of parentheses. If you do not specify a + Runas_Spec in the user specification, a default Runas_Spec + of rroooott will be used. A Runas_Spec sets the default for + commands that follow it. What this means is that for the + entry: dgb boulder = (operator) /bin/ls, /bin/kill, /usr/bin/lprm @@ -973,19 +982,10 @@ SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4) ray rushmore = NOPASSWD: /bin/kill, PASSWD: /bin/ls, /usr/bin/lprm Note, however, that the PASSWD tag has no effect on users - who are in the group specified by the _e_x_e_m_p_t___g_r_o_u_p option. - - By default, if the NOPASSWD tag is applied to any of the - entries for a user on the current host, he or she will be - able to run sudo -l without a password. Additionally, a - user may only run sudo -v without a password if the - NOPASSWD tag is present for all a user's entries that per­ - tain to the current host. This behavior may be overridden - via the verifypw and listpw options. -1.6.9 November 19, 2004 15 +1.6.9 November 28, 2004 15 
@@ -994,6 +994,16 @@ SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4) SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4) + who are in the group specified by the _e_x_e_m_p_t___g_r_o_u_p option. + + By default, if the NOPASSWD tag is applied to any of the + entries for a user on the current host, he or she will be + able to run sudo -l without a password. Additionally, a + user may only run sudo -v without a password if the + NOPASSWD tag is present for all a user's entries that per­ + tain to the current host. This behavior may be overridden + via the verifypw and listpw options. + _N_O_E_X_E_C _a_n_d _E_X_E_C If ssuuddoo has been compiled with _n_o_e_x_e_c support and the @@ -1039,26 +1049,26 @@ SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4) * Matches any set of zero or more characters. - ? Matches any single character. - [...] Matches any character in the specified range. - [!...] Matches any character nnoott in the specified range. +1.6.9 November 28, 2004 16 - \x For any character "x", evaluates to "x". This is - used to escape special characters such as: "*", - "?", "[", and "}". -1.6.9 November 19, 2004 16 +SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4) + ? Matches any single character. + [...] Matches any character in the specified range. -SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4) + [!...] Matches any character nnoott in the specified range. + \x For any character "x", evaluates to "x". This is + used to escape special characters such as: "*", + "?", "[", and "}". Note that a forward slash ('/') will nnoott be matched by wildcards used in the pathname. When matching the command 
@@ -1104,20 +1114,10 @@ SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4) The pound sign ('#') is used to indicate a comment (unless it is part of a #include directive or unless it occurs in the context of a user name and is followed by one or more - digits, in which case it is treated as a uid). Both the - comment character and any text after it, up to the end of - the line, are ignored. - - The reserved word AALLLL is a built-in _a_l_i_a_s that always - causes a match to succeed. It can be used wherever one - might otherwise use a Cmnd_Alias, User_Alias, Runas_Alias, - or Host_Alias. You should not try to define your own - _a_l_i_a_s called AALLLL as the built-in alias will be used in - preference to your own. Please note that using AALLLL can be -1.6.9 November 19, 2004 17 +1.6.9 November 28, 2004 17 @@ -1126,6 +1126,16 @@ SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4) SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4) + digits, in which case it is treated as a uid). Both the + comment character and any text after it, up to the end of + the line, are ignored. + + The reserved word AALLLL is a built-in _a_l_i_a_s that always + causes a match to succeed. It can be used wherever one + might otherwise use a Cmnd_Alias, User_Alias, Runas_Alias, + or Host_Alias. You should not try to define your own + _a_l_i_a_s called AALLLL as the built-in alias will be used in + preference to your own. Please note that using AALLLL can be dangerous since in a command context, it allows the user to run aannyy command on the system. 
@@ -1165,15 +1175,6 @@ EEXXAAMMPPLLEESS Runas_Alias OP = root, operator Runas_Alias DB = oracle, sybase - # Host alias specification - Host_Alias SPARC = bigtime, eclipse, moet, anchor :\ - SGI = grolsch, dandelion, black :\ - ALPHA = widget, thalamus, foobar :\ - HPPA = boa, nag, python - Host_Alias CUNETS = 128.138.0.0/255.255.0.0 - Host_Alias CSNETS = 128.138.243.0, 128.138.204.0/24, 128.138.242.0 - Host_Alias SERVERS = master, mail, www, ns - Host_Alias CDROM = orion, perseus, hercules @@ -1182,8 +1183,7 @@ EEXXAAMMPPLLEESS - -1.6.9 November 19, 2004 18 +1.6.9 November 28, 2004 18 @@ -1192,6 +1192,16 @@ EEXXAAMMPPLLEESS SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4) + # Host alias specification + Host_Alias SPARC = bigtime, eclipse, moet, anchor :\ + SGI = grolsch, dandelion, black :\ + ALPHA = widget, thalamus, foobar :\ + HPPA = boa, nag, python + Host_Alias CUNETS = 128.138.0.0/255.255.0.0 + Host_Alias CSNETS = 128.138.243.0, 128.138.204.0/24, 128.138.242.0 + Host_Alias SERVERS = master, mail, www, ns + Host_Alias CDROM = orion, perseus, hercules + # Cmnd alias specification Cmnd_Alias DUMPS = /usr/bin/mt, /usr/sbin/dump, /usr/sbin/rdump,\ /usr/sbin/restore, /usr/sbin/rrestore 
@@ -1236,27 +1246,28 @@ SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4) We let rroooott and any user in group wwhheeeell run any command on any host as any user. - FULLTIMERS ALL = NOPASSWD: ALL - Full time sysadmins (mmiilllleerrtt, mmiikkeeff, and ddoowwddyy) may run - any command on any host without authenticating themselves. - PARTTIMERS ALL = ALL - Part time sysadmins (bboossttlleeyy, jjwwffooxx, and ccrraawwll) may run - any command on any host but they must authenticate them­ - selves first (since the entry lacks the NOPASSWD tag). +1.6.9 November 28, 2004 19 -1.6.9 November 19, 2004 19 +SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4) + FULLTIMERS ALL = NOPASSWD: ALL -SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4) + Full time sysadmins (mmiilllleerrtt, mmiikkeeff, and ddoowwddyy) may run + any command on any host without authenticating themselves. + PARTTIMERS ALL = ALL + + Part time sysadmins (bboossttlleeyy, jjwwffooxx, and ccrraawwll) may run + any command on any host but they must authenticate them­ + selves first (since the entry lacks the NOPASSWD tag). jack CSNETS = ALL 
@@ -1301,29 +1312,29 @@ SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4) The user jjiimm may run any command on machines in the _b_i_g_l_a_b netgroup. SSuuddoo knows that "biglab" is a netgroup due to - the '+' prefix. - +secretaries ALL = PRINTING, /usr/bin/adduser, /usr/bin/rmuser - Users in the sseeccrreettaarriieess netgroup need to help manage the - printers as well as add and remove users, so they are - allowed to run those commands on all machines. - fred ALL = (DB) NOPASSWD: ALL +1.6.9 November 28, 2004 20 - The user ffrreedd can run commands as any user in the _D_B -1.6.9 November 19, 2004 20 +SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4) + the '+' prefix. + +secretaries ALL = PRINTING, /usr/bin/adduser, /usr/bin/rmuser -SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4) + Users in the sseeccrreettaarriieess netgroup need to help manage the + printers as well as add and remove users, so they are + allowed to run those commands on all machines. + fred ALL = (DB) NOPASSWD: ALL + The user ffrreedd can run commands as any user in the _D_B Runas_Alias (oorraaccllee or ssyybbaassee) without giving a password. john ALPHA = /usr/bin/su [!-]*, !/usr/bin/su *root* 
@@ -1368,30 +1379,29 @@ SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4) type, so it is a prime candidate for encapsulating in a shell script. -SSEECCUURRIITTYY NNOOTTEESS - It is generally not effective to "subtract" commands from - ALL using the '!' operator. A user can trivially circum­ - vent this by copying the desired command to a different - name and then executing that. For example: - bill ALL = ALL, !SU, !SHELLS - - Doesn't really prevent bbiillll from running the commands - listed in _S_U or _S_H_E_L_L_S since he can simply copy those +1.6.9 November 28, 2004 21 -1.6.9 November 19, 2004 21 +SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4) -SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4) +SSEECCUURRIITTYY NNOOTTEESS + It is generally not effective to "subtract" commands from + ALL using the '!' operator. A user can trivially circum­ + vent this by copying the desired command to a different + name and then executing that. For example: + bill ALL = ALL, !SU, !SHELLS - commands to a different name, or use a shell escape from - an editor or other program. Therefore, these kind of + Doesn't really prevent bbiillll from running the commands + listed in _S_U or _S_H_E_L_L_S since he can simply copy those com­ + mands to a different name, or use a shell escape from an + editor or other program. Therefore, these kind of restrictions should be considered advisory at best (and reinforced by policy). 
@@ -1435,19 +1445,9 @@ PPRREEVVEENNTTIINNGG SSHHEELLLL EESSCCAAPPEESS If the resulting output contains a line that begins with: - File containing dummy exec functions: - - then ssuuddoo may be able to replace the exec family - of functions in the standard library with its - own that simply return an error. Unfortunately, - there is no foolproof way to know whether or not - _n_o_e_x_e_c will work at compile-time. _N_o_e_x_e_c should - work on SunOS, Solaris, *BSD, Linux, IRIX, Tru64 - UNIX, MacOS X, and HP-UX 11.x. It is known nnoott - -1.6.9 November 19, 2004 22 +1.6.9 November 28, 2004 22 @@ -1456,6 +1456,15 @@ PPRREEVVEENNTTIINNGG SSHHEELLLL EESSCCAAPPEESS SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4) + File containing dummy exec functions: + + then ssuuddoo may be able to replace the exec family + of functions in the standard library with its + own that simply return an error. Unfortunately, + there is no foolproof way to know whether or not + _n_o_e_x_e_c will work at compile-time. _N_o_e_x_e_c should + work on SunOS, Solaris, *BSD, Linux, IRIX, Tru64 + UNIX, MacOS X, and HP-UX 11.x. It is known nnoott to work on AIX and UnixWare. _N_o_e_x_e_c is expected to work on most operating systems that support the LD_PRELOAD environment variable. Check your @@ -1501,19 +1510,10 @@ SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4) At the time of this writing the ssyyssttrraaccee pseudo- device comes standard with OpenBSD and NetBSD - and is available as patches to FreeBSD, MacOS X - and Linux. See for - more information. - Note that restricting shell escapes is not a panacea. - Programs running as root are still capable of many poten­ - tially hazardous operations (such as changing or overwrit­ - ing files) that could lead to unintended privilege escala­ - tion. In the specific case of an editor, a safer approach - -1.6.9 November 19, 2004 23 +1.6.9 November 28, 2004 23 
@@ -1522,6 +1522,15 @@ SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4) SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4) + and is available as patches to FreeBSD, MacOS X + and Linux. See for + more information. + + Note that restricting shell escapes is not a panacea. + Programs running as root are still capable of many poten­ + tially hazardous operations (such as changing or overwrit­ + ing files) that could lead to unintended privilege escala­ + tion. In the specific case of an editor, a safer approach is to give the user permission to run ssuuddooeeddiitt. SSEEEE AALLSSOO @@ -1570,15 +1579,6 @@ DDIISSCCLLAAIIMMEERR - - - - - - - - - -1.6.9 November 19, 2004 24 +1.6.9 November 28, 2004 24 diff --git a/sudoers.man.in b/sudoers.man.in index 7012e95e8..c524c139a 100644 --- a/sudoers.man.in +++ b/sudoers.man.in @@ -149,7 +149,7 @@ .\" ======================================================================== .\" .IX Title "SUDOERS @mansectform@" -.TH SUDOERS @mansectform@ "November 19, 2004" "1.6.9" "MAINTENANCE COMMANDS" +.TH SUDOERS @mansectform@ "November 28, 2004" "1.6.9" "MAINTENANCE COMMANDS" .SH "NAME" sudoers \- list of which users may execute what .SH "DESCRIPTION" @@ -734,6 +734,8 @@ Always lecture the user. .RE .RS 12 .Sp +If no value is specified, a value of \fIonce\fR is implied. +Negating the option results in a value of \fInever\fR being used. The default value is \fI@lecture@\fR. .RE .IP "lecture_file" 12 @@ -794,7 +796,9 @@ The user must always enter a password to use the \fB\-v\fR flag. .RE .RS 12 .Sp -The default value is `all'. +If no value is specified, a value of \fIall\fR is implied. +Negating the option results in a value of \fInever\fR being used. +The default value is \fIall\fR. .RE .IP "listpw" 12 .IX Item "listpw" 
@@ -818,7 +822,9 @@ The user must always enter a password to use the \fB\-l\fR flag. .RE .RS 12 .Sp -The default value is `any'. +If no value is specified, a value of \fIany\fR is implied. +Negating the option results in a value of \fInever\fR being used. +The default value is \fIany\fR. .RE .PP \&\fBLists that can be used in a boolean context\fR: diff --git a/sudoers.pod b/sudoers.pod index fee274681..030c9cd77 100644 --- a/sudoers.pod +++ b/sudoers.pod @@ -641,6 +641,8 @@ Always lecture the user. =back +If no value is specified, a value of I is implied. +Negating the option results in a value of I being used. The default value is I<@lecture@>. =item lecture_file @@ -714,7 +716,9 @@ The user must always enter a password to use the B<-v> flag. =back -The default value is `all'. +If no value is specified, a value of I is implied. +Negating the option results in a value of I being used. +The default value is I. =item listpw @@ -743,7 +747,9 @@ The user must always enter a password to use the B<-l> flag. =back -The default value is `any'. +If no value is specified, a value of I is implied. +Negating the option results in a value of I being used. +The default value is I. =back -- 2.40.0
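Review bot: In the sudoers.cat hunks (everything from the first `@@ -61,7 +61,7 @@` header after `diff --git a/sudoers.cat` through `@@ -1570,15 +1579,6 @@`), nearly all of the 278 changed lines are footer date bumps from "November 19, 2004" to "November 28, 2004" and page-break shifts that move otherwise unchanged paragraphs (env_delete, Runas_Spec, the wildcard table, the Host_Alias examples, SECURITY NOTES, the noexec and systrace text) across page boundaries; the only wording changes are the three "If no value is specified, a value of ... is implied" paragraphs under lecture, verifypw and listpw. Since sudoers.cat is the preformatted rendering of the manual, consider saying so in the commit message or committing the regenerated file separately, so that the reviewable change is the ten-line edit to sudoers.pod and sudoers.man.in rather than a diff in which the three real changes are buried among pagination churn.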
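Review bot: In the sudoers.man.in hunk at `@@ -734,6 +734,8 @@`, the two added lines say a bare `lecture` implies \fIonce\fR and a negated one yields \fInever\fR, while the unchanged line that follows says the default is \fI@lecture@\fR, a build-time substitution. Where that substitution is not `once`, writing `Defaults lecture` with no value does not "leave the default alone" but moves the setting to `once`, which is easy to miss because the sudoers.cat rendering at `@@ -730,7 +730,10 @@` shows both the implied value and the default as _o_n_c_e. Suggest one more sentence making the distinction explicit, e.g. "Note that the implied value may differ from the compiled-in default."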
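Review bot: In the sudoers.man.in hunk at `@@ -794,7 +796,9 @@` (and likewise at `@@ -818,7 +822,9 @@` for listpw), the added line "Negating the option results in a value of \fInever\fR being used" describes the permissive case: the unchanged context in the sudoers.cat verifypw hunk defines `never` as "The user need never enter a password to use the -v flag", so `!verifypw` or `!listpw` removes the password check rather than restoring the stricter `all`/`any` default. Since `!` reads as "turn this option off", suggest spelling that out, for example "Negating the option results in a value of \fInever\fR being used, i.e. no password will be required", so an administrator does not weaken the policy by accident.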
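Review bot: In the three sudoers.pod hunks (`@@ -641,6 +641,8 @@`, `@@ -714,7 +716,9 @@` and `@@ -743,7 +747,9 @@`), the added lines read "a value of I is implied", "a value of I being used" and "The default value is I." with nothing after the `I`, whereas the matching sudoers.man.in lines carry \fIonce\fR, \fInever\fR, \fIall\fR and \fIany\fR and the unchanged pod line keeps `I<@lecture@>`. If the committed pod source really contains bare `I` rather than `I<once>`, `I<never>`, `I<all>` and `I<any>`, pod2man will emit a literal I and the next regeneration of sudoers.man.in and sudoers.cat will drop the values; please confirm the `I<...>` markup is intact in the repository (the angle brackets may only have been lost in the copy of the patch shown here).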