From b925712f9468db2ec94f4e224a91f337533c80d9 Mon Sep 17 00:00:00 2001 From: "Todd C. Miller" Date: Thu, 26 Jul 2007 11:28:45 +0000 Subject: [PATCH] Sort sudoers options; based on a diff from Igor Sobrado. --- sudoers.pod | 505 ++++++++++++++++++++++++++-------------------------- 1 file changed, 254 insertions(+), 251 deletions(-) diff --git a/sudoers.pod b/sudoers.pod index 2e5332c56..d4998a6f6 100644 --- a/sudoers.pod +++ b/sudoers.pod 
@@ -475,13 +475,62 @@ B: =over 12 -=item long_otp_prompt +=item always_set_home -When validating with a One Time Password scheme (B or B), -a two-line prompt is used to make it easier to cut and paste the -challenge to a local window. It's not as pretty as the default but -some people find it more convenient. This flag is I<@long_otp_prompt@> -by default. +If set, B will set the C environment variable to the home +directory of the target user (which is root unless the B<-u> option is used). +This effectively means that the B<-H> flag is always implied. +This flag is I by default. + +=item authenticate + +If set, users must authenticate themselves via a password (or other +means of authentication) before they may run commands. This default +may be overridden via the C and C tags. +This flag is I by default. + +=item closefrom_override + +If set, the user may use B's B<-C> option which +overrides the default starting point at which B begins +closing open file descriptors. This flag is I by default. + +=item env_editor + +If set, B will use the value of the EDITOR or VISUAL +environment variables before falling back on the default editor list. +Note that this may create a security hole as it allows the user to +run any arbitrary command as root without logging. A safer alternative +is to place a colon-separated list of editors in the C +variable. B will then only use the EDITOR or VISUAL if +they match a value specified in C. This flag is I<@env_editor@> by +default. + +=item env_reset + +If set, B will reset the environment to only contain the +LOGNAME, SHELL, USER, USERNAME and the C variables. Any +variables in the caller's environment that match the C +and C lists are then added. The default contents of the +C and C lists are displayed when B is +run by root with the I<-V> option. If the I option +is set, its value will be used for the C environment variable. +This flag is I by default. 
+ +=item fqdn + +Set this flag if you want to put fully qualified hostnames in the +I file. I.e., instead of myhost you would use myhost.mydomain.edu. +You may still use the short form if you wish (and even mix the two). +Beware that turning on I requires B to make DNS lookups +which may make B unusable if DNS stops working (for example +if the machine is not plugged into the network). Also note that +you must use the host's official name as DNS knows it. That is, +you may not use a host alias (C entry) due to performance +issues and the fact that there is no way to get all aliases from +DNS. If your machine's hostname (as returned by the C +command) is already fully qualified you shouldn't need to set +I. This flag is I<@fqdn@> by default. =item ignore_dot 
@@ -489,6 +538,40 @@ If set, B will ignore '.' or '' (current dir) in the C environment variable; the C itself is not modified. This flag is I<@ignore_dot@> by default. +=item ignore_local_sudoers + +If set via LDAP, parsing of @sysconfdir@/sudoers will be skipped. +This is intended for Enterprises that wish to prevent the usage of local +sudoers files so that only LDAP is used. This thwarts the efforts of +rogue operators who would attempt to add roles to @sysconfdir@/sudoers. +When this option is present, @sysconfdir@/sudoers does not even need to exist. +Since this option tells B how to behave when no specific LDAP entries +have been matched, this sudoOption is only meaningful for the cn=defaults +section. This flag is I by default. + +=item insults + +If set, B will insult users when they enter an incorrect +password. This flag is I<@insults@> by default. + +=item log_host + +If set, the hostname will be logged in the (non-syslog) B log file. +This flag is I by default. + +=item log_year + +If set, the four-digit year will be logged in the (non-syslog) B log file. +This flag is I by default. + +=item long_otp_prompt + +When validating with a One Time Password (OPT) scheme such as +B or B, a two-line prompt is used to make it easier +to cut and paste the challenge to a local window. It's not as +pretty as the default but some people find it more convenient. This +flag is I<@long_otp_prompt@> by default. + =item mail_always Send mail to the I user every time a users runs B. @@ -499,12 +582,6 @@ This flag is I by default. Send mail to the I user if the user running B does not enter the correct password. This flag is I by default. -=item mail_no_user - -If set, mail will be sent to the I user if the invoking -user is not in the I file. This flag is I<@mail_no_user@> -by default. - =item mail_no_host If set, mail will be sent to the I user if the invoking 
@@ -518,62 +595,28 @@ user is allowed to use B but the command they are trying is not listed in their I file entry or is explicitly denied. This flag is I<@mail_no_perms@> by default. -=item tty_tickets - -If set, users must authenticate on a per-tty basis. Normally, -B uses a directory in the ticket dir with the same name as -the user running it. With this flag enabled, B will use a -file named for the tty the user is logged in on in that directory. -This flag is I<@tty_tickets@> by default. - -=item authenticate - -If set, users must authenticate themselves via a password (or other -means of authentication) before they may run commands. This default -may be overridden via the C and C tags. -This flag is I by default. - -=item root_sudo - -If set, root is allowed to run B too. Disabling this prevents users -from "chaining" B commands to get a root shell by doing something -like C<"sudo sudo /bin/sh">. Note, however, that turning off I -will also prevent root and from running B. -Disabling I provides no real additional security; it -exists purely for historical reasons. -This flag is I<@root_sudo@> by default. - -=item log_host +=item mail_no_user -If set, the hostname will be logged in the (non-syslog) B log file. -This flag is I by default. +If set, mail will be sent to the I user if the invoking +user is not in the I file. This flag is I<@mail_no_user@> +by default. -=item log_year +=item monitor -If set, the four-digit year will be logged in the (non-syslog) B log file. +If set, all commands run via B will behave as if the C +tag has been set, unless overridden by a C tag. See the +description of I below as well as the L section at the end of this manual. Be aware that +tracing is only supported on certain operating systems. On systems +where it is not supported this flag will have no effect. This flag is I by default. -=item shell_noargs - -If set and B is invoked with no arguments it acts as if the -B<-s> flag had been given. 
That is, it runs a shell as root (the -shell is determined by the C environment variable if it is -set, falling back on the shell listed in the invoking user's -/etc/passwd entry if not). This flag is I by default. - -=item set_home - -If set and B is invoked with the B<-s> flag the C -environment variable will be set to the home directory of the target -user (which is root unless the B<-u> option is used). This effectively -makes the B<-s> flag imply B<-H>. This flag is I by default. - -=item always_set_home +=item noexec -If set, B will set the C environment variable to the home -directory of the target user (which is root unless the B<-u> option is used). -This effectively means that the B<-H> flag is always implied. -This flag is I by default. +If set, all commands run via B will behave as if the C +tag has been set, unless overridden by a C tag. See the +description of I below as well as the L section at the end of this manual. This flag is I by default. =item path_info 
@@ -594,26 +637,6 @@ user's existing group vector is left unaltered. The real and effective group IDs, however, are still set to match the target user. This flag is I by default. -=item fqdn - -Set this flag if you want to put fully qualified hostnames in the -I file. I.e., instead of myhost you would use myhost.mydomain.edu. -You may still use the short form if you wish (and even mix the two). -Beware that turning on I requires B to make DNS lookups -which may make B unusable if DNS stops working (for example -if the machine is not plugged into the network). Also note that -you must use the host's official name as DNS knows it. That is, -you may not use a host alias (C entry) due to performance -issues and the fact that there is no way to get all aliases from -DNS. If your machine's hostname (as returned by the C -command) is already fully qualified you shouldn't need to set -I. This flag is I<@fqdn@> by default. - -=item insults - -If set, B will insult users when they enter an incorrect -password. This flag is I<@insults@> by default. - =item requiretty If set, B will only run when the user is logged in to a real 
@@ -623,16 +646,15 @@ off echo when there is no tty present, some sites may wish to set this flag to prevent a user from entering a visible password. This flag is I by default. -=item env_editor +=item root_sudo -If set, B will use the value of the EDITOR or VISUAL -environment variables before falling back on the default editor list. -Note that this may create a security hole as it allows the user to -run any arbitrary command as root without logging. A safer alternative -is to place a colon-separated list of editors in the C -variable. B will then only use the EDITOR or VISUAL if -they match a value specified in C. This flag is C<@env_editor@> by -default. +If set, root is allowed to run B too. Disabling this prevents users +from "chaining" B commands to get a root shell by doing something +like C<"sudo sudo /bin/sh">. Note, however, that turning off I +will also prevent root and from running B. +Disabling I provides no real additional security; it +exists purely for historical reasons. +This flag is I<@root_sudo@> by default. =item rootpw @@ -645,13 +667,12 @@ If set, B will prompt for the password of the user defined by the I option (defaults to C<@runas_default@>) instead of the password of the invoking user. This flag is I by default. -=item targetpw +=item set_home -If set, B will prompt for the password of the user specified by -the B<-u> flag (defaults to C) instead of the password of the -invoking user. Note that this precludes the use of a uid not listed -in the passwd database as an argument to the B<-u> flag. -This flag is I by default. +If set and B is invoked with the B<-s> flag the C +environment variable will be set to the home directory of the target +user (which is root unless the B<-u> option is used). This effectively +makes the B<-s> flag imply B<-H>. This flag is I by default. =item set_logname 
@@ -663,7 +684,24 @@ determine the real identity of the user, it may be desirable to change this behavior. This can be done by negating the set_logname option. Note that if the I option has not been disabled, entries in the I list will override the value of -I. +I. This flag is I by default. + +=item setenv + +Allow the user to disable the I option from the command +line. Additionally, environment variables set via the command line +are not subject to the restrictions imposed by I, +I, or I. As such, only trusted users should +be allowed to set variables in this manner. This flag is I +by default. + +=item shell_noargs + +If set and B is invoked with no arguments it acts as if the +B<-s> flag had been given. That is, it runs a shell as root (the +shell is determined by the C environment variable if it is +set, falling back on the shell listed in the invoking user's +/etc/passwd entry if not). This flag is I by default. =item stay_setuid 
@@ -674,18 +712,23 @@ user's UID. In other words, this makes B act as a setuid wrapper. This can be useful on systems that disable some potentially dangerous functionality when a program is run setuid. This option is only effective on systems with either the setreuid() or setresuid() -function. +function. This flag is I by default. -=item env_reset +=item targetpw -If set, B will reset the environment to only contain the -LOGNAME, SHELL, USER, USERNAME and the C variables. Any -variables in the caller's environment that match the C -and C lists are then added. The default contents of the -C and C lists are displayed when B is -run by root with the I<-V> option. If the I option -is set, its -value will be used for the C environment variable. -This flag is I by default. +If set, B will prompt for the password of the user specified by +the B<-u> flag (defaults to C) instead of the password of the +invoking user. Note that this precludes the use of a uid not listed +in the passwd database as an argument to the B<-u> flag. +This flag is I by default. + +=item tty_tickets + +If set, users must authenticate on a per-tty basis. Normally, +B uses a directory in the ticket dir with the same name as +the user running it. With this flag enabled, B will use a +file named for the tty the user is logged in on in that directory. +This flag is I<@tty_tickets@> by default. =item use_loginclass 
@@ -693,46 +736,20 @@ If set, B will apply the defaults specified for the target user's login class if one exists. Only available if B is configured with the --with-logincap option. This flag is I by default. -=item noexec - -If set, all commands run via B will behave as if the C -tag has been set, unless overridden by a C tag. See the -description of I below as well as the L section at the end of this manual. This flag is I by default. - -=item monitor - -If set, all commands run via B will behave as if the C -tag has been set, unless overridden by a C tag. See the -description of I below as well as the L section at the end of this manual. Be aware that -tracing is only supported on certain operating systems. On systems -where it is not supported this flag will have no effect. -This flag is I by default. - -=item ignore_local_sudoers - -If set via LDAP, parsing of @sysconfdir@/sudoers will be skipped. -This is intended for Enterprises that wish to prevent the usage of local -sudoers files so that only LDAP is used. This thwarts the efforts of -rogue operators who would attempt to add roles to @sysconfdir@/sudoers. -When this option is present, @sysconfdir@/sudoers does not even need to exist. -Since this option tells B how to behave when no specific LDAP entries -have been matched, this sudoOption is only meaningful for the cn=defaults -section. This flag is I by default. - -=item closefrom_override - -If set, the user may use B's B<-C> option which -overrides the default starting point at which B begins -closing open file descriptors. This flag is I by default. - =back B: =over 12 +=item closefrom + +Before it executes a command, B will close all open file +descriptors other than standard input, standard output and standard +error (ie: file descriptors 0-2). The I option can be used +to specify a different file descriptor at which to start closing. +The default is C<3>. + =item passwd_tries The number of tries a user gets to enter his/her password before 
@@ -751,6 +768,11 @@ to decide when to wrap lines for nicer log files. This has no effect on the syslog log file, only the file log. The default is C<@loglen@> (use 0 or negate the option to disable word wrap). +=item passwd_timeout + +Number of minutes before the B password prompt times out. +The default is C<@password_timeout@>; set this to C<0> for no password timeout. + =item timestamp_timeout Number of minutes that can elapse before B will ask for a 
@@ -760,58 +782,42 @@ If set to a value less than C<0> the user's timestamp will never expire. This can be used to allow users to create or delete their own timestamps via C and C respectively. -=item passwd_timeout - -Number of minutes before the B password prompt times out. -The default is C<@password_timeout@>, set this to C<0> for no password timeout. - =item umask Umask to use when running the command. Negate this option or set it to 0777 to preserve the user's umask. The default is C<@sudo_umask@>. -=item closefrom - -Before it executes a command, B will close all open file -descriptors other than standard input, standard output and standard -error (ie: file descriptors 0-2). The I option can be used -to specify a different file descriptor at which to start closing. -The default is 3. - -=item setenv - -Allow the user to disable the I option from the command -line. Additionally, environment variables set via the command line -are not subject to the restrictions imposed by I, -I, or I. As such, only trusted users should -be allowed to set variables in this manner. - =back B: =over 12 -=item mailsub - -Subject of the mail sent to the I user. The escape C<%h> -will expand to the hostname of the machine. -Default is C<@mailsub@>. - =item badpass_message Message that is displayed if a user enters an incorrect password. The default is C<@badpass_message@> unless insults are enabled. -=item timestampdir +=item editor -The directory in which B stores its timestamp files. -The default is F<@timedir@>. +A colon (':') separated list of editors allowed to be used with +B. B will choose the editor that matches the user's +EDITOR environment variable if possible, or the first editor in the +list that exists and is executable. The default is the path to vi +on your system. -=item timestampowner +=item mailsub -The owner of the timestamp directory and the timestamps stored therein. -The default is C. +Subject of the mail sent to the I user. 
The escape C<%h> +will expand to the hostname of the machine. +Default is C<@mailsub@>. + +=item noexec_file + +Path to a shared library containing dummy versions of the execv(), +execve() and fexecve() library functions that just return an error. +This is used to implement the I functionality on systems that +support C or its equivalent. Defaults to F<@noexec_file@>. =item passprompt @@ -821,24 +827,24 @@ The following percent (`C<%>') escapes are supported: =over 8 -=item C<%u> +=item C<%H> -expanded to the invoking user's login name +expanded to the local hostname including the domain name +(on if the machine's hostname is fully qualified or the I +option is set) + +=item C<%h> + +expanded to the local hostname without the domain name =item C<%U> expanded to the login name of the user the command will be run as (defaults to root) -=item C<%h> - -expanded to the local hostname without the domain name - -=item C<%H> +=item C<%u> -expanded to the local hostname including the domain name -(on if the machine's hostname is fully qualified or the I -option is set) +expanded to the invoking user's login name =item C<%%> 
@@ -855,30 +861,25 @@ on the command line. This defaults to C<@runas_default@>. Note that if I is set it B occur before any C specifications. -=item syslog_goodpri - -Syslog priority to use when user authenticates successfully. -Defaults to C<@goodpri@>. - =item syslog_badpri Syslog priority to use when user authenticates unsuccessfully. Defaults to C<@badpri@>. -=item editor +=item syslog_goodpri -A colon (':') separated list of editors allowed to be used with -B. B will choose the editor that matches the user's -EDITOR environment variable if possible, or the first editor in the -list that exists and is executable. The default is the path to vi -on your system. +Syslog priority to use when user authenticates successfully. +Defaults to C<@goodpri@>. -=item noexec_file +=item timestampdir -Path to a shared library containing dummy versions of the execv(), -execve() and fexecve() library functions that just return an error. -This is used to implement the I functionality on systems that -support C or its equivalent. Defaults to F<@noexec_file@>. +The directory in which B stores its timestamp files. +The default is F<@timedir@>. + +=item timestampowner + +The owner of the timestamp directory and the timestamps stored therein. +The default is C. =back @@ -886,6 +887,11 @@ B: =over 12 +=item exempt_group + +Users in this group are exempt from password and PATH requirements. +This is not set by default. + =item lecture This option controls when a short lecture will be printed along with @@ -893,6 +899,10 @@ the password prompt. It has the following possible values: =over 8 +=item always + +Always lecture the user. + =item never Never lecture the user. @@ -901,10 +911,6 @@ Never lecture the user. Only lecture the user the first time they run B. -=item always - -Always lecture the user. - =back If no value is specified, a value of I is implied. 
@@ -915,37 +921,60 @@ The default value is I<@lecture@>. Path to a file containing an alternate B lecture that will be used in place of the standard lecture if the named file exists. +By default, B uses a built-in lecture. + +=item listpw + +This option controls when a password will be required when a +user runs B with the B<-l> flag. It has the following possible values: + +=over 8 + +=item all + +All the user's I entries for the current host must have +the C flag set to avoid entering a password. + +=item always + +The user must always enter a password to use the B<-l> flag. + +=item any + +At least one of the user's I entries for the current host +must have the C flag set to avoid entering a password. + +=item never + +The user need never enter a password to use the B<-l> flag. + +=back + +If no value is specified, a value of I is implied. +Negating the option results in a value of I being used. +The default value is I. =item logfile Path to the B log file (not the syslog log file). Setting a path turns on logging to a file; negating this option turns it off. +By default, B logs via syslog. -=item syslog +=item mailerflags -Syslog facility if syslog is being used for logging (negate to -disable syslog logging). Defaults to C<@logfac@>. +Flags to use when invoking mailer. Defaults to B<-t>. =item mailerpath Path to mail program used to send warning mail. Defaults to the path to sendmail found at configure time. -=item mailerflags - -Flags to use when invoking mailer. Defaults to B<-t>. - =item mailto Address to send warning and error mail to. The address should be enclosed in double quotes (C<">) to protect against B interpreting the C<@> sign. Defaults to C<@mailto@>. -=item exempt_group - -Users in this group are exempt from password and PATH requirements. -This is not set by default. - =item secure_path Path used for every command run from B. If you don't trust the 
@@ -955,6 +984,11 @@ be separate from the "user path." Users in the group specified by the I option are not affected by I. This is not set by default. +=item syslog + +Syslog facility if syslog is being used for logging (negate to +disable syslog logging). Defaults to C<@logfac@>. + =item verifypw This option controls when a password will be required when a user runs @@ -967,37 +1001,10 @@ B with the B<-v> flag. It has the following possible values: All the user's I entries for the current host must have the C flag set to avoid entering a password. -=item any - -At least one of the user's I entries for the current host -must have the C flag set to avoid entering a password. - -=item never - -The user need never enter a password to use the B<-v> flag. - =item always The user must always enter a password to use the B<-v> flag. -=back - -If no value is specified, a value of I is implied. -Negating the option results in a value of I being used. -The default value is I. - -=item listpw - -This option controls when a password will be required when a -user runs B with the B<-l> flag. It has the following possible values: - -=over 8 - -=item all - -All the user's I entries for the current host must have -the C flag set to avoid entering a password. - =item any At least one of the user's I entries for the current host @@ -1005,17 +1012,13 @@ must have the C flag set to avoid entering a password. =item never -The user need never enter a password to use the B<-l> flag. - -=item always - -The user must always enter a password to use the B<-l> flag. +The user need never enter a password to use the B<-v> flag. =back -If no value is specified, a value of I is implied. +If no value is specified, a value of I is implied. Negating the option results in a value of I being used. -The default value is I. +The default value is I. =back -- 2.50.1
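Review bot: typo in the long_otp_prompt entry of hunk @@ -489,6 +538,40 @@: "One Time Password (OPT) scheme" should read "(OTP)". Since the whole entry is rewritten here anyway, fix it in this commit; in the same hunk, "This is intended for Enterprises" (ignore_local_sudoers) does not need the capital E.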
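Review bot: the relocated root_sudo text in hunk @@ -623,16 +646,15 @@ carries a grammatical slip, "will also prevent root and from running", so either drop the stray "and" or restore the missing noun while the lines are being rewritten. In the same hunk the removed env_editor paragraph had C<@env_editor@> while the copy added in the first hunk has I<@env_editor@>; that is the correct markup for a flag default, but it is a content change the "Sort sudoers options" subject does not mention.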
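Review bot: hunk @@ -663,7 +684,24 @@ does more than reorder: setenv is moved out of the Integers section (where hunk @@ -760,58 +782,42 @@ removes it) into the flags section and gains a "This flag is ... by default." sentence, and set_logname gains the same sentence. Both are correct fixes, since setenv takes no integer value and a flag entry without a default is incomplete, but they deserve a line in the commit message so the reclassification is not mistaken for a pure sort.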
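Review bot: the Integers section is still not alphabetical after hunk @@ -693,46 +736,20 @@: closefrom is placed first, but the hunk's trailing context shows passwd_tries directly after it, while the next hunk (@@ -751,6 +768,11 @@) inserts passwd_timeout further down after the C<@loglen@> entry. passwd_timeout sorts before passwd_tries, so passwd_tries should move down to follow it. Minor: "(ie: file descriptors 0-2)" in the closefrom text would read better as "(i.e., file descriptors 0-2)".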
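Review bot: the %H escape text moved in hunk @@ -821,24 +827,24 @@ reads "(on if the machine's hostname is fully qualified or the I option is set)"; "on if" should be "only if". The lines are rewritten here anyway, so correct the typo in the same commit.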
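Review bot: hunk @@ -915,37 +921,60 @@ adds two sentences that are not sorting: a "By default, ... uses a built-in lecture." line under lecture_file and a "By default, ... logs via syslog." line under logfile. Both are worth documenting, but list them in the commit message (or split them into a separate change) so readers of the history do not assume this commit only moves text.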
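Review bot: the closing paragraph edited in hunk @@ -1005,17 +1012,13 @@ originally belonged to listpw (it followed the "never" item for the B<-l> flag) and is now repurposed for verifypw, so the rewritten "a value of ... is implied" and "The default value is ..." sentences must carry verifypw's defaults rather than listpw's. The emphasised values are not visible in this rendering; please confirm they match the ones deleted from verifypw in hunk @@ -967,37 +1001,10 @@.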