From c4fa5baa1cceb184df6383fbb712e8528f20a300 Mon Sep 17 00:00:00 2001 From: "Todd C. Miller" Date: Fri, 25 Sep 2009 01:12:16 +0000 Subject: [PATCH] regen --- sudo.cat | 40 ++-- sudo.man.in | 5 +- sudoers.cat | 520 ++++++++++++++++++++++++------------------------- sudoers.man.in | 60 ++++-- 4 files changed, 327 insertions(+), 298 deletions(-) diff --git a/sudo.cat b/sudo.cat index c7375477c..a2f3bc153 100644 --- a/sudo.cat +++ b/sudo.cat @@ -61,7 +61,7 @@ DDEESSCCRRIIPPTTIIOONN -1.7.2 June 15, 2009 1 +1.7.2 September 24, 2009 1 @@ -127,7 +127,7 @@ OOPPTTIIOONNSS -1.7.2 June 15, 2009 2 +1.7.2 September 24, 2009 2 @@ -193,7 +193,7 @@ SUDO(1m) MAINTENANCE COMMANDS SUDO(1m) -1.7.2 June 15, 2009 3 +1.7.2 September 24, 2009 3 @@ -259,7 +259,7 @@ SUDO(1m) MAINTENANCE COMMANDS SUDO(1m) -1.7.2 June 15, 2009 4 +1.7.2 September 24, 2009 4 @@ -291,7 +291,8 @@ SUDO(1m) MAINTENANCE COMMANDS SUDO(1m) the _p_a_s_s_p_r_o_m_p_t___o_v_e_r_r_i_d_e flag is disabled in _s_u_d_o_e_r_s. -S The --SS (_s_t_d_i_n) option causes ssuuddoo to read the password from - the standard input instead of the terminal device. + the standard input instead of the terminal device. The + password must be followed by a newline character. -s [command] The --ss (_s_h_e_l_l) option runs the shell specified by the _S_H_E_L_L @@ -321,11 +322,10 @@ SUDO(1m) MAINTENANCE COMMANDS SUDO(1m) -v If given the --vv (_v_a_l_i_d_a_t_e) option, ssuuddoo will update the user's timestamp, prompting for the user's password if - necessary. This extends the ssuuddoo timeout for another 5 -1.7.2 June 15, 2009 5 +1.7.2 September 24, 2009 5 @@ -334,6 +334,7 @@ SUDO(1m) MAINTENANCE COMMANDS SUDO(1m) SUDO(1m) MAINTENANCE COMMANDS SUDO(1m) + necessary. This extends the ssuuddoo timeout for another 5 minutes (or whatever the timeout is set to in _s_u_d_o_e_r_s) but does not run a command. 
@@ -387,11 +388,10 @@ SSEECCUURRIITTYY NNOOTTEESS environment variables that ssuuddoo allows or denies is contained in the output of sudo -V when run as root. - Note that the dynamic linker on most operating systems will remove -1.7.2 June 15, 2009 6 +1.7.2 September 24, 2009 6 @@ -400,6 +400,7 @@ SSEECCUURRIITTYY NNOOTTEESS SUDO(1m) MAINTENANCE COMMANDS SUDO(1m) + Note that the dynamic linker on most operating systems will remove variables that can control dynamic linking from the environment of setuid executables, including ssuuddoo. Depending on the operating system this may include _RLD*, DYLD_*, LD_*, LDR_*, LIBPATH, SHLIB_PATH, and @@ -453,11 +454,10 @@ EENNVVIIRROONNMMEENNTT HOME In --ss or --HH mode (or if sudo was configured with the --enable-shell-sets-home option), set to homedir of the - target user -1.7.2 June 15, 2009 7 +1.7.2 September 24, 2009 7 @@ -466,6 +466,8 @@ EENNVVIIRROONNMMEENNTT SUDO(1m) MAINTENANCE COMMANDS SUDO(1m) + target user + PATH Set to a sane value if the _s_e_c_u_r_e___p_a_t_h sudoers option is set. @@ -518,12 +520,10 @@ EEXXAAMMPPLLEESS To edit the _i_n_d_e_x_._h_t_m_l file as user www: - $ sudo -u www vi ~www/htdocs/index.html - -1.7.2 June 15, 2009 8 +1.7.2 September 24, 2009 8 @@ -532,6 +532,8 @@ EEXXAAMMPPLLEESS SUDO(1m) MAINTENANCE COMMANDS SUDO(1m) + $ sudo -u www vi ~www/htdocs/index.html + To view system logs only accessible to root and users in the adm group: $ sudo -g adm view /var/log/syslog @@ -584,12 +586,10 @@ CCAAVVEEAATTSS Running shell scripts via ssuuddoo can expose the same kernel bugs that make setuid shell scripts unsafe on some operating systems (if your OS - has a /dev/fd/ directory, setuid shell scripts are generally safe). - -1.7.2 June 15, 2009 9 +1.7.2 September 24, 2009 9 
@@ -598,6 +598,8 @@ CCAAVVEEAATTSS SUDO(1m) MAINTENANCE COMMANDS SUDO(1m) + has a /dev/fd/ directory, setuid shell scripts are generally safe). + BBUUGGSS If you feel you have found a bug in ssuuddoo, please submit a bug report at http://www.sudo.ws/sudo/bugs/ @@ -653,8 +655,6 @@ DDIISSCCLLAAIIMMEERR - - -1.7.2 June 15, 2009 10 +1.7.2 September 24, 2009 10 diff --git a/sudo.man.in b/sudo.man.in index a50b6c55f..dbfca4727 100644 --- a/sudo.man.in +++ b/sudo.man.in @@ -153,7 +153,7 @@ .\" ======================================================================== .\" .IX Title "SUDO @mansectsu@" -.TH SUDO @mansectsu@ "June 15, 2009" "1.7.2" "MAINTENANCE COMMANDS" +.TH SUDO @mansectsu@ "September 24, 2009" "1.7.2" "MAINTENANCE COMMANDS" .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l @@ -442,7 +442,8 @@ password prompt on systems that support \s-1PAM\s0 unless the .IP "\-S" 12 .IX Item "-S" The \fB\-S\fR (\fIstdin\fR) option causes \fBsudo\fR to read the password from -the standard input instead of the terminal device. +the standard input instead of the terminal device. The password must +be followed by a newline character. .IP "\-s [command]" 12 .IX Item "-s [command]" The \fB\-s\fR (\fIshell\fR) option runs the shell specified by the \fI\s-1SHELL\s0\fR diff --git a/sudoers.cat b/sudoers.cat index 1afd9269d..03ec402cd 100644 --- a/sudoers.cat +++ b/sudoers.cat @@ -61,7 +61,7 @@ DDEESSCCRRIIPPTTIIOONN -1.7.2 June 30, 2009 1 +1.7.2 September 24, 2009 1 @@ -127,7 +127,7 @@ SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4) -1.7.2 June 30, 2009 2 +1.7.2 September 24, 2009 2 @@ -193,7 +193,7 @@ SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4) -1.7.2 June 30, 2009 3 +1.7.2 September 24, 2009 3 @@ -259,7 +259,7 @@ SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4) -1.7.2 June 30, 2009 4 +1.7.2 September 24, 2009 4 
@@ -285,7 +285,7 @@ SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4) Runas_Spec ::= '(' Runas_List? (':' Runas_List)? ')' Tag_Spec ::= ('NOPASSWD:' | 'PASSWD:' | 'NOEXEC:' | 'EXEC:' | - 'SETENV:' | 'NOSETENV:' ) + 'SETENV:' | 'NOSETENV:' | 'TRANSCRIPT:' | 'NOTRANSCRIPT:') A uusseerr ssppeecciiffiiccaattiioonn determines which commands a user may run (and as what user) on specified hosts. By default, commands are run as rroooott, @@ -325,7 +325,7 @@ SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4) -1.7.2 June 30, 2009 5 +1.7.2 September 24, 2009 5 @@ -355,10 +355,11 @@ SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4) TTaagg__SSppeecc A command may have zero or more tags associated with it. There are - eight possible tag values, NOPASSWD, PASSWD, NOEXEC, EXEC, SETENV and - NOSETENV. Once a tag is set on a Cmnd, subsequent Cmnds in the - Cmnd_Spec_List, inherit the tag unless it is overridden by the opposite - tag (i.e.: PASSWD overrides NOPASSWD and NOEXEC overrides EXEC). + eight possible tag values, NOPASSWD, PASSWD, NOEXEC, EXEC, SETENV, + NOSETENV, TRANSCRIPT and NOTRANSCRIPT. Once a tag is set on a Cmnd, + subsequent Cmnds in the Cmnd_Spec_List, inherit the tag unless it is + overridden by the opposite tag (i.e.: PASSWD overrides NOPASSWD and + NOEXEC overrides EXEC). _N_O_P_A_S_S_W_D _a_n_d _P_A_S_S_W_D @@ -387,11 +388,10 @@ SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4) pertain to the current host. This behavior may be overridden via the verifypw and listpw options. - _N_O_E_X_E_C _a_n_d _E_X_E_C -1.7.2 June 30, 2009 6 +1.7.2 September 24, 2009 6 @@ -400,6 +400,8 @@ SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4) SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4) + _N_O_E_X_E_C _a_n_d _E_X_E_C + If ssuuddoo has been compiled with _n_o_e_x_e_c support and the underlying operating system supports it, the NOEXEC tag can be used to prevent a dynamically-linked executable from running further commands itself. 
@@ -422,6 +424,12 @@ SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4) If the command matched is AALLLL, the SETENV tag is implied for that command; this default may be overridden by use of the UNSETENV tag. + _T_R_A_N_S_C_R_I_P_T _a_n_d _N_O_T_R_A_N_S_C_R_I_P_T + + These tags override the value of the _t_r_a_n_s_c_r_i_p_t option on a per-command + basis. For more information, see the description of _t_r_a_n_s_c_r_i_p_t in the + "SUDOERS OPTIONS" section below. + WWiillddccaarrddss ssuuddoo allows shell-style _w_i_l_d_c_a_r_d_s (aka meta or glob characters) to be @@ -446,25 +454,25 @@ SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4) /bin/ls [[\:alpha\:]]* - Would match any filename beginning with a letter. - Note that a forward slash ('/') will nnoott be matched by wildcards used - in the pathname. When matching the command line arguments, however, a - slash ddooeess get matched by wildcards. This is to make a path like: - /usr/bin/* +1.7.2 September 24, 2009 7 -1.7.2 June 30, 2009 7 +SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4) + Would match any filename beginning with a letter. -SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4) + Note that a forward slash ('/') will nnoott be matched by wildcards used + in the pathname. When matching the command line arguments, however, a + slash ddooeess get matched by wildcards. This is to make a path like: + /usr/bin/* match _/_u_s_r_/_b_i_n_/_w_h_o but not _/_u_s_r_/_b_i_n_/_X_1_1_/_x_t_e_r_m. 
@@ -512,18 +520,10 @@ SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4) ssuuddoo will read each file in _/_e_t_c_/_s_u_d_o_e_r_s_._d, skipping file names that end in ~ or contain a . character to avoid causing problems with - package manager or editor temporary/backup files. Files are parsed in - sorted lexical order. That is, _/_e_t_c_/_s_u_d_o_e_r_s_._d_/_0_1___f_i_r_s_t will be parsed - before _/_e_t_c_/_s_u_d_o_e_r_s_._d_/_1_0___s_e_c_o_n_d. Be aware that because the sorting is - lexical, not numeric, _/_e_t_c_/_s_u_d_o_e_r_s_._d_/_1___w_h_o_o_p_s would be loaded aafftteerr - _/_e_t_c_/_s_u_d_o_e_r_s_._d_/_1_0___s_e_c_o_n_d. Using a consistent number of leading zeroes - in the file names can be used to avoid such problems. - - Note that unlike files included via #include, vviissuuddoo will not edit the -1.7.2 June 30, 2009 8 +1.7.2 September 24, 2009 8 @@ -532,6 +532,14 @@ SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4) SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4) + package manager or editor temporary/backup files. Files are parsed in + sorted lexical order. That is, _/_e_t_c_/_s_u_d_o_e_r_s_._d_/_0_1___f_i_r_s_t will be parsed + before _/_e_t_c_/_s_u_d_o_e_r_s_._d_/_1_0___s_e_c_o_n_d. Be aware that because the sorting is + lexical, not numeric, _/_e_t_c_/_s_u_d_o_e_r_s_._d_/_1___w_h_o_o_p_s would be loaded aafftteerr + _/_e_t_c_/_s_u_d_o_e_r_s_._d_/_1_0___s_e_c_o_n_d. Using a consistent number of leading zeroes + in the file names can be used to avoid such problems. + + Note that unlike files included via #include, vviissuuddoo will not edit the files in a #includedir directory unless one of them contains a syntax error. It is still possible to run vviissuuddoo with the -f flag to edit the files directly. 
@@ -578,18 +586,10 @@ SSUUDDOOEERRSS OOPPTTIIOONNSS always_set_home If set, ssuuddoo will set the HOME environment variable to the home directory of the target user (which is root unless the --uu option is used). This effectively means - that the --HH option is always implied. This flag is _o_f_f - by default. - - authenticate If set, users must authenticate themselves via a - password (or other means of authentication) before they - may run commands. This default may be overridden via - the PASSWD and NOPASSWD tags. This flag is _o_n by - default. -1.7.2 June 30, 2009 9 +1.7.2 September 24, 2009 9 @@ -598,6 +598,15 @@ SSUUDDOOEERRSS OOPPTTIIOONNSS SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4) + that the --HH option is always implied. This flag is _o_f_f + by default. + + authenticate If set, users must authenticate themselves via a + password (or other means of authentication) before they + may run commands. This default may be overridden via + the PASSWD and NOPASSWD tags. This flag is _o_n by + default. + closefrom_override If set, the user may use ssuuddoo's --CC option which overrides the default starting point at which ssuuddoo 
@@ -624,6 +633,18 @@ SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4) its value will be used for the PATH environment variable. This flag is _o_n by default. + fast_glob Normally, ssuuddoo uses the _g_l_o_b(3) function to do shell- + style globbing when matching pathnames. However, since + it accesses the file system, _g_l_o_b(3) can take a long + time to complete for some patterns, especially when the + pattern references a network file system that is + mounted on demand (automounted). The _f_a_s_t___g_l_o_b option + causes ssuuddoo to use the _f_n_m_a_t_c_h(3) function, which does + not access the file system to do its matching. The + disadvantage of _f_a_s_t___g_l_o_b is that it is unable to match + relative pathnames such as _._/_l_s or _._._/_b_i_n_/_l_s. This + flag is _o_f_f by default. + fqdn Set this flag if you want to put fully qualified hostnames in the _s_u_d_o_e_r_s file. I.e., instead of myhost you would use myhost.mydomain.edu. You may still use @@ -631,6 +652,18 @@ SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4) Beware that turning on _f_q_d_n requires ssuuddoo to make DNS lookups which may make ssuuddoo unusable if DNS stops working (for example if the machine is not plugged into + + + +1.7.2 September 24, 2009 10 + + + + + +SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4) + + the network). Also note that you must use the host's official name as DNS knows it. That is, you may not use a host alias (CNAME entry) due to performance @@ -652,18 +685,6 @@ SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4) operators who would attempt to add roles to _/_e_t_c_/_s_u_d_o_e_r_s. When this option is present, _/_e_t_c_/_s_u_d_o_e_r_s does not even need to exist. Since this - - - -1.7.2 June 30, 2009 10 - - - - - -SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4) - - option tells ssuuddoo how to behave when no specific LDAP entries have been matched, this sudoOption is only meaningful for the cn=defaults section. This flag is 
@@ -697,6 +718,18 @@ SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4) allowed to run commands on the current host. This flag is _o_f_f by default. + + + +1.7.2 September 24, 2009 11 + + + + + +SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4) + + mail_no_perms If set, mail will be sent to the _m_a_i_l_t_o user if the invoking user is allowed to use ssuuddoo but the command they are trying is not listed in their _s_u_d_o_e_r_s file @@ -718,18 +751,6 @@ SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4) sites may wish to disable this as it could be used to gather information on the location of executables that the normal user does not have access to. The - - - -1.7.2 June 30, 2009 11 - - - - - -SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4) - - disadvantage is that if the executable is simply not in the user's PATH, ssuuddoo will tell the user that they are not allowed to run it, which can be confusing. This @@ -763,6 +784,18 @@ SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4) to a real tty. When this flag is set, ssuuddoo can only be run from a login session and not via other means such as _c_r_o_n(1m) or cgi-bin scripts. This flag is _o_f_f by + + + +1.7.2 September 24, 2009 12 + + + + + +SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4) + + default. root_sudo If set, root is allowed to run ssuuddoo too. Disabling @@ -784,18 +817,6 @@ SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4) flag is _o_f_f by default. set_home If set and ssuuddoo is invoked with the --ss option the HOME - - - -1.7.2 June 30, 2009 12 - - - - - -SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4) - - environment variable will be set to the home directory of the target user (which is root unless the --uu option is used). This effectively makes the --ss option imply 
@@ -827,33 +848,12 @@ SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4) shell listed in the invoking user's /etc/passwd entry if not). This flag is _o_f_f by default. - fast_glob Normally, ssuuddoo uses the _g_l_o_b(3) function to do shell- - style globbing when matching pathnames. However, since - it accesses the file system, _g_l_o_b(3) can take a long - time to complete for some patterns, especially when the - pattern references a network file system that is - mounted on demand (automounted). The _f_a_s_t___g_l_o_b option - causes ssuuddoo to use the _f_n_m_a_t_c_h(3) function, which does - not access the file system to do its matching. The - disadvantage of _f_a_s_t___g_l_o_b is that it is unable to match - relative pathnames such as _._/_l_s or _._._/_b_i_n_/_l_s. This - flag is _o_f_f by default. - stay_setuid Normally, when ssuuddoo executes a command the real and effective UIDs are set to the target user (root by - default). This option changes that behavior such that - the real UID is left as the invoking user's UID. In - other words, this makes ssuuddoo act as a setuid wrapper. - This can be useful on systems that disable some - potentially dangerous functionality when a program is - run setuid. This option is only effective on systems - with either the _s_e_t_r_e_u_i_d_(_) or _s_e_t_r_e_s_u_i_d_(_) function. - This flag is _o_f_f by default. - -1.7.2 June 30, 2009 13 +1.7.2 September 24, 2009 13 
@@ -862,6 +862,15 @@ SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4) SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4) + default). This option changes that behavior such that + the real UID is left as the invoking user's UID. In + other words, this makes ssuuddoo act as a setuid wrapper. + This can be useful on systems that disable some + potentially dangerous functionality when a program is + run setuid. This option is only effective on systems + with either the _s_e_t_r_e_u_i_d_(_) or _s_e_t_r_e_s_u_i_d_(_) function. + This flag is _o_f_f by default. + targetpw If set, ssuuddoo will prompt for the password of the user specified by the --uu option (defaults to root) instead of the password of the invoking user. Note that this @@ -869,6 +878,26 @@ SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4) database as an argument to the --uu option. This flag is _o_f_f by default. + transcript If set, ssuuddoo will log a transcript of the command being + run, similar to the _s_c_r_i_p_t(1) command. In this mode + ssuuddoo will allocate a new _p_s_e_u_d_o _t_t_y and log all input + and output for the command (except when echo is turned + off as when a password is entered). Transcripts are + logged to the _/_v_a_r_/_l_o_g_/_s_u_d_o_-_s_e_s_s_i_o_n directory with a + unique transcript ID that is included in the normal + ssuuddoo log line, prefixed with _T_S_I_D_=. + + Transcripts may be viewed with the _s_u_d_o_r_e_p_l_a_y(1m) + utility, which can also be used to list or search the + available transcripts. + + A side effect of this mode is that it will not be + possible to suspend the command being run (because it + is running in a different tty with its own job + control). If a shell is being run, commands executed + by that shell will have normal job control but the + shell itself may not be suspended. + tty_tickets If set, users must authenticate on a per-tty basis. Normally, ssuuddoo uses a directory in the ticket dir with the same name as the user running it. With this flag 
@@ -887,6 +916,18 @@ SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4) use_loginclass If set, ssuuddoo will apply the defaults specified for the target user's login class if one exists. Only available if ssuuddoo is configured with the + + + +1.7.2 September 24, 2009 14 + + + + + +SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4) + + --with-logincap option. This flag is _o_f_f by default. visiblepw By default, ssuuddoo will refuse to run if the user must @@ -916,18 +957,6 @@ SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4) value is used to decide when to wrap lines for nicer log files. This has no effect on the syslog log file, only the file log. The default is 80 (use 0 or negate - - - -1.7.2 June 30, 2009 14 - - - - - -SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4) - - the option to disable word wrap). passwd_timeout Number of minutes before the ssuuddoo password prompt times @@ -954,6 +983,17 @@ SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4) SSttrriinnggss: + + +1.7.2 September 24, 2009 15 + + + + + +SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4) + + badpass_message Message that is displayed if a user enters an incorrect password. The default is Sorry, try again. unless insults are enabled. @@ -982,18 +1022,6 @@ SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4) escapes are supported: %H expanded to the local hostname including the domain - - - -1.7.2 June 30, 2009 15 - - - - - -SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4) - - name (on if the machine's hostname is fully qualified or the _f_q_d_n option is set) @@ -1020,6 +1048,18 @@ SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4) before any Runas_Alias specifications. syslog_badpri Syslog priority to use when user authenticates + + + +1.7.2 September 24, 2009 16 + + + + + +SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4) + + unsuccessfully. Defaults to alert. syslog_goodpri Syslog priority to use when user authenticates 
@@ -1048,18 +1088,6 @@ SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4) variable. env_file The _e_n_v___f_i_l_e options specifies the fully qualified path to - - - -1.7.2 June 30, 2009 16 - - - - - -SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4) - - a file containing variables to be set in the environment of the program being run. Entries in this file should either be of the form VARIABLE=value or export VARIABLE=value. @@ -1085,6 +1113,19 @@ SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4) Negating the option results in a value of _n_e_v_e_r being used. The default value is _o_n_c_e. + + + + +1.7.2 September 24, 2009 17 + + + + + +SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4) + + lecture_file Path to a file containing an alternate ssuuddoo lecture that will be used in place of the standard lecture if the named @@ -1114,18 +1155,6 @@ SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4) logfile Path to the ssuuddoo log file (not the syslog log file). Setting a path turns on logging to a file; negating this - - - -1.7.2 June 30, 2009 17 - - - - - -SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4) - - option turns it off. By default, ssuuddoo logs via syslog. mailerflags Flags to use when invoking mailer. Defaults to --tt. @@ -1148,9 +1177,21 @@ SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4) is if you want to have the "root path" be separate from the "user path." Users in the group specified by the _e_x_e_m_p_t___g_r_o_u_p option are not affected by _s_e_c_u_r_e___p_a_t_h. This - is not set by default. + option is @secure_path@ by default. syslog Syslog facility if syslog is being used for logging (negate + + + +1.7.2 September 24, 2009 18 + + + + + +SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4) + + to disable syslog logging). Defaults to local2. verifypw This option controls when a password will be required when 
@@ -1180,18 +1221,6 @@ SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4) env_check Environment variables to be removed from the user's environment if the variable's value contains % or / characters. This can be used to guard against printf- - - - -1.7.2 June 30, 2009 18 - - - - - -SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4) - - style format vulnerabilities in poorly-written programs. The argument may be a double-quoted, space- separated list or a single value without double-quotes. @@ -1217,6 +1246,18 @@ SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4) any setuid process (such as ssuuddoo). env_keep Environment variables to be preserved in the user's + + + +1.7.2 September 24, 2009 19 + + + + + +SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4) + + environment when the _e_n_v___r_e_s_e_t option is in effect. This allows fine-grained control over the environment ssuuddoo-spawned processes will receive. The argument may @@ -1241,23 +1282,12 @@ FFIILLEESS _/_e_t_c_/_n_e_t_g_r_o_u_p List of network groups + _/_v_a_r_/_l_o_g_/_s_u_d_o_-_s_e_s_s_i_o_n Transcript logs + EEXXAAMMPPLLEESS Below are example _s_u_d_o_e_r_s entries. Admittedly, some of these are a bit contrived. First, we define our _a_l_i_a_s_e_s: - - - - -1.7.2 June 30, 2009 19 - - - - - -SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4) - - # User alias specification User_Alias FULLTIMERS = millert, mikef, dowdy User_Alias PARTTIMERS = bostley, jwfox, crawl @@ -1282,6 +1312,18 @@ SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4) Cmnd_Alias DUMPS = /usr/bin/mt, /usr/sbin/dump, /usr/sbin/rdump,\ /usr/sbin/restore, /usr/sbin/rrestore Cmnd_Alias KILL = /usr/bin/kill + + + +1.7.2 September 24, 2009 20 + + + + + +SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4) + + Cmnd_Alias PRINTING = /usr/sbin/lpc, /usr/bin/lprm Cmnd_Alias SHUTDOWN = /usr/sbin/shutdown Cmnd_Alias HALT = /usr/sbin/halt 
@@ -1312,18 +1354,6 @@ SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4) Defaults!PAGERS noexec The _U_s_e_r _s_p_e_c_i_f_i_c_a_t_i_o_n is the part that actually determines who may run - - - -1.7.2 June 30, 2009 20 - - - - - -SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4) - - what. root ALL = (ALL) ALL @@ -1348,6 +1378,18 @@ SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4) The user jjaacckk may run any command on the machines in the _C_S_N_E_T_S alias (the networks 128.138.243.0, 128.138.204.0, and 128.138.242.0). Of those networks, only 128.138.204.0 has an explicit netmask (in CIDR + + + +1.7.2 September 24, 2009 21 + + + + + +SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4) + + notation) indicating it is a class C network. For the other networks in _C_S_N_E_T_S, the local machine's netmask will be used during matching. @@ -1379,17 +1421,6 @@ SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4) the _H_P_P_A machines. Note that this assumes _p_a_s_s_w_d(1) does not take multiple usernames on the command line. - - -1.7.2 June 30, 2009 21 - - - - - -SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4) - - bob SPARC = (OP) ALL : SGI = (OP) ALL The user bboobb may run anything on the _S_P_A_R_C and _S_G_I machines as any user @@ -1413,6 +1444,18 @@ SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4) john ALPHA = /usr/bin/su [!-]*, !/usr/bin/su *root* + + + +1.7.2 September 24, 2009 22 + + + + + +SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4) + + On the _A_L_P_H_A machines, user jjoohhnn may su to anyone except root but he is not allowed to specify any options to the _s_u(1) command. @@ -1443,19 +1486,6 @@ SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4) and wim), may run any command as user www (which owns the web pages) or simply _s_u(1) to www. - - - - -1.7.2 June 30, 2009 22 - - - - - -SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4) - - ALL CDROM = NOPASSWD: /sbin/umount /CDROM,\ /sbin/mount -o nosuid\,nodev /dev/cd0a /CDROM 
@@ -1480,6 +1510,18 @@ SSEECCUURRIITTYY NNOOTTEESS PPRREEVVEENNTTIINNGG SSHHEELLLL EESSCCAAPPEESS Once ssuuddoo executes a program, that program is free to do whatever it + + + +1.7.2 September 24, 2009 23 + + + + + +SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4) + + pleases, including run other programs. This can be a security issue since it is not uncommon for a program to allow shell escapes, which lets a user bypass ssuuddoo's access control and logging. Common programs @@ -1510,18 +1552,6 @@ PPRREEVVEENNTTIINNGG SSHHEELLLL EESSCCAAPPEESS sudo -V | grep "dummy exec" - - - -1.7.2 June 30, 2009 23 - - - - - -SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4) - - If the resulting output contains a line that begins with: File containing dummy exec functions: @@ -1546,6 +1576,18 @@ SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4) This allows user aaaarroonn to run _/_u_s_r_/_b_i_n_/_m_o_r_e and _/_u_s_r_/_b_i_n_/_v_i with _n_o_e_x_e_c enabled. This will prevent those two commands + + + +1.7.2 September 24, 2009 24 + + + + + +SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4) + + from executing other commands (such as a shell). If you are unsure whether or not your system is capable of supporting _n_o_e_x_e_c you can always just try it out and see if it works. @@ -1576,18 +1618,6 @@ BBUUGGSS SSUUPPPPOORRTT Limited free support is available via the sudo-users mailing list, see - - - -1.7.2 June 30, 2009 24 - - - - - -SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4) - - http://www.sudo.ws/mailman/listinfo/sudo-users to subscribe or search the archives. @@ -1615,36 +1645,6 @@ DDIISSCCLLAAIIMMEERR - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -1.7.2 June 30, 2009 25 +1.7.2 September 24, 2009 25 diff --git a/sudoers.man.in b/sudoers.man.in index daa552377..958299395 100644 --- a/sudoers.man.in +++ b/sudoers.man.in 
@@ -153,7 +153,7 @@ .\" ======================================================================== .\" .IX Title "SUDOERS @mansectform@" -.TH SUDOERS @mansectform@ "June 30, 2009" "1.7.2" "MAINTENANCE COMMANDS" +.TH SUDOERS @mansectform@ "September 24, 2009" "1.7.2" "MAINTENANCE COMMANDS" .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l @@ -417,7 +417,7 @@ See \*(L"\s-1SUDOERS\s0 \s-1OPTIONS\s0\*(R" for a list of supported Defaults par \& Runas_Spec ::= \*(Aq(\*(Aq Runas_List? (\*(Aq:\*(Aq Runas_List)? \*(Aq)\*(Aq \& \& Tag_Spec ::= (\*(AqNOPASSWD:\*(Aq | \*(AqPASSWD:\*(Aq | \*(AqNOEXEC:\*(Aq | \*(AqEXEC:\*(Aq | -\& \*(AqSETENV:\*(Aq | \*(AqNOSETENV:\*(Aq ) +\& \*(AqSETENV:\*(Aq | \*(AqNOSETENV:\*(Aq | \*(AqTRANSCRIPT:\*(Aq | \*(AqNOTRANSCRIPT:\*(Aq) .Ve .PP A \fBuser specification\fR determines which commands a user may run @@ -487,8 +487,8 @@ only the group will be set, the command still runs as user \fBtcm\fR. .Sh "Tag_Spec" .IX Subsection "Tag_Spec" A command may have zero or more tags associated with it. There are -eight possible tag values, \f(CW\*(C`NOPASSWD\*(C'\fR, \f(CW\*(C`PASSWD\*(C'\fR, \f(CW\*(C`NOEXEC\*(C'\fR, \f(CW\*(C`EXEC\*(C'\fR, -\&\f(CW\*(C`SETENV\*(C'\fR and \f(CW\*(C`NOSETENV\*(C'\fR. +eight possible tag values, \f(CW\*(C`NOPASSWD\*(C'\fR, \f(CW\*(C`PASSWD\*(C'\fR, \f(CW\*(C`NOEXEC\*(C'\fR, +\&\f(CW\*(C`EXEC\*(C'\fR, \f(CW\*(C`SETENV\*(C'\fR, \f(CW\*(C`NOSETENV\*(C'\fR, \f(CW\*(C`TRANSCRIPT\*(C'\fR and \f(CW\*(C`NOTRANSCRIPT\*(C'\fR. Once a tag is set on a \f(CW\*(C`Cmnd\*(C'\fR, subsequent \f(CW\*(C`Cmnd\*(C'\fRs in the \&\f(CW\*(C`Cmnd_Spec_List\*(C'\fR, inherit the tag unless it is overridden by the opposite tag (i.e.: \f(CW\*(C`PASSWD\*(C'\fR overrides \f(CW\*(C`NOPASSWD\*(C'\fR and \f(CW\*(C`NOEXEC\*(C'\fR 
@@ -555,6 +555,13 @@ to the restrictions imposed by \fIenv_check\fR, \fIenv_delete\fR, or variables in this manner. If the command matched is \fB\s-1ALL\s0\fR, the \&\f(CW\*(C`SETENV\*(C'\fR tag is implied for that command; this default may be overridden by use of the \f(CW\*(C`UNSETENV\*(C'\fR tag. +.PP +\fI\s-1TRANSCRIPT\s0 and \s-1NOTRANSCRIPT\s0\fR +.IX Subsection "TRANSCRIPT and NOTRANSCRIPT" +.PP +These tags override the value of the \fItranscript\fR option on a +per-command basis. For more information, see the description of +\&\fItranscript\fR in the \*(L"\s-1SUDOERS\s0 \s-1OPTIONS\s0\*(R" section below. .Sh "Wildcards" .IX Subsection "Wildcards" \&\fBsudo\fR allows shell-style \fIwildcards\fR (aka meta or glob characters) @@ -742,6 +749,17 @@ and \f(CW\*(C`env_check\*(C'\fR lists are then added. The default contents of t run by root with the \fI\-V\fR option. If the \fIsecure_path\fR option is set, its value will be used for the \f(CW\*(C`PATH\*(C'\fR environment variable. This flag is \fIon\fR by default. +.IP "fast_glob" 16 +.IX Item "fast_glob" +Normally, \fBsudo\fR uses the \fIglob\fR\|(3) function to do shell-style +globbing when matching pathnames. However, since it accesses the +file system, \fIglob\fR\|(3) can take a long time to complete for some +patterns, especially when the pattern references a network file +system that is mounted on demand (automounted). The \fIfast_glob\fR +option causes \fBsudo\fR to use the \fIfnmatch\fR\|(3) function, which does +not access the file system to do its matching. The disadvantage +of \fIfast_glob\fR is that it is unable to match relative pathnames +such as \fI./ls\fR or \fI../bin/ls\fR. This flag is \fIoff\fR by default. .IP "fqdn" 16 .IX Item "fqdn" Set this flag if you want to put fully qualified hostnames in the 
@@ -909,17 +927,6 @@ If set and \fBsudo\fR is invoked with no arguments it acts as if the shell is determined by the \f(CW\*(C`SHELL\*(C'\fR environment variable if it is set, falling back on the shell listed in the invoking user's /etc/passwd entry if not). This flag is \fIoff\fR by default. -.IP "fast_glob" 16 -.IX Item "fast_glob" -Normally, \fBsudo\fR uses the \fIglob\fR\|(3) function to do shell-style -globbing when matching pathnames. However, since it accesses the -file system, \fIglob\fR\|(3) can take a long time to complete for some -patterns, especially when the pattern references a network file -system that is mounted on demand (automounted). The \fIfast_glob\fR -option causes \fBsudo\fR to use the \fIfnmatch\fR\|(3) function, which does -not access the file system to do its matching. The disadvantage -of \fIfast_glob\fR is that it is unable to match relative pathnames -such as \fI./ls\fR or \fI../bin/ls\fR. This flag is \fIoff\fR by default. .IP "stay_setuid" 16 .IX Item "stay_setuid" Normally, when \fBsudo\fR executes a command the real and effective 
@@ -937,6 +944,24 @@ the \fB\-u\fR option (defaults to \f(CW\*(C`root\*(C'\fR) instead of the passwor invoking user. Note that this precludes the use of a uid not listed in the passwd database as an argument to the \fB\-u\fR option. This flag is \fIoff\fR by default. +.IP "transcript" 16 +.IX Item "transcript" +If set, \fBsudo\fR will log a transcript of the command being run, +similar to the \fIscript\fR\|(1) command. In this mode \fBsudo\fR will allocate +a new \fIpseudo tty\fR and log all input and output for the command (except +when echo is turned off as when a password is entered). Transcripts +are logged to the \fI/var/log/sudo\-session\fR directory with a unique +transcript \s-1ID\s0 that is included in the normal \fBsudo\fR log line, +prefixed with \fITSID=\fR. +.Sp +Transcripts may be viewed with the \fIsudoreplay\fR\|(@mansectsu@) utility, which +can also be used to list or search the available transcripts. +.Sp +A side effect of this mode is that it will not be possible to suspend +the command being run (because it is running in a different tty +with its own job control). If a shell is being run, commands +executed by that shell will have normal job control but the shell +itself may not be suspended. .IP "tty_tickets" 16 .IX Item "tty_tickets" If set, users must authenticate on a per-tty basis. Normally, @@ -1216,7 +1241,7 @@ people running \fBsudo\fR to have a sane \f(CW\*(C`PATH\*(C'\fR environment vari want to use this. Another use is if you want to have the \*(L"root path\*(R" be separate from the \*(L"user path.\*(R" Users in the group specified by the \&\fIexempt_group\fR option are not affected by \fIsecure_path\fR. -This is not set by default. +This option is @secure_path@ by default. .IP "syslog" 12 .IX Item "syslog" Syslog facility if syslog is being used for logging (negate to 
@@ -1305,6 +1330,9 @@ Local groups file .IP "\fI/etc/netgroup\fR" 24 .IX Item "/etc/netgroup" List of network groups +.IP "\fI/var/log/sudo\-session\fR" 24 +.IX Item "/var/log/sudo-session" +Transcript logs .SH "EXAMPLES" .IX Header "EXAMPLES" Below are example \fIsudoers\fR entries. Admittedly, some of -- 2.40.0
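Review bot: in the Tag_Spec hunks (sudoers.cat @@ -285 and @@ -355, sudoers.man.in @@ -417 and @@ -487) the tag list now actually contains eight names, which fixes the old text that said "eight" while naming six, but the override sentence that follows still gives only "PASSWD overrides NOPASSWD and NOEXEC overrides EXEC"; add "and NOTRANSCRIPT overrides TRANSCRIPT" so the inheritance rule for the new pair is explicit. While touching this grammar, note that the SETENV text in the context just above the new TRANSCRIPT subsection (sudoers.cat @@ -422, sudoers.man.in @@ -555) says the default "may be overridden by use of the UNSETENV tag", whereas the grammar defines NOSETENV; the tag name in that sentence should be corrected in the same pass.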
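Review bot: the transcript option text (sudoers.cat @@ -869, sudoers.man.in @@ -937) states that all input and output is logged to /var/log/sudo-session but says nothing about the ownership and mode of that directory and of the transcript files, which is the first thing an administrator needs to know before enabling it, since the transcript records everything typed in the session apart from no-echo input. Add a sentence on who may read the directory and its files (and the FILES entry added in @@ -1241 / @@ -1305 could carry the same note), and say whether "log all input" means keystrokes are stored verbatim, so the sensitivity of the logs is clear from the page.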
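Review bot: the secure_path hunks replace "This is not set by default." with "This option is @secure_path@ by default." in both sudoers.man.in (@@ -1216) and sudoers.cat (@@ -1148); @secure_path@ is a configure-time substitution, but sudoers.cat is the preformatted page and the literal token now sits in it, so confirm the .cat file is also run through the substitution step or readers of the catted page will see "@secure_path@". Also check the sentence reads correctly for both kinds of expansion (a colon-separated path and a phrase such as "not set"); "The default value is @secure_path@." would be safer.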
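Review bot: the -S hunks (sudo.cat @@ -291, sudo.man.in @@ -442) add "The password must be followed by a newline character." but do not say what happens when the newline is missing, for example whether sudo blocks waiting for more input or treats the read as a failed authentication; the page should state the behaviour so scripts that feed the password on stdin can be written and debugged from the documentation alone.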
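Review bot: the .TH hunks (sudo.man.in @@ -153, sudoers.man.in @@ -153) and every footer hunk move the date to September 24, 2009 while the version string stays "1.7.2", yet the pages now document transcript, the TRANSCRIPT/NOTRANSCRIPT tags and /var/log/sudo-session, which a reader of a released 1.7.2 install will not find; either bump the version in the .TH line or mark those entries as new in the text so the page does not describe features its stated version lacks.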
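Review bot: the fast_glob hunks (sudoers.man.in @@ -742 and @@ -909, mirrored in sudoers.cat) are a pure relocation of an unchanged entry into alphabetical order between env_reset and fqdn, and the rest of the sudoers.cat diff is almost entirely page-break shuffling caused by the insertions; both are fine, but the subject "regen" undersells a change that edits the .man.in sources (new tags, new option, reordered entry, new default wording) rather than only regenerating output, and the pagination noise makes the real edits hard to find. A commit message listing the source changes, or committing the .man.in edits separately from the regenerated .cat files, would make this reviewable and bisectable.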