From d4f1aeb196aa5c9a45202a277842c1f9fcc3184b Mon Sep 17 00:00:00 2001 From: "Todd C. Miller" Date: Fri, 7 Aug 2015 17:01:15 -0600 Subject: [PATCH] Explicitly tell people not to grant sudoedit to directories the user can write to. While sudoedit will no longer open symbolic links, hard links are still an issue. --- doc/sudoers.cat | 11 +++++++++++ doc/sudoers.man.in | 19 +++++++++++++++++++ doc/sudoers.mdoc.in | 19 +++++++++++++++++++ 3 files changed, 49 insertions(+) diff --git a/doc/sudoers.cat b/doc/sudoers.cat index ae7c8a95b..fca92d331 100644 --- a/doc/sudoers.cat +++ b/doc/sudoers.cat @@ -2310,6 +2310,17 @@ SSEECCUURRIITTYY NNOOTTEESS of _/_e_t_c_/_m_o_t_d. After the file has been edited, _/_e_t_c_/_m_o_t_d will be updated with the contents of the temporary copy. + Users should never be granted ssuuddooeeddiitt permission to edit a file that + resides in a directory the user has write access to, either directly or + via a wildcard. If the user has write access to the directory it is + possible to replace the legitimate file with a link to another file, + allowing the editing of arbitrary files. Starting with version 1.8.15, + ssuuddooeeddiitt will refuse to open a symbolic link unless either the + _s_u_d_o_e_d_i_t___f_o_l_l_o_w Defaults option is enabled or the _s_u_d_o_e_d_i_t command is + prefixed with the FOLLOW tag. However, it is still possible to create a + hard link if the directory is writable and the link target resides on the + same file system. + TTiimmee ssttaammpp ffiillee cchheecckkss _s_u_d_o_e_r_s will check the ownership of its time stamp directory (_/_v_a_r_/_r_u_n_/_s_u_d_o_/_t_s by default) and ignore the directory's contents if it diff --git a/doc/sudoers.man.in b/doc/sudoers.man.in index 3ea41689f..aee2c3a3a 100644 --- a/doc/sudoers.man.in +++ b/doc/sudoers.man.in 
@@ -4724,6 +4724,25 @@ The editor will run as the operator user, not root, on a temporary copy of After the file has been edited, \fI/etc/motd\fR will be updated with the contents of the temporary copy. +.PP +Users should never be granted +\fBsudoedit\fR +permission to edit a file that resides in a directory the user +has write access to, either directly or via a wildcard. +If the user has write access to the directory it is possible to +replace the legitimate file with a link to another file, +allowing the editing of arbitrary files. +Starting with version 1.8.15, +\fBsudoedit\fR +will refuse to open a symbolic link unless either the +\fIsudoedit_follow\fR +Defaults option is enabled or the +\fIsudoedit\fR +command is prefixed with the +\fRFOLLOW\fR +tag. +However, it is still possible to create a hard link if the directory +is writable and the link target resides on the same file system. .SS "Time stamp file checks" \fIsudoers\fR will check the ownership of its time stamp directory diff --git a/doc/sudoers.mdoc.in b/doc/sudoers.mdoc.in index e704dd328..ca1ae1963 100644 --- a/doc/sudoers.mdoc.in +++ b/doc/sudoers.mdoc.in 
@@ -4356,6 +4356,25 @@ The editor will run as the operator user, not root, on a temporary copy of After the file has been edited, .Pa /etc/motd will be updated with the contents of the temporary copy. +.Pp +Users should never be granted +.Nm sudoedit +permission to edit a file that resides in a directory the user +has write access to, either directly or via a wildcard. +If the user has write access to the directory it is possible to +replace the legitimate file with a link to another file, +allowing the editing of arbitrary files. +Starting with version 1.8.15, +.Nm sudoedit +will refuse to open a symbolic link unless either the +.Em sudoedit_follow +Defaults option is enabled or the +.Em sudoedit +command is prefixed with the +.Li FOLLOW +tag. +However, it is still possible to create a hard link if the directory +is writable and the link target resides on the same file system. .Ss Time stamp file checks .Em sudoers will check the ownership of its time stamp directory -- 2.40.0
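Review bot: In the sudoers.man.in hunk the tag is marked up as `\fRFOLLOW\fR`, which just selects the roman font and renders as plain text, while the same word is `.Li FOLLOW` in the mdoc hunk and the neighbouring keywords (`\fIsudoedit_follow\fR`, `\fIsudoedit\fR`) are italicised; please confirm this matches how other Cmnd_Spec tags are marked up elsewhere in sudoers.man.in, or use the same font escape as those so the man, mdoc and cat renderings stay consistent.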
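Review bot: The mdoc hunk refers to the command as `.Nm sudoedit` in its first two mentions but as `.Em sudoedit` in "the sudoedit command is prefixed with the FOLLOW tag", and the man.in hunk mirrors this with `\fBsudoedit\fR` versus `\fIsudoedit\fR`. If the italic form is meant to denote the `sudoedit` pseudo-command as it appears in a Cmnd_Spec rather than the program itself, that distinction is not obvious to the reader; otherwise the three mentions should use the same macro.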
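Review bot: All three hunks state that `sudoedit_follow` and the `FOLLOW` tag disable the symbolic-link refusal introduced in 1.8.15, but the paragraph does not say what that means for the configuration it warns about. A closing sentence along the lines of "For the same reason, the sudoedit_follow option should not be enabled, and the FOLLOW tag should not be used, for files in directories the user can write to" would make the mitigation explicit rather than leaving the reader to infer it; the hard-link sentence that follows already makes clear that the symlink check alone is not sufficient.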