From e41a38e38c8e1cd57512e13d2bb2d1d86211acdc Mon Sep 17 00:00:00 2001 From: "Todd C. Miller" Date: Fri, 6 Aug 2004 01:16:29 +0000 Subject: [PATCH] regen --- sudo.cat | 42 ++--- sudo.man.in | 6 +- sudoers.cat | 442 ++++++++++++++++++++++++++++--------------------- sudoers.man.in | 65 ++++++-- 4 files changed, 327 insertions(+), 228 deletions(-) diff --git a/sudo.cat b/sudo.cat index 79667a74a..94033ff03 100644 --- a/sudo.cat +++ b/sudo.cat @@ -61,7 +61,7 @@ DDEESSCCRRIIPPTTIIOONN -1.6.8 June 10, 2004 1 +1.6.8 August 5, 2004 1 @@ -80,9 +80,9 @@ OOPPTTIIOONNSS -H The --HH (_H_O_M_E) option sets the HOME environment vari­ able to the homedir of the target user (root by - default) as specified in passwd(4). By default, ssuuddoo + default) as specified in passwd(5). By default, ssuuddoo does not modify HOME (see _s_e_t___h_o_m_e and _a_l_w_a_y_s___s_e_t___h_o_m_e - in sudoers(4)). + in sudoers(5)). -K The --KK (sure _k_i_l_l) option is like --kk except that it removes the user's timestamp entirely. Like --kk, this @@ -127,7 +127,7 @@ OOPPTTIIOONNSS -1.6.8 June 10, 2004 2 +1.6.8 August 5, 2004 2 @@ -182,7 +182,7 @@ SUDO(1m) MAINTENANCE COMMANDS SUDO(1m) sage and exit. -i The --ii (_s_i_m_u_l_a_t_e _i_n_i_t_i_a_l _l_o_g_i_n) option runs the shell - specified in the passwd(4) entry of the user that the + specified in the passwd(5) entry of the user that the command is being run as. The command name argument given to the shell begins with a - to tell the shell to run as a login shell. ssuuddoo attempts to change to @@ -193,7 +193,7 @@ SUDO(1m) MAINTENANCE COMMANDS SUDO(1m) -1.6.8 June 10, 2004 3 +1.6.8 August 5, 2004 3 
@@ -240,7 +240,7 @@ SUDO(1m) MAINTENANCE COMMANDS SUDO(1m) -s The --ss (_s_h_e_l_l) option runs the shell specified by the _S_H_E_L_L environment variable if it is set or the shell - as specified in passwd(4). + as specified in passwd(5). -u The --uu (_u_s_e_r) option causes ssuuddoo to run the specified command as a user other than _r_o_o_t. To specify a _u_i_d @@ -259,7 +259,7 @@ SUDO(1m) MAINTENANCE COMMANDS SUDO(1m) -1.6.8 June 10, 2004 4 +1.6.8 August 5, 2004 4 @@ -325,7 +325,7 @@ SSEECCUURRIITTYY NNOOTTEESS -1.6.8 June 10, 2004 5 +1.6.8 August 5, 2004 5 @@ -367,7 +367,7 @@ SUDO(1m) MAINTENANCE COMMANDS SUDO(1m) user an effective root shell. EEXXAAMMPPLLEESS - Note: the following examples assume suitable sudoers(4) + Note: the following examples assume suitable sudoers(5) entries. To get a file listing of an unreadable directory: @@ -391,7 +391,7 @@ EEXXAAMMPPLLEESS -1.6.8 June 10, 2004 6 +1.6.8 August 5, 2004 6 @@ -416,7 +416,8 @@ EENNVVIIRROONNMMEENNTT the --enable-shell-sets-home option), set to homedir of the target user - PATH Set to a sane value if SECURE_PATH is set + PATH Set to a sane value if sudo was configured with + the --with-secure-path option SHELL Used to determine shell to run with -s option @@ -452,12 +453,11 @@ AAUUTTHHOORRSS http://www.sudo.ws/sudo/history.html for a short history of ssuuddoo. -BBUUGGSS - If you feel you have found a bug in sudo, please submit a -1.6.8 June 10, 2004 7 + +1.6.8 August 5, 2004 7 @@ -466,6 +466,8 @@ BBUUGGSS SUDO(1m) MAINTENANCE COMMANDS SUDO(1m) +BBUUGGSS + If you feel you have found a bug in sudo, please submit a bug report at http://www.sudo.ws/sudo/bugs/ DDIISSCCLLAAIIMMEERR 
@@ -482,7 +484,7 @@ CCAAVVEEAATTSS user to run commands via shell escapes, thus avoiding ssuuddoo's checks. However, on most systems it is possible to prevent shell escapes with ssuuddoo's _n_o_e_x_e_c functionality. - See the sudoers(4) manual for details. + See the sudoers(5) manual for details. It is not meaningful to run the cd command directly via sudo, e.g. @@ -504,10 +506,8 @@ CCAAVVEEAATTSS setuid shell scripts are generally safe). SSEEEE AALLSSOO - _g_r_e_p(1), _s_u(1), _s_t_a_t(2), _l_o_g_i_n___c_a_p(3), sudoers(4), - passwd(4), visudo(1m) - - + _g_r_e_p(1), _s_u(1), _s_t_a_t(2), _l_o_g_i_n___c_a_p(3), sudoers(5), + passwd(5), visudo(1m) @@ -523,6 +523,6 @@ SSEEEE AALLSSOO -1.6.8 June 10, 2004 8 +1.6.8 August 5, 2004 8 diff --git a/sudo.man.in b/sudo.man.in index 5c20573c4..1e3801d1a 100644 --- a/sudo.man.in +++ b/sudo.man.in @@ -149,7 +149,7 @@ .\" ======================================================================== .\" .IX Title "SUDO @mansectsu@" -.TH SUDO @mansectsu@ "July 30, 2004" "1.6.8" "MAINTENANCE COMMANDS" +.TH SUDO @mansectsu@ "August 5, 2004" "1.6.8" "MAINTENANCE COMMANDS" .SH "NAME" sudo, sudoedit \- execute a command as another user .SH "SYNOPSIS" @@ -510,8 +510,8 @@ to make the \f(CW\*(C`cd\*(C'\fR and file redirection work. .Ve .PP .Vb 2 -\& PATH Set to a sane value if SECURE_PATH has been -\& defined at configure time +\& PATH Set to a sane value if sudo was configured with +\& the --with-secure-path option .Ve .PP .Vb 1 diff --git a/sudoers.cat b/sudoers.cat index f348a865b..bd2d03059 100644 --- a/sudoers.cat +++ b/sudoers.cat @@ -1,7 +1,7 @@ -SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4) +SUDOERS(5) MAINTENANCE COMMANDS SUDOERS(5) NNAAMMEE 
@@ -10,10 +10,17 @@ NNAAMMEE DDEESSCCRRIIPPTTIIOONN The _s_u_d_o_e_r_s file is composed of two types of entries: aliases (basically variables) and user specifications - (which specify who may run what). The grammar of _s_u_d_o_e_r_s - will be described below in Extended Backus-Naur Form - (EBNF). Don't despair if you don't know what EBNF is; it - is fairly simple, and the definitions below are annotated. + (which specify who may run what). + + When multiple entries match for a user, they are applied + in order. Where there are conflicting values, the last + match is used (which is not necessarily the most specific + match). + + The _s_u_d_o_e_r_s grammar will be described below in Extended + Backus-Naur Form (EBNF). Don't despair if you don't know + what EBNF is; it is fairly simple, and the definitions + below are annotated. QQuuiicckk gguuiiddee ttoo EEBBNNFF @@ -49,26 +56,28 @@ DDEESSCCRRIIPPTTIIOONN There are four kinds of aliases: User_Alias, Runas_Alias, Host_Alias and Cmnd_Alias. - Alias ::= 'User_Alias' User_Alias (':' User_Alias)* | - 'Runas_Alias' Runas_Alias (':' Runas_Alias)* | - 'Host_Alias' Host_Alias (':' Host_Alias)* | - 'Cmnd_Alias' Cmnd_Alias (':' Cmnd_Alias)* - User_Alias ::= NAME '=' User_List - Runas_Alias ::= NAME '=' Runas_List +1.6.8 August 5, 2004 1 + -1.6.8 June 8, 2004 1 +SUDOERS(5) MAINTENANCE COMMANDS SUDOERS(5) -SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4) + Alias ::= 'User_Alias' User_Alias (':' User_Alias)* | + 'Runas_Alias' Runas_Alias (':' Runas_Alias)* | + 'Host_Alias' Host_Alias (':' Host_Alias)* | + 'Cmnd_Alias' Cmnd_Alias (':' Cmnd_Alias)* + User_Alias ::= NAME '=' User_List + + Runas_Alias ::= NAME '=' Runas_List Host_Alias ::= NAME '=' Host_List 
@@ -116,25 +125,25 @@ SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4) '!'* +netgroup | '!'* Runas_Alias - A Runas_List is similar to a User_List except that it can - also contain uids (prefixed with '#') and instead of - User_Aliases it can contain Runas_Aliases. Note that - usernames and groups are matched as strings. In other - words, two users (groups) with the same uid (gid) are con­ - sidered to be distinct. If you wish to match all user­ - names with the same uid (e.g. root and toor), you can use - a uid instead (#0 in the example given). +1.6.8 August 5, 2004 2 -1.6.8 June 8, 2004 2 +SUDOERS(5) MAINTENANCE COMMANDS SUDOERS(5) -SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4) + A Runas_List is similar to a User_List except that it can + also contain uids (prefixed with '#') and instead of + User_Aliases it can contain Runas_Aliases. Note that + usernames and groups are matched as strings. In other + words, two users (groups) with the same uid (gid) are con­ + sidered to be distinct. If you wish to match all user­ + names with the same uid (e.g. root and toor), you can use + a uid instead (#0 in the example given). Host_List ::= Host | Host ',' Host_List 
@@ -181,31 +190,31 @@ SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4) specify "" to indicate that the command may only be run wwiitthhoouutt command line arguments. A directory is a fully qualified pathname ending in a '/'. When you specify a - directory in a Cmnd_List, the user will be able to run any - file within that directory (but not in any subdirectories - therein). - If a Cmnd has associated command line arguments, then the - arguments in the Cmnd must match exactly those given by - the user on the command line (or match the wildcards if - there are any). Note that the following characters must - be escaped with a '\' if they are used in command +1.6.8 August 5, 2004 3 -1.6.8 June 8, 2004 3 +SUDOERS(5) MAINTENANCE COMMANDS SUDOERS(5) -SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4) + directory in a Cmnd_List, the user will be able to run any + file within that directory (but not in any subdirectories + therein). - arguments: ',', ':', '=', '\'. The special command - "sudoedit" is used to permit a user to run ssuuddoo with the - --ee flag (or as ssuuddooeeddiitt). It may take command line argu­ - ments just as a normal command does. + If a Cmnd has associated command line arguments, then the + arguments in the Cmnd must match exactly those given by + the user on the command line (or match the wildcards if + there are any). Note that the following characters must + be escaped with a '\' if they are used in command argu­ + ments: ',', ':', '=', '\'. The special command "sudoedit" + is used to permit a user to run ssuuddoo with the --ee flag (or + as ssuuddooeeddiitt). It may take command line arguments just as + a normal command does. DDeeffaauullttss 
@@ -213,9 +222,7 @@ SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4) default values at runtime via one or more Default_Entry lines. These may affect all users on any host, all users on a specific host, a specific user, or commands being run - as a specific user. When multiple entries match, they are - applied in order. Where there are conflicting values, the - last value on a matching line takes effect. + as a specific user. Default_Type ::= 'Defaults' | 'Defaults' '@' Host | @@ -245,29 +252,24 @@ SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4) respectively. It is not an error to use the -= operator to remove an element that does not exist in a list. - Note that since the _s_u_d_o_e_r_s file is parsed in order the - best place to put the Defaults section is after the - Host_Alias, User_Alias, and Cmnd_Alias specifications but - before any Runas_Alias or user specifications. - FFllaaggss: long_otp_prompt When validating with a One Time Password - scheme (SS//KKeeyy or OOPPIIEE), a two-line prompt is - used to make it easier to cut and paste the -1.6.8 June 8, 2004 4 +1.6.8 August 5, 2004 4 -SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4) +SUDOERS(5) MAINTENANCE COMMANDS SUDOERS(5) + scheme (SS//KKeeyy or OOPPIIEE), a two-line prompt is + used to make it easier to cut and paste the challenge to a local window. It's not as pretty as the default but some people find it more convenient. This flag is _o_f_f by default. 
@@ -320,20 +322,21 @@ SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4) If set, users must authenticate themselves via a password (or other means of authentication) before they may run commands. This default - may be overridden via the PASSWD and NOPASSWD - tags. This flag is _o_n by default. -1.6.8 June 8, 2004 5 +1.6.8 August 5, 2004 5 -SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4) +SUDOERS(5) MAINTENANCE COMMANDS SUDOERS(5) + may be overridden via the PASSWD and NOPASSWD + tags. This flag is _o_n by default. + root_sudo If set, root is allowed to run ssuuddoo too. Dis­ abling this prevents users from "chaining" ssuuddoo commands to get a root shell by doing @@ -385,20 +388,19 @@ SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4) tage is that if the executable is simply not in the user's PATH, ssuuddoo will tell the user that they are not allowed to run it, which can - be confusing. This flag is _o_f_f by default. +1.6.8 August 5, 2004 6 -1.6.8 June 8, 2004 6 +SUDOERS(5) MAINTENANCE COMMANDS SUDOERS(5) -SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4) - + be confusing. This flag is _o_f_f by default. preserve_groups By default ssuuddoo will initialize the group vec­ @@ -452,20 +454,20 @@ SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4) specified in editor. This flag is off by default. - rootpw If set, ssuuddoo will prompt for the root password - instead of the password of the invoking user. -1.6.8 June 8, 2004 7 +1.6.8 August 5, 2004 7 -SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4) +SUDOERS(5) MAINTENANCE COMMANDS SUDOERS(5) + rootpw If set, ssuuddoo will prompt for the root password + instead of the password of the invoking user. This flag is _o_f_f by default. runaspw If set, ssuuddoo will prompt for the password of 
@@ -517,21 +519,22 @@ SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4) variables may be preserved with the _e_n_v___k_e_e_p option. - use_loginclass - If set, ssuuddoo will apply the defaults specified - for the target user's login class if one -1.6.8 June 8, 2004 8 + +1.6.8 August 5, 2004 8 -SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4) +SUDOERS(5) MAINTENANCE COMMANDS SUDOERS(5) + use_loginclass + If set, ssuuddoo will apply the defaults specified + for the target user's login class if one exists. Only available if ssuuddoo is configured with the --with-logincap option. This flag is _o_f_f by default. @@ -543,6 +546,21 @@ SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4) VENTING SHELL ESCAPES" section at the end of this manual. This flag is _o_f_f by default. + ignore_local_sudoers + If set via LDAP, parsing of @sysconfdir@/sudo­ + ers will be skipped. This is intended for an + Enterprises that wish to prevent the usage of + local sudoers files so that only LDAP is used. + This thwarts the efforts of rogue operators + who would attempt to add roles to + @sysconfdir@/sudoers. When this option is + present, @sysconfdir@/sudoers does not even + need to exist. Since this options tells sudo + how to behave when no specific LDAP entries + have been matched, this sudoOption is only + meaningful for the cn=defaults section. This + flag is _o_f_f by default. + IInntteeggeerrss: passwd_tries @@ -569,6 +587,17 @@ SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4) their own timestamps via sudo -v and sudo -k respectively. + + +1.6.8 August 5, 2004 9 + + + + + +SUDOERS(5) MAINTENANCE COMMANDS SUDOERS(5) + + passwd_timeout Number of minutes before the ssuuddoo password prompt times out. The default is 5, set this 
@@ -585,19 +614,6 @@ SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4) the machine. Default is *** SECURITY informa­ tion for %h ***. - - - - -1.6.8 June 8, 2004 9 - - - - - -SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4) - - badpass_message Message that is displayed if a user enters an incorrect password. The default is Sorry, try @@ -637,6 +653,17 @@ SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4) The default value is Password:. + + +1.6.8 August 5, 2004 10 + + + + + +SUDOERS(5) MAINTENANCE COMMANDS SUDOERS(5) + + runas_default The default user to run commands as if the --uu flag is not specified on the command line. @@ -652,18 +679,6 @@ SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4) Syslog priority to use when user authenticates unsuccessfully. Defaults to alert. - - - -1.6.8 June 8, 2004 10 - - - - - -SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4) - - editor A colon (':') separated list of editors allowed to be used with vviissuuddoo. vviissuuddoo will choose the editor that matches the user's USER @@ -704,6 +719,17 @@ SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4) file). Setting a path turns on logging to a file; negating this option turns it off. + + +1.6.8 August 5, 2004 11 + + + + + +SUDOERS(5) MAINTENANCE COMMANDS SUDOERS(5) + + syslog Syslog facility if syslog is being used for logging (negate to disable syslog logging). Defaults to local2. @@ -717,20 +743,8 @@ SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4) mailto Address to send warning and error mail to. The address should be enclosed in double - quotes (") to protect against sudo - - - -1.6.8 June 8, 2004 11 - - - - - -SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4) - - - interpreting the @ sign. Defaults to root. + quotes (") to protect against sudo interpret­ + ing the @ sign. Defaults to root. exempt_group Users in this group are exempt from password 
@@ -771,31 +785,30 @@ SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4) the NOPASSWD flag set to avoid enter­ ing a password. - never The user need never enter a password - to use the --ll flag. - always The user must always enter a password - to use the --ll flag. - The default value is `any'. +1.6.8 August 5, 2004 12 - LLiissttss tthhaatt ccaann bbee uusseedd iinn aa bboooolleeaann ccoonntteexxtt: - - env_check Environment variables to be removed from the - user's environment if the variable's value - contains % or / characters. This can be used -1.6.8 June 8, 2004 12 +SUDOERS(5) MAINTENANCE COMMANDS SUDOERS(5) + never The user need never enter a password + to use the --ll flag. + always The user must always enter a password + to use the --ll flag. -SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4) + The default value is `any'. + LLiissttss tthhaatt ccaann bbee uusseedd iinn aa bboooolleeaann ccoonntteexxtt: + env_check Environment variables to be removed from the + user's environment if the variable's value + contains % or / characters. This can be used to guard against printf-style format vulnera­ bilities in poorly-written programs. The argument may be a double-quoted, space-sepa­ 
@@ -837,30 +850,30 @@ SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4) Parameter): aauutthhpprriivv (if your OS supports it), aauutthh, ddaaee­­ mmoonn, uusseerr, llooccaall00, llooccaall11, llooccaall22, llooccaall33, llooccaall44, llooccaall55, llooccaall66, and llooccaall77. The following syslog priorities are - supported: aalleerrtt, ccrriitt, ddeebbuugg, eemmeerrgg, eerrrr, iinnffoo, nnoottiiccee, - and wwaarrnniinngg. - UUsseerr SSppeecciiffiiccaattiioonn - User_Spec ::= User_List Host_List '=' Cmnd_Spec_List \ - (':' Host_List '=' Cmnd_Spec_List)* - Cmnd_Spec_List ::= Cmnd_Spec | - Cmnd_Spec ',' Cmnd_Spec_List +1.6.8 August 5, 2004 13 - Cmnd_Spec ::= Runas_Spec? Tag_Spec* Cmnd -1.6.8 June 8, 2004 13 +SUDOERS(5) MAINTENANCE COMMANDS SUDOERS(5) + supported: aalleerrtt, ccrriitt, ddeebbuugg, eemmeerrgg, eerrrr, iinnffoo, nnoottiiccee, + and wwaarrnniinngg. + UUsseerr SSppeecciiffiiccaattiioonn + User_Spec ::= User_List Host_List '=' Cmnd_Spec_List \ + (':' Host_List '=' Cmnd_Spec_List)* -SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4) + Cmnd_Spec_List ::= Cmnd_Spec | + Cmnd_Spec ',' Cmnd_Spec_List + Cmnd_Spec ::= Runas_Spec? Tag_Spec* Cmnd Runas_Spec ::= '(' Runas_List ')' @@ -903,6 +916,18 @@ SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4) There are four possible tag values, NOPASSWD, PASSWD, NOEXEC, EXEC. Once a tag is set on a Cmnd, subsequent Cmnds in the Cmnd_Spec_List, inherit the tag unless it is + + + +1.6.8 August 5, 2004 14 + + + + + +SUDOERS(5) MAINTENANCE COMMANDS SUDOERS(5) + + overridden by the opposite tag (ie: PASSWD overrides NOPASSWD and EXEC overrides NOEXEC). 
@@ -917,17 +942,6 @@ SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4) ray rushmore = NOPASSWD: /bin/kill, /bin/ls, /usr/bin/lprm - - -1.6.8 June 8, 2004 14 - - - - - -SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4) - - would allow the user rraayy to run _/_b_i_n_/_k_i_l_l, _/_b_i_n_/_l_s, and _/_u_s_r_/_b_i_n_/_l_p_r_m as root on the machine rushmore as rroooott without authenticating himself. If we only want rraayy to be @@ -968,6 +982,18 @@ SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4) ssuuddoo allows shell-style _w_i_l_d_c_a_r_d_s (aka meta or glob char­ acters) to be used in pathnames as well as command line arguments in the _s_u_d_o_e_r_s file. Wildcard matching is done + + + +1.6.8 August 5, 2004 15 + + + + + +SUDOERS(5) MAINTENANCE COMMANDS SUDOERS(5) + + via the PPOOSSIIXX _f_n_m_a_t_c_h(3) routine. Note that these are _n_o_t regular expressions. 
@@ -983,33 +1009,59 @@ SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4) used to escape special characters such as: "*", "?", "[", and "}". + Note that a forward slash ('/') will nnoott be matched by + wildcards used in the pathname. When matching the command + line arguments, however, a slash ddooeess get matched by wild­ + cards. This is to make a path like: + /usr/bin/* -1.6.8 June 8, 2004 15 - - + match _/_u_s_r_/_b_i_n_/_w_h_o but not _/_u_s_r_/_b_i_n_/_X_1_1_/_x_t_e_r_m. + WARNING: a pathname with wildcards will nnoott match a user + command that consists of a relative path. In other words, + given the following _s_u_d_o_e_r_s entry: + billy workstation = /usr/bin/* -SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4) + user billy will be able to run any command in /usr/bin as + root, such as _/_u_s_r_/_b_i_n_/_w. The following two command will + be allowed (the first assumes that _/_u_s_r_/_b_i_n is in the + user's path): + $ sudo w + $ sudo /usr/bin/w - Note that a forward slash ('/') will nnoott be matched by - wildcards used in the pathname. When matching the command - line arguments, however, a slash ddooeess get matched by wild­ - cards. This is to make a path like: + However, this will not: - /usr/bin/* + $ cd /usr/bin + $ sudo ./w - match _/_u_s_r_/_b_i_n_/_w_h_o but not _/_u_s_r_/_b_i_n_/_X_1_1_/_x_t_e_r_m. + For this reason you should only ggrraanntt access to commands + using wildcards and never rreessttrriicctt access using them. + This limitation will be removed in a future version of + ssuuddoo. EExxcceeppttiioonnss ttoo wwiillddccaarrdd rruulleess The following exceptions apply to the above rules: "" If the empty string "" is the only command line - argument in the _s_u_d_o_e_r_s entry it means that com­ - mand is not allowed to be run with aannyy arguments. + argument in the _s_u_d_o_e_r_s entry it means that + + + +1.6.8 August 5, 2004 16 + + + + + +SUDOERS(5) MAINTENANCE COMMANDS SUDOERS(5) + + + command is not allowed to be run with aannyy argu­ + ments. 
OOtthheerr ssppeecciiaall cchhaarraacctteerrss aanndd rreesseerrvveedd wwoorrddss @@ -1047,25 +1099,32 @@ SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4) hostname): '@', '!', '=', ':', ',', '(', ')', '\'. EEXXAAMMPPLLEESS - Below are example _s_u_d_o_e_r_s entries. Admittedly, some of + Since the _s_u_d_o_e_r_s file is parsed in a single pass, order + is important. In general, you should structure _s_u_d_o_e_r_s + such that the Host_Alias, User_Alias, and Cmnd_Alias spec­ + ifications come first, followed by any Default_Entry + lines, and finally the Runas_Alias and user specifica­ + tions. The basic rule of thumb is you cannot reference an + Alias that has not already been defined. + Below are example _s_u_d_o_e_r_s entries. Admittedly, some of + these are a bit contrived. First, we define our _a_l_i_a_s_e_s: + # User alias specification + User_Alias FULLTIMERS = millert, mikef, dowdy + User_Alias PARTTIMERS = bostley, jwfox, crawl + User_Alias WEBMASTERS = will, wendy, wim -1.6.8 June 8, 2004 16 +1.6.8 August 5, 2004 17 -SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4) - these are a bit contrived. First, we define our _a_l_i_a_s_e_s: +SUDOERS(5) MAINTENANCE COMMANDS SUDOERS(5) - # User alias specification - User_Alias FULLTIMERS = millert, mikef, dowdy - User_Alias PARTTIMERS = bostley, jwfox, crawl - User_Alias WEBMASTERS = will, wendy, wim # Runas alias specification Runas_Alias OP = root, operator @@ -1098,7 +1157,7 @@ SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4) We want ssuuddoo to log via _s_y_s_l_o_g(3) using the _a_u_t_h facility in all cases. We don't want to subject the full time staff to the ssuuddoo lecture, user mmiilllleerrtt need not give a - password, and we don't want to set the LOGNAME or USER + password, and we don't want to reset the LOGNAME or USER environment variables when running commands as root. Additionally, on the machines in the _S_E_R_V_E_R_S Host_Alias, we keep an additional local log file and make sure we log 
@@ -1115,22 +1174,23 @@ SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4) The _U_s_e_r _s_p_e_c_i_f_i_c_a_t_i_o_n is the part that actually deter­ mines who may run what. + root ALL = (ALL) ALL + %wheel ALL = (ALL) ALL + We let rroooott and any user in group wwhheeeell run any command on + any host as any user. -1.6.8 June 8, 2004 17 +1.6.8 August 5, 2004 18 -SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4) - root ALL = (ALL) ALL - %wheel ALL = (ALL) ALL - We let rroooott and any user in group wwhheeeell run any command on - any host as any user. +SUDOERS(5) MAINTENANCE COMMANDS SUDOERS(5) + FULLTIMERS ALL = NOPASSWD: ALL @@ -1180,24 +1240,24 @@ SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4) The user bboobb may run anything on the _S_P_A_R_C and _S_G_I machines as any user listed in the _O_P Runas_Alias (rroooott + and ooppeerraattoorr). + jim +biglab = ALL + The user jjiimm may run any command on machines in the _b_i_g_l_a_b + netgroup. SSuuddoo knows that "biglab" is a netgroup due to -1.6.8 June 8, 2004 18 +1.6.8 August 5, 2004 19 -SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4) - and ooppeerraattoorr). +SUDOERS(5) MAINTENANCE COMMANDS SUDOERS(5) - jim +biglab = ALL - The user jjiimm may run any command on machines in the _b_i_g_l_a_b - netgroup. SSuuddoo knows that "biglab" is a netgroup due to the '+' prefix. +secretaries ALL = PRINTING, /usr/bin/adduser, /usr/bin/rmuser 
@@ -1247,22 +1307,22 @@ SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4) ALL CDROM = NOPASSWD: /sbin/umount /CDROM,\ /sbin/mount -o nosuid\,nodev /dev/cd0a /CDROM + Any user may mount or unmount a CD-ROM on the machines in + the CDROM Host_Alias (orion, perseus, hercules) without + entering a password. This is a bit tedious for users to + type, so it is a prime candidate for encapsulating in a + shell script. -1.6.8 June 8, 2004 19 +1.6.8 August 5, 2004 20 -SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4) +SUDOERS(5) MAINTENANCE COMMANDS SUDOERS(5) - Any user may mount or unmount a CD-ROM on the machines in - the CDROM Host_Alias (orion, perseus, hercules) without - entering a password. This is a bit tedious for users to - type, so it is a prime candidate for encapsulating in a - shell script. SSEECCUURRIITTYY NNOOTTEESS It is generally not effective to "subtract" commands from 
@@ -1312,25 +1372,25 @@ PPRREEVVEENNTTIINNGG SSHHEELLLL EESSCCAAPPEESS return an error. Unfortunately, there is no foolproof way to know whether or not _n_o_e_x_e_c will work at compile-time. _N_o_e_x_e_c should work on SunOS, Solaris, *BSD, Linux, IRIX, + Tru64 UNIX, MacOS X, and HP-UX 11.x. It is known nnoott to + work on AIX and UnixWare. _N_o_e_x_e_c is expected to work on + most operating systems that support the LD_PRELOAD envi­ + ronment variable. Check your operating system's manual + pages for the dynamic linker (usually ld.so, ld.so.1, + dyld, dld.sl, rld, or loader) to see if LD_PRELOAD is -1.6.8 June 8, 2004 20 +1.6.8 August 5, 2004 21 -SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4) +SUDOERS(5) MAINTENANCE COMMANDS SUDOERS(5) - Tru64 UNIX, MacOS X, and HP-UX 11.x. It is known nnoott to - work on AIX and UnixWare. _N_o_e_x_e_c is expected to work on - most operating systems that support the LD_PRELOAD envi­ - ronment variable. Check your operating system's manual - pages for the dynamic linker (usually ld.so, ld.so.1, - dyld, dld.sl, rld, or loader) to see if LD_PRELOAD is sup­ - ported. + supported. To enable _n_o_e_x_e_c for a command, use the NOEXEC tag as doc­ umented in the User Specification section above. Here is @@ -1381,6 +1441,12 @@ SSEEEE AALLSSOO -1.6.8 June 8, 2004 21 + + + + + + +1.6.8 August 5, 2004 22 diff --git a/sudoers.man.in b/sudoers.man.in index afa59f40a..cc81d66c5 100644 --- a/sudoers.man.in +++ b/sudoers.man.in 
@@ -149,17 +149,22 @@ .\" ======================================================================== .\" .IX Title "SUDOERS @mansectform@" -.TH SUDOERS @mansectform@ "July 30, 2004" "1.6.8" "MAINTENANCE COMMANDS" +.TH SUDOERS @mansectform@ "August 5, 2004" "1.6.8" "MAINTENANCE COMMANDS" .SH "NAME" sudoers \- list of which users may execute what .SH "DESCRIPTION" .IX Header "DESCRIPTION" -The \fIsudoers\fR file is composed of two types of entries: -aliases (basically variables) and user specifications -(which specify who may run what). The grammar of \fIsudoers\fR -will be described below in Extended Backus-Naur Form (\s-1EBNF\s0). -Don't despair if you don't know what \s-1EBNF\s0 is; it is fairly -simple, and the definitions below are annotated. +The \fIsudoers\fR file is composed of two types of entries: aliases +(basically variables) and user specifications (which specify who +may run what). +.PP +When multiple entries match for a user, they are applied in order. +Where there are conflicting values, the last match is used (which +is not necessarily the most specific match). +.PP +The \fIsudoers\fR grammar will be described below in Extended Backus-Naur +Form (\s-1EBNF\s0). Don't despair if you don't know what \s-1EBNF\s0 is; it is +fairly simple, and the definitions below are annotated. .Sh "Quick guide to \s-1EBNF\s0" .IX Subsection "Quick guide to EBNF" \&\s-1EBNF\s0 is a concise and exact way of describing the grammar of a language. 
@@ -349,9 +354,7 @@ a normal command does. Certain configuration options may be changed from their default values at runtime via one or more \f(CW\*(C`Default_Entry\*(C'\fR lines. These may affect all users on any host, all users on a specific host, a -specific user, or commands being run as a specific user. When -multiple entries match, they are applied in order. Where there are -conflicting values, the last value on a matching line takes effect. +specific user, or commands being run as a specific user. .PP .Vb 4 \& Default_Type ::= 'Defaults' | @@ -388,11 +391,6 @@ These operators are used to add to and delete from a list respectively. It is not an error to use the \f(CW\*(C`\-=\*(C'\fR operator to remove an element that does not exist in a list. .PP -Note that since the \fIsudoers\fR file is parsed in order the best place -to put the Defaults section is after the \f(CW\*(C`Host_Alias\*(C'\fR, \f(CW\*(C`User_Alias\*(C'\fR, -and \f(CW\*(C`Cmnd_Alias\*(C'\fR specifications but before any \f(CW\*(C`Runas_Alias\*(C'\fR or user -specifications. -.PP \&\fBFlags\fR: .IP "long_otp_prompt" 12 .IX Item "long_otp_prompt" 
@@ -1000,6 +998,34 @@ wildcards. This is to make a path like: .Ve .PP match \fI/usr/bin/who\fR but not \fI/usr/bin/X11/xterm\fR. +.PP +\&\s-1WARNING:\s0 a pathname with wildcards will \fBnot\fR match a user command +that consists of a relative path. In other words, given the +following \fIsudoers\fR entry: +.PP +.Vb 1 +\& billy workstation = /usr/bin/* +.Ve +.PP +user billy will be able to run any command in /usr/bin as root, such +as \fI/usr/bin/w\fR. The following two command will be allowed (the first +assumes that \fI/usr/bin\fR is in the user's path): +.PP +.Vb 2 +\& $ sudo w +\& $ sudo /usr/bin/w +.Ve +.PP +However, this will not: +.PP +.Vb 2 +\& $ cd /usr/bin +\& $ sudo ./w +.Ve +.PP +For this reason you should only \fBgrant\fR access to commands using +wildcards and never \fBrestrict\fR access using them. This limitation +will be removed in a future version of \fBsudo\fR. .Sh "Exceptions to wildcard rules" .IX Subsection "Exceptions to wildcard rules" The following exceptions apply to the above rules: @@ -1043,6 +1069,13 @@ used as part of a word (e.g. a username or hostname): \&'@', '!', '=', ':', ',', '(', ')', '\e'. .SH "EXAMPLES" .IX Header "EXAMPLES" +Since the \fIsudoers\fR file is parsed in a single pass, order is +important. In general, you should structure \fIsudoers\fR such that +the \f(CW\*(C`Host_Alias\*(C'\fR, \f(CW\*(C`User_Alias\*(C'\fR, and \f(CW\*(C`Cmnd_Alias\*(C'\fR specifications +come first, followed by any \f(CW\*(C`Default_Entry\*(C'\fR lines, and finally the +\&\f(CW\*(C`Runas_Alias\*(C'\fR and user specifications. The basic rule of thumb +is you cannot reference an Alias that has not already been defined. +.PP Below are example \fIsudoers\fR entries. Admittedly, some of these are a bit contrived. First, we define our \fIaliases\fR: .PP 
@@ -1090,7 +1123,7 @@ Here we override some of the compiled in default values. We want \&\fBsudo\fR to log via \fIsyslog\fR\|(3) using the \fIauth\fR facility in all cases. We don't want to subject the full time staff to the \fBsudo\fR lecture, user \fBmillert\fR need not give a password, and we don't -want to set the \f(CW\*(C`LOGNAME\*(C'\fR or \f(CW\*(C`USER\*(C'\fR environment variables when +want to reset the \f(CW\*(C`LOGNAME\*(C'\fR or \f(CW\*(C`USER\*(C'\fR environment variables when running commands as root. Additionally, on the machines in the \&\fI\s-1SERVERS\s0\fR \f(CW\*(C`Host_Alias\*(C'\fR, we keep an additional local log file and make sure we log the year in each log line since the log entries -- 2.40.0
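Review bot: "The following two command will be allowed" should read "The following two commands will be allowed" in the new WARNING paragraph, which appears both in the sudoers.cat hunk @@ -983,33 +1009,59 @@ and in the sudoers.man.in hunk @@ -1000,6 +998,34 @@. Since this commit is a regeneration of derived files, the fix has to go into the source those pages are generated from, or the next "regen" reintroduces the typo.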
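Review bot: The new ignore_local_sudoers entry in the sudoers.cat hunk @@ -543,6 +546,21 @@ has two grammar slips that should be corrected at the source before regenerating: "This is intended for an Enterprises that wish to prevent" should be "This is intended for enterprises that wish to prevent", and "Since this options tells sudo how to behave" should be "Since this option tells sudo how to behave". Two smaller points in the same entry: it is listed under Flags but says "When this option is present, @sysconfdir@/sudoers does not even need to exist", which reads as if mere presence (rather than the flag being set) disables the local file, so "When this flag is set" would be clearer; and it is the only text in this patch that uses the LDAP schema terms "sudoOption" and "cn=defaults" without introducing them, so a pointer to where the LDAP configuration is documented would help a reader who only knows the file format.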
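Review bot: Dropping the ordering paragraph from the Defaults section (sudoers.cat hunk @@ -245,29 +252,24 @@ and sudoers.man.in hunk @@ -388,11 +391,6 @@) and reintroducing an expanded version only under EXAMPLES (hunks @@ -1047,25 +1099,32 @@ and @@ -1043,6 +1069,13 @@) leaves a reader of Defaults with no hint that a Defaults line which names an alias must come after that alias is defined; suggest keeping a one-sentence cross-reference to the EXAMPLES paragraph in the Defaults section. Related: the Defaults-specific sentence "the last value on a matching line takes effect" (removed in hunk @@ -213,9 +222,7 @@) is now generalised in DESCRIPTION (hunk @@ -10,10 +10,17 @@) to "the last match is used (which is not necessarily the most specific match)" for all entries. That is the most security-relevant sentence in the patch, because a later, broader entry silently overrides an earlier, narrower one; a short two-line sudoers example in EXAMPLES showing that override would make the consequence concrete for administrators.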
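Review bot: The WARNING paragraph added in the sudoers.cat hunk @@ -983,33 +1009,59 @@ concludes "you should only grant access to commands using wildcards and never restrict access using them", which overlaps with the SECURITY NOTES paragraph beginning "It is generally not effective to 'subtract' commands from" (visible as trailing context in hunk @@ -1247,22 +1307,22 @@); a cross-reference between the two would keep the advice in one place. The closing sentence "This limitation will be removed in a future version of sudo" is a roadmap promise inside a manual page and will go stale; suggest either dropping it or tying it to the version that actually lifts the restriction when that happens.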
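Review bot: The sudo.cat and sudoers.cat hunks change every sudoers(4) and passwd(4) reference to section 5 (for example hunks @@ -80,9 +80,9 @@ and @@ -504,10 +506,8 @@ in sudo.cat, and the SUDOERS(4) to SUDOERS(5) header change in sudoers.cat hunk @@ -1,7 +1,7 @@), while sudo(1m) and visudo(1m) keep their section. The .man.in sources use the @mansectsu@ and @mansectform@ substitutions, so the hard-coded sections in the .cat files depend on how configure was run; the commit message "regen" does not record which settings produced this mix, and noting them would make it possible to reproduce the files and to tell whether the section change was intended.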