isa/sudo
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Mention noexec

Browse Source
This commit is contained in:
Todd C. Miller
2004-01-09 21:24:50 +00:00
parent 67ba09fccf
commit 051943b687
2 changed files with 15 additions and 7 deletions
Download Patch File Download Diff File Expand all files Collapse all files

14
sudo.man.in
View File

@@ -30,13 +30,13 @@
.\" WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR
.\" OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF
.\" ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
.\"
.\"
.\" Sponsored in part by the Defense Advanced Research Projects
.\" Agency (DARPA) and Air Force Research Laboratory, Air Force
.\" Materiel Command, USAF, under agreement number F39502-99-1-0512.
.\"
.\" $Sudo$
.\" Automatically generated by Pod::Man v1.34, Pod::Parser v1.13
.\" Automatically generated by Pod::Man v1.37, Pod::Parser v1.13
.\"
.\" Standard preamble:
.\" ========================================================================
@@ -167,7 +167,7 @@
.\" ========================================================================
.\"
.IX Title "SUDO @mansectsu@"
.TH SUDO @mansectsu@ "March 13, 2003" "1.6.7" "MAINTENANCE COMMANDS"
.TH SUDO @mansectsu@ "January 9, 2004" "1.6.8" "MAINTENANCE COMMANDS"
.SH "NAME"
sudo \- execute a command as another user
.SH "SYNOPSIS"
@@ -498,8 +498,12 @@ and fitness for a particular purpose are disclaimed.
See the \s-1LICENSE\s0 file distributed with \fBsudo\fR for complete details.
.SH "CAVEATS"
.IX Header "CAVEATS"
There is no easy way to prevent a user from gaining a root shell if
that user has access to commands allowing shell escapes.
There is no easy way to prevent a user from gaining a root shell
if that user is allowed to run arbitrary commands via \fBsudo\fR.
Also, many programs (such as editors) allow the user to run commands
via shell escapes, thus avoiding \fBsudo\fR's checks. However, on
most systems it is possible to prevent shell escapes with \fBsudo\fR's
\&\fInoexec\fR functionality. See the \fIsudoers\fR\|(@mansectform@) manual for details.
.PP
If users have sudo \f(CW\*(C`ALL\*(C'\fR there is nothing to prevent them from creating
their own program that gives them a root shell regardless of any '!'

8
sudo.pod
View File

@@ -388,8 +388,12 @@ See the LICENSE file distributed with B<sudo> for complete details.
=head1 CAVEATS
There is no easy way to prevent a user from gaining a root shell if
that user has access to commands allowing shell escapes.
There is no easy way to prevent a user from gaining a root shell
if that user is allowed to run arbitrary commands via B<sudo>.
Also, many programs (such as editors) allow the user to run commands
via shell escapes, thus avoiding B<sudo>'s checks. However, on
most systems it is possible to prevent shell escapes with B<sudo>'s
I<noexec> functionality. See the sudoers(5) manual for details.
If users have sudo C<ALL> there is nothing to prevent them from creating
their own program that gives them a root shell regardless of any '!'