isa/sudo
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Mention noexec

Browse Source
This commit is contained in:
Todd C. Miller
2004-01-09 21:24:50 +00:00
parent 67ba09fccf
commit 051943b687
2 changed files with 15 additions and 7 deletions
Download Patch File Download Diff File Expand all files Collapse all files

12
sudo.man.in
View File

@@ -36,7 +36,7 @@
.\" Materiel Command, USAF, under agreement number F39502-99-1-0512. .\" Materiel Command, USAF, under agreement number F39502-99-1-0512.
.\" .\"
.\" $Sudo$ .\" $Sudo$
.\" Automatically generated by Pod::Man v1.34, Pod::Parser v1.13 .\" Automatically generated by Pod::Man v1.37, Pod::Parser v1.13
.\" .\"
.\" Standard preamble: .\" Standard preamble:
.\" ======================================================================== .\" ========================================================================
@@ -167,7 +167,7 @@
.\" ======================================================================== .\" ========================================================================
.\" .\"
.IX Title "SUDO @mansectsu@" .IX Title "SUDO @mansectsu@"
.TH SUDO @mansectsu@ "March 13, 2003" "1.6.7" "MAINTENANCE COMMANDS" .TH SUDO @mansectsu@ "January 9, 2004" "1.6.8" "MAINTENANCE COMMANDS"
.SH "NAME" .SH "NAME"
sudo \- execute a command as another user sudo \- execute a command as another user
.SH "SYNOPSIS" .SH "SYNOPSIS"
@@ -498,8 +498,12 @@ and fitness for a particular purpose are disclaimed.
See the \s-1LICENSE\s0 file distributed with \fBsudo\fR for complete details. See the \s-1LICENSE\s0 file distributed with \fBsudo\fR for complete details.
.SH "CAVEATS" .SH "CAVEATS"
.IX Header "CAVEATS" .IX Header "CAVEATS"
There is no easy way to prevent a user from gaining a root shell if There is no easy way to prevent a user from gaining a root shell
that user has access to commands allowing shell escapes. if that user is allowed to run arbitrary commands via \fBsudo\fR.
Also, many programs (such as editors) allow the user to run commands
via shell escapes, thus avoiding \fBsudo\fR's checks. However, on
most systems it is possible to prevent shell escapes with \fBsudo\fR's
\&\fInoexec\fR functionality. See the \fIsudoers\fR\|(@mansectform@) manual for details.
.PP .PP
If users have sudo \f(CW\*(C`ALL\*(C'\fR there is nothing to prevent them from creating If users have sudo \f(CW\*(C`ALL\*(C'\fR there is nothing to prevent them from creating
their own program that gives them a root shell regardless of any '!' their own program that gives them a root shell regardless of any '!'

8
sudo.pod
View File

@@ -388,8 +388,12 @@ See the LICENSE file distributed with B<sudo> for complete details.
=head1 CAVEATS =head1 CAVEATS
There is no easy way to prevent a user from gaining a root shell if There is no easy way to prevent a user from gaining a root shell
that user has access to commands allowing shell escapes. if that user is allowed to run arbitrary commands via B<sudo>.
Also, many programs (such as editors) allow the user to run commands
via shell escapes, thus avoiding B<sudo>'s checks. However, on
most systems it is possible to prevent shell escapes with B<sudo>'s
I<noexec> functionality. See the sudoers(5) manual for details.
If users have sudo C<ALL> there is nothing to prevent them from creating If users have sudo C<ALL> there is nothing to prevent them from creating
their own program that gives them a root shell regardless of any '!' their own program that gives them a root shell regardless of any '!'