Add a note about the security implications of the fast_glob option.
doc/sudoers.cat
@@ -61,7 +61,7 @@ DDEESSCCRRIIPPTTIIOONN
1.7.3b2 December 19, 2009 1
1.8.0a1 April 7, 2010 1
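Review bot: every sudoers.cat hunk up to the fast_glob paragraph consists solely of regenerated page footers (1.7.3b2 / December 19, 2009 becoming 1.8.0a1 / April 7, 2010 on each page), and the .TH line in the troff source changes the same way; that is version-bump and regeneration churn unrelated to the fast_glob note, and it would be easier to review if the documentation were regenerated in a separate commit from the wording change.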
@@ -127,7 +127,7 @@ SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4)
1.7.3b2 December 19, 2009 2
1.8.0a1 April 7, 2010 2
@@ -193,7 +193,7 @@ SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4)
1.7.3b2 December 19, 2009 3
1.8.0a1 April 7, 2010 3
@@ -259,7 +259,7 @@ SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4)
1.7.3b2 December 19, 2009 4
1.8.0a1 April 7, 2010 4
@@ -325,7 +325,7 @@ SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4)
1.7.3b2 December 19, 2009 5
1.8.0a1 April 7, 2010 5
@@ -391,7 +391,7 @@ SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4)
1.7.3b2 December 19, 2009 6
1.8.0a1 April 7, 2010 6
@@ -457,7 +457,7 @@ SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4)
1.7.3b2 December 19, 2009 7
1.8.0a1 April 7, 2010 7
@@ -523,7 +523,7 @@ SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4)
1.7.3b2 December 19, 2009 8
1.8.0a1 April 7, 2010 8
@@ -589,7 +589,7 @@ SSUUDDOOEERRSS OOPPTTIIOONNSS
1.7.3b2 December 19, 2009 9
1.8.0a1 April 7, 2010 9
@@ -615,7 +615,7 @@ SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4)
alternative is to place a colon-separated list of
editors in the editor variable. vviissuuddoo will then only
use the EDITOR or VISUAL if they match a value
specified in editor. This flag is _o_f_f by default.
specified in editor. This flag is _o_n by default.
env_reset If set, ssuuddoo will reset the environment to only contain
the LOGNAME, SHELL, USER, USERNAME and the SUDO_*
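Review bot: this hunk flips the documented default of the visudo EDITOR/VISUAL-checking flag (the entry just above env_reset) from off to on, and later hunks in the same file do the same for ignore_dot and insults and change the default syslog facility from local2 to authpriv, although the pod source in this commit does not touch any of those options. The regenerated catpage was evidently built with different configure-time defaults than the one it replaces; either regenerate it against the same configuration or state the default changes in the commit message so they are not mistaken for part of the fast_glob change.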
@@ -637,7 +637,13 @@ SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4)
which does not access the file system to do its
matching. The disadvantage of _f_a_s_t___g_l_o_b is that it is
unable to match relative path names such as _._/_l_s or
_._._/_b_i_n_/_l_s. This flag is _o_f_f by default.
_._._/_b_i_n_/_l_s. This has security implications when path
names that include globbing characters are used with
the negation operator, '!', as such rules can be
trivially bypassed. As such, this option should not be
used when _s_u_d_o_e_r_s contains rules that contain negated
path names which include globbing characters. This
flag is _o_f_f by default.
fqdn Set this flag if you want to put fully qualified host
names in the _s_u_d_o_e_r_s file. I.e., instead of myhost you
@@ -646,16 +652,10 @@ SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4)
that turning on _f_q_d_n requires ssuuddoo to make DNS lookups
which may make ssuuddoo unusable if DNS stops working (for
example if the machine is not plugged into the
network). Also note that you must use the host's
official name as DNS knows it. That is, you may not
use a host alias (CNAME entry) due to performance
issues and the fact that there is no way to get all
aliases from DNS. If your machine's host name (as
returned by the hostname command) is already fully
1.7.3b2 December 19, 2009 10
1.8.0a1 April 7, 2010 10
@@ -664,12 +664,18 @@ SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4)
SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4)
network). Also note that you must use the host's
official name as DNS knows it. That is, you may not
use a host alias (CNAME entry) due to performance
issues and the fact that there is no way to get all
aliases from DNS. If your machine's host name (as
returned by the hostname command) is already fully
qualified you shouldn't need to set _f_q_d_n. This flag is
_o_f_f by default.
ignore_dot If set, ssuuddoo will ignore '.' or '' (current dir) in the
PATH environment variable; the PATH itself is not
modified. This flag is _o_f_f by default.
modified. This flag is _o_n by default.
ignore_local_sudoers
If set via LDAP, parsing of _/_e_t_c_/_s_u_d_o_e_r_s will be
@@ -685,7 +691,7 @@ SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4)
_o_f_f by default.
insults If set, ssuuddoo will insult users when they enter an
incorrect password. This flag is _o_f_f by default.
incorrect password. This flag is _o_n by default.
log_host If set, the host name will be logged in the (non-
syslog) ssuuddoo log file. This flag is _o_f_f by default.
@@ -712,16 +718,10 @@ SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4)
allowed to run commands on the current host. This flag
is _o_f_f by default.
mail_no_perms If set, mail will be sent to the _m_a_i_l_t_o user if the
invoking user is allowed to use ssuuddoo but the command
they are trying is not listed in their _s_u_d_o_e_r_s file
entry or is explicitly denied. This flag is _o_f_f by
default.
1.7.3b2 December 19, 2009 11
1.8.0a1 April 7, 2010 11
@@ -730,6 +730,12 @@ SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4)
SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4)
mail_no_perms If set, mail will be sent to the _m_a_i_l_t_o user if the
invoking user is allowed to use ssuuddoo but the command
they are trying is not listed in their _s_u_d_o_e_r_s file
entry or is explicitly denied. This flag is _o_f_f by
default.
mail_no_user If set, mail will be sent to the _m_a_i_l_t_o user if the
invoking user is not in the _s_u_d_o_e_r_s file. This flag is
_o_n by default.
@@ -778,16 +784,10 @@ SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4)
to a real tty. When this flag is set, ssuuddoo can only be
run from a login session and not via other means such
as _c_r_o_n(1m) or cgi-bin scripts. This flag is _o_f_f by
default.
root_sudo If set, root is allowed to run ssuuddoo too. Disabling
this prevents users from "chaining" ssuuddoo commands to
get a root shell by doing something like "sudo sudo
/bin/sh". Note, however, that turning off _r_o_o_t___s_u_d_o
1.7.3b2 December 19, 2009 12
1.8.0a1 April 7, 2010 12
@@ -796,6 +796,12 @@ SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4)
SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4)
default.
root_sudo If set, root is allowed to run ssuuddoo too. Disabling
this prevents users from "chaining" ssuuddoo commands to
get a root shell by doing something like "sudo sudo
/bin/sh". Note, however, that turning off _r_o_o_t___s_u_d_o
will also prevent root and from running ssuuddooeeddiitt.
Disabling _r_o_o_t___s_u_d_o provides no real additional
security; it exists purely for historical reasons.
@@ -844,16 +850,10 @@ SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4)
stay_setuid Normally, when ssuuddoo executes a command the real and
effective UIDs are set to the target user (root by
default). This option changes that behavior such that
the real UID is left as the invoking user's UID. In
other words, this makes ssuuddoo act as a setuid wrapper.
This can be useful on systems that disable some
potentially dangerous functionality when a program is
run setuid. This option is only effective on systems
1.7.3b2 December 19, 2009 13
1.8.0a1 April 7, 2010 13
@@ -862,6 +862,12 @@ SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4)
SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4)
default). This option changes that behavior such that
the real UID is left as the invoking user's UID. In
other words, this makes ssuuddoo act as a setuid wrapper.
This can be useful on systems that disable some
potentially dangerous functionality when a program is
run setuid. This option is only effective on systems
with either the _s_e_t_r_e_u_i_d_(_) or _s_e_t_r_e_s_u_i_d_(_) function.
This flag is _o_f_f by default.
@@ -910,16 +916,10 @@ SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4)
use_loginclass If set, ssuuddoo will apply the defaults specified for the
target user's login class if one exists. Only
available if ssuuddoo is configured with the
--with-logincap option. This flag is _o_f_f by default.
visiblepw By default, ssuuddoo will refuse to run if the user must
enter a password but it is not possible to disable echo
on the terminal. If the _v_i_s_i_b_l_e_p_w flag is set, ssuuddoo
1.7.3b2 December 19, 2009 14
1.8.0a1 April 7, 2010 14
@@ -928,6 +928,12 @@ SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4)
SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4)
available if ssuuddoo is configured with the
--with-logincap option. This flag is _o_f_f by default.
visiblepw By default, ssuuddoo will refuse to run if the user must
enter a password but it is not possible to disable echo
on the terminal. If the _v_i_s_i_b_l_e_p_w flag is set, ssuuddoo
will prompt for a password even when it would be
visible on the screen. This makes it possible to run
things like "rsh somehost sudo ls" since _r_s_h(1) does
@@ -976,16 +982,10 @@ SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4)
The actual umask that is used will be the union of the
user's umask and 0022. This guarantees that ssuuddoo never
lowers the umask when running a command. Note on
systems that use PAM, the default PAM configuration may
specify its own umask which will override the value set
in _s_u_d_o_e_r_s.
SSttrriinnggss:
1.7.3b2 December 19, 2009 15
1.8.0a1 April 7, 2010 15
@@ -994,6 +994,12 @@ SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4)
SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4)
systems that use PAM, the default PAM configuration may
specify its own umask which will override the value set
in _s_u_d_o_e_r_s.
SSttrriinnggss:
badpass_message Message that is displayed if a user enters an incorrect
password. The default is Sorry, try again. unless
insults are enabled.
@@ -1042,16 +1048,10 @@ SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4)
The default value is Password:.
runas_default The default user to run commands as if the --uu option is
not specified on the command line. This defaults to
root. Note that if _r_u_n_a_s___d_e_f_a_u_l_t is set it mmuusstt occur
before any Runas_Alias specifications.
syslog_badpri Syslog priority to use when user authenticates
1.7.3b2 December 19, 2009 16
1.8.0a1 April 7, 2010 16
@@ -1060,6 +1060,12 @@ SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4)
SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4)
runas_default The default user to run commands as if the --uu option is
not specified on the command line. This defaults to
root. Note that if _r_u_n_a_s___d_e_f_a_u_l_t is set it mmuusstt occur
before any Runas_Alias specifications.
syslog_badpri Syslog priority to use when user authenticates
unsuccessfully. Defaults to alert.
syslog_goodpri Syslog priority to use when user authenticates
@@ -1109,15 +1115,9 @@ SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4)
once Only lecture the user the first time they run ssuuddoo.
If no value is specified, a value of _o_n_c_e is implied.
Negating the option results in a value of _n_e_v_e_r being used.
The default value is _o_n_c_e.
1.7.3b2 December 19, 2009 17
1.8.0a1 April 7, 2010 17
@@ -1126,6 +1126,10 @@ SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4)
SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4)
If no value is specified, a value of _o_n_c_e is implied.
Negating the option results in a value of _n_e_v_e_r being used.
The default value is _o_n_c_e.
lecture_file
Path to a file containing an alternate ssuuddoo lecture that
will be used in place of the standard lecture if the named
@@ -1176,14 +1180,10 @@ SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4)
environment variable you may want to use this. Another use
is if you want to have the "root path" be separate from the
"user path." Users in the group specified by the
_e_x_e_m_p_t___g_r_o_u_p option are not affected by _s_e_c_u_r_e___p_a_t_h. This
option is not set by default.
syslog Syslog facility if syslog is being used for logging (negate
1.7.3b2 December 19, 2009 18
1.8.0a1 April 7, 2010 18
@@ -1192,7 +1192,11 @@ SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4)
SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4)
to disable syslog logging). Defaults to local2.
_e_x_e_m_p_t___g_r_o_u_p option are not affected by _s_e_c_u_r_e___p_a_t_h. This
option is not set by default.
syslog Syslog facility if syslog is being used for logging (negate
to disable syslog logging). Defaults to authpriv.
verifypw This option controls when a password will be required when
a user runs ssuuddoo with the --vv option. It has the following
@@ -1242,14 +1246,10 @@ SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4)
default list of environment variables to remove is
displayed when ssuuddoo is run by root with the _-_V option.
Note that many operating systems will remove
potentially dangerous variables from the environment of
any setuid process (such as ssuuddoo).
env_keep Environment variables to be preserved in the user's
1.7.3b2 December 19, 2009 19
1.8.0a1 April 7, 2010 19
@@ -1258,6 +1258,10 @@ SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4)
SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4)
potentially dangerous variables from the environment of
any setuid process (such as ssuuddoo).
env_keep Environment variables to be preserved in the user's
environment when the _e_n_v___r_e_s_e_t option is in effect.
This allows fine-grained control over the environment
ssuuddoo-spawned processes will receive. The argument may
@@ -1308,14 +1312,10 @@ EEXXAAMMPPLLEESS
Host_Alias SERVERS = master, mail, www, ns
Host_Alias CDROM = orion, perseus, hercules
# Cmnd alias specification
Cmnd_Alias DUMPS = /usr/bin/mt, /usr/sbin/dump, /usr/sbin/rdump,\
/usr/sbin/restore, /usr/sbin/rrestore
Cmnd_Alias KILL = /usr/bin/kill
1.7.3b2 December 19, 2009 20
1.8.0a1 April 7, 2010 20
@@ -1324,6 +1324,10 @@ EEXXAAMMPPLLEESS
SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4)
# Cmnd alias specification
Cmnd_Alias DUMPS = /usr/bin/mt, /usr/sbin/dump, /usr/sbin/rdump,\
/usr/sbin/restore, /usr/sbin/rrestore
Cmnd_Alias KILL = /usr/bin/kill
Cmnd_Alias PRINTING = /usr/sbin/lpc, /usr/bin/lprm
Cmnd_Alias SHUTDOWN = /usr/sbin/shutdown
Cmnd_Alias HALT = /usr/sbin/halt
@@ -1375,13 +1379,9 @@ SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4)
jack CSNETS = ALL
The user jjaacckk may run any command on the machines in the _C_S_N_E_T_S alias
(the networks 128.138.243.0, 128.138.204.0, and 128.138.242.0). Of
those networks, only 128.138.204.0 has an explicit netmask (in CIDR
1.7.3b2 December 19, 2009 21
1.8.0a1 April 7, 2010 21
@@ -1390,6 +1390,9 @@ SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4)
SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4)
The user jjaacckk may run any command on the machines in the _C_S_N_E_T_S alias
(the networks 128.138.243.0, 128.138.204.0, and 128.138.242.0). Of
those networks, only 128.138.204.0 has an explicit netmask (in CIDR
notation) indicating it is a class C network. For the other networks
in _C_S_N_E_T_S, the local machine's netmask will be used during matching.
@@ -1442,12 +1445,9 @@ SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4)
The user ffrreedd can run commands as any user in the _D_B Runas_Alias
(oorraaccllee or ssyybbaassee) without giving a password.
john ALPHA = /usr/bin/su [!-]*, !/usr/bin/su *root*
1.7.3b2 December 19, 2009 22
1.8.0a1 April 7, 2010 22
@@ -1456,6 +1456,8 @@ SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4)
SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4)
john ALPHA = /usr/bin/su [!-]*, !/usr/bin/su *root*
On the _A_L_P_H_A machines, user jjoohhnn may su to anyone except root but he is
not allowed to specify any options to the _s_u(1) command.
@@ -1508,12 +1510,10 @@ SSEECCUURRIITTYY NNOOTTEESS
kind of restrictions should be considered advisory at best (and
reinforced by policy).
PPRREEVVEENNTTIINNGG SSHHEELLLL EESSCCAAPPEESS
Once ssuuddoo executes a program, that program is free to do whatever it
1.7.3b2 December 19, 2009 23
1.8.0a1 April 7, 2010 23
@@ -1522,6 +1522,23 @@ PPRREEVVEENNTTIINNGG SSHHEELLLL EESSCCAAPPEESS
SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4)
Furthermore, if the _f_a_s_t___g_l_o_b option is in use, it is not possible to
reliably negate commands where the path name includes globbing (aka
wildcard) characters. This is because the C library's _f_n_m_a_t_c_h(3)
function cannot resolve relative paths. While this is typically only
an inconvenience for rules that grant privileges, it can result in a
security issue for rules that subtract or revoke privileges.
For example, given the following _s_u_d_o_e_r_s entry:
john ALL = /usr/bin/passwd [a-zA-Z0-9]*, /usr/bin/chsh [a-zA-Z0-9]*,
/usr/bin/chfn [a-zA-Z0-9]*, !/usr/bin/* root
User jjoohhnn can still run /usr/bin/passwd root if _f_a_s_t___g_l_o_b is enabled by
changing to _/_u_s_r_/_b_i_n and running ./passwd root instead.
PPRREEVVEENNTTIINNGG SSHHEELLLL EESSCCAAPPEESS
Once ssuuddoo executes a program, that program is free to do whatever it
pleases, including run other programs. This can be a security issue
since it is not uncommon for a program to allow shell escapes, which
lets a user bypass ssuuddoo's access control and logging. Common programs
@@ -1559,6 +1576,18 @@ SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4)
then ssuuddoo may be able to replace the exec family of functions
in the standard library with its own that simply return an
error. Unfortunately, there is no foolproof way to know
1.8.0a1 April 7, 2010 24
SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4)
whether or not _n_o_e_x_e_c will work at compile-time. _n_o_e_x_e_c
should work on SunOS, Solaris, *BSD, Linux, IRIX, Tru64 UNIX,
MacOS X, and HP-UX 11.x. It is known nnoott to work on AIX and
@@ -1576,18 +1605,6 @@ SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4)
This allows user aaaarroonn to run _/_u_s_r_/_b_i_n_/_m_o_r_e and _/_u_s_r_/_b_i_n_/_v_i
with _n_o_e_x_e_c enabled. This will prevent those two commands
1.7.3b2 December 19, 2009 24
SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4)
from executing other commands (such as a shell). If you are
unsure whether or not your system is capable of supporting
_n_o_e_x_e_c you can always just try it out and see if it works.
@@ -1625,6 +1642,18 @@ DDIISSCCLLAAIIMMEERR
ssuuddoo is provided ``AS IS'' and any express or implied warranties,
including, but not limited to, the implied warranties of
merchantability and fitness for a particular purpose are disclaimed.
1.8.0a1 April 7, 2010 25
SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4)
See the LICENSE file distributed with ssuuddoo or
http://www.sudo.ws/sudo/license.html for complete details.
@@ -1645,6 +1674,43 @@ DDIISSCCLLAAIIMMEERR
1.7.3b2 December 19, 2009 25
1.8.0a1 April 7, 2010 26
@@ -1,4 +1,4 @@
.\" Copyright (c) 1994-1996, 1998-2005, 2007-2009
.\" Copyright (c) 1994-1996, 1998-2005, 2007-2010
.\" Todd C. Miller <Todd.Miller@courtesan.com>
.\"
.\" Permission to use, copy, modify, and distribute this software for any
@@ -144,7 +144,7 @@
.\" ========================================================================
.\"
.IX Title "SUDOERS @mansectform@"
.TH SUDOERS @mansectform@ "December 19, 2009" "1.7.3b2" "MAINTENANCE COMMANDS"
.TH SUDOERS @mansectform@ "April 7, 2010" "1.8.0a1" "MAINTENANCE COMMANDS"
.\" For nroff, turn off justification. Always turn off hyphenation; it makes
.\" way too many mistakes in technical documents.
.if n .ad l
@@ -755,7 +755,12 @@ system that is mounted on demand (automounted). The \fIfast_glob\fR
option causes \fBsudo\fR to use the \fIfnmatch\fR\|(3) function, which does
not access the file system to do its matching. The disadvantage
of \fIfast_glob\fR is that it is unable to match relative path names
such as \fI./ls\fR or \fI../bin/ls\fR. This flag is \fIoff\fR by default.
such as \fI./ls\fR or \fI../bin/ls\fR. This has security implications
when path names that include globbing characters are used with the
negation operator, \f(CW\*(Aq!\*(Aq\fR, as such rules can be trivially bypassed.
As such, this option should not be used when \fIsudoers\fR contains rules
that contain negated path names which include globbing characters.
This flag is \fIoff\fR by default.
.IP "fqdn" 16
.IX Item "fqdn"
Set this flag if you want to put fully qualified host names in the
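Review bot: this troff hunk is pod2man output (the .IX/.TH preamble in the earlier hunk is pod2man's), and its wording matches the corresponding pod hunk line for line, so there is nothing to fix here beyond what is raised against the pod source; the only thing to verify before merging is that the generated files were rebuilt from the final pod text.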
@@ -1568,6 +1573,24 @@ Doesn't really prevent \fBbill\fR from running the commands listed in
different name, or use a shell escape from an editor or other
program. Therefore, these kind of restrictions should be considered
advisory at best (and reinforced by policy).
.PP
Furthermore, if the \fIfast_glob\fR option is in use, it is not possible
to reliably negate commands where the path name includes globbing
(aka wildcard) characters. This is because the C library's
\&\fIfnmatch\fR\|(3) function cannot resolve relative paths. While this
is typically only an inconvenience for rules that grant privileges,
it can result in a security issue for rules that subtract or revoke
privileges.
.PP
For example, given the following \fIsudoers\fR entry:
.PP
.Vb 2
\& john ALL = /usr/bin/passwd [a\-zA\-Z0\-9]*, /usr/bin/chsh [a\-zA\-Z0\-9]*,
\& /usr/bin/chfn [a\-zA\-Z0\-9]*, !/usr/bin/* root
.Ve
.PP
User \fBjohn\fR can still run \f(CW\*(C`/usr/bin/passwd root\*(C'\fR if \fIfast_glob\fR is
enabled by changing to \fI/usr/bin\fR and running \f(CW\*(C`./passwd root\*(C'\fR instead.
.SH "PREVENTING SHELL ESCAPES"
.IX Header "PREVENTING SHELL ESCAPES"
Once \fBsudo\fR executes a program, that program is free to do whatever
@@ -1,4 +1,4 @@
Copyright (c) 1994-1996, 1998-2005, 2007-2009
Copyright (c) 1994-1996, 1998-2005, 2007-2010
Todd C. Miller <Todd.Miller@courtesan.com>
Permission to use, copy, modify, and distribute this software for any
@@ -628,7 +628,12 @@ system that is mounted on demand (automounted). The I<fast_glob>
option causes B<sudo> to use the L<fnmatch(3)> function, which does
not access the file system to do its matching. The disadvantage
of I<fast_glob> is that it is unable to match relative path names
such as F<./ls> or F<../bin/ls>. This flag is I<off> by default.
such as F<./ls> or F<../bin/ls>. This has security implications
when path names that include globbing characters are used with the
negation operator, C<'!'>, as such rules can be trivially bypassed.
As such, this option should not be used when I<sudoers> contains rules
that contain negated path names which include globbing characters.
This flag is I<off> by default.
=item fqdn
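Review bot: the new fast_glob text says negated wildcard rules "can be trivially bypassed" but gives the reader of the option list no pointer to why or to what a safe configuration looks like; since the worked example is added to SECURITY NOTES in this same commit, add a cross-reference there (for example "see the SECURITY NOTES section below") so an administrator skimming the option descriptions does not have to discover it by accident. Minor wording point in the same lines: "rules that contain negated path names which include globbing characters" stacks two relative clauses; "rules with negated path names containing globbing characters" reads more cleanly.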
@@ -1508,6 +1513,22 @@ different name, or use a shell escape from an editor or other
program. Therefore, these kind of restrictions should be considered
advisory at best (and reinforced by policy).
Furthermore, if the I<fast_glob> option is in use, it is not possible
to reliably negate commands where the path name includes globbing
(aka wildcard) characters. This is because the C library's
L<fnmatch(3)> function cannot resolve relative paths. While this
is typically only an inconvenience for rules that grant privileges,
it can result in a security issue for rules that subtract or revoke
privileges.
For example, given the following I<sudoers> entry:
john ALL = /usr/bin/passwd [a-zA-Z0-9]*, /usr/bin/chsh [a-zA-Z0-9]*,
/usr/bin/chfn [a-zA-Z0-9]*, !/usr/bin/* root
User B<john> can still run C</usr/bin/passwd root> if I<fast_glob> is
enabled by changing to F</usr/bin> and running C<./passwd root> instead.
=head1 PREVENTING SHELL ESCAPES
Once B<sudo> executes a program, that program is free to do whatever
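Review bot: the stated reason, "the C library's fnmatch(3) function cannot resolve relative paths", gives the wrong impression of what fnmatch(3) does; as the fast_glob option text in this same commit says, fnmatch(3) never touches the file system, so it simply compares the command name as typed against the pattern, and "./passwd" never matches "/usr/bin/*". The example also leans on an unstated step: the grant rule "/usr/bin/passwd [a-zA-Z0-9]*" has no wildcard in its path and therefore still matches "./passwd", while only the wildcarded negation "!/usr/bin/* root" fails to match, which is exactly why john keeps the grant and loses the deny. Spelling that out, for instance "because fnmatch(3) matches the command name as typed, a relative path such as ./passwd does not match the pattern /usr/bin/* even though it still matches the literal /usr/bin/passwd entry", would make the security note easier to act on, and the practical guidance in the option text (do not combine fast_glob with negated wildcard paths) could be repeated here in one sentence.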