Add a note about the security implications of the fast_glob option.

This commit is contained in:
Todd C. Miller
2010-04-07 10:09:31 -04:00
parent 6a5ea5be01
commit 29f22dba2d
3 changed files with 225 additions and 115 deletions


@@ -61,7 +61,7 @@ DDEESSCCRRIIPPTTIIOONN
1.7.3b2 December 19, 2009 1
1.8.0a1 April 7, 2010 1
@@ -127,7 +127,7 @@ SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4)
1.7.3b2 December 19, 2009 2
1.8.0a1 April 7, 2010 2
@@ -193,7 +193,7 @@ SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4)
1.7.3b2 December 19, 2009 3
1.8.0a1 April 7, 2010 3
@@ -259,7 +259,7 @@ SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4)
1.7.3b2 December 19, 2009 4
1.8.0a1 April 7, 2010 4
@@ -325,7 +325,7 @@ SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4)
1.7.3b2 December 19, 2009 5
1.8.0a1 April 7, 2010 5
@@ -391,7 +391,7 @@ SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4)
1.7.3b2 December 19, 2009 6
1.8.0a1 April 7, 2010 6
@@ -457,7 +457,7 @@ SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4)
1.7.3b2 December 19, 2009 7
1.8.0a1 April 7, 2010 7
@@ -523,7 +523,7 @@ SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4)
1.7.3b2 December 19, 2009 8
1.8.0a1 April 7, 2010 8
@@ -589,7 +589,7 @@ SSUUDDOOEERRSS OOPPTTIIOONNSS
1.7.3b2 December 19, 2009 9
1.8.0a1 April 7, 2010 9
@@ -615,7 +615,7 @@ SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4)
alternative is to place a colon-separated list of
editors in the editor variable. vviissuuddoo will then only
use the EDITOR or VISUAL if they match a value
specified in editor. This flag is _o_f_f by default.
specified in editor. This flag is _o_n by default.
env_reset If set, ssuuddoo will reset the environment to only contain
the LOGNAME, SHELL, USER, USERNAME and the SUDO_*
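Review bot: the documented default for the flag described at the top of this hunk (the visudo EDITOR/VISUAL check) flips from off to on, which has nothing to do with the fast_glob note this commit is about and has no counterpart in the POD source hunks further down; the same unrelated drift appears later in this formatted page for the '.' in PATH flag (off to on), insults (off to on) and the syslog facility (local2 to authpriv). This looks like the formatted page being regenerated against a different configure setup than the previous revision. Suggest regenerating with the same build defaults as before, or moving the default changes into their own commit, so the defaults shown here keep matching the source.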
@@ -637,7 +637,13 @@ SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4)
which does not access the file system to do its
matching. The disadvantage of _f_a_s_t___g_l_o_b is that it is
unable to match relative path names such as _._/_l_s or
_._._/_b_i_n_/_l_s. This flag is _o_f_f by default.
_._._/_b_i_n_/_l_s. This has security implications when path
names that include globbing characters are used with
the negation operator, '!', as such rules can be
trivially bypassed. As such, this option should not be
used when _s_u_d_o_e_r_s contains rules that contain negated
path names which include globbing characters. This
flag is _o_f_f by default.
fqdn Set this flag if you want to put fully qualified host
names in the _s_u_d_o_e_r_s file. I.e., instead of myhost you
@@ -646,16 +652,10 @@ SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4)
that turning on _f_q_d_n requires ssuuddoo to make DNS lookups
which may make ssuuddoo unusable if DNS stops working (for
example if the machine is not plugged into the
network). Also note that you must use the host's
official name as DNS knows it. That is, you may not
use a host alias (CNAME entry) due to performance
issues and the fact that there is no way to get all
aliases from DNS. If your machine's host name (as
returned by the hostname command) is already fully
1.7.3b2 December 19, 2009 10
1.8.0a1 April 7, 2010 10
@@ -664,12 +664,18 @@ SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4)
SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4)
network). Also note that you must use the host's
official name as DNS knows it. That is, you may not
use a host alias (CNAME entry) due to performance
issues and the fact that there is no way to get all
aliases from DNS. If your machine's host name (as
returned by the hostname command) is already fully
qualified you shouldn't need to set _f_q_d_n. This flag is
_o_f_f by default.
ignore_dot If set, ssuuddoo will ignore '.' or '' (current dir) in the
PATH environment variable; the PATH itself is not
modified. This flag is _o_f_f by default.
modified. This flag is _o_n by default.
ignore_local_sudoers
If set via LDAP, parsing of _/_e_t_c_/_s_u_d_o_e_r_s will be
@@ -685,7 +691,7 @@ SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4)
_o_f_f by default.
insults If set, ssuuddoo will insult users when they enter an
incorrect password. This flag is _o_f_f by default.
incorrect password. This flag is _o_n by default.
log_host If set, the host name will be logged in the (non-
syslog) ssuuddoo log file. This flag is _o_f_f by default.
@@ -712,16 +718,10 @@ SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4)
allowed to run commands on the current host. This flag
is _o_f_f by default.
mail_no_perms If set, mail will be sent to the _m_a_i_l_t_o user if the
invoking user is allowed to use ssuuddoo but the command
they are trying is not listed in their _s_u_d_o_e_r_s file
entry or is explicitly denied. This flag is _o_f_f by
default.
1.7.3b2 December 19, 2009 11
1.8.0a1 April 7, 2010 11
@@ -730,6 +730,12 @@ SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4)
SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4)
mail_no_perms If set, mail will be sent to the _m_a_i_l_t_o user if the
invoking user is allowed to use ssuuddoo but the command
they are trying is not listed in their _s_u_d_o_e_r_s file
entry or is explicitly denied. This flag is _o_f_f by
default.
mail_no_user If set, mail will be sent to the _m_a_i_l_t_o user if the
invoking user is not in the _s_u_d_o_e_r_s file. This flag is
_o_n by default.
@@ -778,16 +784,10 @@ SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4)
to a real tty. When this flag is set, ssuuddoo can only be
run from a login session and not via other means such
as _c_r_o_n(1m) or cgi-bin scripts. This flag is _o_f_f by
default.
root_sudo If set, root is allowed to run ssuuddoo too. Disabling
this prevents users from "chaining" ssuuddoo commands to
get a root shell by doing something like "sudo sudo
/bin/sh". Note, however, that turning off _r_o_o_t___s_u_d_o
1.7.3b2 December 19, 2009 12
1.8.0a1 April 7, 2010 12
@@ -796,6 +796,12 @@ SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4)
SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4)
default.
root_sudo If set, root is allowed to run ssuuddoo too. Disabling
this prevents users from "chaining" ssuuddoo commands to
get a root shell by doing something like "sudo sudo
/bin/sh". Note, however, that turning off _r_o_o_t___s_u_d_o
will also prevent root and from running ssuuddooeeddiitt.
Disabling _r_o_o_t___s_u_d_o provides no real additional
security; it exists purely for historical reasons.
@@ -844,16 +850,10 @@ SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4)
stay_setuid Normally, when ssuuddoo executes a command the real and
effective UIDs are set to the target user (root by
default). This option changes that behavior such that
the real UID is left as the invoking user's UID. In
other words, this makes ssuuddoo act as a setuid wrapper.
This can be useful on systems that disable some
potentially dangerous functionality when a program is
run setuid. This option is only effective on systems
1.7.3b2 December 19, 2009 13
1.8.0a1 April 7, 2010 13
@@ -862,6 +862,12 @@ SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4)
SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4)
default). This option changes that behavior such that
the real UID is left as the invoking user's UID. In
other words, this makes ssuuddoo act as a setuid wrapper.
This can be useful on systems that disable some
potentially dangerous functionality when a program is
run setuid. This option is only effective on systems
with either the _s_e_t_r_e_u_i_d_(_) or _s_e_t_r_e_s_u_i_d_(_) function.
This flag is _o_f_f by default.
@@ -910,16 +916,10 @@ SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4)
use_loginclass If set, ssuuddoo will apply the defaults specified for the
target user's login class if one exists. Only
available if ssuuddoo is configured with the
--with-logincap option. This flag is _o_f_f by default.
visiblepw By default, ssuuddoo will refuse to run if the user must
enter a password but it is not possible to disable echo
on the terminal. If the _v_i_s_i_b_l_e_p_w flag is set, ssuuddoo
1.7.3b2 December 19, 2009 14
1.8.0a1 April 7, 2010 14
@@ -928,6 +928,12 @@ SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4)
SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4)
available if ssuuddoo is configured with the
--with-logincap option. This flag is _o_f_f by default.
visiblepw By default, ssuuddoo will refuse to run if the user must
enter a password but it is not possible to disable echo
on the terminal. If the _v_i_s_i_b_l_e_p_w flag is set, ssuuddoo
will prompt for a password even when it would be
visible on the screen. This makes it possible to run
things like "rsh somehost sudo ls" since _r_s_h(1) does
@@ -976,16 +982,10 @@ SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4)
The actual umask that is used will be the union of the
user's umask and 0022. This guarantees that ssuuddoo never
lowers the umask when running a command. Note on
systems that use PAM, the default PAM configuration may
specify its own umask which will override the value set
in _s_u_d_o_e_r_s.
SSttrriinnggss:
1.7.3b2 December 19, 2009 15
1.8.0a1 April 7, 2010 15
@@ -994,6 +994,12 @@ SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4)
SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4)
systems that use PAM, the default PAM configuration may
specify its own umask which will override the value set
in _s_u_d_o_e_r_s.
SSttrriinnggss:
badpass_message Message that is displayed if a user enters an incorrect
password. The default is Sorry, try again. unless
insults are enabled.
@@ -1042,16 +1048,10 @@ SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4)
The default value is Password:.
runas_default The default user to run commands as if the --uu option is
not specified on the command line. This defaults to
root. Note that if _r_u_n_a_s___d_e_f_a_u_l_t is set it mmuusstt occur
before any Runas_Alias specifications.
syslog_badpri Syslog priority to use when user authenticates
1.7.3b2 December 19, 2009 16
1.8.0a1 April 7, 2010 16
@@ -1060,6 +1060,12 @@ SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4)
SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4)
runas_default The default user to run commands as if the --uu option is
not specified on the command line. This defaults to
root. Note that if _r_u_n_a_s___d_e_f_a_u_l_t is set it mmuusstt occur
before any Runas_Alias specifications.
syslog_badpri Syslog priority to use when user authenticates
unsuccessfully. Defaults to alert.
syslog_goodpri Syslog priority to use when user authenticates
@@ -1109,15 +1115,9 @@ SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4)
once Only lecture the user the first time they run ssuuddoo.
If no value is specified, a value of _o_n_c_e is implied.
Negating the option results in a value of _n_e_v_e_r being used.
The default value is _o_n_c_e.
1.7.3b2 December 19, 2009 17
1.8.0a1 April 7, 2010 17
@@ -1126,6 +1126,10 @@ SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4)
SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4)
If no value is specified, a value of _o_n_c_e is implied.
Negating the option results in a value of _n_e_v_e_r being used.
The default value is _o_n_c_e.
lecture_file
Path to a file containing an alternate ssuuddoo lecture that
will be used in place of the standard lecture if the named
@@ -1176,14 +1180,10 @@ SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4)
environment variable you may want to use this. Another use
is if you want to have the "root path" be separate from the
"user path." Users in the group specified by the
_e_x_e_m_p_t___g_r_o_u_p option are not affected by _s_e_c_u_r_e___p_a_t_h. This
option is not set by default.
syslog Syslog facility if syslog is being used for logging (negate
1.7.3b2 December 19, 2009 18
1.8.0a1 April 7, 2010 18
@@ -1192,7 +1192,11 @@ SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4)
SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4)
to disable syslog logging). Defaults to local2.
_e_x_e_m_p_t___g_r_o_u_p option are not affected by _s_e_c_u_r_e___p_a_t_h. This
option is not set by default.
syslog Syslog facility if syslog is being used for logging (negate
to disable syslog logging). Defaults to authpriv.
verifypw This option controls when a password will be required when
a user runs ssuuddoo with the --vv option. It has the following
@@ -1242,14 +1246,10 @@ SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4)
default list of environment variables to remove is
displayed when ssuuddoo is run by root with the _-_V option.
Note that many operating systems will remove
potentially dangerous variables from the environment of
any setuid process (such as ssuuddoo).
env_keep Environment variables to be preserved in the user's
1.7.3b2 December 19, 2009 19
1.8.0a1 April 7, 2010 19
@@ -1258,6 +1258,10 @@ SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4)
SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4)
potentially dangerous variables from the environment of
any setuid process (such as ssuuddoo).
env_keep Environment variables to be preserved in the user's
environment when the _e_n_v___r_e_s_e_t option is in effect.
This allows fine-grained control over the environment
ssuuddoo-spawned processes will receive. The argument may
@@ -1308,14 +1312,10 @@ EEXXAAMMPPLLEESS
Host_Alias SERVERS = master, mail, www, ns
Host_Alias CDROM = orion, perseus, hercules
# Cmnd alias specification
Cmnd_Alias DUMPS = /usr/bin/mt, /usr/sbin/dump, /usr/sbin/rdump,\
/usr/sbin/restore, /usr/sbin/rrestore
Cmnd_Alias KILL = /usr/bin/kill
1.7.3b2 December 19, 2009 20
1.8.0a1 April 7, 2010 20
@@ -1324,6 +1324,10 @@ EEXXAAMMPPLLEESS
SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4)
# Cmnd alias specification
Cmnd_Alias DUMPS = /usr/bin/mt, /usr/sbin/dump, /usr/sbin/rdump,\
/usr/sbin/restore, /usr/sbin/rrestore
Cmnd_Alias KILL = /usr/bin/kill
Cmnd_Alias PRINTING = /usr/sbin/lpc, /usr/bin/lprm
Cmnd_Alias SHUTDOWN = /usr/sbin/shutdown
Cmnd_Alias HALT = /usr/sbin/halt
@@ -1375,13 +1379,9 @@ SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4)
jack CSNETS = ALL
The user jjaacckk may run any command on the machines in the _C_S_N_E_T_S alias
(the networks 128.138.243.0, 128.138.204.0, and 128.138.242.0). Of
those networks, only 128.138.204.0 has an explicit netmask (in CIDR
1.7.3b2 December 19, 2009 21
1.8.0a1 April 7, 2010 21
@@ -1390,6 +1390,9 @@ SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4)
SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4)
The user jjaacckk may run any command on the machines in the _C_S_N_E_T_S alias
(the networks 128.138.243.0, 128.138.204.0, and 128.138.242.0). Of
those networks, only 128.138.204.0 has an explicit netmask (in CIDR
notation) indicating it is a class C network. For the other networks
in _C_S_N_E_T_S, the local machine's netmask will be used during matching.
@@ -1442,12 +1445,9 @@ SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4)
The user ffrreedd can run commands as any user in the _D_B Runas_Alias
(oorraaccllee or ssyybbaassee) without giving a password.
john ALPHA = /usr/bin/su [!-]*, !/usr/bin/su *root*
1.7.3b2 December 19, 2009 22
1.8.0a1 April 7, 2010 22
@@ -1456,6 +1456,8 @@ SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4)
SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4)
john ALPHA = /usr/bin/su [!-]*, !/usr/bin/su *root*
On the _A_L_P_H_A machines, user jjoohhnn may su to anyone except root but he is
not allowed to specify any options to the _s_u(1) command.
@@ -1508,12 +1510,10 @@ SSEECCUURRIITTYY NNOOTTEESS
kind of restrictions should be considered advisory at best (and
reinforced by policy).
PPRREEVVEENNTTIINNGG SSHHEELLLL EESSCCAAPPEESS
Once ssuuddoo executes a program, that program is free to do whatever it
1.7.3b2 December 19, 2009 23
1.8.0a1 April 7, 2010 23
@@ -1522,6 +1522,23 @@ PPRREEVVEENNTTIINNGG SSHHEELLLL EESSCCAAPPEESS
SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4)
Furthermore, if the _f_a_s_t___g_l_o_b option is in use, it is not possible to
reliably negate commands where the path name includes globbing (aka
wildcard) characters. This is because the C library's _f_n_m_a_t_c_h(3)
function cannot resolve relative paths. While this is typically only
an inconvenience for rules that grant privileges, it can result in a
security issue for rules that subtract or revoke privileges.
For example, given the following _s_u_d_o_e_r_s entry:
john ALL = /usr/bin/passwd [a-zA-Z0-9]*, /usr/bin/chsh [a-zA-Z0-9]*,
/usr/bin/chfn [a-zA-Z0-9]*, !/usr/bin/* root
User jjoohhnn can still run /usr/bin/passwd root if _f_a_s_t___g_l_o_b is enabled by
changing to _/_u_s_r_/_b_i_n and running ./passwd root instead.
PPRREEVVEENNTTIINNGG SSHHEELLLL EESSCCAAPPEESS
Once ssuuddoo executes a program, that program is free to do whatever it
pleases, including run other programs. This can be a security issue
since it is not uncommon for a program to allow shell escapes, which
lets a user bypass ssuuddoo's access control and logging. Common programs
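Review bot: the sentence "This is because the C library's fnmatch(3) function cannot resolve relative paths" reads as though fnmatch(3) tries and fails to resolve a path; per the option text earlier in this diff it does not access the file system at all, so the pattern /usr/bin/* is just compared against the command string as typed and "./passwd" never matches it. Suggest rewording along those lines in the POD source and regenerating this page, e.g. "This is because fnmatch(3) matches the pattern against the command name as typed and does not access the file system, so ./passwd is not matched by /usr/bin/*".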
@@ -1559,6 +1576,18 @@ SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4)
then ssuuddoo may be able to replace the exec family of functions
in the standard library with its own that simply return an
error. Unfortunately, there is no foolproof way to know
1.8.0a1 April 7, 2010 24
SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4)
whether or not _n_o_e_x_e_c will work at compile-time. _n_o_e_x_e_c
should work on SunOS, Solaris, *BSD, Linux, IRIX, Tru64 UNIX,
MacOS X, and HP-UX 11.x. It is known nnoott to work on AIX and
@@ -1576,18 +1605,6 @@ SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4)
This allows user aaaarroonn to run _/_u_s_r_/_b_i_n_/_m_o_r_e and _/_u_s_r_/_b_i_n_/_v_i
with _n_o_e_x_e_c enabled. This will prevent those two commands
1.7.3b2 December 19, 2009 24
SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4)
from executing other commands (such as a shell). If you are
unsure whether or not your system is capable of supporting
_n_o_e_x_e_c you can always just try it out and see if it works.
@@ -1625,6 +1642,18 @@ DDIISSCCLLAAIIMMEERR
ssuuddoo is provided ``AS IS'' and any express or implied warranties,
including, but not limited to, the implied warranties of
merchantability and fitness for a particular purpose are disclaimed.
1.8.0a1 April 7, 2010 25
SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4)
See the LICENSE file distributed with ssuuddoo or
http://www.sudo.ws/sudo/license.html for complete details.
@@ -1645,6 +1674,43 @@ DDIISSCCLLAAIIMMEERR
1.7.3b2 December 19, 2009 25
1.8.0a1 April 7, 2010 26


@@ -1,4 +1,4 @@
.\" Copyright (c) 1994-1996, 1998-2005, 2007-2009
.\" Copyright (c) 1994-1996, 1998-2005, 2007-2010
.\" Todd C. Miller <Todd.Miller@courtesan.com>
.\"
.\" Permission to use, copy, modify, and distribute this software for any
@@ -144,7 +144,7 @@
.\" ========================================================================
.\"
.IX Title "SUDOERS @mansectform@"
.TH SUDOERS @mansectform@ "December 19, 2009" "1.7.3b2" "MAINTENANCE COMMANDS"
.TH SUDOERS @mansectform@ "April 7, 2010" "1.8.0a1" "MAINTENANCE COMMANDS"
.\" For nroff, turn off justification. Always turn off hyphenation; it makes
.\" way too many mistakes in technical documents.
.if n .ad l
@@ -755,7 +755,12 @@ system that is mounted on demand (automounted). The \fIfast_glob\fR
option causes \fBsudo\fR to use the \fIfnmatch\fR\|(3) function, which does
not access the file system to do its matching. The disadvantage
of \fIfast_glob\fR is that it is unable to match relative path names
such as \fI./ls\fR or \fI../bin/ls\fR. This flag is \fIoff\fR by default.
such as \fI./ls\fR or \fI../bin/ls\fR. This has security implications
when path names that include globbing characters are used with the
negation operator, \f(CW\*(Aq!\*(Aq\fR, as such rules can be trivially bypassed.
As such, this option should not be used when \fIsudoers\fR contains rules
that contain negated path names which include globbing characters.
This flag is \fIoff\fR by default.
.IP "fqdn" 16
.IX Item "fqdn"
Set this flag if you want to put fully qualified host names in the
@@ -1568,6 +1573,24 @@ Doesn't really prevent \fBbill\fR from running the commands listed in
different name, or use a shell escape from an editor or other
program. Therefore, these kind of restrictions should be considered
advisory at best (and reinforced by policy).
.PP
Furthermore, if the \fIfast_glob\fR option is in use, it is not possible
to reliably negate commands where the path name includes globbing
(aka wildcard) characters. This is because the C library's
\&\fIfnmatch\fR\|(3) function cannot resolve relative paths. While this
is typically only an inconvenience for rules that grant privileges,
it can result in a security issue for rules that subtract or revoke
privileges.
.PP
For example, given the following \fIsudoers\fR entry:
.PP
.Vb 2
\& john ALL = /usr/bin/passwd [a\-zA\-Z0\-9]*, /usr/bin/chsh [a\-zA\-Z0\-9]*,
\& /usr/bin/chfn [a\-zA\-Z0\-9]*, !/usr/bin/* root
.Ve
.PP
User \fBjohn\fR can still run \f(CW\*(C`/usr/bin/passwd root\*(C'\fR if \fIfast_glob\fR is
enabled by changing to \fI/usr/bin\fR and running \f(CW\*(C`./passwd root\*(C'\fR instead.
.SH "PREVENTING SHELL ESCAPES"
.IX Header "PREVENTING SHELL ESCAPES"
Once \fBsudo\fR executes a program, that program is free to do whatever


@@ -1,4 +1,4 @@
Copyright (c) 1994-1996, 1998-2005, 2007-2009
Copyright (c) 1994-1996, 1998-2005, 2007-2010
Todd C. Miller <Todd.Miller@courtesan.com>
Permission to use, copy, modify, and distribute this software for any
@@ -628,7 +628,12 @@ system that is mounted on demand (automounted). The I<fast_glob>
option causes B<sudo> to use the L<fnmatch(3)> function, which does
not access the file system to do its matching. The disadvantage
of I<fast_glob> is that it is unable to match relative path names
such as F<./ls> or F<../bin/ls>. This flag is I<off> by default.
such as F<./ls> or F<../bin/ls>. This has security implications
when path names that include globbing characters are used with the
negation operator, C<'!'>, as such rules can be trivially bypassed.
As such, this option should not be used when I<sudoers> contains rules
that contain negated path names which include globbing characters.
This flag is I<off> by default.
=item fqdn
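Review bot: the added sentences repeat themselves ("as such rules can be trivially bypassed. As such, this option should not be used", "contains rules that contain negated path names") and the reader is told the rules can be bypassed without being pointed at the worked example this same commit adds under SECURITY NOTES. Suggest tightening to something like "Such rules can be trivially bypassed, so I<fast_glob> should not be enabled when I<sudoers> contains negated path names that include globbing characters; see SECURITY NOTES below for an example." The formatted and troff copies earlier in this commit are generated from this text, so the fix belongs here followed by a regeneration.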
@@ -1508,6 +1513,22 @@ different name, or use a shell escape from an editor or other
program. Therefore, these kind of restrictions should be considered
advisory at best (and reinforced by policy).
Furthermore, if the I<fast_glob> option is in use, it is not possible
to reliably negate commands where the path name includes globbing
(aka wildcard) characters. This is because the C library's
L<fnmatch(3)> function cannot resolve relative paths. While this
is typically only an inconvenience for rules that grant privileges,
it can result in a security issue for rules that subtract or revoke
privileges.
For example, given the following I<sudoers> entry:
john ALL = /usr/bin/passwd [a-zA-Z0-9]*, /usr/bin/chsh [a-zA-Z0-9]*,
/usr/bin/chfn [a-zA-Z0-9]*, !/usr/bin/* root
User B<john> can still run C</usr/bin/passwd root> if I<fast_glob> is
enabled by changing to F</usr/bin> and running C<./passwd root> instead.
=head1 PREVENTING SHELL ESCAPES
Once B<sudo> executes a program, that program is free to do whatever
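Review bot: the example would land better if it said explicitly why C<./passwd root> still satisfies the allow rule C</usr/bin/passwd [a-zA-Z0-9]*> yet escapes the negated C</usr/bin/* root>; as written the reader has to infer from the I<fast_glob> option text that only the wildcard path goes through L<fnmatch(3)> and so fails against the relative name, while the plain path in the allow rule still matches. One sentence after "running ./passwd root instead" would close that gap, and it is also worth spelling out that the argument patterns C<[a-zA-Z0-9]*> play no part in the bypass, since the hole is entirely in the negated path.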