isa/sudo
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Mention that no double quotes are needed when adding/deleting/assigning

Browse Source 
a single value to a list.
This commit is contained in:
Todd C. Miller
2001-12-30 19:26:22 +00:00
parent e69a33b472
commit 412819b40a
3 changed files with 87 additions and 81 deletions
Download Patch File Download Diff File Expand all files Collapse all files

110
sudoers.cat
View File

@@ -61,7 +61,7 @@ DDDDEEEESSSSCCCCRRRRIIIIPPPPTTTTIIIIOOOONNNN
December 17, 2001 1.6.4 1
December 30, 2001 1.6.4 1
@@ -127,7 +127,7 @@ sudoers(4) MAINTENANCE COMMANDS sudoers(4)
December 17, 2001 1.6.4 2
December 30, 2001 1.6.4 2
@@ -193,7 +193,7 @@ sudoers(4) MAINTENANCE COMMANDS sudoers(4)
December 17, 2001 1.6.4 3
December 30, 2001 1.6.4 3
@@ -259,7 +259,7 @@ sudoers(4) MAINTENANCE COMMANDS sudoers(4)
December 17, 2001 1.6.4 4
December 30, 2001 1.6.4 4
@@ -325,7 +325,7 @@ sudoers(4) MAINTENANCE COMMANDS sudoers(4)
December 17, 2001 1.6.4 5
December 30, 2001 1.6.4 5
@@ -391,7 +391,7 @@ sudoers(4) MAINTENANCE COMMANDS sudoers(4)
December 17, 2001 1.6.4 6
December 30, 2001 1.6.4 6
@@ -457,7 +457,7 @@ sudoers(4) MAINTENANCE COMMANDS sudoers(4)
December 17, 2001 1.6.4 7
December 30, 2001 1.6.4 7
@@ -523,7 +523,7 @@ sudoers(4) MAINTENANCE COMMANDS sudoers(4)
December 17, 2001 1.6.4 8
December 30, 2001 1.6.4 8
@@ -589,7 +589,7 @@ sudoers(4) MAINTENANCE COMMANDS sudoers(4)
December 17, 2001 1.6.4 9
December 30, 2001 1.6.4 9
@@ -655,7 +655,7 @@ sudoers(4) MAINTENANCE COMMANDS sudoers(4)
December 17, 2001 1.6.4 10
December 30, 2001 1.6.4 10
@@ -692,36 +692,36 @@ sudoers(4) MAINTENANCE COMMANDS sudoers(4)
LLLLiiiissssttttssss tttthhhhaaaatttt ccccaaaannnn bbbbeeee uuuusssseeeedddd iiiinnnn aaaa bbbboooooooolllleeeeaaaannnn ccccoooonnnntttteeeexxxxtttt:
env_check A double-quoted, space-separated list of envi<76>
ronment variables to be removed from the
env_check Environment variables to be removed from the
user's environment if the variable's value
contains % or / characters. This can be used
to guard against printf-style format vulnera<72>
bilties in poorly-written programs. The list
can be replaced, added to, deleted from, or
disabled by using the =, +=, -=, and ! opera<72>
tors respectively. The default list of envi<76>
ronment variable to check is printed when ssssuuuuddddoooo
is run by root with the _-_V option.
bilties in poorly-written programs. The argu<EFBFBD>
ment may be a double-quoted, space-separated
list or a single value without double-quotes.
The list can be replaced, added to, deleted
from, or disabled by using the =, +=, -=, and
! operators respectively. The default list of
environment variable to check is printed when
ssssuuuuddddoooo is run by root with the _-_V option.
env_delete A double-quoted, space-separated list of envi<76>
ronment variables to be removed from the
user's environment. The list can be replaced,
added to, deleted from, or disabled by using
the =, +=, -=, and ! operators respectively.
The default list of environment variable to
remove is printed when ssssuuuuddddoooo is run by root
with the _-_V option.
env_delete Environment variables to be removed from the
user's environment. The argument may be a
double-quoted, space-separated list or a sin<69>
gle value without double-quotes. The list can
be replaced, added to, deleted from, or dis<69>
abled by using the =, +=, -=, and ! operators
respectively. The default list of environment
variable to remove is printed when ssssuuuuddddoooo is run
by root with the _-_V option.
env_keep A double-quoted, space-separated list of envi<76>
ronment variables to be preserved in the
env_keep Environment variables to be preserved in the
user's environment when the _e_n_v___r_e_s_e_t option
is in effect. This allows fine-grained con<6F>
trol over the environment ssssuuuuddddoooo-spawned
is in effect. This allows fine-grained
December 17, 2001 1.6.4 11
December 30, 2001 1.6.4 11
@@ -730,10 +730,14 @@ December 17, 2001 1.6.4 11
sudoers(4) MAINTENANCE COMMANDS sudoers(4)
processes will get. The list can be replaced,
added to, deleted from, or disabled by using
the =, +=, -=, and ! operators respectively.
This list has no default members.
control over the environment ssssuuuuddddoooo-spawned pro<72>
cesses will receive. The argument may be a
double-quoted, space-separated list or a sin<69>
gle value without double-quotes. The list can
be replaced, added to, deleted from, or dis<69>
abled by using the =, +=, -=, and ! operators
respectively. This list has no default mem<65>
bers.
When logging via _s_y_s_l_o_g(3), ssssuuuuddddoooo accepts the following
values for the syslog facility (the value of the ssssyyyysssslllloooogggg
@@ -781,13 +785,9 @@ sudoers(4) MAINTENANCE COMMANDS sudoers(4)
It is also possible to override a Runas_Spec later on in
an entry. If we modify the entry like so:
dgb boulder = (operator) /bin/ls, (root) /bin/kill, /usr/bin/lprm
Then user ddddggggbbbb is now allowed to run _/_b_i_n_/_l_s as ooooppppeeeerrrraaaattttoooorrrr,
December 17, 2001 1.6.4 12
December 30, 2001 1.6.4 12
@@ -796,6 +796,9 @@ December 17, 2001 1.6.4 12
sudoers(4) MAINTENANCE COMMANDS sudoers(4)
dgb boulder = (operator) /bin/ls, (root) /bin/kill, /usr/bin/lprm
Then user ddddggggbbbb is now allowed to run _/_b_i_n_/_l_s as ooooppppeeeerrrraaaattttoooorrrr,
but _/_b_i_n_/_k_i_l_l and _/_u_s_r_/_b_i_n_/_l_p_r_m as rrrrooooooootttt.
NNNNOOOOPPPPAAAASSSSSSSSWWWWDDDD aaaannnndddd PPPPAAAASSSSSSSSWWWWDDDD
@@ -847,13 +850,10 @@ sudoers(4) MAINTENANCE COMMANDS sudoers(4)
used to escape special characters such as: "*",
"?", "[", and "}".
Note that a forward slash ('/') will nnnnooootttt be matched by
wildcards used in the pathname. When matching the command
line arguments, however, as slash ddddooooeeeessss get matched by
December 17, 2001 1.6.4 13
December 30, 2001 1.6.4 13
@@ -862,6 +862,9 @@ December 17, 2001 1.6.4 13
sudoers(4) MAINTENANCE COMMANDS sudoers(4)
Note that a forward slash ('/') will nnnnooootttt be matched by
wildcards used in the pathname. When matching the command
line arguments, however, as slash ddddooooeeeessss get matched by
wildcards. This is to make a path like:
/usr/bin/*
@@ -913,13 +916,10 @@ sudoers(4) MAINTENANCE COMMANDS sudoers(4)
EEEEXXXXAAAAMMMMPPPPLLLLEEEESSSS
Below are example _s_u_d_o_e_r_s entries. Admittedly, some of
these are a bit contrived. First, we define our _a_l_i_a_s_e_s:
December 17, 2001 1.6.4 14
December 30, 2001 1.6.4 14
@@ -928,6 +928,8 @@ December 17, 2001 1.6.4 14
sudoers(4) MAINTENANCE COMMANDS sudoers(4)
these are a bit contrived. First, we define our _a_l_i_a_s_e_s:
# User alias specification
User_Alias FULLTIMERS = millert, mikef, dowdy
User_Alias PARTTIMERS = bostley, jwfox, crawl
@@ -981,11 +983,9 @@ sudoers(4) MAINTENANCE COMMANDS sudoers(4)
root ALL = (ALL) ALL
%wheel ALL = (ALL) ALL
We let rrrrooooooootttt and any user in group wwwwhhhheeeeeeeellll run any command on
December 17, 2001 1.6.4 15
December 30, 2001 1.6.4 15
@@ -994,6 +994,7 @@ December 17, 2001 1.6.4 15
sudoers(4) MAINTENANCE COMMANDS sudoers(4)
We let rrrrooooooootttt and any user in group wwwwhhhheeeeeeeellll run any command on
any host as any user.
FULLTIMERS ALL = NOPASSWD: ALL
@@ -1050,8 +1051,7 @@ sudoers(4) MAINTENANCE COMMANDS sudoers(4)
December 17, 2001 1.6.4 16
December 30, 2001 1.6.4 16
@@ -1117,7 +1117,7 @@ sudoers(4) MAINTENANCE COMMANDS sudoers(4)
December 17, 2001 1.6.4 17
December 30, 2001 1.6.4 17
@@ -1183,6 +1183,6 @@ SSSSEEEEEEEE AAAALLLLSSSSOOOO
December 17, 2001 1.6.4 18
December 30, 2001 1.6.4 18

31
sudoers.man.in
View File

@@ -1,5 +1,5 @@
.\" Automatically generated by Pod::Man version 1.15
.\" Mon Dec 17 16:34:22 2001
.\" Sun Dec 30 12:24:30 2001
.\"
.\" Standard preamble:
.\" ======================================================================
@@ -138,7 +138,7 @@
.\" ======================================================================
.\"
.IX Title "sudoers @mansectform@"
.TH sudoers @mansectform@ "1.6.4" "December 17, 2001" "MAINTENANCE COMMANDS"
.TH sudoers @mansectform@ "1.6.4" "December 30, 2001" "MAINTENANCE COMMANDS"
.UC
.SH "NAME"
sudoers \- list of which users may execute what
@@ -678,28 +678,31 @@ The default value is `any'.
\&\fBLists that can be used in a boolean context\fR:
.Ip "env_check" 12
.IX Item "env_check"
A double-quoted, space-separated list of environment variables to
be removed from the user's environment if the variable's value
contains \f(CW\*(C`%\*(C'\fR or \f(CW\*(C`/\*(C'\fR characters. This can be used to guard against
printf-style format vulnerabilties in poorly-written programs. The
Environment variables to be removed from the user's environment if
the variable's value contains \f(CW\*(C`%\*(C'\fR or \f(CW\*(C`/\*(C'\fR characters. This can
be used to guard against printf-style format vulnerabilties in
poorly-written programs. The argument may be a double-quoted,
space-separated list or a single value without double-quotes. The
list can be replaced, added to, deleted from, or disabled by using
the \f(CW\*(C`=\*(C'\fR, \f(CW\*(C`+=\*(C'\fR, \f(CW\*(C`\-=\*(C'\fR, and \f(CW\*(C`!\*(C'\fR operators respectively. The default
list of environment variable to check is printed when \fBsudo\fR is
run by root with the \fI\-V\fR option.
.Ip "env_delete" 12
.IX Item "env_delete"
A double-quoted, space-separated list of environment variables to
be removed from the user's environment. The list can be replaced,
added to, deleted from, or disabled by using the \f(CW\*(C`=\*(C'\fR, \f(CW\*(C`+=\*(C'\fR, \f(CW\*(C`\-=\*(C'\fR,
and \f(CW\*(C`!\*(C'\fR operators respectively. The default list of environment
Environment variables to be removed from the user's environment.
The argument may be a double-quoted, space-separated list or a
single value without double-quotes. The list can be replaced, added
to, deleted from, or disabled by using the \f(CW\*(C`=\*(C'\fR, \f(CW\*(C`+=\*(C'\fR, \f(CW\*(C`\-=\*(C'\fR, and
\&\f(CW\*(C`!\*(C'\fR operators respectively. The default list of environment
variable to remove is printed when \fBsudo\fR is run by root with the
\&\fI\-V\fR option.
.Ip "env_keep" 12
.IX Item "env_keep"
A double-quoted, space-separated list of environment variables to
be preserved in the user's environment when the \fIenv_reset\fR option
is in effect. This allows fine-grained control over the environment
\&\fBsudo\fR\-spawned processes will get. The list can be replaced, added
Environment variables to be preserved in the user's environment
when the \fIenv_reset\fR option is in effect. This allows fine-grained
control over the environment \fBsudo\fR\-spawned processes will receive.
The argument may be a double-quoted, space-separated list or a
single value without double-quotes. The list can be replaced, added
to, deleted from, or disabled by using the \f(CW\*(C`=\*(C'\fR, \f(CW\*(C`+=\*(C'\fR, \f(CW\*(C`\-=\*(C'\fR, and
\&\f(CW\*(C`!\*(C'\fR operators respectively. This list has no default members.
.PP

27
sudoers.pod
View File

@@ -645,10 +645,11 @@ B<Lists that can be used in a boolean context>:
=item env_check
A double-quoted, space-separated list of environment variables to
be removed from the user's environment if the variable's value
contains C<%> or C</> characters. This can be used to guard against
printf-style format vulnerabilties in poorly-written programs. The
Environment variables to be removed from the user's environment if
the variable's value contains C<%> or C</> characters. This can
be used to guard against printf-style format vulnerabilties in
poorly-written programs. The argument may be a double-quoted,
space-separated list or a single value without double-quotes. The
list can be replaced, added to, deleted from, or disabled by using
the C<=>, C<+=>, C<-=>, and C<!> operators respectively. The default
list of environment variable to check is printed when B<sudo> is
@@ -656,19 +657,21 @@ run by root with the I<-V> option.
=item env_delete
A double-quoted, space-separated list of environment variables to
be removed from the user's environment. The list can be replaced,
added to, deleted from, or disabled by using the C<=>, C<+=>, C<-=>,
and C<!> operators respectively. The default list of environment
Environment variables to be removed from the user's environment.
The argument may be a double-quoted, space-separated list or a
single value without double-quotes. The list can be replaced, added
to, deleted from, or disabled by using the C<=>, C<+=>, C<-=>, and
C<!> operators respectively. The default list of environment
variable to remove is printed when B<sudo> is run by root with the
I<-V> option.
=item env_keep
A double-quoted, space-separated list of environment variables to
be preserved in the user's environment when the I<env_reset> option
is in effect. This allows fine-grained control over the environment
B<sudo>-spawned processes will get. The list can be replaced, added
Environment variables to be preserved in the user's environment
when the I<env_reset> option is in effect. This allows fine-grained
control over the environment B<sudo>-spawned processes will receive.
The argument may be a double-quoted, space-separated list or a
single value without double-quotes. The list can be replaced, added
to, deleted from, or disabled by using the C<=>, C<+=>, C<-=>, and
C<!> operators respectively. This list has no default members.