Mention that no double quotes are needed when adding/deleting/assigning a single value to a list.
Todd C. Miller
2001-12-30 19:26:22 +00:00
parent e69a33b472
commit 412819b40a
3 changed files with 87 additions and 81 deletions


@@ -61,7 +61,7 @@ DDDDEEEESSSSCCCCRRRRIIIIPPPPTTTTIIIIOOOONNNN
December 17, 2001 1.6.4 1 December 30, 2001 1.6.4 1
@@ -127,7 +127,7 @@ sudoers(4) MAINTENANCE COMMANDS sudoers(4)
December 17, 2001 1.6.4 2 December 30, 2001 1.6.4 2
@@ -193,7 +193,7 @@ sudoers(4) MAINTENANCE COMMANDS sudoers(4)
December 17, 2001 1.6.4 3 December 30, 2001 1.6.4 3
@@ -259,7 +259,7 @@ sudoers(4) MAINTENANCE COMMANDS sudoers(4)
December 17, 2001 1.6.4 4 December 30, 2001 1.6.4 4
@@ -325,7 +325,7 @@ sudoers(4) MAINTENANCE COMMANDS sudoers(4)
December 17, 2001 1.6.4 5 December 30, 2001 1.6.4 5
@@ -391,7 +391,7 @@ sudoers(4) MAINTENANCE COMMANDS sudoers(4)
December 17, 2001 1.6.4 6 December 30, 2001 1.6.4 6
@@ -457,7 +457,7 @@ sudoers(4) MAINTENANCE COMMANDS sudoers(4)
December 17, 2001 1.6.4 7 December 30, 2001 1.6.4 7
@@ -523,7 +523,7 @@ sudoers(4) MAINTENANCE COMMANDS sudoers(4)
December 17, 2001 1.6.4 8 December 30, 2001 1.6.4 8
@@ -589,7 +589,7 @@ sudoers(4) MAINTENANCE COMMANDS sudoers(4)
December 17, 2001 1.6.4 9 December 30, 2001 1.6.4 9
@@ -655,7 +655,7 @@ sudoers(4) MAINTENANCE COMMANDS sudoers(4)
December 17, 2001 1.6.4 10 December 30, 2001 1.6.4 10
@@ -692,36 +692,36 @@ sudoers(4) MAINTENANCE COMMANDS sudoers(4)
LLLLiiiissssttttssss tttthhhhaaaatttt ccccaaaannnn bbbbeeee uuuusssseeeedddd iiiinnnn aaaa bbbboooooooolllleeeeaaaannnn ccccoooonnnntttteeeexxxxtttt: LLLLiiiissssttttssss tttthhhhaaaatttt ccccaaaannnn bbbbeeee uuuusssseeeedddd iiiinnnn aaaa bbbboooooooolllleeeeaaaannnn ccccoooonnnntttteeeexxxxtttt:
env_check A double-quoted, space-separated list of envi<76> env_check Environment variables to be removed from the
ronment variables to be removed from the
user's environment if the variable's value user's environment if the variable's value
contains % or / characters. This can be used contains % or / characters. This can be used
to guard against printf-style format vulnera<72> to guard against printf-style format vulnera<72>
bilties in poorly-written programs. The list bilties in poorly-written programs. The argu<EFBFBD>
can be replaced, added to, deleted from, or ment may be a double-quoted, space-separated
disabled by using the =, +=, -=, and ! opera<72> list or a single value without double-quotes.
tors respectively. The default list of envi<76> The list can be replaced, added to, deleted
ronment variable to check is printed when ssssuuuuddddoooo from, or disabled by using the =, +=, -=, and
is run by root with the _-_V option. ! operators respectively. The default list of
environment variable to check is printed when
ssssuuuuddddoooo is run by root with the _-_V option.
env_delete A double-quoted, space-separated list of envi<76> env_delete Environment variables to be removed from the
ronment variables to be removed from the user's environment. The argument may be a
user's environment. The list can be replaced, double-quoted, space-separated list or a sin<69>
added to, deleted from, or disabled by using gle value without double-quotes. The list can
the =, +=, -=, and ! operators respectively. be replaced, added to, deleted from, or dis<69>
The default list of environment variable to abled by using the =, +=, -=, and ! operators
remove is printed when ssssuuuuddddoooo is run by root respectively. The default list of environment
with the _-_V option. variable to remove is printed when ssssuuuuddddoooo is run
by root with the _-_V option.
env_keep A double-quoted, space-separated list of envi<76> env_keep Environment variables to be preserved in the
ronment variables to be preserved in the
user's environment when the _e_n_v___r_e_s_e_t option user's environment when the _e_n_v___r_e_s_e_t option
is in effect. This allows fine-grained con<6F> is in effect. This allows fine-grained
trol over the environment ssssuuuuddddoooo-spawned
December 17, 2001 1.6.4 11 December 30, 2001 1.6.4 11
@@ -730,10 +730,14 @@ December 17, 2001 1.6.4 11
sudoers(4) MAINTENANCE COMMANDS sudoers(4) sudoers(4) MAINTENANCE COMMANDS sudoers(4)
processes will get. The list can be replaced, control over the environment ssssuuuuddddoooo-spawned pro<72>
added to, deleted from, or disabled by using cesses will receive. The argument may be a
the =, +=, -=, and ! operators respectively. double-quoted, space-separated list or a sin<69>
This list has no default members. gle value without double-quotes. The list can
be replaced, added to, deleted from, or dis<69>
abled by using the =, +=, -=, and ! operators
respectively. This list has no default mem<65>
bers.
When logging via _s_y_s_l_o_g(3), ssssuuuuddddoooo accepts the following When logging via _s_y_s_l_o_g(3), ssssuuuuddddoooo accepts the following
values for the syslog facility (the value of the ssssyyyysssslllloooogggg values for the syslog facility (the value of the ssssyyyysssslllloooogggg
@@ -781,13 +785,9 @@ sudoers(4) MAINTENANCE COMMANDS sudoers(4)
It is also possible to override a Runas_Spec later on in It is also possible to override a Runas_Spec later on in
an entry. If we modify the entry like so: an entry. If we modify the entry like so:
dgb boulder = (operator) /bin/ls, (root) /bin/kill, /usr/bin/lprm
Then user ddddggggbbbb is now allowed to run _/_b_i_n_/_l_s as ooooppppeeeerrrraaaattttoooorrrr,
December 30, 2001 1.6.4 12
December 17, 2001 1.6.4 12
@@ -796,6 +796,9 @@ December 17, 2001 1.6.4 12
sudoers(4) MAINTENANCE COMMANDS sudoers(4) sudoers(4) MAINTENANCE COMMANDS sudoers(4)
dgb boulder = (operator) /bin/ls, (root) /bin/kill, /usr/bin/lprm
Then user ddddggggbbbb is now allowed to run _/_b_i_n_/_l_s as ooooppppeeeerrrraaaattttoooorrrr,
but _/_b_i_n_/_k_i_l_l and _/_u_s_r_/_b_i_n_/_l_p_r_m as rrrrooooooootttt. but _/_b_i_n_/_k_i_l_l and _/_u_s_r_/_b_i_n_/_l_p_r_m as rrrrooooooootttt.
NNNNOOOOPPPPAAAASSSSSSSSWWWWDDDD aaaannnndddd PPPPAAAASSSSSSSSWWWWDDDD NNNNOOOOPPPPAAAASSSSSSSSWWWWDDDD aaaannnndddd PPPPAAAASSSSSSSSWWWWDDDD
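Review bot: nothing in this hunk is a textual change; the `dgb boulder = (operator) /bin/ls, (root) /bin/kill, /usr/bin/lprm` example and the sentence after it only move from the bottom of page 12 to the top of page 13, because the env_* entries earlier in the file grew by a few lines. The hunks at 847/862, 913/928 and 981/994 are the same kind of page-break shift, and most of the others only change the footer date from December 17, 2001 to December 30, 2001. Consider regenerating this formatted page in its own commit, or saying in the commit message that it is regenerated output, so the actual wording change in the 692 and 730 hunks is easy to find.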
@@ -847,13 +850,10 @@ sudoers(4) MAINTENANCE COMMANDS sudoers(4)
used to escape special characters such as: "*", used to escape special characters such as: "*",
"?", "[", and "}". "?", "[", and "}".
Note that a forward slash ('/') will nnnnooootttt be matched by
wildcards used in the pathname. When matching the command
line arguments, however, as slash ddddooooeeeessss get matched by
December 17, 2001 1.6.4 13 December 30, 2001 1.6.4 13
@@ -862,6 +862,9 @@ December 17, 2001 1.6.4 13
sudoers(4) MAINTENANCE COMMANDS sudoers(4) sudoers(4) MAINTENANCE COMMANDS sudoers(4)
Note that a forward slash ('/') will nnnnooootttt be matched by
wildcards used in the pathname. When matching the command
line arguments, however, as slash ddddooooeeeessss get matched by
wildcards. This is to make a path like: wildcards. This is to make a path like:
/usr/bin/* /usr/bin/*
@@ -913,13 +916,10 @@ sudoers(4) MAINTENANCE COMMANDS sudoers(4)
EEEEXXXXAAAAMMMMPPPPLLLLEEEESSSS EEEEXXXXAAAAMMMMPPPPLLLLEEEESSSS
Below are example _s_u_d_o_e_r_s entries. Admittedly, some of Below are example _s_u_d_o_e_r_s entries. Admittedly, some of
these are a bit contrived. First, we define our _a_l_i_a_s_e_s:
December 30, 2001 1.6.4 14
December 17, 2001 1.6.4 14
@@ -928,6 +928,8 @@ December 17, 2001 1.6.4 14
sudoers(4) MAINTENANCE COMMANDS sudoers(4) sudoers(4) MAINTENANCE COMMANDS sudoers(4)
these are a bit contrived. First, we define our _a_l_i_a_s_e_s:
# User alias specification # User alias specification
User_Alias FULLTIMERS = millert, mikef, dowdy User_Alias FULLTIMERS = millert, mikef, dowdy
User_Alias PARTTIMERS = bostley, jwfox, crawl User_Alias PARTTIMERS = bostley, jwfox, crawl
@@ -981,11 +983,9 @@ sudoers(4) MAINTENANCE COMMANDS sudoers(4)
root ALL = (ALL) ALL root ALL = (ALL) ALL
%wheel ALL = (ALL) ALL %wheel ALL = (ALL) ALL
We let rrrrooooooootttt and any user in group wwwwhhhheeeeeeeellll run any command on
December 30, 2001 1.6.4 15
December 17, 2001 1.6.4 15
@@ -994,6 +994,7 @@ December 17, 2001 1.6.4 15
sudoers(4) MAINTENANCE COMMANDS sudoers(4) sudoers(4) MAINTENANCE COMMANDS sudoers(4)
We let rrrrooooooootttt and any user in group wwwwhhhheeeeeeeellll run any command on
any host as any user. any host as any user.
FULLTIMERS ALL = NOPASSWD: ALL FULLTIMERS ALL = NOPASSWD: ALL
@@ -1050,8 +1051,7 @@ sudoers(4) MAINTENANCE COMMANDS sudoers(4)
December 30, 2001 1.6.4 16
December 17, 2001 1.6.4 16
@@ -1117,7 +1117,7 @@ sudoers(4) MAINTENANCE COMMANDS sudoers(4)
December 17, 2001 1.6.4 17 December 30, 2001 1.6.4 17
@@ -1183,6 +1183,6 @@ SSSSEEEEEEEE AAAALLLLSSSSOOOO
December 17, 2001 1.6.4 18 December 30, 2001 1.6.4 18


@@ -1,5 +1,5 @@
.\" Automatically generated by Pod::Man version 1.15 .\" Automatically generated by Pod::Man version 1.15
.\" Mon Dec 17 16:34:22 2001 .\" Sun Dec 30 12:24:30 2001
.\" .\"
.\" Standard preamble: .\" Standard preamble:
.\" ====================================================================== .\" ======================================================================
@@ -138,7 +138,7 @@
.\" ====================================================================== .\" ======================================================================
.\" .\"
.IX Title "sudoers @mansectform@" .IX Title "sudoers @mansectform@"
.TH sudoers @mansectform@ "1.6.4" "December 17, 2001" "MAINTENANCE COMMANDS" .TH sudoers @mansectform@ "1.6.4" "December 30, 2001" "MAINTENANCE COMMANDS"
.UC .UC
.SH "NAME" .SH "NAME"
sudoers \- list of which users may execute what sudoers \- list of which users may execute what
@@ -678,28 +678,31 @@ The default value is `any'.
\&\fBLists that can be used in a boolean context\fR: \&\fBLists that can be used in a boolean context\fR:
.Ip "env_check" 12 .Ip "env_check" 12
.IX Item "env_check" .IX Item "env_check"
A double-quoted, space-separated list of environment variables to Environment variables to be removed from the user's environment if
be removed from the user's environment if the variable's value the variable's value contains \f(CW\*(C`%\*(C'\fR or \f(CW\*(C`/\*(C'\fR characters. This can
contains \f(CW\*(C`%\*(C'\fR or \f(CW\*(C`/\*(C'\fR characters. This can be used to guard against be used to guard against printf-style format vulnerabilties in
printf-style format vulnerabilties in poorly-written programs. The poorly-written programs. The argument may be a double-quoted,
space-separated list or a single value without double-quotes. The
list can be replaced, added to, deleted from, or disabled by using list can be replaced, added to, deleted from, or disabled by using
the \f(CW\*(C`=\*(C'\fR, \f(CW\*(C`+=\*(C'\fR, \f(CW\*(C`\-=\*(C'\fR, and \f(CW\*(C`!\*(C'\fR operators respectively. The default the \f(CW\*(C`=\*(C'\fR, \f(CW\*(C`+=\*(C'\fR, \f(CW\*(C`\-=\*(C'\fR, and \f(CW\*(C`!\*(C'\fR operators respectively. The default
list of environment variable to check is printed when \fBsudo\fR is list of environment variable to check is printed when \fBsudo\fR is
run by root with the \fI\-V\fR option. run by root with the \fI\-V\fR option.
.Ip "env_delete" 12 .Ip "env_delete" 12
.IX Item "env_delete" .IX Item "env_delete"
A double-quoted, space-separated list of environment variables to Environment variables to be removed from the user's environment.
be removed from the user's environment. The list can be replaced, The argument may be a double-quoted, space-separated list or a
added to, deleted from, or disabled by using the \f(CW\*(C`=\*(C'\fR, \f(CW\*(C`+=\*(C'\fR, \f(CW\*(C`\-=\*(C'\fR, single value without double-quotes. The list can be replaced, added
and \f(CW\*(C`!\*(C'\fR operators respectively. The default list of environment to, deleted from, or disabled by using the \f(CW\*(C`=\*(C'\fR, \f(CW\*(C`+=\*(C'\fR, \f(CW\*(C`\-=\*(C'\fR, and
\&\f(CW\*(C`!\*(C'\fR operators respectively. The default list of environment
variable to remove is printed when \fBsudo\fR is run by root with the variable to remove is printed when \fBsudo\fR is run by root with the
\&\fI\-V\fR option. \&\fI\-V\fR option.
.Ip "env_keep" 12 .Ip "env_keep" 12
.IX Item "env_keep" .IX Item "env_keep"
A double-quoted, space-separated list of environment variables to Environment variables to be preserved in the user's environment
be preserved in the user's environment when the \fIenv_reset\fR option when the \fIenv_reset\fR option is in effect. This allows fine-grained
is in effect. This allows fine-grained control over the environment control over the environment \fBsudo\fR\-spawned processes will receive.
\&\fBsudo\fR\-spawned processes will get. The list can be replaced, added The argument may be a double-quoted, space-separated list or a
single value without double-quotes. The list can be replaced, added
to, deleted from, or disabled by using the \f(CW\*(C`=\*(C'\fR, \f(CW\*(C`+=\*(C'\fR, \f(CW\*(C`\-=\*(C'\fR, and to, deleted from, or disabled by using the \f(CW\*(C`=\*(C'\fR, \f(CW\*(C`+=\*(C'\fR, \f(CW\*(C`\-=\*(C'\fR, and
\&\f(CW\*(C`!\*(C'\fR operators respectively. This list has no default members. \&\f(CW\*(C`!\*(C'\fR operators respectively. This list has no default members.
.PP .PP
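Review bot: the sentence "The argument may be a double-quoted, space-separated list or a single value without double-quotes." is now repeated word for word in env_check, env_delete and env_keep. Suggest stating it once under "Lists that can be used in a boolean context" and dropping the three copies. The new wording also does not say how more than one name given without quotes is handled; that deserves a sentence, since these lists decide which variables are removed from or kept in the environment that sudo-spawned processes receive. This file is marked as automatically generated by Pod::Man, so the change belongs in the pod source.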


@@ -645,10 +645,11 @@ B<Lists that can be used in a boolean context>:
=item env_check =item env_check
A double-quoted, space-separated list of environment variables to Environment variables to be removed from the user's environment if
be removed from the user's environment if the variable's value the variable's value contains C<%> or C</> characters. This can
contains C<%> or C</> characters. This can be used to guard against be used to guard against printf-style format vulnerabilties in
printf-style format vulnerabilties in poorly-written programs. The poorly-written programs. The argument may be a double-quoted,
space-separated list or a single value without double-quotes. The
list can be replaced, added to, deleted from, or disabled by using list can be replaced, added to, deleted from, or disabled by using
the C<=>, C<+=>, C<-=>, and C<!> operators respectively. The default the C<=>, C<+=>, C<-=>, and C<!> operators respectively. The default
list of environment variable to check is printed when B<sudo> is list of environment variable to check is printed when B<sudo> is
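Review bot: "vulnerabilties" is misspelled in the rewrapped env_check paragraph ("printf-style format vulnerabilties in"), and "list of environment variable to check" should use the plural "variables". Both predate this change, but the paragraph is being reflowed here anyway, so fixing them in this pod source would carry through to the generated man page and the formatted page.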
@@ -656,19 +657,21 @@ run by root with the I<-V> option.
=item env_delete =item env_delete
A double-quoted, space-separated list of environment variables to Environment variables to be removed from the user's environment.
be removed from the user's environment. The list can be replaced, The argument may be a double-quoted, space-separated list or a
added to, deleted from, or disabled by using the C<=>, C<+=>, C<-=>, single value without double-quotes. The list can be replaced, added
and C<!> operators respectively. The default list of environment to, deleted from, or disabled by using the C<=>, C<+=>, C<-=>, and
C<!> operators respectively. The default list of environment
variable to remove is printed when B<sudo> is run by root with the variable to remove is printed when B<sudo> is run by root with the
I<-V> option. I<-V> option.
=item env_keep =item env_keep
A double-quoted, space-separated list of environment variables to Environment variables to be preserved in the user's environment
be preserved in the user's environment when the I<env_reset> option when the I<env_reset> option is in effect. This allows fine-grained
is in effect. This allows fine-grained control over the environment control over the environment B<sudo>-spawned processes will receive.
B<sudo>-spawned processes will get. The list can be replaced, added The argument may be a double-quoted, space-separated list or a
single value without double-quotes. The list can be replaced, added
to, deleted from, or disabled by using the C<=>, C<+=>, C<-=>, and to, deleted from, or disabled by using the C<=>, C<+=>, C<-=>, and
C<!> operators respectively. This list has no default members. C<!> operators respectively. This list has no default members.