Attempt to clarify how users and groups interact in Runas_Specs

This commit is contained in:
Todd C. Miller
2011-02-03 13:20:43 -05:00
parent 310867e4ed
commit 521ee9c539
3 changed files with 367 additions and 315 deletions

View File

@@ -61,7 +61,7 @@ DDEESSCCRRIIPPTTIIOONN
1.8.0b3 January 28, 2011 1
1.8.0b3 February 3, 2011 1
@@ -127,7 +127,7 @@ SSUUDDOOEERRSS FFIILLEE FFOORRMMAATT
1.8.0b3 January 28, 2011 2
1.8.0b3 February 3, 2011 2
@@ -193,7 +193,7 @@ SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4)
1.8.0b3 January 28, 2011 3
1.8.0b3 February 3, 2011 3
@@ -259,7 +259,7 @@ SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4)
1.8.0b3 January 28, 2011 4
1.8.0b3 February 3, 2011 4
@@ -325,7 +325,7 @@ SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4)
1.8.0b3 January 28, 2011 5
1.8.0b3 February 3, 2011 5
@@ -391,7 +391,7 @@ SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4)
1.8.0b3 January 28, 2011 6
1.8.0b3 February 3, 2011 6
@@ -435,7 +435,7 @@ SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4)
The user ddggbb may run _/_b_i_n_/_l_s, _/_b_i_n_/_k_i_l_l, and _/_u_s_r_/_b_i_n_/_l_p_r_m -- but only
as ooppeerraattoorr. E.g.,
$ sudo -u operator /bin/ls.
$ sudo -u operator /bin/ls
It is also possible to override a Runas_Spec later on in an entry. If
we modify the entry like so:
@@ -451,13 +451,13 @@ SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4)
dgb boulder = (operator : operator) /bin/ls, (root) /bin/kill, \
/usr/bin/lprm
In the following example, user ttccmm may run commands that access a modem
device file with the dialer group. Note that in this example only the
group will be set, the command still runs as user ttccmm.
Note that while the group portion of the Runas_Spec permits the user to
run as command with that group, it does not force the user to do so.
If no group is specified on the command line, the command will run with
1.8.0b3 January 28, 2011 7
1.8.0b3 February 3, 2011 7
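Review bot: the new paragraph in this hunk carries a typo, "permits the user to run as command with that group", which should read "permits the user to run a command with that group". This formatted page is generated from sudoers.pod, so the fix belongs in the pod source with this file regenerated afterwards, not hand-edited here.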
@@ -466,9 +466,33 @@ SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4)
SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4)
the group listed in the target user's password database entry. The
following would all be permitted by the sudoers entry above:
$ sudo -u operator /bin/ls
$ sudo -u operator -g operator /bin/ls
$ sudo -g operator /bin/ls
In the following example, user ttccmm may run commands that access a modem
device file with the dialer group.
tcm boulder = (:dialer) /usr/bin/tip, /usr/bin/cu, \
/usr/local/bin/minicom
Note that in this example only the group will be set, the command still
runs as user ttccmm. E.g.
$ sudo -g dialer /usr/bin/cu
Multiple users and groups may be present in a Runas_Spec, in which case
the user may select any combination of users and groups via the --uu and
--gg options. In this example:
alan ALL = (root, bin : operator, system) ALL
user aallaann may run any command as either user root or bin, optionally
setting the group to operator or system.
SSEELLiinnuuxx__SSppeecc
On systems with SELinux support, _s_u_d_o_e_r_s entries may optionally have an
SELinux role and/or type associated with a command. If a role or type
@@ -496,6 +520,18 @@ SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4)
would allow the user rraayy to run _/_b_i_n_/_k_i_l_l, _/_b_i_n_/_l_s, and _/_u_s_r_/_b_i_n_/_l_p_r_m
as rroooott on the machine rushmore without authenticating himself. If we
1.8.0b3 February 3, 2011 8
SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4)
only want rraayy to be able to run _/_b_i_n_/_k_i_l_l without a password the entry
would be:
@@ -520,18 +556,6 @@ SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4)
In the following example, user aaaarroonn may run _/_u_s_r_/_b_i_n_/_m_o_r_e and
_/_u_s_r_/_b_i_n_/_v_i but shell escapes will be disabled.
1.8.0b3 January 28, 2011 8
SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4)
aaron shanty = NOEXEC: /usr/bin/more, /usr/bin/vi
See the "PREVENTING SHELL ESCAPES" section below for more details on
@@ -561,6 +585,19 @@ SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4)
basis. For more information, see the description of _l_o_g___o_u_t_p_u_t in the
"SUDOERS OPTIONS" section below.
1.8.0b3 February 3, 2011 9
SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4)
WWiillddccaarrddss
ssuuddoo allows shell-style _w_i_l_d_c_a_r_d_s (aka meta or glob characters) to be
used in host names, path names and command line arguments in the
@@ -586,18 +623,6 @@ SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4)
Would match any file name beginning with a letter.
1.8.0b3 January 28, 2011 9
SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4)
Note that a forward slash ('/') will nnoott be matched by wildcards used
in the path name. When matching the command line arguments, however, a
slash ddooeess get matched by wildcards. This is to make a path like:
@@ -627,6 +652,18 @@ SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4)
#include /etc/sudoers.local
When ssuuddoo reaches this line it will suspend processing of the current
1.8.0b3 February 3, 2011 10
SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4)
file (_/_e_t_c_/_s_u_d_o_e_r_s) and switch to _/_e_t_c_/_s_u_d_o_e_r_s_._l_o_c_a_l. Upon reaching
the end of _/_e_t_c_/_s_u_d_o_e_r_s_._l_o_c_a_l, the rest of _/_e_t_c_/_s_u_d_o_e_r_s will be
processed. Files that are included may themselves include other files.
@@ -652,18 +689,6 @@ SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4)
sorted lexical order. That is, _/_e_t_c_/_s_u_d_o_e_r_s_._d_/_0_1___f_i_r_s_t will be parsed
before _/_e_t_c_/_s_u_d_o_e_r_s_._d_/_1_0___s_e_c_o_n_d. Be aware that because the sorting is
lexical, not numeric, _/_e_t_c_/_s_u_d_o_e_r_s_._d_/_1___w_h_o_o_p_s would be loaded aafftteerr
1.8.0b3 January 28, 2011 10
SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4)
_/_e_t_c_/_s_u_d_o_e_r_s_._d_/_1_0___s_e_c_o_n_d. Using a consistent number of leading zeroes
in the file names can be used to avoid such problems.
@@ -693,6 +718,18 @@ SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4)
ALL alias to allow a user to run "all but a few" commands rarely works
as intended (see SECURITY NOTES below).
1.8.0b3 February 3, 2011 11
SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4)
Long lines can be continued with a backslash ('\') as the last
character on the line.
@@ -718,18 +755,6 @@ SSUUDDOOEERRSS OOPPTTIIOONNSS
enabled, so _a_l_w_a_y_s___s_e_t___h_o_m_e is only effective for
configurations where either _e_n_v___r_e_s_e_t is disabled or
HOME is present in the _e_n_v___k_e_e_p list. This flag is _o_f_f
1.8.0b3 January 28, 2011 11
SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4)
by default.
authenticate If set, users must authenticate themselves via a
@@ -759,6 +784,18 @@ SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4)
use the EDITOR or VISUAL if they match a value
specified in editor. This flag is _o_f_f by default.
1.8.0b3 February 3, 2011 12
SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4)
env_reset If set, ssuuddoo will reset the environment to only contain
the LOGNAME, MAIL, SHELL, USER, USERNAME and the SUDO_*
variables. Any variables in the caller's environment
@@ -784,18 +821,6 @@ SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4)
the negation operator, '!', as such rules can be
trivially bypassed. As such, this option should not be
used when _s_u_d_o_e_r_s contains rules that contain negated
1.8.0b3 January 28, 2011 12
SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4)
path names which include globbing characters. This
flag is _o_f_f by default.
@@ -825,6 +850,18 @@ SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4)
prevent the usage of local sudoers files so that only
LDAP is used. This thwarts the efforts of rogue
operators who would attempt to add roles to
1.8.0b3 February 3, 2011 13
SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4)
_/_e_t_c_/_s_u_d_o_e_r_s. When this option is present,
_/_e_t_c_/_s_u_d_o_e_r_s does not even need to exist. Since this
option tells ssuuddoo how to behave when no specific LDAP
@@ -851,17 +888,6 @@ SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4)
mail_always Send mail to the _m_a_i_l_t_o user every time a users runs
ssuuddoo. This flag is _o_f_f by default.
1.8.0b3 January 28, 2011 13
SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4)
mail_badpass Send mail to the _m_a_i_l_t_o user if the user running ssuuddoo
does not enter the correct password. This flag is _o_f_f
by default.
@@ -890,6 +916,18 @@ SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4)
path_info Normally, ssuuddoo will tell the user when a command could
not be found in their PATH environment variable. Some
sites may wish to disable this as it could be used to
1.8.0b3 February 3, 2011 14
SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4)
gather information on the location of executables that
the normal user does not have access to. The
disadvantage is that if the executable is simply not in
@@ -916,18 +954,6 @@ SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4)
the return (or enter) key. Some users become confused
by this as it appears to them that ssuuddoo has hung at
this point. When _p_w_f_e_e_d_b_a_c_k is set, ssuuddoo will provide
1.8.0b3 January 28, 2011 14
SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4)
visual feedback when the user presses a key. Note that
this does have a security impact as an onlooker may be
able to determine the length of the password being
@@ -957,6 +983,17 @@ SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4)
instead of the password of the invoking user. This
flag is _o_f_f by default.
1.8.0b3 February 3, 2011 15
SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4)
set_home If enabled and ssuuddoo is invoked with the --ss option the
HOME environment variable will be set to the home
directory of the target user (which is root unless the
@@ -982,18 +1019,6 @@ SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4)
command line via the --EE option. Additionally,
environment variables set via the command line are not
subject to the restrictions imposed by _e_n_v___c_h_e_c_k,
1.8.0b3 January 28, 2011 15
SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4)
_e_n_v___d_e_l_e_t_e, or _e_n_v___k_e_e_p. As such, only trusted users
should be allowed to set variables in this manner.
This flag is _o_f_f by default.
@@ -1024,6 +1049,17 @@ SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4)
not listed in the passwd database as an argument to the
--uu option. This flag is _o_f_f by default.
1.8.0b3 February 3, 2011 16
SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4)
log_input If set, ssuuddoo will run the command in a _p_s_e_u_d_o _t_t_y and
log all user input. If the standard input is not
connected to the user's tty, due to I/O redirection or
@@ -1048,18 +1084,6 @@ SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4)
Output logs may be viewed with the _s_u_d_o_r_e_p_l_a_y(1m)
utility, which can also be used to list or search the
1.8.0b3 January 28, 2011 16
SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4)
available logs.
tty_tickets If set, users must authenticate on a per-tty basis.
@@ -1090,6 +1114,18 @@ SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4)
visiblepw By default, ssuuddoo will refuse to run if the user must
enter a password but it is not possible to disable echo
1.8.0b3 February 3, 2011 17
SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4)
on the terminal. If the _v_i_s_i_b_l_e_p_w flag is set, ssuuddoo
will prompt for a password even when it would be
visible on the screen. This makes it possible to run
@@ -1114,18 +1150,6 @@ SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4)
loglinelen Number of characters per line for the file log. This
value is used to decide when to wrap lines for nicer
log files. This has no effect on the syslog log file,
1.8.0b3 January 28, 2011 17
SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4)
only the file log. The default is 80 (use 0 or negate
the option to disable word wrap).
@@ -1157,6 +1181,17 @@ SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4)
SSttrriinnggss:
1.8.0b3 February 3, 2011 18
SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4)
badpass_message Message that is displayed if a user enters an incorrect
password. The default is Sorry, try again. unless
insults are enabled.
@@ -1180,18 +1215,6 @@ SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4)
%{seq}
expanded to a monotonically increasing base-36
1.8.0b3 January 28, 2011 18
SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4)
sequence number, such as 0100A5, where every two
digits are used to form a new directory, e.g.
_0_1_/_0_0_/_A_5
@@ -1223,6 +1246,18 @@ SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4)
Path names that end in six or more Xs will have the Xs
replaced with a unique combination of digits and
1.8.0b3 February 3, 2011 19
SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4)
letters, similar to the _m_k_t_e_m_p_(_) function.
iolog_file The path name, relative to _i_o_l_o_g___d_i_r, in which to store
@@ -1246,18 +1281,6 @@ SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4)
LD_PRELOAD or its equivalent. Defaults to
_/_u_s_r_/_l_o_c_a_l_/_l_i_b_e_x_e_c_/_s_u_d_o___n_o_e_x_e_c_._s_o.
1.8.0b3 January 28, 2011 19
SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4)
passprompt The default prompt to use when asking for a password;
can be overridden via the --pp option or the SUDO_PROMPT
environment variable. The following percent (`%')
@@ -1290,6 +1313,17 @@ SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4)
via command line options. This option is only
available whe ssuuddoo is built with SELinux support.
1.8.0b3 February 3, 2011 20
SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4)
runas_default The default user to run commands as if the --uu option is
not specified on the command line. This defaults to
root. Note that if _r_u_n_a_s___d_e_f_a_u_l_t is set it mmuusstt occur
@@ -1312,18 +1346,6 @@ SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4)
timestampowner The owner of the timestamp directory and the timestamps
stored therein. The default is root.
1.8.0b3 January 28, 2011 20
SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4)
type The default SELinux type to use when constructing a new
security context to run the command. The default type
may be overridden on a per-command basis in _s_u_d_o_e_r_s or
@@ -1356,6 +1378,18 @@ SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4)
group_plugin
A string containing a _s_u_d_o_e_r_s group plugin with optional
1.8.0b3 February 3, 2011 21
SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4)
arguments. This can be used to implement support for the
nonunix_group syntax described earlier. The string should
consist of the plugin path, either fully-qualified or
@@ -1378,18 +1412,6 @@ SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4)
always Always lecture the user.
1.8.0b3 January 28, 2011 21
SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4)
never Never lecture the user.
once Only lecture the user the first time they run ssuuddoo.
@@ -1422,6 +1444,18 @@ SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4)
option.
If no value is specified, a value of _a_n_y is implied.
1.8.0b3 February 3, 2011 22
SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4)
Negating the option results in a value of _n_e_v_e_r being used.
The default value is _a_n_y.
@@ -1444,18 +1478,6 @@ SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4)
ssuuddoo interpreting the @ sign. Defaults to root.
secure_path Path used for every command run from ssuuddoo. If you don't
1.8.0b3 January 28, 2011 22
SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4)
trust the people running ssuuddoo to have a sane PATH
environment variable you may want to use this. Another use
is if you want to have the "root path" be separate from the
@@ -1488,6 +1510,18 @@ SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4)
Negating the option results in a value of _n_e_v_e_r being used.
The default value is _a_l_l.
1.8.0b3 February 3, 2011 23
SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4)
LLiissttss tthhaatt ccaann bbee uusseedd iinn aa bboooolleeaann ccoonntteexxtt:
env_check Environment variables to be removed from the user's
@@ -1510,18 +1544,6 @@ SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4)
The argument may be a double-quoted, space-separated
list or a single value without double-quotes. The list
can be replaced, added to, deleted from, or disabled by
1.8.0b3 January 28, 2011 23
SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4)
using the =, +=, -=, and ! operators respectively. The
default list of environment variables to remove is
displayed when ssuuddoo is run by root with the _-_V option.
@@ -1554,6 +1576,18 @@ FFIILLEESS
_/_e_t_c_/_n_e_t_g_r_o_u_p List of network groups
1.8.0b3 February 3, 2011 24
SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4)
_/_v_a_r_/_l_o_g_/_s_u_d_o_-_i_o I/O log files
_/_v_a_r_/_a_d_m_/_s_u_d_o Directory containing time stamps for the
@@ -1577,18 +1611,6 @@ EEXXAAMMPPLLEESS
User_Alias PARTTIMERS = bostley, jwfox, crawl
User_Alias WEBMASTERS = will, wendy, wim
1.8.0b3 January 28, 2011 24
SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4)
# Runas alias specification
Runas_Alias OP = root, operator
Runas_Alias DB = oracle, sybase
@@ -1620,6 +1642,18 @@ SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4)
Here we override some of the compiled in default values. We want ssuuddoo
to log via _s_y_s_l_o_g(3) using the _a_u_t_h facility in all cases. We don't
1.8.0b3 February 3, 2011 25
SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4)
want to subject the full time staff to the ssuuddoo lecture, user mmiilllleerrtt
need not give a password, and we don't want to reset the LOGNAME, USER
or USERNAME environment variables when running commands as root.
@@ -1643,17 +1677,6 @@ SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4)
root ALL = (ALL) ALL
%wheel ALL = (ALL) ALL
1.8.0b3 January 28, 2011 25
SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4)
We let rroooott and any user in group wwhheeeell run any command on any host as
any user.
@@ -1685,6 +1708,18 @@ SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4)
sudoedit /etc/printcap, /usr/oper/bin/
The ooppeerraattoorr user may run commands limited to simple maintenance.
1.8.0b3 February 3, 2011 26
SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4)
Here, those are commands related to backups, killing processes, the
printing system, shutting down the system, and any commands in the
directory _/_u_s_r_/_o_p_e_r_/_b_i_n_/.
@@ -1709,17 +1744,6 @@ SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4)
The user bboobb may run anything on the _S_P_A_R_C and _S_G_I machines as any user
listed in the _O_P Runas_Alias (rroooott and ooppeerraattoorr).
1.8.0b3 January 28, 2011 26
SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4)
jim +biglab = ALL
The user jjiimm may run any command on machines in the _b_i_g_l_a_b netgroup.
@@ -1750,6 +1774,18 @@ SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4)
For any machine in the _S_E_R_V_E_R_S Host_Alias, jjiillll may run any commands in
the directory _/_u_s_r_/_b_i_n_/ except for those commands belonging to the _S_U
1.8.0b3 February 3, 2011 27
SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4)
and _S_H_E_L_L_S Cmnd_Aliases.
steve CSNETS = (operator) /usr/local/op_commands/
@@ -1774,18 +1810,6 @@ SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4)
Any user may mount or unmount a CD-ROM on the machines in the CDROM
Host_Alias (orion, perseus, hercules) without entering a password.
This is a bit tedious for users to type, so it is a prime candidate for
1.8.0b3 January 28, 2011 27
SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4)
encapsulating in a shell script.
SSEECCUURRIITTYY NNOOTTEESS
@@ -1817,6 +1841,17 @@ SSEECCUURRIITTYY NNOOTTEESS
User jjoohhnn can still run /usr/bin/passwd root if _f_a_s_t___g_l_o_b is enabled by
changing to _/_u_s_r_/_b_i_n and running ./passwd root instead.
1.8.0b3 February 3, 2011 28
SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4)
PPRREEVVEENNTTIINNGG SSHHEELLLL EESSCCAAPPEESS
Once ssuuddoo executes a program, that program is free to do whatever it
pleases, including run other programs. This can be a security issue
@@ -1840,18 +1875,6 @@ PPRREEVVEENNTTIINNGG SSHHEELLLL EESSCCAAPPEESS
shared library. On such systems, ssuuddoo's _n_o_e_x_e_c functionality
can be used to prevent a program run by ssuuddoo from executing
any other programs. Note, however, that this applies only to
1.8.0b3 January 28, 2011 28
SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4)
native dynamically-linked executables. Statically-linked
executables and foreign executables running under binary
emulation are not affected.
@@ -1883,6 +1906,18 @@ SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4)
aaron shanty = NOEXEC: /usr/bin/more, /usr/bin/vi
1.8.0b3 February 3, 2011 29
SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4)
This allows user aaaarroonn to run _/_u_s_r_/_b_i_n_/_m_o_r_e and _/_u_s_r_/_b_i_n_/_v_i
with _n_o_e_x_e_c enabled. This will prevent those two commands
from executing other commands (such as a shell). If you are
@@ -1906,18 +1941,6 @@ SSEECCUURRIITTYY NNOOTTEESS
ownership and mode of the directory and its contents, the only damage
that can be done is to "hide" files by putting them in the time stamp
dir. This is unlikely to happen since once the time stamp dir is owned
1.8.0b3 January 28, 2011 29
SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4)
by root and inaccessible by any other user, the user placing files
there would be unable to get them back out.
@@ -1949,6 +1972,18 @@ SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4)
If users have sudo ALL there is nothing to prevent them from creating
their own program that gives them a root shell (or making their own
copy of a shell) regardless of any '!' elements in the user
1.8.0b3 February 3, 2011 30
SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4)
specification.
SSEEEE AALLSSOO
@@ -1972,18 +2007,6 @@ BBUUGGSS
SSUUPPPPOORRTT
Limited free support is available via the sudo-users mailing list, see
1.8.0b3 January 28, 2011 30
SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4)
http://www.sudo.ws/mailman/listinfo/sudo-users to subscribe or search
the archives.
@@ -2018,29 +2041,6 @@ DDIISSCCLLAAIIMMEERR
1.8.0b3 January 28, 2011 31
1.8.0b3 February 3, 2011 31

View File

@@ -148,7 +148,7 @@
.\" ========================================================================
.\"
.IX Title "SUDOERS @mansectform@"
.TH SUDOERS @mansectform@ "January 28, 2011" "1.8.0b3" "MAINTENANCE COMMANDS"
.TH SUDOERS @mansectform@ "February 3, 2011" "1.8.0b3" "MAINTENANCE COMMANDS"
.\" For nroff, turn off justification. Always turn off hyphenation; it makes
.\" way too many mistakes in technical documents.
.if n .ad l
@@ -556,7 +556,7 @@ The user \fBdgb\fR may run \fI/bin/ls\fR, \fI/bin/kill\fR, and
\&\fI/usr/bin/lprm\fR \*(-- but only as \fBoperator\fR. E.g.,
.PP
.Vb 1
\& $ sudo \-u operator /bin/ls.
\& $ sudo \-u operator /bin/ls
.Ve
.PP
It is also possible to override a \f(CW\*(C`Runas_Spec\*(C'\fR later on in an
@@ -577,14 +577,43 @@ the user or group set to \fBoperator\fR:
\& /usr/bin/lprm
.Ve
.PP
Note that while the group portion of the \f(CW\*(C`Runas_Spec\*(C'\fR permits the
user to run as command with that group, it does not force the user
to do so. If no group is specified on the command line, the command
will run with the group listed in the target user's password database
entry. The following would all be permitted by the sudoers entry above:
.PP
.Vb 3
\& $ sudo \-u operator /bin/ls
\& $ sudo \-u operator \-g operator /bin/ls
\& $ sudo \-g operator /bin/ls
.Ve
.PP
In the following example, user \fBtcm\fR may run commands that access
a modem device file with the dialer group. Note that in this example
only the group will be set, the command still runs as user \fBtcm\fR.
a modem device file with the dialer group.
.PP
.Vb 2
\& tcm boulder = (:dialer) /usr/bin/tip, /usr/bin/cu, \e
\& /usr/local/bin/minicom
.Ve
.PP
Note that in this example only the group will be set, the command
still runs as user \fBtcm\fR. E.g.
.PP
.Vb 1
\& $ sudo \-g dialer /usr/bin/cu
.Ve
.PP
Multiple users and groups may be present in a \f(CW\*(C`Runas_Spec\*(C'\fR, in
which case the user may select any combination of users and groups
via the \fB\-u\fR and \fB\-g\fR options. In this example:
.PP
.Vb 1
\& alan ALL = (root, bin : operator, system) ALL
.Ve
.PP
user \fBalan\fR may run any command as either user root or bin,
optionally setting the group to operator or system.
.if \n(SL \{\
.SS "SELinux_Spec"
.IX Subsection "SELinux_Spec"

View File

@@ -421,7 +421,7 @@ What this means is that for the entry:
The user B<dgb> may run F</bin/ls>, F</bin/kill>, and
F</usr/bin/lprm> -- but only as B<operator>. E.g.,
$ sudo -u operator /bin/ls.
$ sudo -u operator /bin/ls
It is also possible to override a C<Runas_Spec> later on in an
entry. If we modify the entry like so:
@@ -437,13 +437,36 @@ the user or group set to B<operator>:
dgb boulder = (operator : operator) /bin/ls, (root) /bin/kill, \
/usr/bin/lprm
Note that while the group portion of the C<Runas_Spec> permits the
user to run as command with that group, it does not force the user
to do so. If no group is specified on the command line, the command
will run with the group listed in the target user's password database
entry. The following would all be permitted by the sudoers entry above:
$ sudo -u operator /bin/ls
$ sudo -u operator -g operator /bin/ls
$ sudo -g operator /bin/ls
In the following example, user B<tcm> may run commands that access
a modem device file with the dialer group. Note that in this example
only the group will be set, the command still runs as user B<tcm>.
a modem device file with the dialer group.
tcm boulder = (:dialer) /usr/bin/tip, /usr/bin/cu, \
/usr/local/bin/minicom
Note that in this example only the group will be set, the command
still runs as user B<tcm>. E.g.
$ sudo -g dialer /usr/bin/cu
Multiple users and groups may be present in a C<Runas_Spec>, in
which case the user may select any combination of users and groups
via the B<-u> and B<-g> options. In this example:
alan ALL = (root, bin : operator, system) ALL
user B<alan> may run any command as either user root or bin,
optionally setting the group to operator or system.
=head2 SELinux_Spec
On systems with SELinux support, I<sudoers> entries may optionally have
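Review bot: "permits the user to run as command with that group" in the added paragraph is a typo; suggest "permits the user to run a command with that group". Because sudoers.man.in and the formatted sudoers page are both generated from this file, the same wording appears in the other two hunks of this commit, so correcting it here and regenerating keeps all three in sync. The three listed invocations (`$ sudo -u operator /bin/ls`, `$ sudo -u operator -g operator /bin/ls`, `$ sudo -g operator /bin/ls`) make the intended point, that the group portion of a Runas_Spec is permissive rather than enforced, and the `$ sudo -g dialer /usr/bin/cu` line placed after the `(:dialer)` entry does the same for the group-only case.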