From 521ee9c5392a03df5b69835e7e8529034b68ce63 Mon Sep 17 00:00:00 2001 From: "Todd C. Miller" Date: Thu, 3 Feb 2011 13:20:43 -0500 Subject: [PATCH] Attempt to clarify how users and groups interact in Runas_Specs --- doc/sudoers.cat | 616 ++++++++++++++++++++++----------------------- doc/sudoers.man.in | 37 ++- doc/sudoers.pod | 29 ++- 3 files changed, 367 insertions(+), 315 deletions(-) diff --git a/doc/sudoers.cat b/doc/sudoers.cat index b97cf0cc4..7d538df13 100644 --- a/doc/sudoers.cat +++ b/doc/sudoers.cat @@ -61,7 +61,7 @@ DDEESSCCRRIIPPTTIIOONN -1.8.0b3 January 28, 2011 1 +1.8.0b3 February 3, 2011 1 @@ -127,7 +127,7 @@ SSUUDDOOEERRSS FFIILLEE FFOORRMMAATT -1.8.0b3 January 28, 2011 2 +1.8.0b3 February 3, 2011 2 @@ -193,7 +193,7 @@ SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4) -1.8.0b3 January 28, 2011 3 +1.8.0b3 February 3, 2011 3 @@ -259,7 +259,7 @@ SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4) -1.8.0b3 January 28, 2011 4 +1.8.0b3 February 3, 2011 4 @@ -325,7 +325,7 @@ SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4) -1.8.0b3 January 28, 2011 5 +1.8.0b3 February 3, 2011 5 @@ -391,7 +391,7 @@ SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4) -1.8.0b3 January 28, 2011 6 +1.8.0b3 February 3, 2011 6 @@ -435,7 +435,7 @@ SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4) The user ddggbb may run _/_b_i_n_/_l_s, _/_b_i_n_/_k_i_l_l, and _/_u_s_r_/_b_i_n_/_l_p_r_m -- but only as ooppeerraattoorr. E.g., - $ sudo -u operator /bin/ls. + $ sudo -u operator /bin/ls It is also possible to override a Runas_Spec later on in an entry. If we modify the entry like so: 
@@ -451,13 +451,13 @@ SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4) dgb boulder = (operator : operator) /bin/ls, (root) /bin/kill, \ /usr/bin/lprm - In the following example, user ttccmm may run commands that access a modem - device file with the dialer group. Note that in this example only the - group will be set, the command still runs as user ttccmm. + Note that while the group portion of the Runas_Spec permits the user to + run as command with that group, it does not force the user to do so. + If no group is specified on the command line, the command will run with -1.8.0b3 January 28, 2011 7 +1.8.0b3 February 3, 2011 7 @@ -466,9 +466,33 @@ SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4) SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4) + the group listed in the target user's password database entry. The + following would all be permitted by the sudoers entry above: + + $ sudo -u operator /bin/ls + $ sudo -u operator -g operator /bin/ls + $ sudo -g operator /bin/ls + + In the following example, user ttccmm may run commands that access a modem + device file with the dialer group. + tcm boulder = (:dialer) /usr/bin/tip, /usr/bin/cu, \ /usr/local/bin/minicom + Note that in this example only the group will be set, the command still + runs as user ttccmm. E.g. + + $ sudo -g dialer /usr/bin/cu + + Multiple users and groups may be present in a Runas_Spec, in which case + the user may select any combination of users and groups via the --uu and + --gg options. In this example: + + alan ALL = (root, bin : operator, system) ALL + + user aallaann may run any command as either user root or bin, optionally + setting the group to operator or system. + SSEELLiinnuuxx__SSppeecc On systems with SELinux support, _s_u_d_o_e_r_s entries may optionally have an SELinux role and/or type associated with a command. If a role or type 
@@ -496,6 +520,18 @@ SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4) would allow the user rraayy to run _/_b_i_n_/_k_i_l_l, _/_b_i_n_/_l_s, and _/_u_s_r_/_b_i_n_/_l_p_r_m as rroooott on the machine rushmore without authenticating himself. If we + + + +1.8.0b3 February 3, 2011 8 + + + + + +SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4) + + only want rraayy to be able to run _/_b_i_n_/_k_i_l_l without a password the entry would be: @@ -520,18 +556,6 @@ SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4) In the following example, user aaaarroonn may run _/_u_s_r_/_b_i_n_/_m_o_r_e and _/_u_s_r_/_b_i_n_/_v_i but shell escapes will be disabled. - - - -1.8.0b3 January 28, 2011 8 - - - - - -SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4) - - aaron shanty = NOEXEC: /usr/bin/more, /usr/bin/vi See the "PREVENTING SHELL ESCAPES" section below for more details on @@ -561,6 +585,19 @@ SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4) basis. For more information, see the description of _l_o_g___o_u_t_p_u_t in the "SUDOERS OPTIONS" section below. + + + + +1.8.0b3 February 3, 2011 9 + + + + + +SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4) + + WWiillddccaarrddss ssuuddoo allows shell-style _w_i_l_d_c_a_r_d_s (aka meta or glob characters) to be used in host names, path names and command line arguments in the @@ -586,18 +623,6 @@ SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4) Would match any file name beginning with a letter. - - - -1.8.0b3 January 28, 2011 9 - - - - - -SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4) - - Note that a forward slash ('/') will nnoott be matched by wildcards used in the path name. When matching the command line arguments, however, a slash ddooeess get matched by wildcards. This is to make a path like: 
@@ -627,6 +652,18 @@ SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4) #include /etc/sudoers.local When ssuuddoo reaches this line it will suspend processing of the current + + + +1.8.0b3 February 3, 2011 10 + + + + + +SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4) + + file (_/_e_t_c_/_s_u_d_o_e_r_s) and switch to _/_e_t_c_/_s_u_d_o_e_r_s_._l_o_c_a_l. Upon reaching the end of _/_e_t_c_/_s_u_d_o_e_r_s_._l_o_c_a_l, the rest of _/_e_t_c_/_s_u_d_o_e_r_s will be processed. Files that are included may themselves include other files. @@ -652,18 +689,6 @@ SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4) sorted lexical order. That is, _/_e_t_c_/_s_u_d_o_e_r_s_._d_/_0_1___f_i_r_s_t will be parsed before _/_e_t_c_/_s_u_d_o_e_r_s_._d_/_1_0___s_e_c_o_n_d. Be aware that because the sorting is lexical, not numeric, _/_e_t_c_/_s_u_d_o_e_r_s_._d_/_1___w_h_o_o_p_s would be loaded aafftteerr - - - -1.8.0b3 January 28, 2011 10 - - - - - -SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4) - - _/_e_t_c_/_s_u_d_o_e_r_s_._d_/_1_0___s_e_c_o_n_d. Using a consistent number of leading zeroes in the file names can be used to avoid such problems. @@ -693,6 +718,18 @@ SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4) ALL alias to allow a user to run "all but a few" commands rarely works as intended (see SECURITY NOTES below). + + + +1.8.0b3 February 3, 2011 11 + + + + + +SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4) + + Long lines can be continued with a backslash ('\') as the last character on the line. @@ -718,18 +755,6 @@ SSUUDDOOEERRSS OOPPTTIIOONNSS enabled, so _a_l_w_a_y_s___s_e_t___h_o_m_e is only effective for configurations where either _e_n_v___r_e_s_e_t is disabled or HOME is present in the _e_n_v___k_e_e_p list. This flag is _o_f_f - - - -1.8.0b3 January 28, 2011 11 - - - - - -SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4) - - by default. authenticate If set, users must authenticate themselves via a 
@@ -759,6 +784,18 @@ SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4) use the EDITOR or VISUAL if they match a value specified in editor. This flag is _o_f_f by default. + + + +1.8.0b3 February 3, 2011 12 + + + + + +SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4) + + env_reset If set, ssuuddoo will reset the environment to only contain the LOGNAME, MAIL, SHELL, USER, USERNAME and the SUDO_* variables. Any variables in the caller's environment @@ -784,18 +821,6 @@ SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4) the negation operator, '!', as such rules can be trivially bypassed. As such, this option should not be used when _s_u_d_o_e_r_s contains rules that contain negated - - - -1.8.0b3 January 28, 2011 12 - - - - - -SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4) - - path names which include globbing characters. This flag is _o_f_f by default. @@ -825,6 +850,18 @@ SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4) prevent the usage of local sudoers files so that only LDAP is used. This thwarts the efforts of rogue operators who would attempt to add roles to + + + +1.8.0b3 February 3, 2011 13 + + + + + +SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4) + + _/_e_t_c_/_s_u_d_o_e_r_s. When this option is present, _/_e_t_c_/_s_u_d_o_e_r_s does not even need to exist. Since this option tells ssuuddoo how to behave when no specific LDAP @@ -851,17 +888,6 @@ SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4) mail_always Send mail to the _m_a_i_l_t_o user every time a users runs ssuuddoo. This flag is _o_f_f by default. - - -1.8.0b3 January 28, 2011 13 - - - - - -SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4) - - mail_badpass Send mail to the _m_a_i_l_t_o user if the user running ssuuddoo does not enter the correct password. This flag is _o_f_f by default. 
@@ -890,6 +916,18 @@ SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4) path_info Normally, ssuuddoo will tell the user when a command could not be found in their PATH environment variable. Some sites may wish to disable this as it could be used to + + + +1.8.0b3 February 3, 2011 14 + + + + + +SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4) + + gather information on the location of executables that the normal user does not have access to. The disadvantage is that if the executable is simply not in @@ -916,18 +954,6 @@ SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4) the return (or enter) key. Some users become confused by this as it appears to them that ssuuddoo has hung at this point. When _p_w_f_e_e_d_b_a_c_k is set, ssuuddoo will provide - - - -1.8.0b3 January 28, 2011 14 - - - - - -SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4) - - visual feedback when the user presses a key. Note that this does have a security impact as an onlooker may be able to determine the length of the password being @@ -957,6 +983,17 @@ SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4) instead of the password of the invoking user. This flag is _o_f_f by default. + + +1.8.0b3 February 3, 2011 15 + + + + + +SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4) + + set_home If enabled and ssuuddoo is invoked with the --ss option the HOME environment variable will be set to the home directory of the target user (which is root unless the @@ -982,18 +1019,6 @@ SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4) command line via the --EE option. Additionally, environment variables set via the command line are not subject to the restrictions imposed by _e_n_v___c_h_e_c_k, - - - -1.8.0b3 January 28, 2011 15 - - - - - -SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4) - - _e_n_v___d_e_l_e_t_e, or _e_n_v___k_e_e_p. As such, only trusted users should be allowed to set variables in this manner. This flag is _o_f_f by default. 
@@ -1024,6 +1049,17 @@ SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4) not listed in the passwd database as an argument to the --uu option. This flag is _o_f_f by default. + + +1.8.0b3 February 3, 2011 16 + + + + + +SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4) + + log_input If set, ssuuddoo will run the command in a _p_s_e_u_d_o _t_t_y and log all user input. If the standard input is not connected to the user's tty, due to I/O redirection or @@ -1048,18 +1084,6 @@ SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4) Output logs may be viewed with the _s_u_d_o_r_e_p_l_a_y(1m) utility, which can also be used to list or search the - - - -1.8.0b3 January 28, 2011 16 - - - - - -SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4) - - available logs. tty_tickets If set, users must authenticate on a per-tty basis. @@ -1090,6 +1114,18 @@ SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4) visiblepw By default, ssuuddoo will refuse to run if the user must enter a password but it is not possible to disable echo + + + +1.8.0b3 February 3, 2011 17 + + + + + +SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4) + + on the terminal. If the _v_i_s_i_b_l_e_p_w flag is set, ssuuddoo will prompt for a password even when it would be visible on the screen. This makes it possible to run @@ -1114,18 +1150,6 @@ SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4) loglinelen Number of characters per line for the file log. This value is used to decide when to wrap lines for nicer log files. This has no effect on the syslog log file, - - - -1.8.0b3 January 28, 2011 17 - - - - - -SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4) - - only the file log. The default is 80 (use 0 or negate the option to disable word wrap). @@ -1157,6 +1181,17 @@ SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4) SSttrriinnggss: + + +1.8.0b3 February 3, 2011 18 + + + + + +SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4) + + badpass_message Message that is displayed if a user enters an incorrect password. The default is Sorry, try again. unless insults are enabled. 
@@ -1180,18 +1215,6 @@ SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4) %{seq} expanded to a monotonically increasing base-36 - - - -1.8.0b3 January 28, 2011 18 - - - - - -SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4) - - sequence number, such as 0100A5, where every two digits are used to form a new directory, e.g. _0_1_/_0_0_/_A_5 @@ -1223,6 +1246,18 @@ SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4) Path names that end in six or more Xs will have the Xs replaced with a unique combination of digits and + + + +1.8.0b3 February 3, 2011 19 + + + + + +SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4) + + letters, similar to the _m_k_t_e_m_p_(_) function. iolog_file The path name, relative to _i_o_l_o_g___d_i_r, in which to store @@ -1246,18 +1281,6 @@ SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4) LD_PRELOAD or its equivalent. Defaults to _/_u_s_r_/_l_o_c_a_l_/_l_i_b_e_x_e_c_/_s_u_d_o___n_o_e_x_e_c_._s_o. - - - -1.8.0b3 January 28, 2011 19 - - - - - -SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4) - - passprompt The default prompt to use when asking for a password; can be overridden via the --pp option or the SUDO_PROMPT environment variable. The following percent (`%') @@ -1290,6 +1313,17 @@ SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4) via command line options. This option is only available whe ssuuddoo is built with SELinux support. + + +1.8.0b3 February 3, 2011 20 + + + + + +SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4) + + runas_default The default user to run commands as if the --uu option is not specified on the command line. This defaults to root. Note that if _r_u_n_a_s___d_e_f_a_u_l_t is set it mmuusstt occur 
@@ -1312,18 +1346,6 @@ SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4) timestampowner The owner of the timestamp directory and the timestamps stored therein. The default is root. - - - -1.8.0b3 January 28, 2011 20 - - - - - -SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4) - - type The default SELinux type to use when constructing a new security context to run the command. The default type may be overridden on a per-command basis in _s_u_d_o_e_r_s or @@ -1356,6 +1378,18 @@ SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4) group_plugin A string containing a _s_u_d_o_e_r_s group plugin with optional + + + +1.8.0b3 February 3, 2011 21 + + + + + +SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4) + + arguments. This can be used to implement support for the nonunix_group syntax described earlier. The string should consist of the plugin path, either fully-qualified or @@ -1378,18 +1412,6 @@ SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4) always Always lecture the user. - - - -1.8.0b3 January 28, 2011 21 - - - - - -SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4) - - never Never lecture the user. once Only lecture the user the first time they run ssuuddoo. @@ -1422,6 +1444,18 @@ SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4) option. If no value is specified, a value of _a_n_y is implied. + + + +1.8.0b3 February 3, 2011 22 + + + + + +SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4) + + Negating the option results in a value of _n_e_v_e_r being used. The default value is _a_n_y. @@ -1444,18 +1478,6 @@ SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4) ssuuddoo interpreting the @ sign. Defaults to root. secure_path Path used for every command run from ssuuddoo. If you don't - - - -1.8.0b3 January 28, 2011 22 - - - - - -SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4) - - trust the people running ssuuddoo to have a sane PATH environment variable you may want to use this. Another use is if you want to have the "root path" be separate from the 
@@ -1488,6 +1510,18 @@ SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4) Negating the option results in a value of _n_e_v_e_r being used. The default value is _a_l_l. + + + +1.8.0b3 February 3, 2011 23 + + + + + +SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4) + + LLiissttss tthhaatt ccaann bbee uusseedd iinn aa bboooolleeaann ccoonntteexxtt: env_check Environment variables to be removed from the user's @@ -1510,18 +1544,6 @@ SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4) The argument may be a double-quoted, space-separated list or a single value without double-quotes. The list can be replaced, added to, deleted from, or disabled by - - - -1.8.0b3 January 28, 2011 23 - - - - - -SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4) - - using the =, +=, -=, and ! operators respectively. The default list of environment variables to remove is displayed when ssuuddoo is run by root with the _-_V option. @@ -1554,6 +1576,18 @@ FFIILLEESS _/_e_t_c_/_n_e_t_g_r_o_u_p List of network groups + + + +1.8.0b3 February 3, 2011 24 + + + + + +SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4) + + _/_v_a_r_/_l_o_g_/_s_u_d_o_-_i_o I/O log files _/_v_a_r_/_a_d_m_/_s_u_d_o Directory containing time stamps for the @@ -1577,18 +1611,6 @@ EEXXAAMMPPLLEESS User_Alias PARTTIMERS = bostley, jwfox, crawl User_Alias WEBMASTERS = will, wendy, wim - - -1.8.0b3 January 28, 2011 24 - - - - - -SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4) - - - # Runas alias specification Runas_Alias OP = root, operator Runas_Alias DB = oracle, sybase 
@@ -1620,6 +1642,18 @@ SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4) Here we override some of the compiled in default values. We want ssuuddoo to log via _s_y_s_l_o_g(3) using the _a_u_t_h facility in all cases. We don't + + + +1.8.0b3 February 3, 2011 25 + + + + + +SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4) + + want to subject the full time staff to the ssuuddoo lecture, user mmiilllleerrtt need not give a password, and we don't want to reset the LOGNAME, USER or USERNAME environment variables when running commands as root. @@ -1643,17 +1677,6 @@ SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4) root ALL = (ALL) ALL %wheel ALL = (ALL) ALL - - -1.8.0b3 January 28, 2011 25 - - - - - -SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4) - - We let rroooott and any user in group wwhheeeell run any command on any host as any user. @@ -1685,6 +1708,18 @@ SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4) sudoedit /etc/printcap, /usr/oper/bin/ The ooppeerraattoorr user may run commands limited to simple maintenance. + + + +1.8.0b3 February 3, 2011 26 + + + + + +SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4) + + Here, those are commands related to backups, killing processes, the printing system, shutting down the system, and any commands in the directory _/_u_s_r_/_o_p_e_r_/_b_i_n_/. @@ -1709,17 +1744,6 @@ SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4) The user bboobb may run anything on the _S_P_A_R_C and _S_G_I machines as any user listed in the _O_P Runas_Alias (rroooott and ooppeerraattoorr). - - -1.8.0b3 January 28, 2011 26 - - - - - -SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4) - - jim +biglab = ALL The user jjiimm may run any command on machines in the _b_i_g_l_a_b netgroup. 
@@ -1750,6 +1774,18 @@ SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4) For any machine in the _S_E_R_V_E_R_S Host_Alias, jjiillll may run any commands in the directory _/_u_s_r_/_b_i_n_/ except for those commands belonging to the _S_U + + + +1.8.0b3 February 3, 2011 27 + + + + + +SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4) + + and _S_H_E_L_L_S Cmnd_Aliases. steve CSNETS = (operator) /usr/local/op_commands/ @@ -1774,18 +1810,6 @@ SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4) Any user may mount or unmount a CD-ROM on the machines in the CDROM Host_Alias (orion, perseus, hercules) without entering a password. This is a bit tedious for users to type, so it is a prime candidate for - - - -1.8.0b3 January 28, 2011 27 - - - - - -SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4) - - encapsulating in a shell script. SSEECCUURRIITTYY NNOOTTEESS @@ -1817,6 +1841,17 @@ SSEECCUURRIITTYY NNOOTTEESS User jjoohhnn can still run /usr/bin/passwd root if _f_a_s_t___g_l_o_b is enabled by changing to _/_u_s_r_/_b_i_n and running ./passwd root instead. + + +1.8.0b3 February 3, 2011 28 + + + + + +SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4) + + PPRREEVVEENNTTIINNGG SSHHEELLLL EESSCCAAPPEESS Once ssuuddoo executes a program, that program is free to do whatever it pleases, including run other programs. This can be a security issue @@ -1840,18 +1875,6 @@ PPRREEVVEENNTTIINNGG SSHHEELLLL EESSCCAAPPEESS shared library. On such systems, ssuuddoo's _n_o_e_x_e_c functionality can be used to prevent a program run by ssuuddoo from executing any other programs. Note, however, that this applies only to - - - -1.8.0b3 January 28, 2011 28 - - - - - -SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4) - - native dynamically-linked executables. Statically-linked executables and foreign executables running under binary emulation are not affected. 
@@ -1883,6 +1906,18 @@ SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4) aaron shanty = NOEXEC: /usr/bin/more, /usr/bin/vi + + + +1.8.0b3 February 3, 2011 29 + + + + + +SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4) + + This allows user aaaarroonn to run _/_u_s_r_/_b_i_n_/_m_o_r_e and _/_u_s_r_/_b_i_n_/_v_i with _n_o_e_x_e_c enabled. This will prevent those two commands from executing other commands (such as a shell). If you are @@ -1906,18 +1941,6 @@ SSEECCUURRIITTYY NNOOTTEESS ownership and mode of the directory and its contents, the only damage that can be done is to "hide" files by putting them in the time stamp dir. This is unlikely to happen since once the time stamp dir is owned - - - -1.8.0b3 January 28, 2011 29 - - - - - -SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4) - - by root and inaccessible by any other user, the user placing files there would be unable to get them back out. @@ -1949,6 +1972,18 @@ SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4) If users have sudo ALL there is nothing to prevent them from creating their own program that gives them a root shell (or making their own copy of a shell) regardless of any '!' elements in the user + + + +1.8.0b3 February 3, 2011 30 + + + + + +SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4) + + specification. SSEEEE AALLSSOO @@ -1972,18 +2007,6 @@ BBUUGGSS SSUUPPPPOORRTT Limited free support is available via the sudo-users mailing list, see - - - -1.8.0b3 January 28, 2011 30 - - - - - -SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4) - - http://www.sudo.ws/mailman/listinfo/sudo-users to subscribe or search the archives. @@ -2018,29 +2041,6 @@ DDIISSCCLLAAIIMMEERR - - - - - - - - - - - - - - - - - - - - - - - -1.8.0b3 January 28, 2011 31 +1.8.0b3 February 3, 2011 31 diff --git a/doc/sudoers.man.in b/doc/sudoers.man.in index e5f361116..abf622b7a 100644 --- a/doc/sudoers.man.in +++ b/doc/sudoers.man.in 
@@ -148,7 +148,7 @@ .\" ======================================================================== .\" .IX Title "SUDOERS @mansectform@" -.TH SUDOERS @mansectform@ "January 28, 2011" "1.8.0b3" "MAINTENANCE COMMANDS" +.TH SUDOERS @mansectform@ "February 3, 2011" "1.8.0b3" "MAINTENANCE COMMANDS" .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l @@ -556,7 +556,7 @@ The user \fBdgb\fR may run \fI/bin/ls\fR, \fI/bin/kill\fR, and \&\fI/usr/bin/lprm\fR \*(-- but only as \fBoperator\fR. E.g., .PP .Vb 1 -\& $ sudo \-u operator /bin/ls. +\& $ sudo \-u operator /bin/ls .Ve .PP It is also possible to override a \f(CW\*(C`Runas_Spec\*(C'\fR later on in an 
@@ -577,14 +577,43 @@ the user or group set to \fBoperator\fR: \& /usr/bin/lprm .Ve .PP +Note that while the group portion of the \f(CW\*(C`Runas_Spec\*(C'\fR permits the +user to run as command with that group, it does not force the user +to do so. If no group is specified on the command line, the command +will run with the group listed in the target user's password database +entry. The following would all be permitted by the sudoers entry above: +.PP +.Vb 3 +\& $ sudo \-u operator /bin/ls +\& $ sudo \-u operator \-g operator /bin/ls +\& $ sudo \-g operator /bin/ls +.Ve +.PP In the following example, user \fBtcm\fR may run commands that access -a modem device file with the dialer group. Note that in this example -only the group will be set, the command still runs as user \fBtcm\fR. +a modem device file with the dialer group. .PP .Vb 2 \& tcm boulder = (:dialer) /usr/bin/tip, /usr/bin/cu, \e \& /usr/local/bin/minicom .Ve +.PP +Note that in this example only the group will be set, the command +still runs as user \fBtcm\fR. E.g. +.PP +.Vb 1 +\& $ sudo \-g dialer /usr/bin/cu +.Ve +.PP +Multiple users and groups may be present in a \f(CW\*(C`Runas_Spec\*(C'\fR, in +which case the user may select any combination of users and groups +via the \fB\-u\fR and \fB\-g\fR options. In this example: +.PP +.Vb 1 +\& alan ALL = (root, bin : operator, system) ALL +.Ve +.PP +user \fBalan\fR may run any command as either user root or bin, +optionally setting the group to operator or system. .if \n(SL \{\ .SS "SELinux_Spec" .IX Subsection "SELinux_Spec" diff --git a/doc/sudoers.pod b/doc/sudoers.pod index 540966c58..8a467b9ee 100644 --- a/doc/sudoers.pod +++ b/doc/sudoers.pod @@ -421,7 +421,7 @@ What this means is that for the entry: The user B may run F, F, and F -- but only as B. E.g., - $ sudo -u operator /bin/ls. + $ sudo -u operator /bin/ls It is also possible to override a C later on in an entry. If we modify the entry like so: 
@@ -437,13 +437,36 @@ the user or group set to B: dgb boulder = (operator : operator) /bin/ls, (root) /bin/kill, \ /usr/bin/lprm +Note that while the group portion of the C permits the +user to run as command with that group, it does not force the user +to do so. If no group is specified on the command line, the command +will run with the group listed in the target user's password database +entry. The following would all be permitted by the sudoers entry above: + + $ sudo -u operator /bin/ls + $ sudo -u operator -g operator /bin/ls + $ sudo -g operator /bin/ls + In the following example, user B may run commands that access -a modem device file with the dialer group. Note that in this example -only the group will be set, the command still runs as user B. +a modem device file with the dialer group. tcm boulder = (:dialer) /usr/bin/tip, /usr/bin/cu, \ /usr/local/bin/minicom +Note that in this example only the group will be set, the command +still runs as user B. E.g. + + $ sudo -g dialer /usr/bin/cu + +Multiple users and groups may be present in a C, in +which case the user may select any combination of users and groups +via the B<-u> and B<-g> options. In this example: + + alan ALL = (root, bin : operator, system) ALL + +user B may run any command as either user root or bin, +optionally setting the group to operator or system. + =head2 SELinux_Spec On systems with SELinux support, I entries may optionally have
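Review bot: Typo in the sudoers.pod hunk @@ -437,13 +437,36 @@, line `+user to run as command with that group`: "run as command" should read "run a command". Because doc/sudoers.cat and doc/sudoers.man.in are generated from the pod, the same wording is carried into both (`+user to run as command with that group` in sudoers.man.in and `+run as command with that group, it does not force the user to do so.` in sudoers.cat), so the fix belongs in the pod with the other two regenerated rather than patched by hand. In the same hunk, the new `+still runs as user B. E.g.` drops the comma that the existing "E.g.," sentence in this section uses; worth keeping the two consistent.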
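Review bot: The third permitted invocation in the sudoers.cat hunk @@ -466,9 +466,33 @@, `$ sudo -g operator /bin/ls`, is listed as allowed but the paragraph does not say which user it runs as. The new text only covers the case where no group is given ("the command will run with the group listed in the target user's password database entry"); the converse, no `-u`, is left to the reader, and the tcm example that follows makes exactly that point ("only the group will be set, the command still runs as user tcm"). A sentence after the three examples stating that the last form runs /bin/ls as dgb with its group set to operator, not as user operator, would close that gap, since readers checking what a Runas_Spec grants will otherwise assume the user changes as well.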
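Review bot: The doc/sudoers.cat hunks from @@ -61,7 +61,7 @@ through @@ -2018,29 +2041,6 @@ are almost entirely repagination: the footer date change ("January 28, 2011" to "February 3, 2011") on every page and page-break blocks moved between hunks as the new Runas_Spec text pushed later pages down, which is why the file shows 616 changed lines for a 29-line pod change. That volume hides the substantive edit during review; committing the regenerated catman page separately, or at least saying in the commit message that the .cat and .man.in changes are regenerated output, would make the actual wording change easy to find.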