Todd C. Miller
2004-06-10 20:54:25 +00:00
parent 18dae902b2
commit 5f7943db50
2 changed files with 134 additions and 119 deletions

166
sudo.cat

@@ -21,11 +21,14 @@ DDEESSCCRRIIPPTTIIOONN
superuser or another user, as specified in the _s_u_d_o_e_r_s
file. The real and effective uid and gid are set to match
those of the target user as specified in the passwd file
(the group vector is also initialized when the target user
is not root). By default, ssuuddoo requires that users
authenticate themselves with a password (NOTE: by default
this is the user's password, not the root password). Once
a user has been authenticated, a timestamp is updated and
and the group vector is initialized based on the group
file (unless the --PP option was specified). If the invok<6F>
ing user is root or if the target user is the same as the
invoking user, no password is required. Otherwise, ssuuddoo
requires that users authenticate themselves with a pass<73>
word by default (NOTE: in the default configuration this
is the user's password, not the root password). Once a
user has been authenticated, a timestamp is updated and
the user may then use sudo without a password for a short
period of time (5 minutes unless overridden in _s_u_d_o_e_r_s).
@@ -41,7 +44,7 @@ DDEESSCCRRIIPPTTIIOONN
If a user who is not listed in the _s_u_d_o_e_r_s file tries to
run a command via ssuuddoo, mail is sent to the proper author<6F>
ities, as defined at configure time or the _s_u_d_o_e_r_s file
ities, as defined at configure time or in the _s_u_d_o_e_r_s file
(defaults to root). Note that the mail will not be sent
if an unauthorized user tries to run sudo with the --ll or
--vv flags. This allows users to determine for themselves
@@ -56,12 +59,9 @@ DDEESSCCRRIIPPTTIIOONN
however, that the sudoers lookup is still done for root,
not the user specified by SUDO_USER.
ssuuddoo can log both successful and unsuccessful attempts (as
well as errors) to _s_y_s_l_o_g(3), a log file, or both. By
1.6.8 May 17, 2004 1
1.6.8 June 10, 2004 1
@@ -70,6 +70,8 @@ DDEESSCCRRIIPPTTIIOONN
SUDO(1m) MAINTENANCE COMMANDS SUDO(1m)
ssuuddoo can log both successful and unsuccessful attempts (as
well as errors) to _s_y_s_l_o_g(3), a log file, or both. By
default ssuuddoo will log via _s_y_s_l_o_g(3) but this is changeable
at configure time or via the _s_u_d_o_e_r_s file.
@@ -79,11 +81,12 @@ OOPPTTIIOONNSS
-H The --HH (_H_O_M_E) option sets the HOME environment vari<72>
able to the homedir of the target user (root by
default) as specified in passwd(4). By default, ssuuddoo
does not modify HOME.
does not modify HOME (see _s_e_t___h_o_m_e and _a_l_w_a_y_s___s_e_t___h_o_m_e
in sudoers(4)).
-K The --KK (sure _k_i_l_l) option to ssuuddoo removes the user's
timestamp entirely. Likewise, this option does not
require a password.
-K The --KK (sure _k_i_l_l) option is like --kk except that it
removes the user's timestamp entirely. Like --kk, this
option does not require a password.
-L The --LL (_l_i_s_t defaults) option will list out the param<61>
eters that may be set in a _D_e_f_a_u_l_t_s line along with a
@@ -91,14 +94,15 @@ OOPPTTIIOONNSS
conjunction with _g_r_e_p(1).
-P The --PP (_p_r_e_s_e_r_v_e _g_r_o_u_p _v_e_c_t_o_r) option causes ssuuddoo to
preserve the user's group vector unaltered. By
default, ssuuddoo will initialize the group vector to the
list of groups the target user is in. The real and
effective group IDs, however, are still set to match
the target user.
preserve the invoking user's group vector unaltered.
By default, ssuuddoo will initialize the group vector to
the list of groups the target user is in. The real
and effective group IDs, however, are still set to
match the target user.
-S The --SS (_s_t_d_i_n) option causes ssuuddoo to read the password
from standard input instead of the terminal device.
from the standard input instead of the terminal
device.
-V The --VV (_v_e_r_s_i_o_n) option causes ssuuddoo to print the ver<65>
sion number and exit. If the invoking user is already
@@ -120,14 +124,10 @@ OOPPTTIIOONNSS
--bb option you cannot use shell job control to manipu<70>
late the process.
-c The --cc (_c_l_a_s_s) option causes ssuuddoo to run the specified
command with resources limited by the specified login
class. The _c_l_a_s_s argument can be either a class name
as defined in /etc/login.conf, or a single '-'
1.6.8 May 17, 2004 2
1.6.8 June 10, 2004 2
@@ -136,8 +136,12 @@ OOPPTTIIOONNSS
SUDO(1m) MAINTENANCE COMMANDS SUDO(1m)
character. Specifying a _c_l_a_s_s of - indicates that the
command should be run restricted by the default login
-c The --cc (_c_l_a_s_s) option causes ssuuddoo to run the specified
command with resources limited by the specified login
class. The _c_l_a_s_s argument can be either a class name
as defined in /etc/login.conf, or a single '-' charac<61>
ter. Specifying a _c_l_a_s_s of - indicates that the com<6F>
mand should be run restricted by the default login
capabilities for the user the command is run as. If
the _c_l_a_s_s argument specifies an existing user class,
the command must be run as root, or the ssuuddoo command
@@ -153,7 +157,8 @@ SUDO(1m) MAINTENANCE COMMANDS SUDO(1m)
authorized by _s_u_d_o_e_r_s the following steps are taken:
1. Temporary copies are made of the files to be
edited, owned by the invoking user.
edited with the owner set to the invoking
user.
2. The editor specified by the VISUAL or EDITOR
environment variables is run to edit the tem<65>
@@ -185,15 +190,10 @@ SUDO(1m) MAINTENANCE COMMANDS SUDO(1m)
It also initializes the environment, leaving _T_E_R_M
unchanged, setting _H_O_M_E, _S_H_E_L_L, _U_S_E_R, _L_O_G_N_A_M_E, and
_P_A_T_H, and unsetting all other environment variables.
Note that because the shell to use is determined
before the _s_u_d_o_e_r_s file is parsed, a _r_u_n_a_s___d_e_f_a_u_l_t
setting in _s_u_d_o_e_r_s will specify the user to run the
shell as but will not affect which shell is actually
run.
1.6.8 May 17, 2004 3
1.6.8 June 10, 2004 3
@@ -202,6 +202,12 @@ SUDO(1m) MAINTENANCE COMMANDS SUDO(1m)
SUDO(1m) MAINTENANCE COMMANDS SUDO(1m)
Note that because the shell to use is determined
before the _s_u_d_o_e_r_s file is parsed, a _r_u_n_a_s___d_e_f_a_u_l_t
setting in _s_u_d_o_e_r_s will specify the user to run the
shell as but will not affect which shell is actually
run.
-k The --kk (_k_i_l_l) option to ssuuddoo invalidates the user's
timestamp by setting the time on it to the epoch. The
next time ssuuddoo is run a password will be required.
@@ -250,16 +256,10 @@ SUDO(1m) MAINTENANCE COMMANDS SUDO(1m)
command line arguments. It is most useful in conjunc<6E>
tion with the --ss flag.
RREETTUURRNN VVAALLUUEESS
Upon successful execution of a program, the return value
from ssuuddoo will simply be the return value of the program
that was executed.
Otherwise, ssuuddoo quits with an exit value of 1 if there is
1.6.8 May 17, 2004 4
1.6.8 June 10, 2004 4
@@ -268,6 +268,12 @@ RREETTUURRNN VVAALLUUEESS
SUDO(1m) MAINTENANCE COMMANDS SUDO(1m)
RREETTUURRNN VVAALLUUEESS
Upon successful execution of a program, the return value
from ssuuddoo will simply be the return value of the program
that was executed.
Otherwise, ssuuddoo quits with an exit value of 1 if there is
a configuration/permission problem or if ssuuddoo cannot exe<78>
cute the given command. In the latter case the error
string is printed to stderr. If ssuuddoo cannot _s_t_a_t(2) one
@@ -316,16 +322,10 @@ SSEECCUURRIITTYY NNOOTTEESS
(_/_v_a_r_/_r_u_n_/_s_u_d_o by default) and ignore the directory's con<6F>
tents if it is not owned by root and only writable by
root. On systems that allow non-root users to give away
files via _c_h_o_w_n(2), if the timestamp directory is located
in a directory writable by anyone (e.g.: _/_t_m_p), it is pos<6F>
sible for a user to create the timestamp directory before
ssuuddoo is run. However, because ssuuddoo checks the ownership
and mode of the directory and its contents, the only dam<61>
age that can be done is to "hide" files by putting them in
1.6.8 May 17, 2004 5
1.6.8 June 10, 2004 5
@@ -334,6 +334,12 @@ SSEECCUURRIITTYY NNOOTTEESS
SUDO(1m) MAINTENANCE COMMANDS SUDO(1m)
files via _c_h_o_w_n(2), if the timestamp directory is located
in a directory writable by anyone (e.g.: _/_t_m_p), it is pos<6F>
sible for a user to create the timestamp directory before
ssuuddoo is run. However, because ssuuddoo checks the ownership
and mode of the directory and its contents, the only dam<61>
age that can be done is to "hide" files by putting them in
the timestamp dir. This is unlikely to happen since once
the timestamp dir is owned by root and inaccessible by any
other user the user placing files there would be unable to
@@ -366,32 +372,26 @@ EEXXAAMMPPLLEESS
To get a file listing of an unreadable directory:
% sudo ls /usr/local/protected
$ sudo ls /usr/local/protected
To list the home directory of user yazza on a machine
where the file system holding ~yazza is not exported as
root:
% sudo -u yazza ls ~yazza
$ sudo -u yazza ls ~yazza
To edit the _i_n_d_e_x_._h_t_m_l file as user www:
% sudo -u www vi ~www/htdocs/index.html
$ sudo -u www vi ~www/htdocs/index.html
To shutdown a machine:
% sudo shutdown -r +15 "quick reboot"
To make a usage listing of the directories in the /home
partition. Note that this runs the commands in a sub-
shell to make the cd and file redirection work.
% sudo sh -c "cd /home ; du -s * | sort -rn > USAGE"
$ sudo shutdown -r +15 "quick reboot"
1.6.8 May 17, 2004 6
1.6.8 June 10, 2004 6
@@ -400,6 +400,12 @@ EEXXAAMMPPLLEESS
SUDO(1m) MAINTENANCE COMMANDS SUDO(1m)
To make a usage listing of the directories in the /home
partition. Note that this runs the commands in a sub-
shell to make the cd and file redirection work.
$ sudo sh -c "cd /home ; du -s * | sort -rn > USAGE"
EENNVVIIRROONNMMEENNTT
ssuuddoo utilizes the following environment variables:
@@ -448,16 +454,10 @@ AAUUTTHHOORRSS
BBUUGGSS
If you feel you have found a bug in sudo, please submit a
bug report at http://www.sudo.ws/sudo/bugs/
DDIISSCCLLAAIIMMEERR
SSuuddoo is provided ``AS IS'' and any express or implied war<61>
ranties, including, but not limited to, the implied war<61>
ranties of merchantability and fitness for a particular
1.6.8 May 17, 2004 7
1.6.8 June 10, 2004 7
@@ -466,6 +466,12 @@ DDIISSCCLLAAIIMMEERR
SUDO(1m) MAINTENANCE COMMANDS SUDO(1m)
bug report at http://www.sudo.ws/sudo/bugs/
DDIISSCCLLAAIIMMEERR
SSuuddoo is provided ``AS IS'' and any express or implied war<61>
ranties, including, but not limited to, the implied war<61>
ranties of merchantability and fitness for a particular
purpose are disclaimed. See the LICENSE file distributed
with ssuuddoo for complete details.
@@ -478,9 +484,18 @@ CCAAVVEEAATTSS
prevent shell escapes with ssuuddoo's _n_o_e_x_e_c functionality.
See the sudoers(4) manual for details.
It is not meaningful to run the cd command directly via
sudo, e.g.
$ sudo cd /usr/local/protected
since when whe command exits the parent process (your
shell) will still be the same. Please see the EXAMPLES
section for more information.
If users have sudo ALL there is nothing to prevent them
from creating their own program that gives them a root
shell regardless of any '!' elements in the user specifi<66>
shell regardless of any '!' elements in the user specifi<66>
cation.
Running shell scripts via ssuuddoo can expose the same kernel
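Review bot: typo in the added CAVEATS paragraph, "since when whe command exits" should read "since when the command exits". The same wording appears in the CAVEATS hunk of the second file, so both need the fix.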
@@ -508,21 +523,6 @@ SSEEEE AALLSSOO
1.6.8 May 17, 2004 8
1.6.8 June 10, 2004 8


@@ -149,7 +149,7 @@
.\" ========================================================================
.\"
.IX Title "SUDO @mansectsu@"
.TH SUDO @mansectsu@ "May 17, 2004" "1.6.8" "MAINTENANCE COMMANDS"
.TH SUDO @mansectsu@ "June 10, 2004" "1.6.8" "MAINTENANCE COMMANDS"
.SH "NAME"
sudo, sudoedit \- execute a command as another user
.SH "SYNOPSIS"
@@ -168,13 +168,16 @@ file [...]
\&\fBsudo\fR allows a permitted user to execute a \fIcommand\fR as the
superuser or another user, as specified in the \fIsudoers\fR file.
The real and effective uid and gid are set to match those of the
target user as specified in the passwd file (the group vector is
also initialized when the target user is not root). By default,
target user as specified in the passwd file and the group vector
is initialized based on the group file (unless the \fB\-P\fR option was
specified). If the invoking user is root or if the target user is
the same as the invoking user, no password is required. Otherwise,
\&\fBsudo\fR requires that users authenticate themselves with a password
(\s-1NOTE:\s0 by default this is the user's password, not the root password).
Once a user has been authenticated, a timestamp is updated and the
user may then use sudo without a password for a short period of
time (\f(CW\*(C`@timeout@\*(C'\fR minutes unless overridden in \fIsudoers\fR).
by default (\s-1NOTE:\s0 in the default configuration this is the user's
password, not the root password). Once a user has been authenticated,
a timestamp is updated and the user may then use sudo without a
password for a short period of time (\f(CW\*(C`@timeout@\*(C'\fR minutes unless
overridden in \fIsudoers\fR).
.PP
When invoked as \fBsudoedit\fR, the \fB\-e\fR option (described below),
is implied.
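Review bot: the added sentence "If the invoking user is root or if the target user is the same as the invoking user, no password is required" does not say whether the sudoers check still applies in those two cases. This paragraph is where a reader learns when authentication is skipped, so it should state that explicitly. The rewritten sentence also now reads "with a password by default (NOTE: in the default configuration this is the user's password ...", which states the default twice; dropping one of the two would read better.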
@@ -188,11 +191,11 @@ entered within \f(CW\*(C`@password_timeout@\*(C'\fR minutes (unless overridden v
.PP
If a user who is not listed in the \fIsudoers\fR file tries to run a
command via \fBsudo\fR, mail is sent to the proper authorities, as
defined at configure time or the \fIsudoers\fR file (defaults to root).
Note that the mail will not be sent if an unauthorized user tries
to run sudo with the \fB\-l\fR or \fB\-v\fR flags. This allows users to
determine for themselves whether or not they are allowed to use
\&\fBsudo\fR.
defined at configure time or in the \fIsudoers\fR file (defaults to
\&\f(CW\*(C`@mailto@\*(C'\fR). Note that the mail will not be sent if an unauthorized
user tries to run sudo with the \fB\-l\fR or \fB\-v\fR flags. This allows
users to determine for themselves whether or not they are allowed
to use \fBsudo\fR.
.PP
If \fBsudo\fR is run by root and the \f(CW\*(C`SUDO_USER\*(C'\fR environment variable
is set, \fBsudo\fR will use this value to determine who the actual
@@ -213,11 +216,13 @@ or via the \fIsudoers\fR file.
.IX Item "-H"
The \fB\-H\fR (\fI\s-1HOME\s0\fR) option sets the \f(CW\*(C`HOME\*(C'\fR environment variable
to the homedir of the target user (root by default) as specified
in passwd(@mansectform@). By default, \fBsudo\fR does not modify \f(CW\*(C`HOME\*(C'\fR.
in passwd(@mansectform@). By default, \fBsudo\fR does not modify \f(CW\*(C`HOME\*(C'\fR
(see \fIset_home\fR and \fIalways_set_home\fR in sudoers(@mansectform@)).
.IP "\-K" 4
.IX Item "-K"
The \fB\-K\fR (sure \fIkill\fR) option to \fBsudo\fR removes the user's timestamp
entirely. Likewise, this option does not require a password.
The \fB\-K\fR (sure \fIkill\fR) option is like \fB\-k\fR except that it removes
the user's timestamp entirely. Like \fB\-k\fR, this option does not
require a password.
.IP "\-L" 4
.IX Item "-L"
The \fB\-L\fR (\fIlist\fR defaults) option will list out the parameters
@@ -225,21 +230,21 @@ that may be set in a \fIDefaults\fR line along with a short description
for each. This option is useful in conjunction with \fIgrep\fR\|(1).
.IP "\-P" 4
.IX Item "-P"
The \fB\-P\fR (\fIpreserve group vector\fR) option causes \fBsudo\fR to preserve
the user's group vector unaltered. By default, \fBsudo\fR will initialize
the group vector to the list of groups the target user is in.
The real and effective group IDs, however, are still set to match
the target user.
The \fB\-P\fR (\fIpreserve group vector\fR) option causes \fBsudo\fR to
preserve the invoking user's group vector unaltered. By default,
\&\fBsudo\fR will initialize the group vector to the list of groups the
target user is in. The real and effective group IDs, however, are
still set to match the target user.
.IP "\-S" 4
.IX Item "-S"
The \fB\-S\fR (\fIstdin\fR) option causes \fBsudo\fR to read the password from
standard input instead of the terminal device.
the standard input instead of the terminal device.
.IP "\-V" 4
.IX Item "-V"
The \fB\-V\fR (\fIversion\fR) option causes \fBsudo\fR to print the
version number and exit. If the invoking user is already root
the \fB\-V\fR option will print out a list of the defaults \fBsudo\fR
was compiled with as well as the machine's local network addresses.
The \fB\-V\fR (\fIversion\fR) option causes \fBsudo\fR to print the version
number and exit. If the invoking user is already root the \fB\-V\fR
option will print out a list of the defaults \fBsudo\fR was compiled
with as well as the machine's local network addresses.
.IP "\-a" 4
.IX Item "-a"
The \fB\-a\fR (\fIauthentication type\fR) option causes \fBsudo\fR to use the
@@ -275,8 +280,8 @@ the \fIsudoers\fR file. If the user is authorized by \fIsudoers\fR
the following steps are taken:
.RS 4
.IP "1." 8
Temporary copies are made of the files to be edited, owned by the
invoking user.
Temporary copies are made of the files to be edited with the owner
set to the invoking user.
.IP "2." 8
The editor specified by the \f(CW\*(C`VISUAL\*(C'\fR or \f(CW\*(C`EDITOR\*(C'\fR environment
variables is run to edit the temporary files. If neither \f(CW\*(C`VISUAL\*(C'\fR
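Review bot: the new wording in step 1, "Temporary copies are made of the files to be edited with the owner set to the invoking user", can be parsed as "edited with the owner". Ownership of the temporary copies is the security-relevant detail in this step, so keep it unambiguous, for example "Temporary copies of the files to be edited are made, with the owner set to the invoking user."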
@@ -460,26 +465,26 @@ Note: the following examples assume suitable sudoers(@mansectform@) entries.
To get a file listing of an unreadable directory:
.PP
.Vb 1
\& % sudo ls /usr/local/protected
\& $ sudo ls /usr/local/protected
.Ve
.PP
To list the home directory of user yazza on a machine where the
file system holding ~yazza is not exported as root:
.PP
.Vb 1
\& % sudo -u yazza ls ~yazza
\& $ sudo -u yazza ls ~yazza
.Ve
.PP
To edit the \fIindex.html\fR file as user www:
.PP
.Vb 1
\& % sudo -u www vi ~www/htdocs/index.html
\& $ sudo -u www vi ~www/htdocs/index.html
.Ve
.PP
To shutdown a machine:
.PP
.Vb 1
\& % sudo shutdown -r +15 "quick reboot"
\& $ sudo shutdown -r +15 "quick reboot"
.Ve
.PP
To make a usage listing of the directories in the /home
@@ -487,7 +492,7 @@ partition. Note that this runs the commands in a sub-shell
to make the \f(CW\*(C`cd\*(C'\fR and file redirection work.
.PP
.Vb 1
\& % sudo sh -c "cd /home ; du -s * | sort -rn > USAGE"
\& $ sudo sh -c "cd /home ; du -s * | sort -rn > USAGE"
.Ve
.SH "ENVIRONMENT"
.IX Header "ENVIRONMENT"
@@ -580,11 +585,21 @@ if that user is allowed to run arbitrary commands via \fBsudo\fR.
Also, many programs (such as editors) allow the user to run commands
via shell escapes, thus avoiding \fBsudo\fR's checks. However, on
most systems it is possible to prevent shell escapes with \fBsudo\fR's
\&\fInoexec\fR functionality. See the sudoers(@mansectform@) manual for details.
\&\fInoexec\fR functionality. See the sudoers(@mansectform@) manual
for details.
.PP
If users have sudo \f(CW\*(C`ALL\*(C'\fR there is nothing to prevent them from creating
their own program that gives them a root shell regardless of any '!'
elements in the user specification.
It is not meaningful to run the \f(CW\*(C`cd\*(C'\fR command directly via sudo, e.g.
.PP
.Vb 1
\& $ sudo cd /usr/local/protected
.Ve
.PP
since when whe command exits the parent process (your shell) will
still be the same. Please see the \s-1EXAMPLES\s0 section for more information.
.PP
If users have sudo \f(CW\*(C`ALL\*(C'\fR there is nothing to prevent them from
creating their own program that gives them a root shell regardless
of any '!' elements in the user specification.
.PP
Running shell scripts via \fBsudo\fR can expose the same kernel bugs
that make setuid shell scripts unsafe on some operating systems
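Review bot: in the new "sudo cd" caveat, "the parent process (your shell) will still be the same" does not say what stays the same. The point is that the directory change happens in the process sudo runs and is gone when that process exits, so the invoking shell's working directory is unchanged; saying that directly would make the caveat self-explanatory. The pointer to the EXAMPLES section would also be more useful if it named the sh -c "cd /home ; ..." example as the intended alternative.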