Update env variable info in SECURITY NOTES

Todd C. Miller
2004-11-11 16:30:01 +00:00
parent 74b4e439a6
commit 85d1ca15a7
3 changed files with 119 additions and 49 deletions

sudo.cat

@@ -8,7 +8,7 @@ NNAAMMEE
sudo, sudoedit - execute a command as another user
SSYYNNOOPPSSIISS
ssuuddoo --KK | --LL | --VV | --hh | --kk | --ll [_u_s_e_r_n_a_m_e] | --vv
ssuuddoo --KK | --LL | --VV | --hh | --kk | --ll | --vv
ssuuddoo [--HHPPSSbb] [--aa _a_u_t_h___t_y_p_e] [--cc _c_l_a_s_s|_-] [--pp _p_r_o_m_p_t]
[--uu _u_s_e_r_n_a_m_e|_#_u_i_d] {--ee file [...] | --ii | --ss | _c_o_m_m_a_n_d}
@@ -61,7 +61,7 @@ DDEESSCCRRIIPPTTIIOONN
1.6.9 October 26, 2004 1
1.6.9 November 11, 2004 1
@@ -127,7 +127,7 @@ OOPPTTIIOONNSS
1.6.9 October 26, 2004 2
1.6.9 November 11, 2004 2
@@ -193,7 +193,7 @@ SUDO(1m) MAINTENANCE COMMANDS SUDO(1m)
1.6.9 October 26, 2004 3
1.6.9 November 11, 2004 3
@@ -209,12 +209,11 @@ SUDO(1m) MAINTENANCE COMMANDS SUDO(1m)
to allow a user to revoke ssuuddoo permissions from a
.logout file.
-l [_u_s_e_r_n_a_m_e]
The --ll (_l_i_s_t) option will list out the allowed (and
forbidden) commands for _u_s_e_r_n_a_m_e on the current host.
If _u_s_e_r_n_a_m_e is ommitted, the information listed will
be for the invoking user. Only the superuser may list
other user's commands.
-l The --ll (_l_i_s_t) option will list out the allowed (and
forbidden) commands for the user on the current host.
If the --uu flag is specified and the invoking user has
ssuuddoo ALL on the current host, the information listed
will be for the user specified by the --uu flag.
-p The --pp (_p_r_o_m_p_t) option allows you to override the
default password prompt and use a custom one. The
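Review bot: the new -l paragraph says what happens when -u is given and the invoking user has `sudo ALL` on the host, but not what happens when -u is given and the invoker lacks ALL; one sentence stating whether -u is then ignored or the request refused would close the gap that the deleted "Only the superuser may list other user's commands" sentence used to cover.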
@@ -259,7 +258,8 @@ SUDO(1m) MAINTENANCE COMMANDS SUDO(1m)
1.6.9 October 26, 2004 4
1.6.9 November 11, 2004 4
@@ -293,17 +293,20 @@ SSEECCUURRIITTYY NNOOTTEESS
To combat this the LD_*, _RLD_*, SHLIB_PATH (HP-UX only),
and LIBPATH (AIX only) environment variables are removed
from the environment passed on to all commands executed.
ssuuddoo will also remove the IFS, ENV, BASH_ENV, KRB_CONF,
KRBCONFDIR, KRBTKFILE, KRB5_CONFIG, LOCALDOMAIN,
ssuuddoo will also remove the IFS, CDPATH, ENV, BASH_ENV,
KRB_CONF, KRBCONFDIR, KRBTKFILE, KRB5_CONFIG, LOCALDOMAIN,
RES_OPTIONS, HOSTALIASES, NLSPATH, PATH_LOCALE, TERMINFO,
TERMINFO_DIRS and TERMPATH variables as they too can pose
a threat. If the TERMCAP variable is set and is a path<74>
name, it too is ignored. Additionally, if the LC_* or
LANGUAGE variables contain the / or % characters, they are
ignored. If ssuuddoo has been compiled with SecurID support,
the VAR_ACE, USR_ACE and DLC_ACE variables are cleared as
well. The list of environment variables that ssuuddoo clears
is contained in the output of sudo -V when run as root.
ignored. Environment variables with a value beginning
with () are also removed as they could be interpreted as
bbaasshh functions. If ssuuddoo has been compiled with SecurID
support, the VAR_ACE, USR_ACE and DLC_ACE variables are
cleared as well. The list of environment variables that
ssuuddoo clears is contained in the output of sudo -V when run
as root.
To prevent command spoofing, ssuuddoo checks "." and "" (both
denoting current directory) last when searching for a com<6F>
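Review bot: the added sentence says variables whose value begins with `()` are "removed", while the adjacent TERMCAP and LC_*/LANGUAGE sentences say "ignored"; if both mean the variable is not passed to the command, using one verb throughout avoids readers wondering whether "ignored" leaves the variable in place. CDPATH also joins the list here without the one-line reason the LD_* group gets; a short "(cd would follow it)" style note, as for SHLIB_PATH and LIBPATH, would help.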
@@ -319,13 +322,10 @@ SSEECCUURRIITTYY NNOOTTEESS
cally.
ssuuddoo will check the ownership of its timestamp directory
(_/_v_a_r_/_r_u_n_/_s_u_d_o by default) and ignore the directory's con<6F>
tents if it is not owned by root and only writable by
root. On systems that allow non-root users to give away
1.6.9 October 26, 2004 5
1.6.9 November 11, 2004 5
@@ -334,6 +334,9 @@ SSEECCUURRIITTYY NNOOTTEESS
SUDO(1m) MAINTENANCE COMMANDS SUDO(1m)
(_/_v_a_r_/_r_u_n_/_s_u_d_o by default) and ignore the directory's con<6F>
tents if it is not owned by root and only writable by
root. On systems that allow non-root users to give away
files via _c_h_o_w_n(2), if the timestamp directory is located
in a directory writable by anyone (e.g.: _/_t_m_p), it is pos<6F>
sible for a user to create the timestamp directory before
@@ -385,13 +388,10 @@ EENNVVIIRROONNMMEENNTT
SUDO_PROMPT Used as the default password prompt
SUDO_COMMAND Set to the command run by sudo
SUDO_USER Set to the login of the user who invoked sudo
1.6.9 October 26, 2004 6
1.6.9 November 11, 2004 6
@@ -400,6 +400,10 @@ EENNVVIIRROONNMMEENNTT
SUDO(1m) MAINTENANCE COMMANDS SUDO(1m)
SUDO_COMMAND Set to the command run by sudo
SUDO_USER Set to the login of the user who invoked sudo
SUDO_UID Set to the uid of the user who invoked sudo
SUDO_GID Set to the gid of the user who invoked sudo
@@ -451,13 +455,9 @@ AAUUTTHHOORRSS
Many people have worked on ssuuddoo over the years; this ver<65>
sion consists of code written primarily by:
Todd Miller
Chris Jepeway
1.6.9 October 26, 2004 7
1.6.9 November 11, 2004 7
@@ -466,6 +466,9 @@ AAUUTTHHOORRSS
SUDO(1m) MAINTENANCE COMMANDS SUDO(1m)
Todd Miller
Chris Jepeway
See the HISTORY file in the ssuuddoo distribution or visit
http://www.sudo.ws/sudo/history.html for a short history
of ssuuddoo.
@@ -516,13 +519,76 @@ DDIISSCCLLAAIIMMEERR
ranties, including, but not limited to, the implied war<61>
ranties of merchantability and fitness for a particular
purpose are disclaimed. See the LICENSE file distributed
with ssuuddoo or http://www.sudo.ws/sudo/license.html for com<6F>
plete details.
with ssuuddoo or http://www.sudo.ws/sudo/license.html for
1.6.9 November 11, 2004 8
1.6.9 October 26, 2004 8
SUDO(1m) MAINTENANCE COMMANDS SUDO(1m)
complete details.
1.6.9 November 11, 2004 9
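Review bot: the reflow pushes a single line, "complete details.", onto a new page 9 of the preformatted sudo.cat. Nothing to fix by hand, since this file is generated, but regenerating it once the text settles would avoid repaginating every later page in the same commit as the wording change.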


@@ -149,12 +149,12 @@
.\" ========================================================================
.\"
.IX Title "SUDO @mansectsu@"
.TH SUDO @mansectsu@ "October 26, 2004" "1.6.9" "MAINTENANCE COMMANDS"
.TH SUDO @mansectsu@ "November 11, 2004" "1.6.9" "MAINTENANCE COMMANDS"
.SH "NAME"
sudo, sudoedit \- execute a command as another user
.SH "SYNOPSIS"
.IX Header "SYNOPSIS"
\&\fBsudo\fR \fB\-K\fR | \fB\-L\fR | \fB\-V\fR | \fB\-h\fR | \fB\-k\fR | \fB\-l\fR [\fIusername\fR] | \fB\-v\fR
\&\fBsudo\fR \fB\-K\fR | \fB\-L\fR | \fB\-V\fR | \fB\-h\fR | \fB\-k\fR | \fB\-l\fR | \fB\-v\fR
.PP
\&\fBsudo\fR [\fB\-HPSb\fR] [\fB\-a\fR\ \fIauth_type\fR] [\fB\-c\fR\ \fIclass\fR|\fI\-\fR]
[\fB\-p\fR\ \fIprompt\fR] [\fB\-u\fR\ \fIusername\fR|\fI#uid\fR]
@@ -320,12 +320,12 @@ by setting the time on it to the epoch. The next time \fBsudo\fR is
run a password will be required. This option does not require a password
and was added to allow a user to revoke \fBsudo\fR permissions from a .logout
file.
.IP "\-l [\fIusername\fR]" 4
.IX Item "-l [username]"
.IP "\-l" 4
.IX Item "-l"
The \fB\-l\fR (\fIlist\fR) option will list out the allowed (and forbidden)
commands for \fIusername\fR on the current host. If \fIusername\fR is
ommitted, the information listed will be for the invoking user.
Only the superuser may list other user's commands.
commands for the user on the current host. If the \fB\-u\fR flag is
specified and the invoking user has \fBsudo\fR \f(CW\*(C`ALL\*(C'\fR on the current host,
the information listed will be for the user specified by the \fB\-u\fR flag.
.IP "\-p" 4
.IX Item "-p"
The \fB\-p\fR (\fIprompt\fR) option allows you to override the default
@@ -404,13 +404,15 @@ to subvert the program that \fBsudo\fR runs. To combat this the
\&\f(CW\*(C`LD_*\*(C'\fR, \f(CW\*(C`_RLD_*\*(C'\fR, \f(CW\*(C`SHLIB_PATH\*(C'\fR (\s-1HP\-UX\s0 only), and \f(CW\*(C`LIBPATH\*(C'\fR (\s-1AIX\s0
only) environment variables are removed from the environment passed
on to all commands executed. \fBsudo\fR will also remove the \f(CW\*(C`IFS\*(C'\fR,
\&\f(CW\*(C`ENV\*(C'\fR, \f(CW\*(C`BASH_ENV\*(C'\fR, \f(CW\*(C`KRB_CONF\*(C'\fR, \f(CW\*(C`KRBCONFDIR\*(C'\fR, \f(CW\*(C`KRBTKFILE\*(C'\fR,
\&\f(CW\*(C`CDPATH\*(C'\fR, \f(CW\*(C`ENV\*(C'\fR, \f(CW\*(C`BASH_ENV\*(C'\fR, \f(CW\*(C`KRB_CONF\*(C'\fR, \f(CW\*(C`KRBCONFDIR\*(C'\fR, \f(CW\*(C`KRBTKFILE\*(C'\fR,
\&\f(CW\*(C`KRB5_CONFIG\*(C'\fR, \f(CW\*(C`LOCALDOMAIN\*(C'\fR, \f(CW\*(C`RES_OPTIONS\*(C'\fR, \f(CW\*(C`HOSTALIASES\*(C'\fR,
\&\f(CW\*(C`NLSPATH\*(C'\fR, \f(CW\*(C`PATH_LOCALE\*(C'\fR, \f(CW\*(C`TERMINFO\*(C'\fR, \f(CW\*(C`TERMINFO_DIRS\*(C'\fR and
\&\f(CW\*(C`TERMPATH\*(C'\fR variables as they too can pose a threat. If the
\&\f(CW\*(C`TERMCAP\*(C'\fR variable is set and is a pathname, it too is ignored.
Additionally, if the \f(CW\*(C`LC_*\*(C'\fR or \f(CW\*(C`LANGUAGE\*(C'\fR variables contain the
\&\f(CW\*(C`/\*(C'\fR or \f(CW\*(C`%\*(C'\fR characters, they are ignored. If \fBsudo\fR has been
\&\f(CW\*(C`/\*(C'\fR or \f(CW\*(C`%\*(C'\fR characters, they are ignored. Environment variables
with a value beginning with \f(CW\*(C`()\*(C'\fR are also removed as they could
be interpreted as \fBbash\fR functions. If \fBsudo\fR has been
compiled with SecurID support, the \f(CW\*(C`VAR_ACE\*(C'\fR, \f(CW\*(C`USR_ACE\*(C'\fR and
\&\f(CW\*(C`DLC_ACE\*(C'\fR variables are cleared as well. The list of environment
variables that \fBsudo\fR clears is contained in the output of


@@ -27,7 +27,7 @@ sudo, sudoedit - execute a command as another user
=head1 SYNOPSIS
B<sudo> B<-K> | B<-L> | B<-V> | B<-h> | B<-k> | B<-l> [I<username>] | B<-v>
B<sudo> B<-K> | B<-L> | B<-V> | B<-h> | B<-k> | B<-l> | B<-v>
B<sudo> [B<-HPSb>] S<[B<-a> I<auth_type>]> S<[B<-c> I<class>|I<->]>
S<[B<-p> I<prompt>]> S<[B<-u> I<username>|I<#uid>]>
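Review bot: dropping `[I<username>]` after B<-l> matches the option-text change, but the first synopsis line now shows B<-l> standing alone, and the only place B<-u> appears is the second line, the command-execution form; a reader will not see from the synopsis that -l accepts -u. Consider `B<-l> [B<-u> I<username>]` on the first line, or whatever form the code actually accepts, and regenerate sudo.cat and the .man.in from this POD source.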
@@ -217,12 +217,12 @@ run a password will be required. This option does not require a password
and was added to allow a user to revoke B<sudo> permissions from a .logout
file.
=item -l [I<username>]
=item -l
The B<-l> (I<list>) option will list out the allowed (and forbidden)
commands for I<username> on the current host. If I<username> is
ommitted, the information listed will be for the invoking user.
Only the superuser may list other user's commands.
commands for the user on the current host. If the B<-u> flag is
specified and the invoking user has B<sudo> C<ALL> on the current host,
the information listed will be for the user specified by the B<-u> flag.
=item -p
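Review bot: the new paragraph refers to "the B<-u> flag" without pointing at its =item; a "see B<-u>" cross-reference would help. Since this POD is the source the other two files are generated from, the wording that defines the fallback (what -l does when -u names another user and the invoker lacks C<ALL>) belongs here.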
@@ -311,13 +311,15 @@ to subvert the program that B<sudo> runs. To combat this the
C<LD_*>, C<_RLD_*>, C<SHLIB_PATH> (HP-UX only), and C<LIBPATH> (AIX
only) environment variables are removed from the environment passed
on to all commands executed. B<sudo> will also remove the C<IFS>,
C<ENV>, C<BASH_ENV>, C<KRB_CONF>, C<KRBCONFDIR>, C<KRBTKFILE>,
C<CDPATH>, C<ENV>, C<BASH_ENV>, C<KRB_CONF>, C<KRBCONFDIR>, C<KRBTKFILE>,
C<KRB5_CONFIG>, C<LOCALDOMAIN>, C<RES_OPTIONS>, C<HOSTALIASES>,
C<NLSPATH>, C<PATH_LOCALE>, C<TERMINFO>, C<TERMINFO_DIRS> and
C<TERMPATH> variables as they too can pose a threat. If the
C<TERMCAP> variable is set and is a pathname, it too is ignored.
Additionally, if the C<LC_*> or C<LANGUAGE> variables contain the
C</> or C<%> characters, they are ignored. If B<sudo> has been
C</> or C<%> characters, they are ignored. Environment variables
with a value beginning with C<()> are also removed as they could
be interpreted as B<bash> functions. If B<sudo> has been
compiled with SecurID support, the C<VAR_ACE>, C<USR_ACE> and
C<DLC_ACE> variables are cleared as well. The list of environment
variables that B<sudo> clears is contained in the output of
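Review bot: "a value beginning with C<()>" is broader than bash's exported-function format, whose values begin with `() {`; that is acceptable for a defensive filter, since it can only over-remove, but because the rest of the paragraph lists variables by name, the text should state explicitly that this check applies regardless of the variable's name. The closing pointer to `sudo -V` run as root remains the authoritative list; worth also recording the CDPATH addition in the changelog.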