Update env variable info in SECURITY NOTES

This commit is contained in:
Todd C. Miller
2004-11-11 16:30:01 +00:00
parent 74b4e439a6
commit 85d1ca15a7
3 changed files with 119 additions and 49 deletions

sudo.cat

@@ -8,7 +8,7 @@ NNAAMMEE
sudo, sudoedit - execute a command as another user sudo, sudoedit - execute a command as another user
SSYYNNOOPPSSIISS SSYYNNOOPPSSIISS
ssuuddoo --KK | --LL | --VV | --hh | --kk | --ll [_u_s_e_r_n_a_m_e] | --vv ssuuddoo --KK | --LL | --VV | --hh | --kk | --ll | --vv
ssuuddoo [--HHPPSSbb] [--aa _a_u_t_h___t_y_p_e] [--cc _c_l_a_s_s|_-] [--pp _p_r_o_m_p_t] ssuuddoo [--HHPPSSbb] [--aa _a_u_t_h___t_y_p_e] [--cc _c_l_a_s_s|_-] [--pp _p_r_o_m_p_t]
[--uu _u_s_e_r_n_a_m_e|_#_u_i_d] {--ee file [...] | --ii | --ss | _c_o_m_m_a_n_d} [--uu _u_s_e_r_n_a_m_e|_#_u_i_d] {--ee file [...] | --ii | --ss | _c_o_m_m_a_n_d}
@@ -61,7 +61,7 @@ DDEESSCCRRIIPPTTIIOONN
1.6.9 October 26, 2004 1 1.6.9 November 11, 2004 1
@@ -127,7 +127,7 @@ OOPPTTIIOONNSS
1.6.9 October 26, 2004 2 1.6.9 November 11, 2004 2
@@ -193,7 +193,7 @@ SUDO(1m) MAINTENANCE COMMANDS SUDO(1m)
1.6.9 October 26, 2004 3 1.6.9 November 11, 2004 3
@@ -209,12 +209,11 @@ SUDO(1m) MAINTENANCE COMMANDS SUDO(1m)
to allow a user to revoke ssuuddoo permissions from a to allow a user to revoke ssuuddoo permissions from a
.logout file. .logout file.
-l [_u_s_e_r_n_a_m_e] -l The --ll (_l_i_s_t) option will list out the allowed (and
The --ll (_l_i_s_t) option will list out the allowed (and forbidden) commands for the user on the current host.
forbidden) commands for _u_s_e_r_n_a_m_e on the current host. If the --uu flag is specified and the invoking user has
If _u_s_e_r_n_a_m_e is ommitted, the information listed will ssuuddoo ALL on the current host, the information listed
be for the invoking user. Only the superuser may list will be for the user specified by the --uu flag.
other user's commands.
-p The --pp (_p_r_o_m_p_t) option allows you to override the -p The --pp (_p_r_o_m_p_t) option allows you to override the
default password prompt and use a custom one. The default password prompt and use a custom one. The
@@ -259,7 +258,8 @@ SUDO(1m) MAINTENANCE COMMANDS SUDO(1m)
1.6.9 October 26, 2004 4
1.6.9 November 11, 2004 4
@@ -293,17 +293,20 @@ SSEECCUURRIITTYY NNOOTTEESS
To combat this the LD_*, _RLD_*, SHLIB_PATH (HP-UX only), To combat this the LD_*, _RLD_*, SHLIB_PATH (HP-UX only),
and LIBPATH (AIX only) environment variables are removed and LIBPATH (AIX only) environment variables are removed
from the environment passed on to all commands executed. from the environment passed on to all commands executed.
ssuuddoo will also remove the IFS, ENV, BASH_ENV, KRB_CONF, ssuuddoo will also remove the IFS, CDPATH, ENV, BASH_ENV,
KRBCONFDIR, KRBTKFILE, KRB5_CONFIG, LOCALDOMAIN, KRB_CONF, KRBCONFDIR, KRBTKFILE, KRB5_CONFIG, LOCALDOMAIN,
RES_OPTIONS, HOSTALIASES, NLSPATH, PATH_LOCALE, TERMINFO, RES_OPTIONS, HOSTALIASES, NLSPATH, PATH_LOCALE, TERMINFO,
TERMINFO_DIRS and TERMPATH variables as they too can pose TERMINFO_DIRS and TERMPATH variables as they too can pose
a threat. If the TERMCAP variable is set and is a path<74> a threat. If the TERMCAP variable is set and is a path<74>
name, it too is ignored. Additionally, if the LC_* or name, it too is ignored. Additionally, if the LC_* or
LANGUAGE variables contain the / or % characters, they are LANGUAGE variables contain the / or % characters, they are
ignored. If ssuuddoo has been compiled with SecurID support, ignored. Environment variables with a value beginning
the VAR_ACE, USR_ACE and DLC_ACE variables are cleared as with () are also removed as they could be interpreted as
well. The list of environment variables that ssuuddoo clears bbaasshh functions. If ssuuddoo has been compiled with SecurID
is contained in the output of sudo -V when run as root. support, the VAR_ACE, USR_ACE and DLC_ACE variables are
cleared as well. The list of environment variables that
ssuuddoo clears is contained in the output of sudo -V when run
as root.
To prevent command spoofing, ssuuddoo checks "." and "" (both To prevent command spoofing, ssuuddoo checks "." and "" (both
denoting current directory) last when searching for a com<6F> denoting current directory) last when searching for a com<6F>
@@ -319,13 +322,10 @@ SSEECCUURRIITTYY NNOOTTEESS
cally. cally.
ssuuddoo will check the ownership of its timestamp directory ssuuddoo will check the ownership of its timestamp directory
(_/_v_a_r_/_r_u_n_/_s_u_d_o by default) and ignore the directory's con<6F>
tents if it is not owned by root and only writable by
root. On systems that allow non-root users to give away
1.6.9 October 26, 2004 5 1.6.9 November 11, 2004 5
@@ -334,6 +334,9 @@ SSEECCUURRIITTYY NNOOTTEESS
SUDO(1m) MAINTENANCE COMMANDS SUDO(1m) SUDO(1m) MAINTENANCE COMMANDS SUDO(1m)
(_/_v_a_r_/_r_u_n_/_s_u_d_o by default) and ignore the directory's con<6F>
tents if it is not owned by root and only writable by
root. On systems that allow non-root users to give away
files via _c_h_o_w_n(2), if the timestamp directory is located files via _c_h_o_w_n(2), if the timestamp directory is located
in a directory writable by anyone (e.g.: _/_t_m_p), it is pos<6F> in a directory writable by anyone (e.g.: _/_t_m_p), it is pos<6F>
sible for a user to create the timestamp directory before sible for a user to create the timestamp directory before
@@ -385,13 +388,10 @@ EENNVVIIRROONNMMEENNTT
SUDO_PROMPT Used as the default password prompt SUDO_PROMPT Used as the default password prompt
SUDO_COMMAND Set to the command run by sudo
SUDO_USER Set to the login of the user who invoked sudo
1.6.9 October 26, 2004 6 1.6.9 November 11, 2004 6
@@ -400,6 +400,10 @@ EENNVVIIRROONNMMEENNTT
SUDO(1m) MAINTENANCE COMMANDS SUDO(1m) SUDO(1m) MAINTENANCE COMMANDS SUDO(1m)
SUDO_COMMAND Set to the command run by sudo
SUDO_USER Set to the login of the user who invoked sudo
SUDO_UID Set to the uid of the user who invoked sudo SUDO_UID Set to the uid of the user who invoked sudo
SUDO_GID Set to the gid of the user who invoked sudo SUDO_GID Set to the gid of the user who invoked sudo
@@ -451,13 +455,9 @@ AAUUTTHHOORRSS
Many people have worked on ssuuddoo over the years; this ver<65> Many people have worked on ssuuddoo over the years; this ver<65>
sion consists of code written primarily by: sion consists of code written primarily by:
Todd Miller
Chris Jepeway
1.6.9 November 11, 2004 7
1.6.9 October 26, 2004 7
@@ -466,6 +466,9 @@ AAUUTTHHOORRSS
SUDO(1m) MAINTENANCE COMMANDS SUDO(1m) SUDO(1m) MAINTENANCE COMMANDS SUDO(1m)
Todd Miller
Chris Jepeway
See the HISTORY file in the ssuuddoo distribution or visit See the HISTORY file in the ssuuddoo distribution or visit
http://www.sudo.ws/sudo/history.html for a short history http://www.sudo.ws/sudo/history.html for a short history
of ssuuddoo. of ssuuddoo.
@@ -516,13 +519,76 @@ DDIISSCCLLAAIIMMEERR
ranties, including, but not limited to, the implied war<61> ranties, including, but not limited to, the implied war<61>
ranties of merchantability and fitness for a particular ranties of merchantability and fitness for a particular
purpose are disclaimed. See the LICENSE file distributed purpose are disclaimed. See the LICENSE file distributed
with ssuuddoo or http://www.sudo.ws/sudo/license.html for com<6F> with ssuuddoo or http://www.sudo.ws/sudo/license.html for
plete details.
1.6.9 November 11, 2004 8
1.6.9 October 26, 2004 8 SUDO(1m) MAINTENANCE COMMANDS SUDO(1m)
complete details.
1.6.9 November 11, 2004 9


@@ -149,12 +149,12 @@
.\" ======================================================================== .\" ========================================================================
.\" .\"
.IX Title "SUDO @mansectsu@" .IX Title "SUDO @mansectsu@"
.TH SUDO @mansectsu@ "October 26, 2004" "1.6.9" "MAINTENANCE COMMANDS" .TH SUDO @mansectsu@ "November 11, 2004" "1.6.9" "MAINTENANCE COMMANDS"
.SH "NAME" .SH "NAME"
sudo, sudoedit \- execute a command as another user sudo, sudoedit \- execute a command as another user
.SH "SYNOPSIS" .SH "SYNOPSIS"
.IX Header "SYNOPSIS" .IX Header "SYNOPSIS"
\&\fBsudo\fR \fB\-K\fR | \fB\-L\fR | \fB\-V\fR | \fB\-h\fR | \fB\-k\fR | \fB\-l\fR [\fIusername\fR] | \fB\-v\fR \&\fBsudo\fR \fB\-K\fR | \fB\-L\fR | \fB\-V\fR | \fB\-h\fR | \fB\-k\fR | \fB\-l\fR | \fB\-v\fR
.PP .PP
\&\fBsudo\fR [\fB\-HPSb\fR] [\fB\-a\fR\ \fIauth_type\fR] [\fB\-c\fR\ \fIclass\fR|\fI\-\fR] \&\fBsudo\fR [\fB\-HPSb\fR] [\fB\-a\fR\ \fIauth_type\fR] [\fB\-c\fR\ \fIclass\fR|\fI\-\fR]
[\fB\-p\fR\ \fIprompt\fR] [\fB\-u\fR\ \fIusername\fR|\fI#uid\fR] [\fB\-p\fR\ \fIprompt\fR] [\fB\-u\fR\ \fIusername\fR|\fI#uid\fR]
@@ -320,12 +320,12 @@ by setting the time on it to the epoch. The next time \fBsudo\fR is
run a password will be required. This option does not require a password run a password will be required. This option does not require a password
and was added to allow a user to revoke \fBsudo\fR permissions from a .logout and was added to allow a user to revoke \fBsudo\fR permissions from a .logout
file. file.
.IP "\-l [\fIusername\fR]" 4 .IP "\-l" 4
.IX Item "-l [username]" .IX Item "-l"
The \fB\-l\fR (\fIlist\fR) option will list out the allowed (and forbidden) The \fB\-l\fR (\fIlist\fR) option will list out the allowed (and forbidden)
commands for \fIusername\fR on the current host. If \fIusername\fR is commands for the user on the current host. If the \fB\-u\fR flag is
ommitted, the information listed will be for the invoking user. specified and the invoking user has \fBsudo\fR \f(CW\*(C`ALL\*(C'\fR on the current host,
Only the superuser may list other user's commands. the information listed will be for the user specified by the \fB\-u\fR flag.
.IP "\-p" 4 .IP "\-p" 4
.IX Item "-p" .IX Item "-p"
The \fB\-p\fR (\fIprompt\fR) option allows you to override the default The \fB\-p\fR (\fIprompt\fR) option allows you to override the default
@@ -404,13 +404,15 @@ to subvert the program that \fBsudo\fR runs. To combat this the
\&\f(CW\*(C`LD_*\*(C'\fR, \f(CW\*(C`_RLD_*\*(C'\fR, \f(CW\*(C`SHLIB_PATH\*(C'\fR (\s-1HP\-UX\s0 only), and \f(CW\*(C`LIBPATH\*(C'\fR (\s-1AIX\s0 \&\f(CW\*(C`LD_*\*(C'\fR, \f(CW\*(C`_RLD_*\*(C'\fR, \f(CW\*(C`SHLIB_PATH\*(C'\fR (\s-1HP\-UX\s0 only), and \f(CW\*(C`LIBPATH\*(C'\fR (\s-1AIX\s0
only) environment variables are removed from the environment passed only) environment variables are removed from the environment passed
on to all commands executed. \fBsudo\fR will also remove the \f(CW\*(C`IFS\*(C'\fR, on to all commands executed. \fBsudo\fR will also remove the \f(CW\*(C`IFS\*(C'\fR,
\&\f(CW\*(C`ENV\*(C'\fR, \f(CW\*(C`BASH_ENV\*(C'\fR, \f(CW\*(C`KRB_CONF\*(C'\fR, \f(CW\*(C`KRBCONFDIR\*(C'\fR, \f(CW\*(C`KRBTKFILE\*(C'\fR, \&\f(CW\*(C`CDPATH\*(C'\fR, \f(CW\*(C`ENV\*(C'\fR, \f(CW\*(C`BASH_ENV\*(C'\fR, \f(CW\*(C`KRB_CONF\*(C'\fR, \f(CW\*(C`KRBCONFDIR\*(C'\fR, \f(CW\*(C`KRBTKFILE\*(C'\fR,
\&\f(CW\*(C`KRB5_CONFIG\*(C'\fR, \f(CW\*(C`LOCALDOMAIN\*(C'\fR, \f(CW\*(C`RES_OPTIONS\*(C'\fR, \f(CW\*(C`HOSTALIASES\*(C'\fR, \&\f(CW\*(C`KRB5_CONFIG\*(C'\fR, \f(CW\*(C`LOCALDOMAIN\*(C'\fR, \f(CW\*(C`RES_OPTIONS\*(C'\fR, \f(CW\*(C`HOSTALIASES\*(C'\fR,
\&\f(CW\*(C`NLSPATH\*(C'\fR, \f(CW\*(C`PATH_LOCALE\*(C'\fR, \f(CW\*(C`TERMINFO\*(C'\fR, \f(CW\*(C`TERMINFO_DIRS\*(C'\fR and \&\f(CW\*(C`NLSPATH\*(C'\fR, \f(CW\*(C`PATH_LOCALE\*(C'\fR, \f(CW\*(C`TERMINFO\*(C'\fR, \f(CW\*(C`TERMINFO_DIRS\*(C'\fR and
\&\f(CW\*(C`TERMPATH\*(C'\fR variables as they too can pose a threat. If the \&\f(CW\*(C`TERMPATH\*(C'\fR variables as they too can pose a threat. If the
\&\f(CW\*(C`TERMCAP\*(C'\fR variable is set and is a pathname, it too is ignored. \&\f(CW\*(C`TERMCAP\*(C'\fR variable is set and is a pathname, it too is ignored.
Additionally, if the \f(CW\*(C`LC_*\*(C'\fR or \f(CW\*(C`LANGUAGE\*(C'\fR variables contain the Additionally, if the \f(CW\*(C`LC_*\*(C'\fR or \f(CW\*(C`LANGUAGE\*(C'\fR variables contain the
\&\f(CW\*(C`/\*(C'\fR or \f(CW\*(C`%\*(C'\fR characters, they are ignored. If \fBsudo\fR has been \&\f(CW\*(C`/\*(C'\fR or \f(CW\*(C`%\*(C'\fR characters, they are ignored. Environment variables
with a value beginning with \f(CW\*(C`()\*(C'\fR are also removed as they could
be interpreted as \fBbash\fR functions. If \fBsudo\fR has been
compiled with SecurID support, the \f(CW\*(C`VAR_ACE\*(C'\fR, \f(CW\*(C`USR_ACE\*(C'\fR and compiled with SecurID support, the \f(CW\*(C`VAR_ACE\*(C'\fR, \f(CW\*(C`USR_ACE\*(C'\fR and
\&\f(CW\*(C`DLC_ACE\*(C'\fR variables are cleared as well. The list of environment \&\f(CW\*(C`DLC_ACE\*(C'\fR variables are cleared as well. The list of environment
variables that \fBsudo\fR clears is contained in the output of variables that \fBsudo\fR clears is contained in the output of


@@ -27,7 +27,7 @@ sudo, sudoedit - execute a command as another user
=head1 SYNOPSIS =head1 SYNOPSIS
B<sudo> B<-K> | B<-L> | B<-V> | B<-h> | B<-k> | B<-l> [I<username>] | B<-v> B<sudo> B<-K> | B<-L> | B<-V> | B<-h> | B<-k> | B<-l> | B<-v>
B<sudo> [B<-HPSb>] S<[B<-a> I<auth_type>]> S<[B<-c> I<class>|I<->]> B<sudo> [B<-HPSb>] S<[B<-a> I<auth_type>]> S<[B<-c> I<class>|I<->]>
S<[B<-p> I<prompt>]> S<[B<-u> I<username>|I<#uid>]> S<[B<-p> I<prompt>]> S<[B<-u> I<username>|I<#uid>]>
@@ -217,12 +217,12 @@ run a password will be required. This option does not require a password
and was added to allow a user to revoke B<sudo> permissions from a .logout and was added to allow a user to revoke B<sudo> permissions from a .logout
file. file.
=item -l [I<username>] =item -l
The B<-l> (I<list>) option will list out the allowed (and forbidden) The B<-l> (I<list>) option will list out the allowed (and forbidden)
commands for I<username> on the current host. If I<username> is commands for the user on the current host. If the B<-u> flag is
ommitted, the information listed will be for the invoking user. specified and the invoking user has B<sudo> C<ALL> on the current host,
Only the superuser may list other user's commands. the information listed will be for the user specified by the B<-u> flag.
=item -p =item -p
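Review bot: the new -l text covers only the case where the invoking user has sudo ALL on the host, so it leaves undefined what happens when -u is passed by a user who does not: whether the flag is ignored and the invoking user's own entries are listed, or sudo refuses the request. A sentence stating which of the two applies would stop a reader from mistaking a silent fallback for the other user's privilege set. The matching SYNOPSIS hunk drops [username] after -l, which is consistent with this change.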
@@ -311,13 +311,15 @@ to subvert the program that B<sudo> runs. To combat this the
C<LD_*>, C<_RLD_*>, C<SHLIB_PATH> (HP-UX only), and C<LIBPATH> (AIX C<LD_*>, C<_RLD_*>, C<SHLIB_PATH> (HP-UX only), and C<LIBPATH> (AIX
only) environment variables are removed from the environment passed only) environment variables are removed from the environment passed
on to all commands executed. B<sudo> will also remove the C<IFS>, on to all commands executed. B<sudo> will also remove the C<IFS>,
C<ENV>, C<BASH_ENV>, C<KRB_CONF>, C<KRBCONFDIR>, C<KRBTKFILE>, C<CDPATH>, C<ENV>, C<BASH_ENV>, C<KRB_CONF>, C<KRBCONFDIR>, C<KRBTKFILE>,
C<KRB5_CONFIG>, C<LOCALDOMAIN>, C<RES_OPTIONS>, C<HOSTALIASES>, C<KRB5_CONFIG>, C<LOCALDOMAIN>, C<RES_OPTIONS>, C<HOSTALIASES>,
C<NLSPATH>, C<PATH_LOCALE>, C<TERMINFO>, C<TERMINFO_DIRS> and C<NLSPATH>, C<PATH_LOCALE>, C<TERMINFO>, C<TERMINFO_DIRS> and
C<TERMPATH> variables as they too can pose a threat. If the C<TERMPATH> variables as they too can pose a threat. If the
C<TERMCAP> variable is set and is a pathname, it too is ignored. C<TERMCAP> variable is set and is a pathname, it too is ignored.
Additionally, if the C<LC_*> or C<LANGUAGE> variables contain the Additionally, if the C<LC_*> or C<LANGUAGE> variables contain the
C</> or C<%> characters, they are ignored. If B<sudo> has been C</> or C<%> characters, they are ignored. Environment variables
with a value beginning with C<()> are also removed as they could
be interpreted as B<bash> functions. If B<sudo> has been
compiled with SecurID support, the C<VAR_ACE>, C<USR_ACE> and compiled with SecurID support, the C<VAR_ACE>, C<USR_ACE> and
C<DLC_ACE> variables are cleared as well. The list of environment C<DLC_ACE> variables are cleared as well. The list of environment
variables that B<sudo> clears is contained in the output of variables that B<sudo> clears is contained in the output of
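Review bot: the added sentences on CDPATH and on values beginning with () document behaviour that this commit does not itself change; all three changed files (sudo.cat, sudo.man.in, sudo.pod) are man page sources, so the commit message should name the environment-cleaning change these sentences describe, letting a reviewer confirm the documentation matches the code. Since the () rule sits in a paragraph that otherwise lists specific variable names, it would also help to say explicitly that it applies to every variable in the environment, not only the named ones.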