Bring back the "secure_path" Defaults option now that Defaults take

effect before the path is searched.
Todd C. Miller
2004-11-12 16:19:19 +00:00
parent 541908f1bd
commit a768dbc34f
11 changed files with 254 additions and 216 deletions

25
CHANGES

@@ -1734,29 +1734,36 @@ Sudo 1.6.8 released.
Sudo 1.6.8p1 released.
549) New monitor functionality for systems with systrace(4). When tracing
549) Bash exported functions and the CDPATH variable are now stripped from
the environment passed to the program to be executed.
Sudo 1.6.8p2 released.
550) New monitor functionality for systems with systrace(4). When tracing
is enabled sudo will fork a daemon that traces the command and
intercepts and execve() calls and allows/denies the call based on
a sudoers lookup. Also updates the command's environment with
the SUDO_* variables if supported by the version of systrace(4).
550) Added support for multiple sudoers file via #include.
551) Added support for multiple sudoers file via #include.
551) An empty sudoers file is no longer a parse error.
552) An empty sudoers file is no longer a parse error.
552) Fixed error handling if the lexer runs out of memory.
553) Fixed error handling if the lexer runs out of memory.
553) Optimized lexer slightly by removing use of unput() and removing
554) Optimized lexer slightly by removing use of unput() and removing
some ambiguity with the Default keyword.
554) Wildcard matches on commands now use glob() and stat() so
555) Wildcard matches on commands now use glob() and stat() so
that relative paths work correctly in conjunction with wildcards.
555) Rewritten parser that converts sudoers into a set of data structures.
556) Rewritten parser that converts sudoers into a set of data structures.
This eliminates ordering issues and makes it possible to apply
sudoers Defaults entries before searching for the command.
556) Visudo will now warn about aliases that are defined but not used.
557) Visudo will now warn about aliases that are defined but not used.
557) "sudo -l" now takes an optional username which lets root see other
558) "sudo -l" now takes an optional username which lets root see other
users' privs.
559) The "secure_path" run-time Defaults option has been restored.


@@ -219,6 +219,10 @@ struct sudo_defs_types sudo_defs_table[] = {
"Default user to run commands as: %s",
NULL,
set_runaspw,
}, {
"secure_path", T_STR|T_BOOL,
"Value to override user's $PATH with: %s",
NULL,
}, {
"editor", T_STR|T_PATH,
"Path to the editor for use by visudo: %s",


@@ -96,26 +96,28 @@
#define I_PASSPROMPT 47
#define def_runas_default (sudo_defs_table[48].sd_un.str)
#define I_RUNAS_DEFAULT 48
#define def_editor (sudo_defs_table[49].sd_un.str)
#define I_EDITOR 49
#define def_listpw (sudo_defs_table[50].sd_un.tuple)
#define I_LISTPW 50
#define def_verifypw (sudo_defs_table[51].sd_un.tuple)
#define I_VERIFYPW 51
#define def_noexec (sudo_defs_table[52].sd_un.flag)
#define I_NOEXEC 52
#define def_noexec_file (sudo_defs_table[53].sd_un.str)
#define I_NOEXEC_FILE 53
#define def_env_check (sudo_defs_table[54].sd_un.list)
#define I_ENV_CHECK 54
#define def_env_delete (sudo_defs_table[55].sd_un.list)
#define I_ENV_DELETE 55
#define def_env_keep (sudo_defs_table[56].sd_un.list)
#define I_ENV_KEEP 56
#define def_ignore_local_sudoers (sudo_defs_table[57].sd_un.flag)
#define I_IGNORE_LOCAL_SUDOERS 57
#define def_monitor (sudo_defs_table[58].sd_un.flag)
#define I_MONITOR 58
#define def_secure_path (sudo_defs_table[49].sd_un.str)
#define I_SECURE_PATH 49
#define def_editor (sudo_defs_table[50].sd_un.str)
#define I_EDITOR 50
#define def_listpw (sudo_defs_table[51].sd_un.tuple)
#define I_LISTPW 51
#define def_verifypw (sudo_defs_table[52].sd_un.tuple)
#define I_VERIFYPW 52
#define def_noexec (sudo_defs_table[53].sd_un.flag)
#define I_NOEXEC 53
#define def_noexec_file (sudo_defs_table[54].sd_un.str)
#define I_NOEXEC_FILE 54
#define def_env_check (sudo_defs_table[55].sd_un.list)
#define I_ENV_CHECK 55
#define def_env_delete (sudo_defs_table[56].sd_un.list)
#define I_ENV_DELETE 56
#define def_env_keep (sudo_defs_table[57].sd_un.list)
#define I_ENV_KEEP 57
#define def_ignore_local_sudoers (sudo_defs_table[58].sd_un.flag)
#define I_IGNORE_LOCAL_SUDOERS 58
#define def_monitor (sudo_defs_table[59].sd_un.flag)
#define I_MONITOR 59
enum def_tupple {
never,


@@ -156,6 +156,9 @@ runas_default
T_STR
"Default user to run commands as: %s"
*set_runaspw
secure_path
T_STR|T_BOOL
"Value to override user's $PATH with: %s"
editor
T_STR|T_PATH
"Path to the editor for use by visudo: %s"


@@ -475,6 +475,9 @@ init_defaults()
#endif
#ifdef EXEMPTGROUP
def_exempt_group = estrdup(EXEMPTGROUP);
#endif
#ifdef SECURE_PATH
def_secure_path = estrdup(SECURE_PATH);
#endif
def_editor = estrdup(EDITOR);
#ifdef _PATH_SUDO_NOEXEC

5
env.c

@@ -467,10 +467,9 @@ rebuild_env(envp, sudo_mode, noexec)
if (!ISSET(didvar, DID_PATH))
insert_env(format_env("PATH", _PATH_DEFPATH, VNULL), 0);
#ifdef SECURE_PATH
/* Replace the PATH envariable with a secure one. */
insert_env(format_env("PATH", SECURE_PATH, VNULL), 1);
#endif
if (def_secure_path && !user_is_exempt())
insert_env(format_env("PATH", def_secure_path, VNULL), 1);
/* Set $USER and $LOGNAME to target if "set_logname" is true. */
if (def_set_logname && runas_pw->pw_name) {
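Review bot: The new guard `if (def_secure_path && !user_is_exempt())` extends the exempt_group exemption to the environment handed to the command, and nothing in the code says so. As far as this rendered page shows, the old `#ifdef SECURE_PATH` lines replaced PATH for every user, while the new ones leave an exempt user's own PATH in place for the command run as the target user. The explanatory comment went away with the `#ifdef`, so I would restore one that states the rule, e.g. `/* Replace PATH with secure_path unless the user is in exempt_group. */`. The body of rebuild_env starts and ends outside this hunk.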


@@ -92,11 +92,9 @@ find_path(infile, outfile, sbp, path)
}
/* Use PATH passed in unless SECURE_PATH is in effect. */
#ifdef SECURE_PATH
if (!user_is_exempt())
path = SECURE_PATH;
#endif /* SECURE_PATH */
if (path == NULL)
if (def_secure_path && !user_is_exempt())
path = def_secure_path;
else if (path == NULL)
return(NOT_FOUND);
path = estrdup(path);
origpath = path;
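Review bot: The comment above the new test still names `SECURE_PATH`, the compile-time macro, although the decision is now made on the run-time `def_secure_path` value; I would reword it to `/* Use PATH passed in unless secure_path is set and the user is not exempt. */`. The search list now comes from sudoers rather than from the build and is used as it stands in these lines. Nothing visible here rejects an empty or relative element, so it is worth confirming that `ignore_dot` or a later check in find_path covers that case. The rest of find_path lies outside the hunk.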


@@ -61,7 +61,7 @@ DDEESSCCRRIIPPTTIIOONN
1.6.9 October 26, 2004 1
1.6.9 November 12, 2004 1
@@ -127,7 +127,7 @@ SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4)
1.6.9 October 26, 2004 2
1.6.9 November 12, 2004 2
@@ -193,7 +193,7 @@ SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4)
1.6.9 October 26, 2004 3
1.6.9 November 12, 2004 3
@@ -259,7 +259,7 @@ SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4)
1.6.9 October 26, 2004 4
1.6.9 November 12, 2004 4
@@ -276,7 +276,7 @@ SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4)
ignore_dot If set, ssuuddoo will ignore '.' or '' (current
dir) in the PATH environment variable; the
PATH itself is not modified. This flag is _o_f_f
PATH itself is not modified. This flag is _o_n
by default.
mail_always Send mail to the _m_a_i_l_t_o user every time a
@@ -325,7 +325,7 @@ SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4)
1.6.9 October 26, 2004 5
1.6.9 November 12, 2004 5
@@ -391,7 +391,7 @@ SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4)
1.6.9 October 26, 2004 6
1.6.9 November 12, 2004 6
@@ -426,7 +426,7 @@ SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4)
set _f_q_d_n. This flag is _o_f_f by default.
insults If set, ssuuddoo will insult users when they enter
an incorrect password. This flag is _o_f_f by
an incorrect password. This flag is _o_n by
default.
requiretty If set, ssuuddoo will only run when the user is
@@ -447,7 +447,7 @@ SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4)
is to place a colon-separated list of editors
in the editor variable. vviissuuddoo will then only
use the EDITOR or VISUAL if they match a value
specified in editor. This flag is off by
specified in editor. This flag is on by
default.
rootpw If set, ssuuddoo will prompt for the root password
@@ -457,7 +457,7 @@ SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4)
1.6.9 October 26, 2004 7
1.6.9 November 12, 2004 7
@@ -509,21 +509,21 @@ SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4)
TERM is copied unaltered from the old environ<6F>
ment. The other variables are set to default
values (possibly modified by the value of the
_s_e_t___l_o_g_n_a_m_e option). If ssuuddoo was compiled
with the SECURE_PATH option, its value will be
used for the PATH environment variable. Other
variables may be preserved with the _e_n_v___k_e_e_p
option.
_s_e_t___l_o_g_n_a_m_e option). If the _s_e_c_u_r_e___p_a_t_h
option is set, its value will be used for the
PATH environment variable. Other variables
may be preserved with the _e_n_v___k_e_e_p option.
use_loginclass
If set, ssuuddoo will apply the defaults specified
for the target user's login class if one
exists. Only available if ssuuddoo is configured
with the --with-logincap option. This flag is
_o_f_f by default.
1.6.9 October 26, 2004 8
1.6.9 November 12, 2004 8
@@ -532,8 +532,6 @@ SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4)
SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4)
_o_f_f by default.
noexec If set, all commands run via ssuuddoo will behave
as if the NOEXEC tag has been set, unless
overridden by a EXEC tag. See the description
@@ -586,10 +584,12 @@ SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4)
timestamp_timeout
Number of minutes that can elapse before ssuuddoo
will ask for a passwd again. The default is
5. Set this to 0 to always prompt for a pass<73>
word. If set to a value less than 0 the
1.6.9 October 26, 2004 9
1.6.9 November 12, 2004 9
@@ -598,8 +598,6 @@ SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4)
SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4)
5. Set this to 0 to always prompt for a pass<73>
word. If set to a value less than 0 the
user's timestamp will never expire. This can
be used to allow users to create or delete
their own timestamps via sudo -v and sudo -k
@@ -652,10 +650,12 @@ SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4)
%H expanded to the local hostname includ<75>
ing the domain name (on if the
machine's hostname is fully qualified
or the _f_q_d_n option is set)
1.6.9 October 26, 2004 10
1.6.9 November 12, 2004 10
@@ -664,9 +664,6 @@ SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4)
SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4)
machine's hostname is fully qualified
or the _f_q_d_n option is set)
%% two consecutive % characters are col<6F>
laped into a single % character
@@ -718,10 +715,13 @@ SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4)
The default value is _o_n_c_e.
lecture_file
Path to a file containing an alternate ssuuddoo
lecture that will be used in place of the
1.6.9 October 26, 2004 11
1.6.9 November 12, 2004 11
@@ -730,9 +730,6 @@ SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4)
SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4)
lecture_file
Path to a file containing an alternate ssuuddoo
lecture that will be used in place of the
standard lecture if the named file exists.
logfile Path to the ssuuddoo log file (not the syslog log
@@ -741,7 +738,7 @@ SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4)
syslog Syslog facility if syslog is being used for
logging (negate to disable syslog logging).
Defaults to local2.
Defaults to authpriv.
mailerpath Path to mail program used to send warning
mail. Defaults to the path to sendmail found
@@ -760,6 +757,15 @@ SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4)
and PATH requirements. This is not set by
default.
secure_path Path used for every command run from ssuuddoo. If
you don't trust the people running ssuuddoo to
have a sane PATH environment variable you may
want to use this. Another use is if you want
to have the "root path" be separate from the
"user path." Users in the group specified by
the _e_x_e_m_p_t___g_r_o_u_p option are not affected by
_s_e_c_u_r_e___p_a_t_h. This is not set by default.
verifypw This option controls when a password will be
required when a user runs ssuuddoo with the --vv
flag. It has the following possible values:
@@ -779,15 +785,9 @@ SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4)
always The user must always enter a password
to use the --vv flag.
The default value is `all'.
listpw This option controls when a password will be
required when a user runs ssuuddoo with the --ll
flag. It has the following possible values:
1.6.9 October 26, 2004 12
1.6.9 November 12, 2004 12
@@ -796,6 +796,12 @@ SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4)
SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4)
The default value is `all'.
listpw This option controls when a password will be
required when a user runs ssuuddoo with the --ll
flag. It has the following possible values:
all All the user's _s_u_d_o_e_r_s entries for the
current host must have the NOPASSWD
flag set to avoid entering a password.
@@ -844,16 +850,10 @@ SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4)
env_keep Environment variables to be preserved in the
user's environment when the _e_n_v___r_e_s_e_t option
is in effect. This allows fine-grained con<6F>
trol over the environment ssuuddoo-spawned pro<72>
cesses will receive. The argument may be a
double-quoted, space-separated list or a sin<69>
gle value without double-quotes. The list can
be replaced, added to, deleted from, or
1.6.9 October 26, 2004 13
1.6.9 November 12, 2004 13
@@ -862,9 +862,15 @@ SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4)
SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4)
disabled by using the =, +=, -=, and ! opera<EFBFBD>
tors respectively. This list has no default
members.
is in effect. This allows fine-grained con<EFBFBD>
trol over the environment ssuuddoo-spawned pro<72>
cesses will receive. The argument may be a
double-quoted, space-separated list or a sin<69>
gle value without double-quotes. The list can
be replaced, added to, deleted from, or dis<69>
abled by using the =, +=, -=, and ! operators
respectively. This list has no default mem<65>
bers.
When logging via _s_y_s_l_o_g(3), ssuuddoo accepts the following
values for the syslog facility (the value of the ssyysslloogg
@@ -910,16 +916,10 @@ SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4)
The user ddggbb may run _/_b_i_n_/_l_s, _/_b_i_n_/_k_i_l_l, and _/_u_s_r_/_b_i_n_/_l_p_r_m
-- but only as ooppeerraattoorr. E.g.,
$ sudo -u operator /bin/ls.
It is also possible to override a Runas_Spec later on in
an entry. If we modify the entry like so:
dgb boulder = (operator) /bin/ls, (root) /bin/kill, /usr/bin/lprm
1.6.9 October 26, 2004 14
1.6.9 November 12, 2004 14
@@ -928,6 +928,13 @@ SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4)
SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4)
$ sudo -u operator /bin/ls.
It is also possible to override a Runas_Spec later on in
an entry. If we modify the entry like so:
dgb boulder = (operator) /bin/ls, (root) /bin/kill, /usr/bin/lprm
Then user ddggbb is now allowed to run _/_b_i_n_/_l_s as ooppeerraattoorr,
but _/_b_i_n_/_k_i_l_l and _/_u_s_r_/_b_i_n_/_l_p_r_m as rroooott.
@@ -961,7 +968,7 @@ SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4)
ray rushmore = NOPASSWD: /bin/kill, PASSWD: /bin/ls, /usr/bin/lprm
Note, however, that the PASSWD tag has no effect on users
who are in the group specified by the exempt_group option.
who are in the group specified by the _e_x_e_m_p_t___g_r_o_u_p option.
By default, if the NOPASSWD tag is applied to any of the
entries for a user on the current host, he or she will be
@@ -975,17 +982,10 @@ SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4)
If ssuuddoo has been compiled with _n_o_e_x_e_c support and the
underlying operating system supports it, the NOEXEC tag
can be used to prevent a dynamically-linked executable
from running further commands itself.
In the following example, user aaaarroonn may run _/_u_s_r_/_b_i_n_/_m_o_r_e
and _/_u_s_r_/_b_i_n_/_v_i but shell escapes will be disabled.
aaron shanty = NOEXEC: /usr/bin/more, /usr/bin/vi
1.6.9 October 26, 2004 15
1.6.9 November 12, 2004 15
@@ -994,6 +994,14 @@ SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4)
SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4)
can be used to prevent a dynamically-linked executable
from running further commands itself.
In the following example, user aaaarroonn may run _/_u_s_r_/_b_i_n_/_m_o_r_e
and _/_u_s_r_/_b_i_n_/_v_i but shell escapes will be disabled.
aaron shanty = NOEXEC: /usr/bin/more, /usr/bin/vi
See the "PREVENTING SHELL ESCAPES" section below for more
details on how NOEXEC works and whether or not it will
work on your system.
@@ -1039,19 +1047,11 @@ SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4)
Note that a forward slash ('/') will nnoott be matched by
wildcards used in the pathname. When matching the command
line arguments, however, a slash ddooeess get matched by wild<6C>
cards. This is to make a path like:
/usr/bin/*
match _/_u_s_r_/_b_i_n_/_w_h_o but not _/_u_s_r_/_b_i_n_/_X_1_1_/_x_t_e_r_m.
line arguments, however, a slash ddooeess get matched by
1.6.9 October 26, 2004 16
1.6.9 November 12, 2004 16
@@ -1060,6 +1060,12 @@ SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4)
SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4)
wildcards. This is to make a path like:
/usr/bin/*
match _/_u_s_r_/_b_i_n_/_w_h_o but not _/_u_s_r_/_b_i_n_/_X_1_1_/_x_t_e_r_m.
EExxcceeppttiioonnss ttoo wwiillddccaarrdd rruulleess
The following exceptions apply to the above rules:
@@ -1108,16 +1114,10 @@ SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4)
dangerous since in a command context, it allows the user
to run aannyy command on the system.
An exclamation point ('!') can be used as a logical _n_o_t
operator both in an _a_l_i_a_s and in front of a Cmnd. This
allows one to exclude certain values. Note, however, that
using a ! in conjunction with the built-in ALL alias to
allow a user to run "all but a few" commands rarely works
as intended (see SECURITY NOTES below).
1.6.9 October 26, 2004 17
1.6.9 November 12, 2004 17
@@ -1126,6 +1126,13 @@ SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4)
SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4)
An exclamation point ('!') can be used as a logical _n_o_t
operator both in an _a_l_i_a_s and in front of a Cmnd. This
allows one to exclude certain values. Note, however, that
using a ! in conjunction with the built-in ALL alias to
allow a user to run "all but a few" commands rarely works
as intended (see SECURITY NOTES below).
Long lines can be continued with a backslash ('\') as the
last character on the line.
@@ -1165,6 +1172,26 @@ EEXXAAMMPPLLEESS
Host_Alias SERVERS = master, mail, www, ns
Host_Alias CDROM = orion, perseus, hercules
1.6.9 November 12, 2004 18
SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4)
# Cmnd alias specification
Cmnd_Alias DUMPS = /usr/bin/mt, /usr/sbin/dump, /usr/sbin/rdump,\
/usr/sbin/restore, /usr/sbin/rrestore
@@ -1180,18 +1207,6 @@ EEXXAAMMPPLLEESS
Here we override some of the compiled in default values.
We want ssuuddoo to log via _s_y_s_l_o_g(3) using the _a_u_t_h facility
1.6.9 October 26, 2004 18
SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4)
in all cases. We don't want to subject the full time
staff to the ssuuddoo lecture, user mmiilllleerrtt need not give a
password, and we don't want to reset the LOGNAME or USER
@@ -1231,6 +1246,18 @@ SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4)
jack CSNETS = ALL
The user jjaacckk may run any command on the machines in the
1.6.9 November 12, 2004 19
SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4)
_C_S_N_E_T_S alias (the networks 128.138.243.0, 128.138.204.0,
and 128.138.242.0). Of those networks, only 128.138.204.0
has an explicit netmask (in CIDR notation) indicating it
@@ -1245,20 +1272,8 @@ SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4)
operator ALL = DUMPS, KILL, SHUTDOWN, HALT, REBOOT, PRINTING,\
sudoedit /etc/printcap, /usr/oper/bin/
The ooppeerraattoorr user may run commands limited to simple
1.6.9 October 26, 2004 19
SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4)
maintenance. Here, those are commands related to backups,
The ooppeerraattoorr user may run commands limited to simple main<69>
tenance. Here, those are commands related to backups,
killing processes, the printing system, shutting down the
system, and any commands in the directory _/_u_s_r_/_o_p_e_r_/_b_i_n_/.
@@ -1298,6 +1313,17 @@ SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4)
john ALPHA = /usr/bin/su [!-]*, !/usr/bin/su *root*
1.6.9 November 12, 2004 20
SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4)
On the _A_L_P_H_A machines, user jjoohhnn may su to anyone except
root but he is not allowed to give _s_u(1) any flags.
@@ -1313,17 +1339,6 @@ SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4)
any commands in the directory /usr/bin/ except for those
commands belonging to the _S_U and _S_H_E_L_L_S Cmnd_Aliases.
1.6.9 October 26, 2004 20
SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4)
steve CSNETS = (operator) /usr/local/op_commands/
The user sstteevvee may run any command in the directory
@@ -1364,6 +1379,17 @@ SSEECCUURRIITTYY NNOOTTEESS
restrictions should be considered advisory at best (and
reinforced by policy).
1.6.9 November 12, 2004 21
SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4)
PPRREEVVEENNTTIINNGG SSHHEELLLL EESSCCAAPPEESS
Once ssuuddoo executes a program, that program is free to do
whatever it pleases, including run other programs. This
@@ -1378,18 +1404,6 @@ PPRREEVVEENNTTIINNGG SSHHEELLLL EESSCCAAPPEESS
restrict Avoid giving users access to commands that allow
the user to run arbitrary commands. Many edi<64>
tors have a restricted mode where shell escapes
1.6.9 October 26, 2004 21
SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4)
are disabled, though ssuuddooeeddiitt is a better solu<6C>
tion to running editors via ssuuddoo. Due to the
large number of programs that offer shell
@@ -1430,6 +1444,18 @@ SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4)
the LD_PRELOAD environment variable. Check your
operating system's manual pages for the dynamic
linker (usually ld.so, ld.so.1, dyld, dld.sl,
1.6.9 November 12, 2004 22
SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4)
rld, or loader) to see if LD_PRELOAD is sup<75>
ported.
@@ -1443,20 +1469,8 @@ SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4)
_/_u_s_r_/_b_i_n_/_v_i with _n_o_e_x_e_c enabled. This will pre<72>
vent those two commands from executing other
commands (such as a shell). If you are unsure
whether or not your system is capable of
1.6.9 October 26, 2004 22
SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4)
supporting _n_o_e_x_e_c you can always just try it out
whether or not your system is capable of sup<75>
porting _n_o_e_x_e_c you can always just try it out
and see if it works.
monitor On operating systems that support the ssyyssttrraaccee
@@ -1496,6 +1510,18 @@ SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4)
SSEEEE AALLSSOO
_r_s_h(1), _s_u(1), _f_n_m_a_t_c_h(3), sudo(1m), visudo(1m)
1.6.9 November 12, 2004 23
SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4)
CCAAVVEEAATTSS
The _s_u_d_o_e_r_s file should aallwwaayyss be edited by the vviissuuddoo
command which locks the file and does grammatical check<63>
@@ -1509,19 +1535,6 @@ CCAAVVEEAATTSS
hostname be fully qualified as returned by the hostname
command or use the _f_q_d_n option in _s_u_d_o_e_r_s.
1.6.9 October 26, 2004 23
SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4)
BBUUGGSS
If you feel you have found a bug in ssuuddoo, please submit a
bug report at http://www.sudo.ws/sudo/bugs/
@@ -1566,19 +1579,6 @@ DDIISSCCLLAAIIMMEERR
1.6.9 October 26, 2004 24
1.6.9 November 12, 2004 24


@@ -149,7 +149,7 @@
.\" ========================================================================
.\"
.IX Title "SUDOERS @mansectform@"
.TH SUDOERS @mansectform@ "October 26, 2004" "1.6.9" "MAINTENANCE COMMANDS"
.TH SUDOERS @mansectform@ "November 12, 2004" "1.6.9" "MAINTENANCE COMMANDS"
.SH "NAME"
sudoers \- list of which users may execute what
.SH "DESCRIPTION"
@@ -570,9 +570,8 @@ following variables: \f(CW\*(C`HOME\*(C'\fR, \f(CW\*(C`LOGNAME\*(C'\fR, \f(CW\*(
and \f(CW\*(C`USER\*(C'\fR (in addition to the \f(CW\*(C`SUDO_*\*(C'\fR variables).
Of these, only \f(CW\*(C`TERM\*(C'\fR is copied unaltered from the old environment.
The other variables are set to default values (possibly modified
by the value of the \fIset_logname\fR option). If \fBsudo\fR was compiled
with the \f(CW\*(C`SECURE_PATH\*(C'\fR option, its value will be used for the \f(CW\*(C`PATH\*(C'\fR
environment variable.
by the value of the \fIset_logname\fR option). If the \fIsecure_path\fR
option is set, its value will be used for the \f(CW\*(C`PATH\*(C'\fR environment variable.
Other variables may be preserved with the \fIenv_keep\fR option.
.IP "use_loginclass" 12
.IX Item "use_loginclass"
@@ -761,6 +760,14 @@ interpreting the \f(CW\*(C`@\*(C'\fR sign. Defaults to \f(CW\*(C`@mailto@\*(C'\
.IX Item "exempt_group"
Users in this group are exempt from password and \s-1PATH\s0 requirements.
This is not set by default.
.IP "secure_path" 12
.IX Item "secure_path"
Path used for every command run from \fBsudo\fR. If you don't trust the
people running \fBsudo\fR to have a sane \f(CW\*(C`PATH\*(C'\fR environment variable you may
want to use this. Another use is if you want to have the \*(L"root path\*(R"
be separate from the \*(L"user path.\*(R" Users in the group specified by the
\&\fIexempt_group\fR option are not affected by \fIsecure_path\fR.
This is not set by default.
.IP "verifypw" 12
.IX Item "verifypw"
This option controls when a password will be required when a user runs
@@ -942,7 +949,7 @@ run \fI/bin/kill\fR without a password the entry would be:
.Ve
.PP
Note, however, that the \f(CW\*(C`PASSWD\*(C'\fR tag has no effect on users who are
in the group specified by the exempt_group option.
in the group specified by the \fIexempt_group\fR option.
.PP
By default, if the \f(CW\*(C`NOPASSWD\*(C'\fR tag is applied to any of the entries
for a user on the current host, he or she will be able to run


@@ -435,9 +435,8 @@ following variables: C<HOME>, C<LOGNAME>, C<PATH>, C<SHELL>, C<TERM>,
and C<USER> (in addition to the C<SUDO_*> variables).
Of these, only C<TERM> is copied unaltered from the old environment.
The other variables are set to default values (possibly modified
by the value of the I<set_logname> option). If B<sudo> was compiled
with the C<SECURE_PATH> option, its value will be used for the C<PATH>
environment variable.
by the value of the I<set_logname> option). If the I<secure_path>
option is set, its value will be used for the C<PATH> environment variable.
Other variables may be preserved with the I<env_keep> option.
=item use_loginclass
@@ -675,6 +674,15 @@ interpreting the C<@> sign. Defaults to C<@mailto@>.
Users in this group are exempt from password and PATH requirements.
This is not set by default.
=item secure_path
Path used for every command run from B<sudo>. If you don't trust the
people running B<sudo> to have a sane C<PATH> environment variable you may
want to use this. Another use is if you want to have the "root path"
be separate from the "user path." Users in the group specified by the
I<exempt_group> option are not affected by I<secure_path>.
This is not set by default.
=item verifypw
This option controls when a password will be required when a user runs
@@ -856,7 +864,7 @@ run F</bin/kill> without a password the entry would be:
ray rushmore = NOPASSWD: /bin/kill, PASSWD: /bin/ls, /usr/bin/lprm
Note, however, that the C<PASSWD> tag has no effect on users who are
in the group specified by the exempt_group option.
in the group specified by the I<exempt_group> option.
By default, if the C<NOPASSWD> tag is applied to any of the entries
for a user on the current host, he or she will be able to run


@@ -528,6 +528,13 @@ init_envtables()
return;
}
/* STUB */
int
user_is_exempt()
{
return(FALSE);
}
/*
* Assuming a parse error occurred, prompt the user for what they want
* to do now. Returns the first letter of their choice.
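Review bot: The `/* STUB */` comment above `user_is_exempt()` does not say why the stub exists or what a constant FALSE implies. Presumably it is there so that shared code which now calls user_is_exempt() links into this program. With FALSE hard-wired, exempt_group is never honoured in this binary, so any path lookup it performs would use secure_path whenever that option is set. I would spell that out, e.g. `/* STUB: no exempt group in this program, so secure_path always applies. */`.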