Todd C. Miller
2004-09-30 17:25:51 +00:00
parent 2b020f9999
commit abc7ac8eef
6 changed files with 470 additions and 247 deletions

View File

@@ -61,7 +61,7 @@ DDEESSCCRRIIPPTTIIOONN
1.6.8 September 8, 2004 1
1.6.9 September 30, 2004 1
@@ -127,7 +127,7 @@ OOPPTTIIOONNSS
1.6.8 September 8, 2004 2
1.6.9 September 30, 2004 2
@@ -193,7 +193,7 @@ SUDO(1m) MAINTENANCE COMMANDS SUDO(1m)
1.6.8 September 8, 2004 3
1.6.9 September 30, 2004 3
@@ -259,7 +259,7 @@ SUDO(1m) MAINTENANCE COMMANDS SUDO(1m)
1.6.8 September 8, 2004 4
1.6.9 September 30, 2004 4
@@ -325,7 +325,7 @@ SSEECCUURRIITTYY NNOOTTEESS
1.6.8 September 8, 2004 5
1.6.9 September 30, 2004 5
@@ -359,15 +359,17 @@ SUDO(1m) MAINTENANCE COMMANDS SUDO(1m)
timestamp with a bogus date on systems that allow users to
give away files.
Please note that ssuuddoo will only log the command it explic<69>
itly runs. If a user runs a command such as sudo su or
sudo sh, subsequent commands run from that shell will _n_o_t
be logged, nor will ssuuddoo's access control affect them.
The same is true for commands that offer shell escapes
(including most editors). Because of this, care must be
taken when giving users access to commands via ssuuddoo to
verify that the command does not inadvertently give the
user an effective root shell.
Please note that ssuuddoo will normally only log the command
it explicitly runs. If a user runs a command such as sudo
su or sudo sh, subsequent commands run from that shell
will _n_o_t be logged, nor will ssuuddoo's access control affect
them. The same is true for commands that offer shell
escapes (including most editors). Because of this, care
must be taken when giving users access to commands via
ssuuddoo to verify that the command does not inadvertently
give the user an effective root shell. For more informa<6D>
tion, please see the PREVENTING SHELL ESCAPES section in
sudoers(4).
EENNVVIIRROONNMMEENNTT
ssuuddoo utilizes the following environment variables:
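Review bot: the new qualifier in "will normally only log the command it explicitly runs" hedges without saying when the exception applies. The exception is the command tracing (TRACE tag, systrace) that the sudoers(4) hunks in this same patch introduce, so name it here, e.g. "unless command tracing is enabled (see the TRACE tag in sudoers(4))", so the reader knows what the new cross-reference to PREVENTING SHELL ESCAPES is for.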
@@ -386,12 +388,10 @@ EENNVVIIRROONNMMEENNTT
SUDO_PROMPT Used as the default password prompt
SUDO_COMMAND Set to the command run by sudo
1.6.8 September 8, 2004 6
1.6.9 September 30, 2004 6
@@ -400,6 +400,8 @@ EENNVVIIRROONNMMEENNTT
SUDO(1m) MAINTENANCE COMMANDS SUDO(1m)
SUDO_COMMAND Set to the command run by sudo
SUDO_USER Set to the login of the user who invoked sudo
SUDO_UID Set to the uid of the user who invoked sudo
@@ -455,9 +457,7 @@ AAUUTTHHOORRSS
1.6.8 September 8, 2004 7
1.6.9 September 30, 2004 7
@@ -523,7 +523,7 @@ DDIISSCCLLAAIIMMEERR
1.6.8 September 8, 2004 8
1.6.9 September 30, 2004 8
@@ -589,6 +589,6 @@ SUDO(1m) MAINTENANCE COMMANDS SUDO(1m)
1.6.8 September 8, 2004 9
1.6.9 September 30, 2004 9

View File

@@ -149,7 +149,7 @@
.\" ========================================================================
.\"
.IX Title "SUDO @mansectsu@"
.TH SUDO @mansectsu@ "September 8, 2004" "1.6.8" "MAINTENANCE COMMANDS"
.TH SUDO @mansectsu@ "September 30, 2004" "1.6.9" "MAINTENANCE COMMANDS"
.SH "NAME"
sudo, sudoedit \- execute a command as another user
.SH "SYNOPSIS"
@@ -452,14 +452,16 @@ will be ignored and sudo will log and complain. This is done to
keep a user from creating his/her own timestamp with a bogus
date on systems that allow users to give away files.
.PP
Please note that \fBsudo\fR will only log the command it explicitly
runs. If a user runs a command such as \f(CW\*(C`sudo su\*(C'\fR or \f(CW\*(C`sudo sh\*(C'\fR,
subsequent commands run from that shell will \fInot\fR be logged, nor
will \fBsudo\fR's access control affect them. The same is true for
commands that offer shell escapes (including most editors). Because
of this, care must be taken when giving users access to commands
via \fBsudo\fR to verify that the command does not inadvertently give
the user an effective root shell.
Please note that \fBsudo\fR will normally only log the command it
explicitly runs. If a user runs a command such as \f(CW\*(C`sudo su\*(C'\fR or
\&\f(CW\*(C`sudo sh\*(C'\fR, subsequent commands run from that shell will \fInot\fR be
logged, nor will \fBsudo\fR's access control affect them. The same
is true for commands that offer shell escapes (including most
editors). Because of this, care must be taken when giving users
access to commands via \fBsudo\fR to verify that the command does not
inadvertently give the user an effective root shell. For more
information, please see the \f(CW\*(C`PREVENTING SHELL ESCAPES\*(C'\fR section in
sudoers(@mansectform@).
.SH "ENVIRONMENT"
.IX Header "ENVIRONMENT"
\&\fBsudo\fR utilizes the following environment variables:

View File

@@ -61,7 +61,7 @@ DDEESSCCRRIIPPTTIIOONN
1.6.8 September 6, 2004 1
1.6.9 September 30, 2004 1
@@ -127,7 +127,7 @@ SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4)
1.6.8 September 6, 2004 2
1.6.9 September 30, 2004 2
@@ -193,7 +193,7 @@ SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4)
1.6.8 September 6, 2004 3
1.6.9 September 30, 2004 3
@@ -259,7 +259,7 @@ SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4)
1.6.8 September 6, 2004 4
1.6.9 September 30, 2004 4
@@ -325,7 +325,7 @@ SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4)
1.6.8 September 6, 2004 5
1.6.9 September 30, 2004 5
@@ -391,7 +391,7 @@ SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4)
1.6.8 September 6, 2004 6
1.6.9 September 30, 2004 6
@@ -457,7 +457,7 @@ SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4)
1.6.8 September 6, 2004 7
1.6.9 September 30, 2004 7
@@ -523,7 +523,7 @@ SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4)
1.6.8 September 6, 2004 8
1.6.9 September 30, 2004 8
@@ -548,6 +548,17 @@ SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4)
VENTING SHELL ESCAPES" section at the end of
this manual. This flag is _o_f_f by default.
trace If set, all commands run via sudo will behave
as if the TRACE tag has been set, unless over<65>
ridden by a NOTRACE tag. See the description
of _T_R_A_C_E _a_n_d _N_O_T_R_A_C_E below as well as the
"PREVENTING SHELL ESCAPES" section at the end
of this manual. Be aware that tracing is only
supported on certain operating systems. On
systems where it is not supported this flag
will have no effect. This flag is _o_f_f by
default.
ignore_local_sudoers
If set via LDAP, parsing of @sysconfdir@/sudo<64>
ers will be skipped. This is intended for an
@@ -575,6 +586,18 @@ SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4)
loglinelen Number of characters per line for the file
log. This value is used to decide when to
wrap lines for nicer log files. This has no
1.6.9 September 30, 2004 9
SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4)
effect on the syslog log file, only the file
log. The default is 80 (use 0 or negate the
option to disable word wrap).
@@ -586,18 +609,6 @@ SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4)
word. If set to a value less than 0 the
user's timestamp will never expire. This can
be used to allow users to create or delete
1.6.8 September 6, 2004 9
SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4)
their own timestamps via sudo -v and sudo -k
respectively.
@@ -641,6 +652,18 @@ SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4)
%U expanded to the login name of the user
the command will be run as (defaults
1.6.9 September 30, 2004 10
SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4)
to root)
%h expanded to the local hostname without
@@ -651,20 +674,8 @@ SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4)
machine's hostname is fully qualified
or the _f_q_d_n option is set)
%% two consecutive % characters are
1.6.8 September 6, 2004 10
SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4)
collaped into a single % character
%% two consecutive % characters are col<6F>
laped into a single % character
The default value is Password:.
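Review bot: the reflowed line "col- laped into a single % character" carries the pre-existing typo "collaped" (should be "collapsed"); since this line is already being rewritten by the patch, fix the spelling in the same pass.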
@@ -707,6 +718,18 @@ SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4)
never Never lecture the user.
1.6.9 September 30, 2004 11
SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4)
once Only lecture the user the first time
they run ssuuddoo.
@@ -719,17 +742,6 @@ SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4)
lecture that will be used in place of the
standard lecture if the named file exists.
1.6.8 September 6, 2004 11
SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4)
logfile Path to the ssuuddoo log file (not the syslog log
file). Setting a path turns on logging to a
file; negating this option turns it off.
@@ -772,6 +784,18 @@ SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4)
to use the --vv flag.
always The user must always enter a password
1.6.9 September 30, 2004 12
SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4)
to use the --vv flag.
The default value is `all'.
@@ -784,18 +808,6 @@ SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4)
current host must have the NOPASSWD
flag set to avoid entering a password.
1.6.8 September 6, 2004 12
SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4)
any At least one of the user's _s_u_d_o_e_r_s
entries for the current host must have
the NOPASSWD flag set to avoid enter<65>
@@ -838,6 +850,18 @@ SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4)
dangerous variables from the environment of
any setuid process (such as ssuuddoo).
1.6.9 September 30, 2004 13
SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4)
env_keep Environment variables to be preserved in the
user's environment when the _e_n_v___r_e_s_e_t option
is in effect. This allows fine-grained con<6F>
@@ -850,18 +874,6 @@ SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4)
respectively. This list has no default mem<65>
bers.
1.6.8 September 6, 2004 13
SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4)
When logging via _s_y_s_l_o_g(3), ssuuddoo accepts the following
values for the syslog facility (the value of the ssyysslloogg
Parameter): aauutthhpprriivv (if your OS supports it), aauutthh, ddaaee<><08>
@@ -882,7 +894,8 @@ SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4)
Runas_Spec ::= '(' Runas_List ')'
Tag_Spec ::= ('NOPASSWD:' | 'PASSWD:' | 'NOEXEC:' | 'EXEC:')
Tag_Spec ::= ('NOPASSWD:' | 'PASSWD:' | 'NOEXEC:' | 'EXEC:' |
'TRACE' | 'NOTRACE')
A uusseerr ssppeecciiffiiccaattiioonn determines which commands a user may
run (and as what user) on specified hosts. By default,
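Review bot: the new Tag_Spec alternatives 'TRACE' | 'NOTRACE' lack the trailing colon that every other tag in the production carries ('NOPASSWD:', 'PASSWD:', 'NOEXEC:', 'EXEC:'), yet the worked example added later in this patch is `chuck research = TRACE: ALL`. Either the grammar should read 'TRACE:' | 'NOTRACE:' or the example should drop the colon; as written the grammar and the example disagree. The same production appears in the sudoers.man.in hunk below.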
@@ -903,6 +916,18 @@ SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4)
dgb boulder = (operator) /bin/ls, /bin/kill, /usr/bin/lprm
The user ddggbb may run _/_b_i_n_/_l_s, _/_b_i_n_/_k_i_l_l, and _/_u_s_r_/_b_i_n_/_l_p_r_m
1.6.9 September 30, 2004 14
SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4)
-- but only as ooppeerraattoorr. E.g.,
$ sudo -u operator /bin/ls.
@@ -915,27 +940,14 @@ SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4)
Then user ddggbb is now allowed to run _/_b_i_n_/_l_s as ooppeerraattoorr,
but _/_b_i_n_/_k_i_l_l and _/_u_s_r_/_b_i_n_/_l_p_r_m as rroooott.
1.6.8 September 6, 2004 14
SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4)
TTaagg__SSppeecc
A command may have zero or more tags associated with it.
There are four possible tag values, NOPASSWD, PASSWD,
NOEXEC, EXEC. Once a tag is set on a Cmnd, subsequent
Cmnds in the Cmnd_Spec_List, inherit the tag unless it is
overridden by the opposite tag (ie: PASSWD overrides
NOPASSWD and EXEC overrides NOEXEC).
NOEXEC, EXEC, TRACE and NOTRACE. Once a tag is set on a
Cmnd, subsequent Cmnds in the Cmnd_Spec_List, inherit the
tag unless it is overridden by the opposite tag (ie:
PASSWD overrides NOPASSWD and NOTRACE overrides TRACE).
_N_O_P_A_S_S_W_D _a_n_d _P_A_S_S_W_D
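Review bot: "There are four possible tag values, NOPASSWD, PASSWD, NOEXEC, EXEC, TRACE and NOTRACE" now lists six values but still says four; update the count or drop it. The rewritten override example swaps "EXEC overrides NOEXEC" for "NOTRACE overrides TRACE", which is fine as an illustration, but the sentence should make clear that the rule applies to all three opposite pairs. The same sentence appears in the sudoers.man.in hunk below.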
@@ -969,23 +981,11 @@ SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4)
_N_O_E_X_E_C _a_n_d _E_X_E_C
If sudo has been compiled with _n_o_e_x_e_c support and the
underlying operating system support it, the NOEXEC tag can
be used to prevent a dynamically-linked executable from
running further commands itself.
In the following example, user aaaarroonn may run _/_u_s_r_/_b_i_n_/_m_o_r_e
and _/_u_s_r_/_b_i_n_/_v_i but shell escapes will be disabled.
aaron shanty = NOEXEC: /usr/bin/more, /usr/bin/vi
See the "PREVENTING SHELL ESCAPES" section below for more
details on how _n_o_e_x_e_c works and whether or not it will
work on your system.
If ssuuddoo has been compiled with _n_o_e_x_e_c support and the
1.6.8 September 6, 2004 15
1.6.9 September 30, 2004 15
@@ -994,6 +994,38 @@ SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4)
SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4)
underlying operating system supports it, the NOEXEC tag
can be used to prevent a dynamically-linked executable
from running further commands itself.
In the following example, user aaaarroonn may run _/_u_s_r_/_b_i_n_/_m_o_r_e
and _/_u_s_r_/_b_i_n_/_v_i but shell escapes will be disabled.
aaron shanty = NOEXEC: /usr/bin/more, /usr/bin/vi
See the "PREVENTING SHELL ESCAPES" section below for more
details on how NOEXEC works and whether or not it will
work on your system.
_T_R_A_C_E _a_n_d _N_O_T_R_A_C_E
If ssuuddoo has been configured with the --with-systrace
option, the TRACE tag can be used to cause programs
spawned by a command to be checked against _s_u_d_o_e_r_s and
logged just like they would be if run through ssuuddoo
directly. This is useful in conjunction with commands
that allow shell escapes such as editors, shells and pagi<67>
nators.
In the following example, user cchhuucckk may run any command
on the machine research with tracing enabled.
chuck research = TRACE: ALL
See the "PREVENTING SHELL ESCAPES" section below for more
details on how TRACE works and whether or not it will work
on your system.
WWiillddccaarrddss
ssuuddoo allows shell-style _w_i_l_d_c_a_r_d_s (aka meta or glob char<61>
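Review bot: the new TRACE and NOTRACE subsection says the tag requires a build configured with --with-systrace but does not say what happens when TRACE is used on a build or operating system without systrace support. The trace flag description earlier in this patch says the flag "will have no effect" in that case; the tag text should state the same (or say that it is a parse error), because an administrator relying on TRACE for logging of shell escapes needs to know whether a silent fall-through to untraced execution is possible.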
@@ -1016,6 +1048,18 @@ SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4)
Note that a forward slash ('/') will nnoott be matched by
wildcards used in the pathname. When matching the command
1.6.9 September 30, 2004 16
SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4)
line arguments, however, a slash ddooeess get matched by wild<6C>
cards. This is to make a path like:
@@ -1047,19 +1091,6 @@ SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4)
This limitation will be removed in a future version of
ssuuddoo.
1.6.8 September 6, 2004 16
SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4)
EExxcceeppttiioonnss ttoo wwiillddccaarrdd rruulleess
The following exceptions apply to the above rules:
@@ -1068,13 +1099,48 @@ SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4)
argument in the _s_u_d_o_e_r_s entry it means that com<6F>
mand is not allowed to be run with aannyy arguments.
IInncclluuddiinngg ootthheerr ffiilleess ffrroomm wwiitthhiinn ssuuddooeerrss
It is possible to include other _s_u_d_o_e_r_s files from within
the _s_u_d_o_e_r_s file currently being parsed using the #include
directive, similar to the one used by the C preprocessor.
This is useful, for example, for keeping a site-wide _s_u_d_o_<08>
_e_r_s file in addition to a per-machine local one. For the
sake of this example the site-wide _s_u_d_o_e_r_s will be
_/_e_t_c_/_s_u_d_o_e_r_s and the per-machine one will be _/_e_t_c_/_s_u_d_o_<08>
_e_r_s_._l_o_c_a_l. To include _/_e_t_c_/_s_u_d_o_e_r_s_._l_o_c_a_l from _/_e_t_c_/_s_u_d_o_<08>
_e_r_s we would use the following line in _/_e_t_c_/_s_u_d_o_e_r_s:
#include /etc/sudoers.local
When ssuuddoo reaches this line it will suspend processing of
1.6.9 September 30, 2004 17
SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4)
the current file (_/_e_t_c_/_s_u_d_o_e_r_s) and switch to _/_e_t_c_/_s_u_d_o_<08>
_e_r_s_._l_o_c_a_l. Upon reaching the end of _/_e_t_c_/_s_u_d_o_e_r_s_._l_o_c_a_l,
the rest of _/_e_t_c_/_s_u_d_o_e_r_s will be processed. Files that
are included may themselves include other files. A hard
limit of 128 nested include files is enforced to prevent
include file loops.
OOtthheerr ssppeecciiaall cchhaarraacctteerrss aanndd rreesseerrvveedd wwoorrddss
The pound sign ('#') is used to indicate a comment (unless
it occurs in the context of a user name and is followed by
one or more digits, in which case it is treated as a uid).
Both the comment character and any text after it, up to
the end of the line, are ignored.
it is part of a #include directive or unless it occurs in
the context of a user name and is followed by one or more
digits, in which case it is treated as a uid). Both the
comment character and any text after it, up to the end of
the line, are ignored.
The reserved word AALLLL is a built-in _a_l_i_a_s that always
causes a match to succeed. It can be used wherever one
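Review bot: the new "Including other files from within sudoers" subsection documents the #include directive and the nesting limit but not the checks applied to the included file: whether it must be owned by root and not group/world-writable as /etc/sudoers must, and whether a missing or unreadable include is fatal or silently skipped. An included path extends the trust boundary of sudoers, so that behaviour should be spelled out here. Also, "A hard limit of 128 nested include files is enforced to prevent include file loops" overstates what a depth cap does: it bounds recursion but does not detect a loop, so "to prevent unbounded recursion (for example from an include loop)" would be more accurate.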
@@ -1117,7 +1183,7 @@ EEXXAAMMPPLLEESS
1.6.8 September 6, 2004 17
1.6.9 September 30, 2004 18
@@ -1183,7 +1249,7 @@ SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4)
1.6.8 September 6, 2004 18
1.6.9 September 30, 2004 19
@@ -1249,7 +1315,7 @@ SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4)
1.6.8 September 6, 2004 19
1.6.9 September 30, 2004 20
@@ -1315,7 +1381,7 @@ SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4)
1.6.8 September 6, 2004 20
1.6.9 September 30, 2004 21
@@ -1359,29 +1425,29 @@ PPRREEVVEENNTTIINNGG SSHHEELLLL EESSCCAAPPEESS
whatever it pleases, including run other programs. This
can be a security issue since it is not uncommon for a
program to allow shell escapes, which lets a user bypass
ssuuddoo's restrictions. Common programs that permit shell
escapes include shells (obviously), editors, paginators,
mail and terminal programs.
ssuuddoo's access control and logging. Common programs that
permit shell escapes include shells (obviously), editors,
paginators, mail and terminal programs.
Many systems that support shared libraries have the abil<69>
ity to override default library functions by pointing an
environment variable (usually LD_PRELOAD) to an alternate
shared library. On such systems, ssuuddoo's _n_o_e_x_e_c function<6F>
ality can be used to prevent a program run by sudo from
executing any other programs. Note, however, that this
applies only to native dynamically-linked executables.
Statically-linked executables and foreign executables run<75>
ning under binary emulation are not affected.
There are three basic approaches to this problem:
To tell whether or not ssuuddoo supports _n_o_e_x_e_c, you can run
the following as root:
restrict Avoid giving users access to commands that allow
the user to run arbitrary commands. Many edi<64>
tors have a restricted mode where shell escapes
are disabled, though ssuuddooeeddiitt is a better solu<6C>
tion to running editors via sudo. Due to the
large number of programs that offer shell
escapes, restricting users to the set of pro<72>
grams that do not if often unworkable.
sudo -V | grep "dummy exec"
noexec Many systems that support shared libraries have
the ability to override default library func<6E>
tions by pointing an environment variable (usu<73>
ally LD_PRELOAD) to an alternate shared library.
1.6.8 September 6, 2004 21
1.6.9 September 30, 2004 22
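Review bot: the "restrict" item carries over the pre-existing typo "restricting users to the set of programs that do not if often unworkable" ("if" should be "is") into the new three-item list; fix it while the paragraph is being moved. The same text appears in the sudoers.man.in hunk below.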
@@ -1390,38 +1456,95 @@ PPRREEVVEENNTTIINNGG SSHHEELLLL EESSCCAAPPEESS
SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4)
If the resulting output contains a line that begins with:
On such systems, ssuuddoo's _n_o_e_x_e_c functionality can
be used to prevent a program run by sudo from
executing any other programs. Note, however,
that this applies only to native dynamically-
linked executables. Statically-linked executa<74>
bles and foreign executables running under
binary emulation are not affected.
File containing dummy exec functions:
To tell whether or not ssuuddoo supports _n_o_e_x_e_c, you
can run the following as root:
then ssuuddoo may be able to replace the exec family of func<6E>
tions in the standard library with its own that simply
return an error. Unfortunately, there is no foolproof way
to know whether or not _n_o_e_x_e_c will work at compile-time.
_N_o_e_x_e_c should work on SunOS, Solaris, *BSD, Linux, IRIX,
Tru64 UNIX, MacOS X, and HP-UX 11.x. It is known nnoott to
work on AIX and UnixWare. _N_o_e_x_e_c is expected to work on
most operating systems that support the LD_PRELOAD envi<76>
ronment variable. Check your operating system's manual
pages for the dynamic linker (usually ld.so, ld.so.1,
dyld, dld.sl, rld, or loader) to see if LD_PRELOAD is sup<75>
ported.
sudo -V | grep "dummy exec"
To enable _n_o_e_x_e_c for a command, use the NOEXEC tag as doc<6F>
umented in the User Specification section above. Here is
that example again:
If the resulting output contains a line that
begins with:
aaron shanty = NOEXEC: /usr/bin/more, /usr/bin/vi
File containing dummy exec functions:
This allows user aaaarroonn to run _/_u_s_r_/_b_i_n_/_m_o_r_e and
_/_u_s_r_/_b_i_n_/_v_i with _n_o_e_x_e_c enabled. This will prevent those
two commands from executing other commands (such as a
shell). If you are unsure whether or not your system is
capable of supporting _n_o_e_x_e_c you can always just try it
out and see if it works.
then ssuuddoo may be able to replace the exec family
of functions in the standard library with its
own that simply return an error. Unfortunately,
there is no foolproof way to know whether or not
_n_o_e_x_e_c will work at compile-time. _N_o_e_x_e_c should
work on SunOS, Solaris, *BSD, Linux, IRIX, Tru64
UNIX, MacOS X, and HP-UX 11.x. It is known nnoott
to work on AIX and UnixWare. _N_o_e_x_e_c is expected
to work on most operating systems that support
the LD_PRELOAD environment variable. Check your
operating system's manual pages for the dynamic
linker (usually ld.so, ld.so.1, dyld, dld.sl,
rld, or loader) to see if LD_PRELOAD is sup<75>
ported.
Note that disabling shell escapes is not a panacea. Pro<72>
grams running as root are still capable of many poten<EFBFBD>
To enable _n_o_e_x_e_c for a command, use the NOEXEC
tag as documented in the User Specification sec<EFBFBD>
tion above. Here is that example again:
aaron shanty = NOEXEC: /usr/bin/more, /usr/bin/vi
This allows user aaaarroonn to run _/_u_s_r_/_b_i_n_/_m_o_r_e and
_/_u_s_r_/_b_i_n_/_v_i with _n_o_e_x_e_c enabled. This will pre<72>
vent those two commands from executing other
commands (such as a shell). If you are unsure
whether or not your system is capable of sup<75>
porting _n_o_e_x_e_c you can always just try it out
and see if it works.
tracing On operating systems that support the ssyyssttrraaccee
pseudo-device, the --with-systrace configure
option can be used to compile support for com<6F>
mand tracing in ssuuddoo. With ssyyssttrraaccee support
ssuuddoo can transparently intercept a new command,
allow or deny it based on _s_u_d_o_e_r_s, and log the
result. This does require that ssuuddoo become a
1.6.9 September 30, 2004 23
SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4)
daemon that persists until the command and all
its descendents have finished.
To enable tracing on a per-command basis, use
the TRACE tag as documented in the User Specifi<66>
cation section above. Here is that example
again:
chuck research = TRACE: ALL
This allows user cchhuucckk to run any command on the
machine research with tracing enabled. Any com<6F>
mands run via shell escapes will be logged by
sudo.
At the time of this writing the ssyyssttrraaccee pseudo-
device comes standard with OpenBSD and NetBSD
and is available as patches to FreeBSD, MacOS X
and Linux. See <http://www.systrace.org/> for
more information.
Note that restricting shell escapes is not a panacea.
Programs running as root are still capable of many poten<65>
tially hazardous operations (such as changing or overwrit<69>
ing files) that could lead to unintended privilege escala<6C>
tion. In the specific case of an editor, a safer approach
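Review bot: in the new "tracing" item, "descendents" should be "descendants". More substantively, the item says sudo must "become a daemon that persists until the command and all its descendents have finished" but does not say what happens to the traced command and its children if that daemon exits or is killed, nor whether commands intercepted via tracing are logged with the same fields (user, command, arguments) as a direct invocation. A sentence on each would let an administrator decide between TRACE and NOEXEC for a given command.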
@@ -1443,19 +1566,6 @@ CCAAVVEEAATTSS
hostname be fully qualified as returned by the hostname
command or use the _f_q_d_n option in _s_u_d_o_e_r_s.
1.6.8 September 6, 2004 22
SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4)
BBUUGGSS
If you feel you have found a bug in ssuuddoo, please submit a
bug report at http://www.sudo.ws/sudo/bugs/
@@ -1465,9 +1575,21 @@ SSUUPPPPOORRTT
http://www.sudo.ws/sudo/support.html for details.
Limited free support is available via the sudo-users mail<69>
ing list, see http://www.sudo.ws/mail<69>
man/listinfo/sudo-users to subscribe or search the
archives.
ing list, see
1.6.9 September 30, 2004 24
SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4)
http://www.sudo.ws/mailman/listinfo/sudo-users to sub<75>
scribe or search the archives.
DDIISSCCLLAAIIMMEERR
SSuuddoo is provided ``AS IS'' and any express or implied war<61>
@@ -1513,6 +1635,16 @@ DDIISSCCLLAAIIMMEERR
1.6.8 September 6, 2004 23
1.6.9 September 30, 2004 25

View File

@@ -149,7 +149,7 @@
.\" ========================================================================
.\"
.IX Title "SUDOERS @mansectform@"
.TH SUDOERS @mansectform@ "September 6, 2004" "1.6.8" "MAINTENANCE COMMANDS"
.TH SUDOERS @mansectform@ "September 30, 2004" "1.6.9" "MAINTENANCE COMMANDS"
.SH "NAME"
sudoers \- list of which users may execute what
.SH "DESCRIPTION"
@@ -589,6 +589,14 @@ the \-\-with\-logincap option. This flag is \fIoff\fR by default.
If set, all commands run via sudo will behave as if the \f(CW\*(C`NOEXEC\*(C'\fR
tag has been set, unless overridden by a \f(CW\*(C`EXEC\*(C'\fR tag. See the
description of \fI\s-1NOEXEC\s0 and \s-1EXEC\s0\fR below as well as the \*(L"\s-1PREVENTING\s0 \s-1SHELL\s0 \s-1ESCAPES\s0\*(R" section at the end of this manual. This flag is \fIoff\fR by default.
.IP "trace" 12
.IX Item "trace"
If set, all commands run via sudo will behave as if the \f(CW\*(C`TRACE\*(C'\fR
tag has been set, unless overridden by a \f(CW\*(C`NOTRACE\*(C'\fR tag. See the
description of \fI\s-1TRACE\s0 and \s-1NOTRACE\s0\fR below as well as the \*(L"\s-1PREVENTING\s0 \s-1SHELL\s0 \s-1ESCAPES\s0\*(R" section at the end of this manual. Be aware that
tracing is only supported on certain operating systems. On systems
where it is not supported this flag will have no effect.
This flag is \fIoff\fR by default.
.IP "ignore_local_sudoers" 12
.IX Item "ignore_local_sudoers"
If set via \s-1LDAP\s0, parsing of \f(CW@sysconfdir\fR@/sudoers will be skipped.
@@ -867,8 +875,9 @@ supported: \fBalert\fR, \fBcrit\fR, \fBdebug\fR, \fBemerg\fR, \fBerr\fR, \fBinfo
\& Runas_Spec ::= '(' Runas_List ')'
.Ve
.PP
.Vb 1
\& Tag_Spec ::= ('NOPASSWD:' | 'PASSWD:' | 'NOEXEC:' | 'EXEC:')
.Vb 2
\& Tag_Spec ::= ('NOPASSWD:' | 'PASSWD:' | 'NOEXEC:' | 'EXEC:' |
\& 'TRACE' | 'NOTRACE')
.Ve
.PP
A \fBuser specification\fR determines which commands a user may run
@@ -907,11 +916,12 @@ but \fI/bin/kill\fR and \fI/usr/bin/lprm\fR as \fBroot\fR.
.Sh "Tag_Spec"
.IX Subsection "Tag_Spec"
A command may have zero or more tags associated with it. There are
four possible tag values, \f(CW\*(C`NOPASSWD\*(C'\fR, \f(CW\*(C`PASSWD\*(C'\fR, \f(CW\*(C`NOEXEC\*(C'\fR, \f(CW\*(C`EXEC\*(C'\fR.
four possible tag values, \f(CW\*(C`NOPASSWD\*(C'\fR, \f(CW\*(C`PASSWD\*(C'\fR, \f(CW\*(C`NOEXEC\*(C'\fR, \f(CW\*(C`EXEC\*(C'\fR,
\&\f(CW\*(C`TRACE\*(C'\fR and \f(CW\*(C`NOTRACE\*(C'\fR.
Once a tag is set on a \f(CW\*(C`Cmnd\*(C'\fR, subsequent \f(CW\*(C`Cmnd\*(C'\fRs in the
\&\f(CW\*(C`Cmnd_Spec_List\*(C'\fR, inherit the tag unless it is overridden by the
opposite tag (ie: \f(CW\*(C`PASSWD\*(C'\fR overrides \f(CW\*(C`NOPASSWD\*(C'\fR and \f(CW\*(C`EXEC\*(C'\fR
overrides \f(CW\*(C`NOEXEC\*(C'\fR).
opposite tag (ie: \f(CW\*(C`PASSWD\*(C'\fR overrides \f(CW\*(C`NOPASSWD\*(C'\fR and \f(CW\*(C`NOTRACE\*(C'\fR
overrides \f(CW\*(C`TRACE\*(C'\fR).
.PP
\fI\s-1NOPASSWD\s0 and \s-1PASSWD\s0\fR
.IX Subsection "NOPASSWD and PASSWD"
@@ -949,8 +959,8 @@ This behavior may be overridden via the verifypw and listpw options.
\fI\s-1NOEXEC\s0 and \s-1EXEC\s0\fR
.IX Subsection "NOEXEC and EXEC"
.PP
If sudo has been compiled with \fInoexec\fR support and the underlying
operating system support it, the \f(CW\*(C`NOEXEC\*(C'\fR tag can be used to prevent
If \fBsudo\fR has been compiled with \fInoexec\fR support and the underlying
operating system supports it, the \f(CW\*(C`NOEXEC\*(C'\fR tag can be used to prevent
a dynamically-linked executable from running further commands itself.
.PP
In the following example, user \fBaaron\fR may run \fI/usr/bin/more\fR
@@ -961,7 +971,27 @@ and \fI/usr/bin/vi\fR but shell escapes will be disabled.
.Ve
.PP
See the \*(L"\s-1PREVENTING\s0 \s-1SHELL\s0 \s-1ESCAPES\s0\*(R" section below for more details
on how \fInoexec\fR works and whether or not it will work on your system.
on how \f(CW\*(C`NOEXEC\*(C'\fR works and whether or not it will work on your system.
.PP
\fI\s-1TRACE\s0 and \s-1NOTRACE\s0\fR
.IX Subsection "TRACE and NOTRACE"
.PP
If \fBsudo\fR has been configured with the \f(CW\*(C`\-\-with\-systrace\*(C'\fR option,
the \f(CW\*(C`TRACE\*(C'\fR tag can be used to cause programs spawned by a command
to be checked against \fIsudoers\fR and logged just like they would
be if run through \fBsudo\fR directly. This is useful in conjunction
with commands that allow shell escapes such as editors, shells and
paginators.
.PP
In the following example, user \fBchuck\fR may run any command on the
machine research with tracing enabled.
.PP
.Vb 1
\& chuck research = TRACE: ALL
.Ve
.PP
See the \*(L"\s-1PREVENTING\s0 \s-1SHELL\s0 \s-1ESCAPES\s0\*(R" section below for more details
on how \f(CW\*(C`TRACE\*(C'\fR works and whether or not it will work on your system.
.Sh "Wildcards"
.IX Subsection "Wildcards"
\&\fBsudo\fR allows shell-style \fIwildcards\fR (aka meta or glob characters)
@@ -1037,13 +1067,34 @@ The following exceptions apply to the above rules:
If the empty string \f(CW""\fR is the only command line argument in the
\&\fIsudoers\fR entry it means that command is not allowed to be run
with \fBany\fR arguments.
.Sh "Including other files from within sudoers"
.IX Subsection "Including other files from within sudoers"
It is possible to include other \fIsudoers\fR files from within the
\&\fIsudoers\fR file currently being parsed using the \f(CW\*(C`#include\*(C'\fR
directive, similar to the one used by the C preprocessor. This is
useful, for example, for keeping a site-wide \fIsudoers\fR file in
addition to a per-machine local one. For the sake of this example
the site-wide \fIsudoers\fR will be \fI/etc/sudoers\fR and the per-machine
one will be \fI/etc/sudoers.local\fR. To include \fI/etc/sudoers.local\fR
from \fI/etc/sudoers\fR we would use the following line in \fI/etc/sudoers\fR:
.PP
.Vb 1
\& #include /etc/sudoers.local
.Ve
.PP
When \fBsudo\fR reaches this line it will suspend processing of the
current file (\fI/etc/sudoers\fR) and switch to \fI/etc/sudoers.local\fR.
Upon reaching the end of \fI/etc/sudoers.local\fR, the rest of
\&\fI/etc/sudoers\fR will be processed. Files that are included may
themselves include other files. A hard limit of 128 nested include
files is enforced to prevent include file loops.
.Sh "Other special characters and reserved words"
.IX Subsection "Other special characters and reserved words"
The pound sign ('#') is used to indicate a comment (unless it
occurs in the context of a user name and is followed by one or
more digits, in which case it is treated as a uid). Both the
comment character and any text after it, up to the end of the line,
are ignored.
The pound sign ('#') is used to indicate a comment (unless it is
part of a #include directive or unless it occurs in the context of
a user name and is followed by one or more digits, in which case
it is treated as a uid). Both the comment character and any text
after it, up to the end of the line, are ignored.
.PP
The reserved word \fB\s-1ALL\s0\fR is a built-in \fIalias\fR that always causes
a match to succeed. It can be used wherever one might otherwise
@@ -1318,10 +1369,21 @@ advisory at best (and reinforced by policy).
Once \fBsudo\fR executes a program, that program is free to do whatever
it pleases, including run other programs. This can be a security
issue since it is not uncommon for a program to allow shell escapes,
which lets a user bypass \fBsudo\fR's restrictions. Common programs
that permit shell escapes include shells (obviously), editors,
paginators, mail and terminal programs.
which lets a user bypass \fBsudo\fR's access control and logging.
Common programs that permit shell escapes include shells (obviously),
editors, paginators, mail and terminal programs.
.PP
There are three basic approaches to this problem:
.IP "restrict" 10
.IX Item "restrict"
Avoid giving users access to commands that allow the user to run
arbitrary commands. Many editors have a restricted mode where shell
escapes are disabled, though \fBsudoedit\fR is a better solution to
running editors via sudo. Due to the large number of programs that
offer shell escapes, restricting users to the set of programs that
do not if often unworkable.
.IP "noexec" 10
.IX Item "noexec"
Many systems that support shared libraries have the ability to
override default library functions by pointing an environment
variable (usually \f(CW\*(C`LD_PRELOAD\*(C'\fR) to an alternate shared library.
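Review bot: typo in the "restrict" item: "restricting users to the set of programs that do not if often unworkable" should read "is often unworkable"; in the same item, "a better solution to running editors via sudo" reads more naturally as "for running editors via sudo". The change from "bypass sudo's restrictions" to "bypass sudo's access control and logging" is a real improvement, since a shell escape defeats both, so no further change needed there.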
@@ -1330,20 +1392,20 @@ prevent a program run by sudo from executing any other programs.
Note, however, that this applies only to native dynamically-linked
executables. Statically-linked executables and foreign executables
running under binary emulation are not affected.
.PP
.Sp
To tell whether or not \fBsudo\fR supports \fInoexec\fR, you can run
the following as root:
.PP
.Sp
.Vb 1
\& sudo -V | grep "dummy exec"
.Ve
.PP
.Sp
If the resulting output contains a line that begins with:
.PP
.Sp
.Vb 1
\& File containing dummy exec functions:
.Ve
.PP
.Sp
then \fBsudo\fR may be able to replace the exec family of functions
in the standard library with its own that simply return an error.
Unfortunately, there is no foolproof way to know whether or not
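Review bot: the .PP to .Sp changes are correct now that this text lives inside the "noexec" .IP item (a .PP would reset the indent and end the item). One point on the surrounding wording: "sudo may be able to replace the exec family of functions" followed by "there is no foolproof way to know" leaves the reader without an actionable check; since the text later says "you can always just try it out and see if it works", consider saying here that the only reliable test is to run a NOEXEC command known to exec (for example vi and a :!command) and confirm the escape fails.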
@@ -1354,25 +1416,52 @@ is expected to work on most operating systems that support the
\&\f(CW\*(C`LD_PRELOAD\*(C'\fR environment variable. Check your operating system's
manual pages for the dynamic linker (usually ld.so, ld.so.1, dyld,
dld.sl, rld, or loader) to see if \f(CW\*(C`LD_PRELOAD\*(C'\fR is supported.
.PP
.Sp
To enable \fInoexec\fR for a command, use the \f(CW\*(C`NOEXEC\*(C'\fR tag as documented
in the User Specification section above. Here is that example again:
.PP
.Sp
.Vb 1
\& aaron shanty = NOEXEC: /usr/bin/more, /usr/bin/vi
.Ve
.PP
.Sp
This allows user \fBaaron\fR to run \fI/usr/bin/more\fR and \fI/usr/bin/vi\fR
with \fInoexec\fR enabled. This will prevent those two commands from
executing other commands (such as a shell). If you are unsure
whether or not your system is capable of supporting \fInoexec\fR you
can always just try it out and see if it works.
.IP "tracing" 10
.IX Item "tracing"
On operating systems that support the \fBsystrace\fR pseudo\-device,
the \f(CW\*(C`\-\-with\-systrace\*(C'\fR configure option can be used to compile
support for command tracing in \fBsudo\fR. With \fBsystrace\fR support
\&\fBsudo\fR can transparently intercept a new command, allow or deny
it based on \fIsudoers\fR, and log the result. This does require that
\&\fBsudo\fR become a daemon that persists until the command and all its
descendents have finished.
.Sp
To enable tracing on a per-command basis, use the \f(CW\*(C`TRACE\*(C'\fR tag as
documented in the User Specification section above. Here is that
example again:
.Sp
.Vb 1
\& chuck research = TRACE: ALL
.Ve
.Sp
This allows user \fBchuck\fR to run any command on the machine research
with tracing enabled. Any commands run via shell escapes will be
logged by sudo.
.Sp
At the time of this writing the \fBsystrace\fR pseudo-device comes
standard with OpenBSD and NetBSD and is available as patches to
FreeBSD, MacOS X and Linux. See <http://www.systrace.org/> for
more information.
.PP
Note that disabling shell escapes is not a panacea. Programs running
as root are still capable of many potentially hazardous operations
(such as changing or overwriting files) that could lead to unintended
privilege escalation. In the specific case of an editor, a safer
approach is to give the user permission to run \fBsudoedit\fR.
Note that restricting shell escapes is not a panacea. Programs
running as root are still capable of many potentially hazardous
operations (such as changing or overwriting files) that could lead
to unintended privilege escalation. In the specific case of an
editor, a safer approach is to give the user permission to run
\&\fBsudoedit\fR.
.SH "SEE ALSO"
.IX Header "SEE ALSO"
\&\fIrsh\fR\|(1), \fIsu\fR\|(1), \fIfnmatch\fR\|(3), sudo(@mansectsu@), visudo(@mansectsu@)
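Review bot: "descendents" in the tracing item should be "descendants". Also, "Any commands run via shell escapes will be logged by sudo" understates what the item's first paragraph says: with systrace each intercepted command is allowed or denied according to sudoers and then logged, so a disallowed escape is blocked, not merely recorded; consider "will be checked against sudoers and logged". Finally, "MacOS X" is conventionally written "Mac OS X".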
View File
@@ -61,7 +61,7 @@ OOPPTTIIOONNSS
1.6.8 September 6, 2004 1
1.6.8p1 September 27, 2004 1
@@ -127,7 +127,7 @@ DDIIAAGGNNOOSSTTIICCSS
1.6.8 September 6, 2004 2
1.6.8p1 September 27, 2004 2
@@ -193,6 +193,6 @@ DDIISSCCLLAAIIMMEERR
1.6.8 September 6, 2004 3
1.6.8p1 September 27, 2004 3
View File
@@ -149,7 +149,7 @@
.\" ========================================================================
.\"
.IX Title "VISUDO @mansectsu@"
.TH VISUDO @mansectsu@ "September 6, 2004" "1.6.8" "MAINTENANCE COMMANDS"
.TH VISUDO @mansectsu@ "September 27, 2004" "1.6.8p1" "MAINTENANCE COMMANDS"
.SH "NAME"
visudo \- edit the sudoers file
.SH "SYNOPSIS"