This commit is contained in:
Todd C. Miller
2004-09-30 17:25:51 +00:00
parent 2b020f9999
commit abc7ac8eef
6 changed files with 470 additions and 247 deletions


@@ -61,7 +61,7 @@ DDEESSCCRRIIPPTTIIOONN
1.6.8 September 8, 2004 1 1.6.9 September 30, 2004 1
@@ -127,7 +127,7 @@ OOPPTTIIOONNSS
1.6.8 September 8, 2004 2 1.6.9 September 30, 2004 2
@@ -193,7 +193,7 @@ SUDO(1m) MAINTENANCE COMMANDS SUDO(1m)
1.6.8 September 8, 2004 3 1.6.9 September 30, 2004 3
@@ -259,7 +259,7 @@ SUDO(1m) MAINTENANCE COMMANDS SUDO(1m)
1.6.8 September 8, 2004 4 1.6.9 September 30, 2004 4
@@ -325,7 +325,7 @@ SSEECCUURRIITTYY NNOOTTEESS
1.6.8 September 8, 2004 5 1.6.9 September 30, 2004 5
@@ -359,15 +359,17 @@ SUDO(1m) MAINTENANCE COMMANDS SUDO(1m)
timestamp with a bogus date on systems that allow users to timestamp with a bogus date on systems that allow users to
give away files. give away files.
Please note that ssuuddoo will only log the command it explic<69> Please note that ssuuddoo will normally only log the command
itly runs. If a user runs a command such as sudo su or it explicitly runs. If a user runs a command such as sudo
sudo sh, subsequent commands run from that shell will _n_o_t su or sudo sh, subsequent commands run from that shell
be logged, nor will ssuuddoo's access control affect them. will _n_o_t be logged, nor will ssuuddoo's access control affect
The same is true for commands that offer shell escapes them. The same is true for commands that offer shell
(including most editors). Because of this, care must be escapes (including most editors). Because of this, care
taken when giving users access to commands via ssuuddoo to must be taken when giving users access to commands via
verify that the command does not inadvertently give the ssuuddoo to verify that the command does not inadvertently
user an effective root shell. give the user an effective root shell. For more informa<6D>
tion, please see the PREVENTING SHELL ESCAPES section in
sudoers(4).
EENNVVIIRROONNMMEENNTT EENNVVIIRROONNMMEENNTT
ssuuddoo utilizes the following environment variables: ssuuddoo utilizes the following environment variables:
@@ -386,12 +388,10 @@ EENNVVIIRROONNMMEENNTT
SUDO_PROMPT Used as the default password prompt SUDO_PROMPT Used as the default password prompt
SUDO_COMMAND Set to the command run by sudo
1.6.9 September 30, 2004 6
1.6.8 September 8, 2004 6
@@ -400,6 +400,8 @@ EENNVVIIRROONNMMEENNTT
SUDO(1m) MAINTENANCE COMMANDS SUDO(1m) SUDO(1m) MAINTENANCE COMMANDS SUDO(1m)
SUDO_COMMAND Set to the command run by sudo
SUDO_USER Set to the login of the user who invoked sudo SUDO_USER Set to the login of the user who invoked sudo
SUDO_UID Set to the uid of the user who invoked sudo SUDO_UID Set to the uid of the user who invoked sudo
@@ -455,9 +457,7 @@ AAUUTTHHOORRSS
1.6.9 September 30, 2004 7
1.6.8 September 8, 2004 7
@@ -523,7 +523,7 @@ DDIISSCCLLAAIIMMEERR
1.6.8 September 8, 2004 8 1.6.9 September 30, 2004 8
@@ -589,6 +589,6 @@ SUDO(1m) MAINTENANCE COMMANDS SUDO(1m)
1.6.8 September 8, 2004 9 1.6.9 September 30, 2004 9


@@ -149,7 +149,7 @@
.\" ======================================================================== .\" ========================================================================
.\" .\"
.IX Title "SUDO @mansectsu@" .IX Title "SUDO @mansectsu@"
.TH SUDO @mansectsu@ "September 8, 2004" "1.6.8" "MAINTENANCE COMMANDS" .TH SUDO @mansectsu@ "September 30, 2004" "1.6.9" "MAINTENANCE COMMANDS"
.SH "NAME" .SH "NAME"
sudo, sudoedit \- execute a command as another user sudo, sudoedit \- execute a command as another user
.SH "SYNOPSIS" .SH "SYNOPSIS"
@@ -452,14 +452,16 @@ will be ignored and sudo will log and complain. This is done to
keep a user from creating his/her own timestamp with a bogus keep a user from creating his/her own timestamp with a bogus
date on systems that allow users to give away files. date on systems that allow users to give away files.
.PP .PP
Please note that \fBsudo\fR will only log the command it explicitly Please note that \fBsudo\fR will normally only log the command it
runs. If a user runs a command such as \f(CW\*(C`sudo su\*(C'\fR or \f(CW\*(C`sudo sh\*(C'\fR, explicitly runs. If a user runs a command such as \f(CW\*(C`sudo su\*(C'\fR or
subsequent commands run from that shell will \fInot\fR be logged, nor \&\f(CW\*(C`sudo sh\*(C'\fR, subsequent commands run from that shell will \fInot\fR be
will \fBsudo\fR's access control affect them. The same is true for logged, nor will \fBsudo\fR's access control affect them. The same
commands that offer shell escapes (including most editors). Because is true for commands that offer shell escapes (including most
of this, care must be taken when giving users access to commands editors). Because of this, care must be taken when giving users
via \fBsudo\fR to verify that the command does not inadvertently give access to commands via \fBsudo\fR to verify that the command does not
the user an effective root shell. inadvertently give the user an effective root shell. For more
information, please see the \f(CW\*(C`PREVENTING SHELL ESCAPES\*(C'\fR section in
sudoers(@mansectform@).
.SH "ENVIRONMENT" .SH "ENVIRONMENT"
.IX Header "ENVIRONMENT" .IX Header "ENVIRONMENT"
\&\fBsudo\fR utilizes the following environment variables: \&\fBsudo\fR utilizes the following environment variables:


@@ -61,7 +61,7 @@ DDEESSCCRRIIPPTTIIOONN
1.6.8 September 6, 2004 1 1.6.9 September 30, 2004 1
@@ -127,7 +127,7 @@ SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4)
1.6.8 September 6, 2004 2 1.6.9 September 30, 2004 2
@@ -193,7 +193,7 @@ SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4)
1.6.8 September 6, 2004 3 1.6.9 September 30, 2004 3
@@ -259,7 +259,7 @@ SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4)
1.6.8 September 6, 2004 4 1.6.9 September 30, 2004 4
@@ -325,7 +325,7 @@ SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4)
1.6.8 September 6, 2004 5 1.6.9 September 30, 2004 5
@@ -391,7 +391,7 @@ SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4)
1.6.8 September 6, 2004 6 1.6.9 September 30, 2004 6
@@ -457,7 +457,7 @@ SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4)
1.6.8 September 6, 2004 7 1.6.9 September 30, 2004 7
@@ -523,7 +523,7 @@ SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4)
1.6.8 September 6, 2004 8 1.6.9 September 30, 2004 8
@@ -548,6 +548,17 @@ SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4)
VENTING SHELL ESCAPES" section at the end of VENTING SHELL ESCAPES" section at the end of
this manual. This flag is _o_f_f by default. this manual. This flag is _o_f_f by default.
trace If set, all commands run via sudo will behave
as if the TRACE tag has been set, unless over<65>
ridden by a NOTRACE tag. See the description
of _T_R_A_C_E _a_n_d _N_O_T_R_A_C_E below as well as the
"PREVENTING SHELL ESCAPES" section at the end
of this manual. Be aware that tracing is only
supported on certain operating systems. On
systems where it is not supported this flag
will have no effect. This flag is _o_f_f by
default.
ignore_local_sudoers ignore_local_sudoers
If set via LDAP, parsing of @sysconfdir@/sudo<64> If set via LDAP, parsing of @sysconfdir@/sudo<64>
ers will be skipped. This is intended for an ers will be skipped. This is intended for an
@@ -575,6 +586,18 @@ SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4)
loglinelen Number of characters per line for the file loglinelen Number of characters per line for the file
log. This value is used to decide when to log. This value is used to decide when to
wrap lines for nicer log files. This has no wrap lines for nicer log files. This has no
1.6.9 September 30, 2004 9
SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4)
effect on the syslog log file, only the file effect on the syslog log file, only the file
log. The default is 80 (use 0 or negate the log. The default is 80 (use 0 or negate the
option to disable word wrap). option to disable word wrap).
@@ -586,18 +609,6 @@ SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4)
word. If set to a value less than 0 the word. If set to a value less than 0 the
user's timestamp will never expire. This can user's timestamp will never expire. This can
be used to allow users to create or delete be used to allow users to create or delete
1.6.8 September 6, 2004 9
SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4)
their own timestamps via sudo -v and sudo -k their own timestamps via sudo -v and sudo -k
respectively. respectively.
@@ -641,6 +652,18 @@ SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4)
%U expanded to the login name of the user %U expanded to the login name of the user
the command will be run as (defaults the command will be run as (defaults
1.6.9 September 30, 2004 10
SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4)
to root) to root)
%h expanded to the local hostname without %h expanded to the local hostname without
@@ -651,20 +674,8 @@ SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4)
machine's hostname is fully qualified machine's hostname is fully qualified
or the _f_q_d_n option is set) or the _f_q_d_n option is set)
%% two consecutive % characters are %% two consecutive % characters are col<6F>
laped into a single % character
1.6.8 September 6, 2004 10
SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4)
collaped into a single % character
The default value is Password:. The default value is Password:.
@@ -707,6 +718,18 @@ SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4)
never Never lecture the user. never Never lecture the user.
1.6.9 September 30, 2004 11
SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4)
once Only lecture the user the first time once Only lecture the user the first time
they run ssuuddoo. they run ssuuddoo.
@@ -719,17 +742,6 @@ SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4)
lecture that will be used in place of the lecture that will be used in place of the
standard lecture if the named file exists. standard lecture if the named file exists.
1.6.8 September 6, 2004 11
SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4)
logfile Path to the ssuuddoo log file (not the syslog log logfile Path to the ssuuddoo log file (not the syslog log
file). Setting a path turns on logging to a file). Setting a path turns on logging to a
file; negating this option turns it off. file; negating this option turns it off.
@@ -772,6 +784,18 @@ SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4)
to use the --vv flag. to use the --vv flag.
always The user must always enter a password always The user must always enter a password
1.6.9 September 30, 2004 12
SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4)
to use the --vv flag. to use the --vv flag.
The default value is `all'. The default value is `all'.
@@ -784,18 +808,6 @@ SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4)
current host must have the NOPASSWD current host must have the NOPASSWD
flag set to avoid entering a password. flag set to avoid entering a password.
1.6.8 September 6, 2004 12
SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4)
any At least one of the user's _s_u_d_o_e_r_s any At least one of the user's _s_u_d_o_e_r_s
entries for the current host must have entries for the current host must have
the NOPASSWD flag set to avoid enter<65> the NOPASSWD flag set to avoid enter<65>
@@ -838,6 +850,18 @@ SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4)
dangerous variables from the environment of dangerous variables from the environment of
any setuid process (such as ssuuddoo). any setuid process (such as ssuuddoo).
1.6.9 September 30, 2004 13
SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4)
env_keep Environment variables to be preserved in the env_keep Environment variables to be preserved in the
user's environment when the _e_n_v___r_e_s_e_t option user's environment when the _e_n_v___r_e_s_e_t option
is in effect. This allows fine-grained con<6F> is in effect. This allows fine-grained con<6F>
@@ -850,18 +874,6 @@ SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4)
respectively. This list has no default mem<65> respectively. This list has no default mem<65>
bers. bers.
1.6.8 September 6, 2004 13
SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4)
When logging via _s_y_s_l_o_g(3), ssuuddoo accepts the following When logging via _s_y_s_l_o_g(3), ssuuddoo accepts the following
values for the syslog facility (the value of the ssyysslloogg values for the syslog facility (the value of the ssyysslloogg
Parameter): aauutthhpprriivv (if your OS supports it), aauutthh, ddaaee<><08> Parameter): aauutthhpprriivv (if your OS supports it), aauutthh, ddaaee<><08>
@@ -882,7 +894,8 @@ SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4)
Runas_Spec ::= '(' Runas_List ')' Runas_Spec ::= '(' Runas_List ')'
Tag_Spec ::= ('NOPASSWD:' | 'PASSWD:' | 'NOEXEC:' | 'EXEC:') Tag_Spec ::= ('NOPASSWD:' | 'PASSWD:' | 'NOEXEC:' | 'EXEC:' |
'TRACE' | 'NOTRACE')
A uusseerr ssppeecciiffiiccaattiioonn determines which commands a user may A uusseerr ssppeecciiffiiccaattiioonn determines which commands a user may
run (and as what user) on specified hosts. By default, run (and as what user) on specified hosts. By default,
@@ -903,6 +916,18 @@ SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4)
dgb boulder = (operator) /bin/ls, /bin/kill, /usr/bin/lprm dgb boulder = (operator) /bin/ls, /bin/kill, /usr/bin/lprm
The user ddggbb may run _/_b_i_n_/_l_s, _/_b_i_n_/_k_i_l_l, and _/_u_s_r_/_b_i_n_/_l_p_r_m The user ddggbb may run _/_b_i_n_/_l_s, _/_b_i_n_/_k_i_l_l, and _/_u_s_r_/_b_i_n_/_l_p_r_m
1.6.9 September 30, 2004 14
SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4)
-- but only as ooppeerraattoorr. E.g., -- but only as ooppeerraattoorr. E.g.,
$ sudo -u operator /bin/ls. $ sudo -u operator /bin/ls.
@@ -915,27 +940,14 @@ SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4)
Then user ddggbb is now allowed to run _/_b_i_n_/_l_s as ooppeerraattoorr, Then user ddggbb is now allowed to run _/_b_i_n_/_l_s as ooppeerraattoorr,
but _/_b_i_n_/_k_i_l_l and _/_u_s_r_/_b_i_n_/_l_p_r_m as rroooott. but _/_b_i_n_/_k_i_l_l and _/_u_s_r_/_b_i_n_/_l_p_r_m as rroooott.
1.6.8 September 6, 2004 14
SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4)
TTaagg__SSppeecc TTaagg__SSppeecc
A command may have zero or more tags associated with it. A command may have zero or more tags associated with it.
There are four possible tag values, NOPASSWD, PASSWD, There are four possible tag values, NOPASSWD, PASSWD,
NOEXEC, EXEC. Once a tag is set on a Cmnd, subsequent NOEXEC, EXEC, TRACE and NOTRACE. Once a tag is set on a
Cmnds in the Cmnd_Spec_List, inherit the tag unless it is Cmnd, subsequent Cmnds in the Cmnd_Spec_List, inherit the
overridden by the opposite tag (ie: PASSWD overrides tag unless it is overridden by the opposite tag (ie:
NOPASSWD and EXEC overrides NOEXEC). PASSWD overrides NOPASSWD and NOTRACE overrides TRACE).
_N_O_P_A_S_S_W_D _a_n_d _P_A_S_S_W_D _N_O_P_A_S_S_W_D _a_n_d _P_A_S_S_W_D
@@ -969,23 +981,11 @@ SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4)
_N_O_E_X_E_C _a_n_d _E_X_E_C _N_O_E_X_E_C _a_n_d _E_X_E_C
If sudo has been compiled with _n_o_e_x_e_c support and the If ssuuddoo has been compiled with _n_o_e_x_e_c support and the
underlying operating system support it, the NOEXEC tag can
be used to prevent a dynamically-linked executable from
running further commands itself.
In the following example, user aaaarroonn may run _/_u_s_r_/_b_i_n_/_m_o_r_e
and _/_u_s_r_/_b_i_n_/_v_i but shell escapes will be disabled.
aaron shanty = NOEXEC: /usr/bin/more, /usr/bin/vi
See the "PREVENTING SHELL ESCAPES" section below for more
details on how _n_o_e_x_e_c works and whether or not it will
work on your system.
1.6.8 September 6, 2004 15 1.6.9 September 30, 2004 15
@@ -994,6 +994,38 @@ SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4)
SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4) SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4)
underlying operating system supports it, the NOEXEC tag
can be used to prevent a dynamically-linked executable
from running further commands itself.
In the following example, user aaaarroonn may run _/_u_s_r_/_b_i_n_/_m_o_r_e
and _/_u_s_r_/_b_i_n_/_v_i but shell escapes will be disabled.
aaron shanty = NOEXEC: /usr/bin/more, /usr/bin/vi
See the "PREVENTING SHELL ESCAPES" section below for more
details on how NOEXEC works and whether or not it will
work on your system.
_T_R_A_C_E _a_n_d _N_O_T_R_A_C_E
If ssuuddoo has been configured with the --with-systrace
option, the TRACE tag can be used to cause programs
spawned by a command to be checked against _s_u_d_o_e_r_s and
logged just like they would be if run through ssuuddoo
directly. This is useful in conjunction with commands
that allow shell escapes such as editors, shells and pagi<67>
nators.
In the following example, user cchhuucckk may run any command
on the machine research with tracing enabled.
chuck research = TRACE: ALL
See the "PREVENTING SHELL ESCAPES" section below for more
details on how TRACE works and whether or not it will work
on your system.
WWiillddccaarrddss WWiillddccaarrddss
ssuuddoo allows shell-style _w_i_l_d_c_a_r_d_s (aka meta or glob char<61> ssuuddoo allows shell-style _w_i_l_d_c_a_r_d_s (aka meta or glob char<61>
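Review bot: the new `TRACE and NOTRACE` subsection says the tag is usable "If sudo has been configured with the --with-systrace option" but never says what happens when a sudoers file containing `TRACE:` is read by a build without that option: is the tag rejected by the parser, accepted and ignored, or does the command fail? The `trace` flag text added in this same change promises "no effect" on unsupported systems; the tag wording should state the equivalent explicitly, because an administrator relying on `chuck research = TRACE: ALL` for logging of shell escapes needs to know that on such a build `ALL` is granted with no tracing at all. A one-line pointer to the "not a panacea" caveat in `PREVENTING SHELL ESCAPES` would also fit here, since the example grants `ALL` with tracing as the only safeguard.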
@@ -1016,6 +1048,18 @@ SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4)
Note that a forward slash ('/') will nnoott be matched by Note that a forward slash ('/') will nnoott be matched by
wildcards used in the pathname. When matching the command wildcards used in the pathname. When matching the command
1.6.9 September 30, 2004 16
SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4)
line arguments, however, a slash ddooeess get matched by wild<6C> line arguments, however, a slash ddooeess get matched by wild<6C>
cards. This is to make a path like: cards. This is to make a path like:
@@ -1047,19 +1091,6 @@ SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4)
This limitation will be removed in a future version of This limitation will be removed in a future version of
ssuuddoo. ssuuddoo.
1.6.8 September 6, 2004 16
SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4)
EExxcceeppttiioonnss ttoo wwiillddccaarrdd rruulleess EExxcceeppttiioonnss ttoo wwiillddccaarrdd rruulleess
The following exceptions apply to the above rules: The following exceptions apply to the above rules:
@@ -1068,13 +1099,48 @@ SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4)
argument in the _s_u_d_o_e_r_s entry it means that com<6F> argument in the _s_u_d_o_e_r_s entry it means that com<6F>
mand is not allowed to be run with aannyy arguments. mand is not allowed to be run with aannyy arguments.
IInncclluuddiinngg ootthheerr ffiilleess ffrroomm wwiitthhiinn ssuuddooeerrss
It is possible to include other _s_u_d_o_e_r_s files from within
the _s_u_d_o_e_r_s file currently being parsed using the #include
directive, similar to the one used by the C preprocessor.
This is useful, for example, for keeping a site-wide _s_u_d_o_<08>
_e_r_s file in addition to a per-machine local one. For the
sake of this example the site-wide _s_u_d_o_e_r_s will be
_/_e_t_c_/_s_u_d_o_e_r_s and the per-machine one will be _/_e_t_c_/_s_u_d_o_<08>
_e_r_s_._l_o_c_a_l. To include _/_e_t_c_/_s_u_d_o_e_r_s_._l_o_c_a_l from _/_e_t_c_/_s_u_d_o_<08>
_e_r_s we would use the following line in _/_e_t_c_/_s_u_d_o_e_r_s:
#include /etc/sudoers.local
When ssuuddoo reaches this line it will suspend processing of
1.6.9 September 30, 2004 17
SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4)
the current file (_/_e_t_c_/_s_u_d_o_e_r_s) and switch to _/_e_t_c_/_s_u_d_o_<08>
_e_r_s_._l_o_c_a_l. Upon reaching the end of _/_e_t_c_/_s_u_d_o_e_r_s_._l_o_c_a_l,
the rest of _/_e_t_c_/_s_u_d_o_e_r_s will be processed. Files that
are included may themselves include other files. A hard
limit of 128 nested include files is enforced to prevent
include file loops.
OOtthheerr ssppeecciiaall cchhaarraacctteerrss aanndd rreesseerrvveedd wwoorrddss OOtthheerr ssppeecciiaall cchhaarraacctteerrss aanndd rreesseerrvveedd wwoorrddss
The pound sign ('#') is used to indicate a comment (unless The pound sign ('#') is used to indicate a comment (unless
it occurs in the context of a user name and is followed by it is part of a #include directive or unless it occurs in
one or more digits, in which case it is treated as a uid). the context of a user name and is followed by one or more
Both the comment character and any text after it, up to digits, in which case it is treated as a uid). Both the
the end of the line, are ignored. comment character and any text after it, up to the end of
the line, are ignored.
The reserved word AALLLL is a built-in _a_l_i_a_s that always The reserved word AALLLL is a built-in _a_l_i_a_s that always
causes a match to succeed. It can be used wherever one causes a match to succeed. It can be used wherever one
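Review bot: the new `Including other files from within sudoers` subsection does not say whether an included file must satisfy the same ownership and mode requirements as the main sudoers file, whether the `#include` path may be relative, or whether visudo validates included files. A writable include is as powerful as a writable `/etc/sudoers`, so the subsection should spell out which checks apply before an administrator points `#include` at a per-machine path. The "hard limit of 128 nested include files" is a depth bound rather than cycle detection; wording it as a depth limit avoids readers assuming that a file which includes itself is detected outright rather than cut off after 128 levels.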
@@ -1117,7 +1183,7 @@ EEXXAAMMPPLLEESS
1.6.8 September 6, 2004 17 1.6.9 September 30, 2004 18
@@ -1183,7 +1249,7 @@ SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4)
1.6.8 September 6, 2004 18 1.6.9 September 30, 2004 19
@@ -1249,7 +1315,7 @@ SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4)
1.6.8 September 6, 2004 19 1.6.9 September 30, 2004 20
@@ -1315,7 +1381,7 @@ SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4)
1.6.8 September 6, 2004 20 1.6.9 September 30, 2004 21
@@ -1359,29 +1425,29 @@ PPRREEVVEENNTTIINNGG SSHHEELLLL EESSCCAAPPEESS
whatever it pleases, including run other programs. This whatever it pleases, including run other programs. This
can be a security issue since it is not uncommon for a can be a security issue since it is not uncommon for a
program to allow shell escapes, which lets a user bypass program to allow shell escapes, which lets a user bypass
ssuuddoo's restrictions. Common programs that permit shell ssuuddoo's access control and logging. Common programs that
escapes include shells (obviously), editors, paginators, permit shell escapes include shells (obviously), editors,
mail and terminal programs. paginators, mail and terminal programs.
Many systems that support shared libraries have the abil<69> There are three basic approaches to this problem:
ity to override default library functions by pointing an
environment variable (usually LD_PRELOAD) to an alternate
shared library. On such systems, ssuuddoo's _n_o_e_x_e_c function<6F>
ality can be used to prevent a program run by sudo from
executing any other programs. Note, however, that this
applies only to native dynamically-linked executables.
Statically-linked executables and foreign executables run<75>
ning under binary emulation are not affected.
To tell whether or not ssuuddoo supports _n_o_e_x_e_c, you can run restrict Avoid giving users access to commands that allow
the following as root: the user to run arbitrary commands. Many edi<64>
tors have a restricted mode where shell escapes
are disabled, though ssuuddooeeddiitt is a better solu<6C>
tion to running editors via sudo. Due to the
large number of programs that offer shell
escapes, restricting users to the set of pro<72>
grams that do not if often unworkable.
sudo -V | grep "dummy exec" noexec Many systems that support shared libraries have
the ability to override default library func<6E>
tions by pointing an environment variable (usu<73>
ally LD_PRELOAD) to an alternate shared library.
1.6.9 September 30, 2004 22
1.6.8 September 6, 2004 21
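Review bot: typo in the new `restrict` paragraph: "restricting users to the set of programs that do not if often unworkable" should read "is often unworkable". The reworded opening ("lets a user bypass sudo's access control and logging") is an improvement over the old "restrictions", since the logging gap is the part administrators most often overlook.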
@@ -1390,38 +1456,95 @@ PPRREEVVEENNTTIINNGG SSHHEELLLL EESSCCAAPPEESS
SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4) SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4)
If the resulting output contains a line that begins with: On such systems, ssuuddoo's _n_o_e_x_e_c functionality can
be used to prevent a program run by sudo from
executing any other programs. Note, however,
that this applies only to native dynamically-
linked executables. Statically-linked executa<74>
bles and foreign executables running under
binary emulation are not affected.
To tell whether or not ssuuddoo supports _n_o_e_x_e_c, you
can run the following as root:
sudo -V | grep "dummy exec"
If the resulting output contains a line that
begins with:
File containing dummy exec functions: File containing dummy exec functions:
then ssuuddoo may be able to replace the exec family of func<6E> then ssuuddoo may be able to replace the exec family
tions in the standard library with its own that simply of functions in the standard library with its
return an error. Unfortunately, there is no foolproof way own that simply return an error. Unfortunately,
to know whether or not _n_o_e_x_e_c will work at compile-time. there is no foolproof way to know whether or not
_N_o_e_x_e_c should work on SunOS, Solaris, *BSD, Linux, IRIX, _n_o_e_x_e_c will work at compile-time. _N_o_e_x_e_c should
Tru64 UNIX, MacOS X, and HP-UX 11.x. It is known nnoott to work on SunOS, Solaris, *BSD, Linux, IRIX, Tru64
work on AIX and UnixWare. _N_o_e_x_e_c is expected to work on UNIX, MacOS X, and HP-UX 11.x. It is known nnoott
most operating systems that support the LD_PRELOAD envi<76> to work on AIX and UnixWare. _N_o_e_x_e_c is expected
ronment variable. Check your operating system's manual to work on most operating systems that support
pages for the dynamic linker (usually ld.so, ld.so.1, the LD_PRELOAD environment variable. Check your
dyld, dld.sl, rld, or loader) to see if LD_PRELOAD is sup<75> operating system's manual pages for the dynamic
linker (usually ld.so, ld.so.1, dyld, dld.sl,
rld, or loader) to see if LD_PRELOAD is sup<75>
ported. ported.
To enable _n_o_e_x_e_c for a command, use the NOEXEC tag as doc<6F> To enable _n_o_e_x_e_c for a command, use the NOEXEC
umented in the User Specification section above. Here is tag as documented in the User Specification sec<EFBFBD>
that example again: tion above. Here is that example again:
aaron shanty = NOEXEC: /usr/bin/more, /usr/bin/vi aaron shanty = NOEXEC: /usr/bin/more, /usr/bin/vi
This allows user aaaarroonn to run _/_u_s_r_/_b_i_n_/_m_o_r_e and This allows user aaaarroonn to run _/_u_s_r_/_b_i_n_/_m_o_r_e and
_/_u_s_r_/_b_i_n_/_v_i with _n_o_e_x_e_c enabled. This will prevent those _/_u_s_r_/_b_i_n_/_v_i with _n_o_e_x_e_c enabled. This will pre<EFBFBD>
two commands from executing other commands (such as a vent those two commands from executing other
shell). If you are unsure whether or not your system is commands (such as a shell). If you are unsure
capable of supporting _n_o_e_x_e_c you can always just try it whether or not your system is capable of sup<75>
out and see if it works. porting _n_o_e_x_e_c you can always just try it out
and see if it works.
Note that disabling shell escapes is not a panacea. Pro<72> tracing On operating systems that support the ssyyssttrraaccee
grams running as root are still capable of many poten<65> pseudo-device, the --with-systrace configure
option can be used to compile support for com<6F>
mand tracing in ssuuddoo. With ssyyssttrraaccee support
ssuuddoo can transparently intercept a new command,
allow or deny it based on _s_u_d_o_e_r_s, and log the
result. This does require that ssuuddoo become a
1.6.9 September 30, 2004 23
SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4)
daemon that persists until the command and all
its descendents have finished.
To enable tracing on a per-command basis, use
the TRACE tag as documented in the User Specifi<66>
cation section above. Here is that example
again:
chuck research = TRACE: ALL
This allows user cchhuucckk to run any command on the
machine research with tracing enabled. Any com<6F>
mands run via shell escapes will be logged by
sudo.
At the time of this writing the ssyyssttrraaccee pseudo-
device comes standard with OpenBSD and NetBSD
and is available as patches to FreeBSD, MacOS X
and Linux. See <http://www.systrace.org/> for
more information.
Note that restricting shell escapes is not a panacea.
Programs running as root are still capable of many poten<65>
tially hazardous operations (such as changing or overwrit<69> tially hazardous operations (such as changing or overwrit<69>
ing files) that could lead to unintended privilege escala<6C> ing files) that could lead to unintended privilege escala<6C>
tion. In the specific case of an editor, a safer approach tion. In the specific case of an editor, a safer approach
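Review bot: spelling in the new `tracing` paragraph: "all its descendents have finished" should be "descendants". The `noexec` paragraph directly above carries an explicit list of what it does not cover (statically-linked executables, binaries under emulation), whereas the `tracing` paragraph states only that "Any commands run via shell escapes will be logged by sudo" with no limitations at all; if tracing has limitations of its own, the same kind of caveat belongs here so the three approaches can be compared on equal terms. Moving the "not a panacea" paragraph below all three approaches is the right placement, since it applies to each of them.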
@@ -1443,19 +1566,6 @@ CCAAVVEEAATTSS
hostname be fully qualified as returned by the hostname hostname be fully qualified as returned by the hostname
command or use the _f_q_d_n option in _s_u_d_o_e_r_s. command or use the _f_q_d_n option in _s_u_d_o_e_r_s.
1.6.8 September 6, 2004 22
SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4)
BBUUGGSS BBUUGGSS
If you feel you have found a bug in ssuuddoo, please submit a If you feel you have found a bug in ssuuddoo, please submit a
bug report at http://www.sudo.ws/sudo/bugs/ bug report at http://www.sudo.ws/sudo/bugs/
@@ -1465,9 +1575,21 @@ SSUUPPPPOORRTT
http://www.sudo.ws/sudo/support.html for details. http://www.sudo.ws/sudo/support.html for details.
Limited free support is available via the sudo-users mail<69> Limited free support is available via the sudo-users mail<69>
ing list, see http://www.sudo.ws/mail<69> ing list, see
man/listinfo/sudo-users to subscribe or search the
archives.
1.6.9 September 30, 2004 24
SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4)
http://www.sudo.ws/mailman/listinfo/sudo-users to sub<75>
scribe or search the archives.
DDIISSCCLLAAIIMMEERR DDIISSCCLLAAIIMMEERR
SSuuddoo is provided ``AS IS'' and any express or implied war<61> SSuuddoo is provided ``AS IS'' and any express or implied war<61>
@@ -1513,6 +1635,16 @@ DDIISSCCLLAAIIMMEERR
1.6.8 September 6, 2004 23
1.6.9 September 30, 2004 25


@@ -149,7 +149,7 @@
.\" ======================================================================== .\" ========================================================================
.\" .\"
.IX Title "SUDOERS @mansectform@" .IX Title "SUDOERS @mansectform@"
.TH SUDOERS @mansectform@ "September 6, 2004" "1.6.8" "MAINTENANCE COMMANDS" .TH SUDOERS @mansectform@ "September 30, 2004" "1.6.9" "MAINTENANCE COMMANDS"
.SH "NAME" .SH "NAME"
sudoers \- list of which users may execute what sudoers \- list of which users may execute what
.SH "DESCRIPTION" .SH "DESCRIPTION"
@@ -589,6 +589,14 @@ the \-\-with\-logincap option. This flag is \fIoff\fR by default.
If set, all commands run via sudo will behave as if the \f(CW\*(C`NOEXEC\*(C'\fR If set, all commands run via sudo will behave as if the \f(CW\*(C`NOEXEC\*(C'\fR
tag has been set, unless overridden by a \f(CW\*(C`EXEC\*(C'\fR tag. See the tag has been set, unless overridden by a \f(CW\*(C`EXEC\*(C'\fR tag. See the
description of \fI\s-1NOEXEC\s0 and \s-1EXEC\s0\fR below as well as the \*(L"\s-1PREVENTING\s0 \s-1SHELL\s0 \s-1ESCAPES\s0\*(R" section at the end of this manual. This flag is \fIoff\fR by default. description of \fI\s-1NOEXEC\s0 and \s-1EXEC\s0\fR below as well as the \*(L"\s-1PREVENTING\s0 \s-1SHELL\s0 \s-1ESCAPES\s0\*(R" section at the end of this manual. This flag is \fIoff\fR by default.
.IP "trace" 12
.IX Item "trace"
If set, all commands run via sudo will behave as if the \f(CW\*(C`TRACE\*(C'\fR
tag has been set, unless overridden by a \f(CW\*(C`NOTRACE\*(C'\fR tag. See the
description of \fI\s-1TRACE\s0 and \s-1NOTRACE\s0\fR below as well as the \*(L"\s-1PREVENTING\s0 \s-1SHELL\s0 \s-1ESCAPES\s0\*(R" section at the end of this manual. Be aware that
tracing is only supported on certain operating systems. On systems
where it is not supported this flag will have no effect.
This flag is \fIoff\fR by default.
.IP "ignore_local_sudoers" 12 .IP "ignore_local_sudoers" 12
.IX Item "ignore_local_sudoers" .IX Item "ignore_local_sudoers"
If set via \s-1LDAP\s0, parsing of \f(CW@sysconfdir\fR@/sudoers will be skipped. If set via \s-1LDAP\s0, parsing of \f(CW@sysconfdir\fR@/sudoers will be skipped.
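Review bot: the new `trace` entry says that on systems where tracing is not supported "this flag will have no effect", but not whether sudo reports that. An administrator who sets `trace` expecting shell escapes to be logged needs a way to learn that the option is inert on the running build (for instance a note on what `sudo -V` shows, or a warning from visudo or sudo when the flag is set on a build without systrace support); silently ignoring a logging control is the worst outcome. The same wording is generated into the sudoers cat page in the `@@ -548,6 +548,17 @@` hunk.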
@@ -867,8 +875,9 @@ supported: \fBalert\fR, \fBcrit\fR, \fBdebug\fR, \fBemerg\fR, \fBerr\fR, \fBinfo
\& Runas_Spec ::= '(' Runas_List ')' \& Runas_Spec ::= '(' Runas_List ')'
.Ve .Ve
.PP .PP
.Vb 1 .Vb 2
\& Tag_Spec ::= ('NOPASSWD:' | 'PASSWD:' | 'NOEXEC:' | 'EXEC:') \& Tag_Spec ::= ('NOPASSWD:' | 'PASSWD:' | 'NOEXEC:' | 'EXEC:' |
\& 'TRACE' | 'NOTRACE')
.Ve .Ve
.PP .PP
A \fBuser specification\fR determines which commands a user may run A \fBuser specification\fR determines which commands a user may run
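Review bot: the new `Tag_Spec` alternatives `'TRACE' | 'NOTRACE'` omit the trailing colon that every other tag carries (`'NOPASSWD:' | 'PASSWD:' | 'NOEXEC:' | 'EXEC:'`), while the example added elsewhere in this change is written `chuck research = TRACE: ALL`. Either the production should read `'TRACE:' | 'NOTRACE:'` or the example should drop the colon; as written a reader cannot tell which form the parser accepts. The cat page copy of the grammar in the `@@ -882,7 +894,8 @@` hunk has the same inconsistency.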
@@ -907,11 +916,12 @@ but \fI/bin/kill\fR and \fI/usr/bin/lprm\fR as \fBroot\fR.
.Sh "Tag_Spec" .Sh "Tag_Spec"
.IX Subsection "Tag_Spec" .IX Subsection "Tag_Spec"
A command may have zero or more tags associated with it. There are A command may have zero or more tags associated with it. There are
four possible tag values, \f(CW\*(C`NOPASSWD\*(C'\fR, \f(CW\*(C`PASSWD\*(C'\fR, \f(CW\*(C`NOEXEC\*(C'\fR, \f(CW\*(C`EXEC\*(C'\fR. four possible tag values, \f(CW\*(C`NOPASSWD\*(C'\fR, \f(CW\*(C`PASSWD\*(C'\fR, \f(CW\*(C`NOEXEC\*(C'\fR, \f(CW\*(C`EXEC\*(C'\fR,
\&\f(CW\*(C`TRACE\*(C'\fR and \f(CW\*(C`NOTRACE\*(C'\fR.
Once a tag is set on a \f(CW\*(C`Cmnd\*(C'\fR, subsequent \f(CW\*(C`Cmnd\*(C'\fRs in the Once a tag is set on a \f(CW\*(C`Cmnd\*(C'\fR, subsequent \f(CW\*(C`Cmnd\*(C'\fRs in the
\&\f(CW\*(C`Cmnd_Spec_List\*(C'\fR, inherit the tag unless it is overridden by the \&\f(CW\*(C`Cmnd_Spec_List\*(C'\fR, inherit the tag unless it is overridden by the
opposite tag (ie: \f(CW\*(C`PASSWD\*(C'\fR overrides \f(CW\*(C`NOPASSWD\*(C'\fR and \f(CW\*(C`EXEC\*(C'\fR opposite tag (ie: \f(CW\*(C`PASSWD\*(C'\fR overrides \f(CW\*(C`NOPASSWD\*(C'\fR and \f(CW\*(C`NOTRACE\*(C'\fR
overrides \f(CW\*(C`NOEXEC\*(C'\fR). overrides \f(CW\*(C`TRACE\*(C'\fR).
.PP .PP
\fI\s-1NOPASSWD\s0 and \s-1PASSWD\s0\fR \fI\s-1NOPASSWD\s0 and \s-1PASSWD\s0\fR
.IX Subsection "NOPASSWD and PASSWD" .IX Subsection "NOPASSWD and PASSWD"
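Review bot: the count in the first sentence of this hunk is now wrong: it still says "There are four possible tag values" while the list that follows names six (NOPASSWD, PASSWD, NOEXEC, EXEC, TRACE and NOTRACE); change "four" to "six". Swapping the EXEC/NOEXEC pair out of the parenthetical for NOTRACE/TRACE is fine, but keeping both pairs in the "ie:" example would make the override rule clearer for readers who only use NOEXEC.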
@@ -949,8 +959,8 @@ This behavior may be overridden via the verifypw and listpw options.
\fI\s-1NOEXEC\s0 and \s-1EXEC\s0\fR \fI\s-1NOEXEC\s0 and \s-1EXEC\s0\fR
.IX Subsection "NOEXEC and EXEC" .IX Subsection "NOEXEC and EXEC"
.PP .PP
If sudo has been compiled with \fInoexec\fR support and the underlying If \fBsudo\fR has been compiled with \fInoexec\fR support and the underlying
operating system support it, the \f(CW\*(C`NOEXEC\*(C'\fR tag can be used to prevent operating system supports it, the \f(CW\*(C`NOEXEC\*(C'\fR tag can be used to prevent
a dynamically-linked executable from running further commands itself. a dynamically-linked executable from running further commands itself.
.PP .PP
In the following example, user \fBaaron\fR may run \fI/usr/bin/more\fR In the following example, user \fBaaron\fR may run \fI/usr/bin/more\fR
@@ -961,7 +971,27 @@ and \fI/usr/bin/vi\fR but shell escapes will be disabled.
.Ve .Ve
.PP .PP
See the \*(L"\s-1PREVENTING\s0 \s-1SHELL\s0 \s-1ESCAPES\s0\*(R" section below for more details See the \*(L"\s-1PREVENTING\s0 \s-1SHELL\s0 \s-1ESCAPES\s0\*(R" section below for more details
on how \fInoexec\fR works and whether or not it will work on your system. on how \f(CW\*(C`NOEXEC\*(C'\fR works and whether or not it will work on your system.
.PP
\fI\s-1TRACE\s0 and \s-1NOTRACE\s0\fR
.IX Subsection "TRACE and NOTRACE"
.PP
If \fBsudo\fR has been configured with the \f(CW\*(C`\-\-with\-systrace\*(C'\fR option,
the \f(CW\*(C`TRACE\*(C'\fR tag can be used to cause programs spawned by a command
to be checked against \fIsudoers\fR and logged just like they would
be if run through \fBsudo\fR directly. This is useful in conjunction
with commands that allow shell escapes such as editors, shells and
paginators.
.PP
In the following example, user \fBchuck\fR may run any command on the
machine research with tracing enabled.
.PP
.Vb 1
\& chuck research = TRACE: ALL
.Ve
.PP
See the \*(L"\s-1PREVENTING\s0 \s-1SHELL\s0 \s-1ESCAPES\s0\*(R" section below for more details
on how \f(CW\*(C`TRACE\*(C'\fR works and whether or not it will work on your system.
.Sh "Wildcards" .Sh "Wildcards"
.IX Subsection "Wildcards" .IX Subsection "Wildcards"
\&\fBsudo\fR allows shell-style \fIwildcards\fR (aka meta or glob characters) \&\fBsudo\fR allows shell-style \fIwildcards\fR (aka meta or glob characters)
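Review bot: the new TRACE and NOTRACE subsection does not say what happens when a TRACE tag is present in sudoers but sudo was built without `--with-systrace` (or the kernel lacks the pseudo-device): whether the command still runs untraced, or the entry is refused. Since the tag exists to keep access control and logging in force across shell escapes, document which of the two it is, and consider having visudo warn when TRACE appears in a build that cannot honour it. Minor: in "machine research" the host name is set in plain text; the NOEXEC example above sets its user in bold (\fBaaron\fR), so the host should get the same or italic face so it reads as a name rather than a word.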
@@ -1037,13 +1067,34 @@ The following exceptions apply to the above rules:
If the empty string \f(CW""\fR is the only command line argument in the If the empty string \f(CW""\fR is the only command line argument in the
\&\fIsudoers\fR entry it means that command is not allowed to be run \&\fIsudoers\fR entry it means that command is not allowed to be run
with \fBany\fR arguments. with \fBany\fR arguments.
.Sh "Including other files from within sudoers"
.IX Subsection "Including other files from within sudoers"
It is possible to include other \fIsudoers\fR files from within the
\&\fIsudoers\fR file currently being parsed using the \f(CW\*(C`#include\*(C'\fR
directive, similar to the one used by the C preprocessor. This is
useful, for example, for keeping a site-wide \fIsudoers\fR file in
addition to a per-machine local one. For the sake of this example
the site-wide \fIsudoers\fR will be \fI/etc/sudoers\fR and the per-machine
one will be \fI/etc/sudoers.local\fR. To include \fI/etc/sudoers.local\fR
from \fI/etc/sudoers\fR we would use the following line in \fI/etc/sudoers\fR:
.PP
.Vb 1
\& #include /etc/sudoers.local
.Ve
.PP
When \fBsudo\fR reaches this line it will suspend processing of the
current file (\fI/etc/sudoers\fR) and switch to \fI/etc/sudoers.local\fR.
Upon reaching the end of \fI/etc/sudoers.local\fR, the rest of
\&\fI/etc/sudoers\fR will be processed. Files that are included may
themselves include other files. A hard limit of 128 nested include
files is enforced to prevent include file loops.
.Sh "Other special characters and reserved words" .Sh "Other special characters and reserved words"
.IX Subsection "Other special characters and reserved words" .IX Subsection "Other special characters and reserved words"
The pound sign ('#') is used to indicate a comment (unless it The pound sign ('#') is used to indicate a comment (unless it is
occurs in the context of a user name and is followed by one or part of a #include directive or unless it occurs in the context of
more digits, in which case it is treated as a uid). Both the a user name and is followed by one or more digits, in which case
comment character and any text after it, up to the end of the line, it is treated as a uid). Both the comment character and any text
are ignored. after it, up to the end of the line, are ignored.
.PP .PP
The reserved word \fB\s-1ALL\s0\fR is a built-in \fIalias\fR that always causes The reserved word \fB\s-1ALL\s0\fR is a built-in \fIalias\fR that always causes
a match to succeed. It can be used wherever one might otherwise a match to succeed. It can be used wherever one might otherwise
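Review bot: the #include description does not say what checks sudo applies to the included file. State whether an included file must meet the same ownership and mode requirements as sudoers itself, whether the path must be absolute, and whether a missing or unreadable include is a fatal parse error or is skipped; without that a reader cannot tell whether `#include /etc/sudoers.local` widens who can alter the effective policy. The 128-level cap is a depth limit, so it bounds runaway recursion but does not detect a cycle early; saying "a hard limit of 128 nested include files is enforced" and dropping "to prevent include file loops" would describe it more accurately.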
@@ -1318,10 +1369,21 @@ advisory at best (and reinforced by policy).
Once \fBsudo\fR executes a program, that program is free to do whatever Once \fBsudo\fR executes a program, that program is free to do whatever
it pleases, including run other programs. This can be a security it pleases, including run other programs. This can be a security
issue since it is not uncommon for a program to allow shell escapes, issue since it is not uncommon for a program to allow shell escapes,
which lets a user bypass \fBsudo\fR's restrictions. Common programs which lets a user bypass \fBsudo\fR's access control and logging.
that permit shell escapes include shells (obviously), editors, Common programs that permit shell escapes include shells (obviously),
paginators, mail and terminal programs. editors, paginators, mail and terminal programs.
.PP .PP
There are three basic approaches to this problem:
.IP "restrict" 10
.IX Item "restrict"
Avoid giving users access to commands that allow the user to run
arbitrary commands. Many editors have a restricted mode where shell
escapes are disabled, though \fBsudoedit\fR is a better solution to
running editors via sudo. Due to the large number of programs that
offer shell escapes, restricting users to the set of programs that
do not if often unworkable.
.IP "noexec" 10
.IX Item "noexec"
Many systems that support shared libraries have the ability to Many systems that support shared libraries have the ability to
override default library functions by pointing an environment override default library functions by pointing an environment
variable (usually \f(CW\*(C`LD_PRELOAD\*(C'\fR) to an alternate shared library. variable (usually \f(CW\*(C`LD_PRELOAD\*(C'\fR) to an alternate shared library.
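Review bot: typo in the "restrict" item: "restricting users to the set of programs that do not if often unworkable" should read "that do not is often unworkable". In the same item, "running editors via sudo" leaves sudo unemphasised while the rest of the page writes \fBsudo\fR.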
@@ -1330,20 +1392,20 @@ prevent a program run by sudo from executing any other programs.
Note, however, that this applies only to native dynamically-linked Note, however, that this applies only to native dynamically-linked
executables. Statically-linked executables and foreign executables executables. Statically-linked executables and foreign executables
running under binary emulation are not affected. running under binary emulation are not affected.
.PP .Sp
To tell whether or not \fBsudo\fR supports \fInoexec\fR, you can run To tell whether or not \fBsudo\fR supports \fInoexec\fR, you can run
the following as root: the following as root:
.PP .Sp
.Vb 1 .Vb 1
\& sudo -V | grep "dummy exec" \& sudo -V | grep "dummy exec"
.Ve .Ve
.PP .Sp
If the resulting output contains a line that begins with: If the resulting output contains a line that begins with:
.PP .Sp
.Vb 1 .Vb 1
\& File containing dummy exec functions: \& File containing dummy exec functions:
.Ve .Ve
.PP .Sp
then \fBsudo\fR may be able to replace the exec family of functions then \fBsudo\fR may be able to replace the exec family of functions
in the standard library with its own that simply return an error. in the standard library with its own that simply return an error.
Unfortunately, there is no foolproof way to know whether or not Unfortunately, there is no foolproof way to know whether or not
@@ -1354,25 +1416,52 @@ is expected to work on most operating systems that support the
\&\f(CW\*(C`LD_PRELOAD\*(C'\fR environment variable. Check your operating system's \&\f(CW\*(C`LD_PRELOAD\*(C'\fR environment variable. Check your operating system's
manual pages for the dynamic linker (usually ld.so, ld.so.1, dyld, manual pages for the dynamic linker (usually ld.so, ld.so.1, dyld,
dld.sl, rld, or loader) to see if \f(CW\*(C`LD_PRELOAD\*(C'\fR is supported. dld.sl, rld, or loader) to see if \f(CW\*(C`LD_PRELOAD\*(C'\fR is supported.
.PP .Sp
To enable \fInoexec\fR for a command, use the \f(CW\*(C`NOEXEC\*(C'\fR tag as documented To enable \fInoexec\fR for a command, use the \f(CW\*(C`NOEXEC\*(C'\fR tag as documented
in the User Specification section above. Here is that example again: in the User Specification section above. Here is that example again:
.PP .Sp
.Vb 1 .Vb 1
\& aaron shanty = NOEXEC: /usr/bin/more, /usr/bin/vi \& aaron shanty = NOEXEC: /usr/bin/more, /usr/bin/vi
.Ve .Ve
.PP .Sp
This allows user \fBaaron\fR to run \fI/usr/bin/more\fR and \fI/usr/bin/vi\fR This allows user \fBaaron\fR to run \fI/usr/bin/more\fR and \fI/usr/bin/vi\fR
with \fInoexec\fR enabled. This will prevent those two commands from with \fInoexec\fR enabled. This will prevent those two commands from
executing other commands (such as a shell). If you are unsure executing other commands (such as a shell). If you are unsure
whether or not your system is capable of supporting \fInoexec\fR you whether or not your system is capable of supporting \fInoexec\fR you
can always just try it out and see if it works. can always just try it out and see if it works.
.IP "tracing" 10
.IX Item "tracing"
On operating systems that support the \fBsystrace\fR pseudo\-device,
the \f(CW\*(C`\-\-with\-systrace\*(C'\fR configure option can be used to compile
support for command tracing in \fBsudo\fR. With \fBsystrace\fR support
\&\fBsudo\fR can transparently intercept a new command, allow or deny
it based on \fIsudoers\fR, and log the result. This does require that
\&\fBsudo\fR become a daemon that persists until the command and all its
descendents have finished.
.Sp
To enable tracing on a per-command basis, use the \f(CW\*(C`TRACE\*(C'\fR tag as
documented in the User Specification section above. Here is that
example again:
.Sp
.Vb 1
\& chuck research = TRACE: ALL
.Ve
.Sp
This allows user \fBchuck\fR to run any command on the machine research
with tracing enabled. Any commands run via shell escapes will be
logged by sudo.
.Sp
At the time of this writing the \fBsystrace\fR pseudo-device comes
standard with OpenBSD and NetBSD and is available as patches to
FreeBSD, MacOS X and Linux. See <http://www.systrace.org/> for
more information.
.PP .PP
Note that disabling shell escapes is not a panacea. Programs running Note that restricting shell escapes is not a panacea. Programs
as root are still capable of many potentially hazardous operations running as root are still capable of many potentially hazardous
(such as changing or overwriting files) that could lead to unintended operations (such as changing or overwriting files) that could lead
privilege escalation. In the specific case of an editor, a safer to unintended privilege escalation. In the specific case of an
approach is to give the user permission to run \fBsudoedit\fR. editor, a safer approach is to give the user permission to run
\&\fBsudoedit\fR.
.SH "SEE ALSO" .SH "SEE ALSO"
.IX Header "SEE ALSO" .IX Header "SEE ALSO"
\&\fIrsh\fR\|(1), \fIsu\fR\|(1), \fIfnmatch\fR\|(3), sudo(@mansectsu@), visudo(@mansectsu@) \&\fIrsh\fR\|(1), \fIsu\fR\|(1), \fIfnmatch\fR\|(3), sudo(@mansectsu@), visudo(@mansectsu@)
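Review bot: "descendents" in the tracing item should be "descendants". More importantly, the item says sudo must "become a daemon that persists until the command and all its descendents have finished" but not what happens to the traced command tree if that daemon exits early (killed, crashed, or out of resources): whether further execs are then denied or simply continue unmonitored. That fail-open versus fail-closed question is exactly what an administrator relying on TRACE for logging needs answered. Also, "logged by sudo" in the chuck paragraph should be \fBsudo\fR for consistency, and the "At the time of this writing" list of platforms will date quickly; consider leaving only the systrace.org pointer.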

View File

@@ -61,7 +61,7 @@ OOPPTTIIOONNSS
1.6.8 September 6, 2004 1 1.6.8p1 September 27, 2004 1
@@ -127,7 +127,7 @@ DDIIAAGGNNOOSSTTIICCSS
1.6.8 September 6, 2004 2 1.6.8p1 September 27, 2004 2
@@ -193,6 +193,6 @@ DDIISSCCLLAAIIMMEERR
1.6.8 September 6, 2004 3 1.6.8p1 September 27, 2004 3

View File

@@ -149,7 +149,7 @@
.\" ======================================================================== .\" ========================================================================
.\" .\"
.IX Title "VISUDO @mansectsu@" .IX Title "VISUDO @mansectsu@"
.TH VISUDO @mansectsu@ "September 6, 2004" "1.6.8" "MAINTENANCE COMMANDS" .TH VISUDO @mansectsu@ "September 27, 2004" "1.6.8p1" "MAINTENANCE COMMANDS"
.SH "NAME" .SH "NAME"
visudo \- edit the sudoers file visudo \- edit the sudoers file
.SH "SYNOPSIS" .SH "SYNOPSIS"
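Review bot: this .TH line stamps visudo as 1.6.8p1 dated September 27, 2004; confirm that is the intended release for this commit and that it matches the version and date stamped on the other man pages regenerated in the same commit, otherwise the installed documentation set will report two different releases.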