From b51afe62493d7edc4ef1766733a04356d0575b0f Mon Sep 17 00:00:00 2001
From: "Todd C. Miller"
Date: Tue, 14 Sep 2010 17:18:55 -0400
Subject: [PATCH] Implement --with-umask-override configure flag.
---
 INSTALL | 5 +
 config.h.in | 6 +-
 configure | 51 +++++--
 configure.in | 16 ++-
 doc/sudoers.cat | 270 +++++++++++++++++++++++--------------
 doc/sudoers.man.in | 12 +-
 doc/sudoers.pod | 2 +-
 plugins/sudoers/defaults.c | 3 +
 8 files changed, 241 insertions(+), 124 deletions(-)
diff --git a/INSTALL b/INSTALL
index b8fc6bf3b..3d982b269 100644
--- a/INSTALL
+++ b/INSTALL
@@ -453,6 +453,11 @@ The following options are also configurable at runtime:
 --without-umask Preserves the umask of the user invoking sudo.
+ --with-umask-override
+ Use the umask specified in sudoers even if it is less restrictive
+ than the user's. The default is to use the intersection of the
+ user's umask and the umask specified in sudoers.
+
 --with-runas-default=USER The default user to run commands as if the -u flag is not specified on the command line. This defaults to "root".
diff --git a/config.h.in b/config.h.in
index 6b7e3f46b..54a603ef6 100644
--- a/config.h.in
+++ b/config.h.in
@@ -671,7 +671,7 @@ /* The name of the sudoers plugin, including extension. */ #undef SUDOERS_PLUGIN -/* The umask that the root-run prog should use. */ +/* The umask that the sudo-run prog should use. */ #undef SUDO_UMASK /* The number of minutes before sudo asks for a password again. */
@@ -683,6 +683,10 @@ /* The number of tries a user gets to enter their password. */ #undef TRIES_FOR_PASSWORD +/* Define to 1 to use the umask specified in sudoers even when it is less restrictive than the invoking user's. */ +#undef UMASK_OVERRIDE + /* Define to 1 if the `unsetenv' function returns void instead of `int'. */ #undef UNSETENV_VOID
diff --git a/configure b/configure
index 35981dea3..a1c87737d 100755
--- a/configure
+++ b/configure
@@ -812,6 +812,7 @@ logfac lecture long_otp_prompt passprompt +umask_override sudo_umask password_timeout timeout @@ -956,6 +957,7 @@ with_sudoers_mode with_sudoers_uid with_sudoers_gid with_umask +with_umask_override with_runas_default with_exempt with_editor @@ -1717,6 +1719,8 @@ Optional Packages: --with-umask umask with which the prog should run (default is 022) --without-umask Preserves the umask of the user invoking sudo. + --with-umask-override Use the umask specified in sudoers even if it is + less restrictive than the user's. --with-runas-default User to run commands as (default is "root") --with-exempt=group no passwd needed for users in this group --with-editor=path Default editor for visudo (defaults to vi) @@ -2961,6 +2965,7 @@ $as_echo "$as_me: Configuring Sudo version $PACKAGE_VERSION" >&6;} + # @@ -2971,6 +2976,7 @@ timedir=/var/adm/sudo timeout=5 password_timeout=5 sudo_umask=0022 +umask_override=off passprompt="Password:" long_otp_prompt=off lecture=once @@ -4787,6 +4793,22 @@ else $as_echo "$sudo_umask" >&6; } fi + +# Check whether --with-umask-override was given. +if test "${with_umask_override+set}" = set; then : + withval=$with_umask_override; case $with_umask_override in + yes) $as_echo "#define UMASK_OVERRIDE 1" >>confdefs.h + + umask_override=on + ;; + no) umask_override=off + ;; + *) as_fn_error "\"--with-umask-override does not take an argument.\"" "$LINENO" 5 + ;; +esac +fi + + { $as_echo "$as_me:${as_lineno-$LINENO}: checking for default user to run commands as" >&5 $as_echo_n "checking for default user to run commands as... " >&6; } 
@@ -6748,13 +6770,13 @@ if test "${lt_cv_nm_interface+set}" = set; then : else lt_cv_nm_interface="BSD nm" echo "int some_variable = 0;" > conftest.$ac_ext - (eval echo "\"\$as_me:6751: $ac_compile\"" >&5) + (eval echo "\"\$as_me:6773: $ac_compile\"" >&5) (eval "$ac_compile" 2>conftest.err) cat conftest.err >&5 - (eval echo "\"\$as_me:6754: $NM \\\"conftest.$ac_objext\\\"\"" >&5) + (eval echo "\"\$as_me:6776: $NM \\\"conftest.$ac_objext\\\"\"" >&5) (eval "$NM \"conftest.$ac_objext\"" 2>conftest.err > conftest.out) cat conftest.err >&5 - (eval echo "\"\$as_me:6757: output\"" >&5) + (eval echo "\"\$as_me:6779: output\"" >&5) cat conftest.out >&5 if $GREP 'External.*some_variable' conftest.out > /dev/null; then lt_cv_nm_interface="MS dumpbin" @@ -7959,7 +7981,7 @@ ia64-*-hpux*) ;; *-*-irix6*) # Find out which ABI we are using. - echo '#line 7962 "configure"' > conftest.$ac_ext + echo '#line 7984 "configure"' > conftest.$ac_ext if { { eval echo "\"\$as_me\":${as_lineno-$LINENO}: \"$ac_compile\""; } >&5 (eval $ac_compile) 2>&5 ac_status=$? @@ -9351,11 +9373,11 @@ else -e 's:.*FLAGS}\{0,1\} :&$lt_compiler_flag :; t' \ -e 's: [^ ]*conftest\.: $lt_compiler_flag&:; t' \ -e 's:$: $lt_compiler_flag:'` - (eval echo "\"\$as_me:9354: $lt_compile\"" >&5) + (eval echo "\"\$as_me:9376: $lt_compile\"" >&5) (eval "$lt_compile" 2>conftest.err) ac_status=$? cat conftest.err >&5 - echo "$as_me:9358: \$? = $ac_status" >&5 + echo "$as_me:9380: \$? = $ac_status" >&5 if (exit $ac_status) && test -s "$ac_outfile"; then # The compiler can only warn and ignore the option if not recognized # So say no if there are warnings other than the usual output. 
@@ -9690,11 +9712,11 @@ else -e 's:.*FLAGS}\{0,1\} :&$lt_compiler_flag :; t' \ -e 's: [^ ]*conftest\.: $lt_compiler_flag&:; t' \ -e 's:$: $lt_compiler_flag:'` - (eval echo "\"\$as_me:9693: $lt_compile\"" >&5) + (eval echo "\"\$as_me:9715: $lt_compile\"" >&5) (eval "$lt_compile" 2>conftest.err) ac_status=$? cat conftest.err >&5 - echo "$as_me:9697: \$? = $ac_status" >&5 + echo "$as_me:9719: \$? = $ac_status" >&5 if (exit $ac_status) && test -s "$ac_outfile"; then # The compiler can only warn and ignore the option if not recognized # So say no if there are warnings other than the usual output. @@ -9795,11 +9817,11 @@ else -e 's:.*FLAGS}\{0,1\} :&$lt_compiler_flag :; t' \ -e 's: [^ ]*conftest\.: $lt_compiler_flag&:; t' \ -e 's:$: $lt_compiler_flag:'` - (eval echo "\"\$as_me:9798: $lt_compile\"" >&5) + (eval echo "\"\$as_me:9820: $lt_compile\"" >&5) (eval "$lt_compile" 2>out/conftest.err) ac_status=$? cat out/conftest.err >&5 - echo "$as_me:9802: \$? = $ac_status" >&5 + echo "$as_me:9824: \$? = $ac_status" >&5 if (exit $ac_status) && test -s out/conftest2.$ac_objext then # The compiler can only warn and ignore the option if not recognized @@ -9850,11 +9872,11 @@ else -e 's:.*FLAGS}\{0,1\} :&$lt_compiler_flag :; t' \ -e 's: [^ ]*conftest\.: $lt_compiler_flag&:; t' \ -e 's:$: $lt_compiler_flag:'` - (eval echo "\"\$as_me:9853: $lt_compile\"" >&5) + (eval echo "\"\$as_me:9875: $lt_compile\"" >&5) (eval "$lt_compile" 2>out/conftest.err) ac_status=$? cat out/conftest.err >&5 - echo "$as_me:9857: \$? = $ac_status" >&5 + echo "$as_me:9879: \$? = $ac_status" >&5 if (exit $ac_status) && test -s out/conftest2.$ac_objext then # The compiler can only warn and ignore the option if not recognized @@ -12217,7 +12239,7 @@ else lt_dlunknown=0; lt_dlno_uscore=1; lt_dlneed_uscore=2 lt_status=$lt_dlunknown cat > conftest.$ac_ext <<_LT_EOF -#line 12220 "configure" +#line 12242 "configure" #include "confdefs.h" #if HAVE_DLFCN_H 
@@ -12313,7 +12335,7 @@ else lt_dlunknown=0; lt_dlno_uscore=1; lt_dlneed_uscore=2 lt_status=$lt_dlunknown cat > conftest.$ac_ext <<_LT_EOF -#line 12316 "configure" +#line 12338 "configure" #include "confdefs.h" #if HAVE_DLFCN_H
@@ -20537,5 +20559,6 @@ fi +
diff --git a/configure.in b/configure.in
index eb6c9cb90..6a4a2c74d 100644
--- a/configure.in
+++ b/configure.in
@@ -69,6 +69,7 @@ AC_SUBST([timedir])dnl real initial value from SUDO_TIMEDIR
 AC_SUBST([timeout])
 AC_SUBST([password_timeout])
 AC_SUBST([sudo_umask])
+AC_SUBST([umask_override])
 AC_SUBST([passprompt])
 AC_SUBST([long_otp_prompt])
 AC_SUBST([lecture])
@@ -105,6 +106,7 @@ timedir=/var/adm/sudo
 timeout=5
 password_timeout=5
 sudo_umask=0022
+umask_override=off
 passprompt="Password:"
 long_otp_prompt=off
 lecture=once
@@ -796,13 +798,24 @@ AS_HELP_STRING([--without-umask], [Preserves the umask of the user invoking sudo
 *) AC_MSG_ERROR(["you must enter a numeric mask."])
 ;;
 esac])
-AC_DEFINE_UNQUOTED(SUDO_UMASK, $sudo_umask, [The umask that the root-run prog should use.])
+AC_DEFINE_UNQUOTED(SUDO_UMASK, $sudo_umask, [The umask that the sudo-run prog should use.])
 if test "$sudo_umask" = "0777"; then
 AC_MSG_RESULT(user)
 else
 AC_MSG_RESULT($sudo_umask)
 fi
+AC_ARG_WITH(umask-override, [AS_HELP_STRING([--with-umask-override], [Use the umask specified in sudoers even if it is less restrictive than the user's.])],
+[case $with_umask_override in
+ yes) AC_DEFINE(UMASK_OVERRIDE)
+ umask_override=on
+ ;;
+ no) umask_override=off
+ ;;
+ *) AC_MSG_ERROR(["--with-umask-override does not take an argument."])
+ ;;
+esac])
+
 AC_MSG_CHECKING(for default user to run commands as)
 AC_ARG_WITH(runas-default, [AS_HELP_STRING([--with-runas-default], [User to run commands as (default is "root")])],
 [case $with_runas_default in
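Review bot: The new `AC_ARG_WITH(umask-override, ...)` block in the `@@ -796,13 +798,24 @@` hunk accepts the option silently, whereas the neighbouring `--with-umask` block reports its outcome with `AC_MSG_RESULT`, so the configure transcript never records whether this loosening of the umask policy was switched on; add `AC_MSG_CHECKING(whether sudoers may override the user's umask)` before the `AC_ARG_WITH` and `AC_MSG_RESULT($umask_override)` after `esac])`. The block also does not notice `--without-umask` (which leaves `sudo_umask` at 0777, i.e. keep the invoking user's umask) combined with `--with-umask-override`; the two settings contradict each other, and an `AC_MSG_WARN` at that point would save a packager from a silently ineffective option, though how the runtime resolves that pair is not visible in this diff. `AC_SUBST([umask_override])` feeds the `@umask_override@` token that the doc/sudoers.pod and doc/sudoers.man.in hunks introduce, but the diffstat lists no change to the documentation build rules, so if those expand a fixed list of tokens the literal `@umask_override@` may reach the installed manual; worth confirming before the release.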
@@ -2868,6 +2881,7 @@ AH_TEMPLATE(SEND_MAIL_WHEN_NO_USER, [Define to 1 to send mail when the user is n
 AH_TEMPLATE(SHELL_IF_NO_ARGS, [Define to 1 if you want sudo to start a shell if given no arguments.])
 AH_TEMPLATE(SHELL_SETS_HOME, [Define to 1 if you want sudo to set $HOME in shell mode.])
 AH_TEMPLATE(STUB_LOAD_INTERFACES, [Define to 1 if the code in interfaces.c does not compile for you.])
+AH_TEMPLATE(UMASK_OVERRIDE, [Define to 1 to use the umask specified in sudoers even when it is less restrictive than the invoking user's.])
 AH_TEMPLATE(USE_ADMIN_FLAG, [Define to 1 if you want to create ~/.sudo_as_admin_successful if the user is in the admin group the first time they run sudo.])
 AH_TEMPLATE(USE_INSULTS, [Define to 1 if you want to insult the user for entering an incorrect password.])
 AH_TEMPLATE(USE_STOW, [Define to 1 if you use GNU stow packaging.])
diff --git a/doc/sudoers.cat b/doc/sudoers.cat
index 602c328bd..b0a2acaf4 100644
--- a/doc/sudoers.cat
+++ b/doc/sudoers.cat
@@ -61,7 +61,7 @@ DDEESSCCRRIIPPTTIIOONN -1.8.0b1 July 21, 2010 1 +1.8.0b1 September 14, 2010 1
@@ -127,7 +127,7 @@ SSUUDDOOEERRSS FFIILLEE FFOORRMMAATT -1.8.0b1 July 21, 2010 2 +1.8.0b1 September 14, 2010 2
@@ -193,7 +193,7 @@ SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4) -1.8.0b1 July 21, 2010 3 +1.8.0b1 September 14, 2010 3
@@ -259,7 +259,7 @@ SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4) -1.8.0b1 July 21, 2010 4 +1.8.0b1 September 14, 2010 4
@@ -325,7 +325,7 @@ SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4) -1.8.0b1 July 21, 2010 5 +1.8.0b1 September 14, 2010 5
@@ -391,7 +391,7 @@ SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4) -1.8.0b1 July 21, 2010 6 +1.8.0b1 September 14, 2010 6
@@ -457,7 +457,7 @@ SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4) -1.8.0b1 July 21, 2010 7 +1.8.0b1 September 14, 2010 7
@@ -523,7 +523,7 @@ SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4) -1.8.0b1 July 21, 2010 8 +1.8.0b1 September 14, 2010 8
@@ -589,7 +589,7 @@ SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4) -1.8.0b1 July 21, 2010 9 +1.8.0b1 September 14, 2010 9 @@ -655,7 +655,7 @@ SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4) -1.8.0b1 July 21, 2010 10 +1.8.0b1 September 14, 2010 10 @@ -716,12 +716,12 @@ SSUUDDOOEERRSS OOPPTTIIOONNSS that the --HH option is always implied. Note that HOME is already set when the the _e_n_v___r_e_s_e_t option is enabled, so _a_l_w_a_y_s___s_e_t___h_o_m_e is only effective for - configurations where _e_n_v___r_e_s_e_t is disabled. This flag - is _o_f_f by default. + configurations where either _e_n_v___r_e_s_e_t is disabled or + HOME is present in the _e_n_v___k_e_e_p list. This flag is _o_f_f -1.8.0b1 July 21, 2010 11 +1.8.0b1 September 14, 2010 11 @@ -730,6 +730,8 @@ SSUUDDOOEERRSS OOPPTTIIOONNSS SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4) + by default. + authenticate If set, users must authenticate themselves via a password (or other means of authentication) before they may run commands. This default may be overridden via @@ -782,12 +784,10 @@ SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4) the negation operator, '!', as such rules can be trivially bypassed. As such, this option should not be used when _s_u_d_o_e_r_s contains rules that contain negated - path names which include globbing characters. This - flag is _o_f_f by default. -1.8.0b1 July 21, 2010 12 +1.8.0b1 September 14, 2010 12 @@ -796,6 +796,9 @@ SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4) SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4) + path names which include globbing characters. This + flag is _o_f_f by default. + fqdn Set this flag if you want to put fully qualified host names in the _s_u_d_o_e_r_s file. I.e., instead of myhost you would use myhost.mydomain.edu. You may still use the 
@@ -848,12 +851,9 @@ SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4) mail_always Send mail to the _m_a_i_l_t_o user every time a users runs ssuuddoo. This flag is _o_f_f by default. - mail_badpass Send mail to the _m_a_i_l_t_o user if the user running ssuuddoo - does not enter the correct password. This flag is _o_f_f - -1.8.0b1 July 21, 2010 13 +1.8.0b1 September 14, 2010 13 @@ -862,6 +862,8 @@ SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4) SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4) + mail_badpass Send mail to the _m_a_i_l_t_o user if the user running ssuuddoo + does not enter the correct password. This flag is _o_f_f by default. mail_no_host If set, mail will be sent to the _m_a_i_l_t_o user if the @@ -914,12 +916,10 @@ SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4) the return (or enter) key. Some users become confused by this as it appears to them that ssuuddoo has hung at this point. When _p_w_f_e_e_d_b_a_c_k is set, ssuuddoo will provide - visual feedback when the user presses a key. Note that - this does have a security impact as an onlooker may be -1.8.0b1 July 21, 2010 14 +1.8.0b1 September 14, 2010 14 @@ -928,6 +928,8 @@ SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4) SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4) + visual feedback when the user presses a key. Note that + this does have a security impact as an onlooker may be able to determine the length of the password being entered. This flag is _o_f_f by default. 
@@ -961,8 +963,9 @@ SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4) --uu option is used). This effectively makes the --ss option imply --HH. Note that HOME is already set when the the _e_n_v___r_e_s_e_t option is enabled, so _s_e_t___h_o_m_e is - only effective for configurations where _e_n_v___r_e_s_e_t is - disabled. This flag is _o_f_f by default. + only effective for configurations where either + _e_n_v___r_e_s_e_t is disabled or HOME is present in the + _e_n_v___k_e_e_p list. This flag is _o_f_f by default. set_logname Normally, ssuuddoo will set the LOGNAME, USER and USERNAME environment variables to the name of the target user @@ -979,13 +982,10 @@ SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4) command line via the --EE option. Additionally, environment variables set via the command line are not subject to the restrictions imposed by _e_n_v___c_h_e_c_k, - _e_n_v___d_e_l_e_t_e, or _e_n_v___k_e_e_p. As such, only trusted users - should be allowed to set variables in this manner. - This flag is _o_f_f by default. -1.8.0b1 July 21, 2010 15 +1.8.0b1 September 14, 2010 15 @@ -994,6 +994,10 @@ SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4) SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4) + _e_n_v___d_e_l_e_t_e, or _e_n_v___k_e_e_p. As such, only trusted users + should be allowed to set variables in this manner. + This flag is _o_f_f by default. + shell_noargs If set and ssuuddoo is invoked with no arguments it acts as if the --ss option had been given. That is, it runs a shell as root (the shell is determined by the SHELL @@ -1044,14 +1048,10 @@ SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4) Output logs may be viewed with the _s_u_d_o_r_e_p_l_a_y(1m) utility, which can also be used to list or search the - available logs. - - tty_tickets If set, users must authenticate on a per-tty basis. - With this flag enabled, ssuuddoo will use a file named for -1.8.0b1 July 21, 2010 16 +1.8.0b1 September 14, 2010 16 
@@ -1060,6 +1060,10 @@ SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4) SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4) + available logs. + + tty_tickets If set, users must authenticate on a per-tty basis. + With this flag enabled, ssuuddoo will use a file named for the tty the user is logged in on in the user's time stamp directory. If disabled, the time stamp of the directory is used instead. This flag is _o_n by default. @@ -1110,14 +1114,10 @@ SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4) loglinelen Number of characters per line for the file log. This value is used to decide when to wrap lines for nicer log files. This has no effect on the syslog log file, - only the file log. The default is 80 (use 0 or negate - the option to disable word wrap). - - passwd_timeout Number of minutes before the ssuuddoo password prompt times -1.8.0b1 July 21, 2010 17 +1.8.0b1 September 14, 2010 17 @@ -1126,6 +1126,10 @@ SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4) SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4) + only the file log. The default is 80 (use 0 or negate + the option to disable word wrap). + + passwd_timeout Number of minutes before the ssuuddoo password prompt times out, or 0 for no timeout. The timeout may include a fractional component if minute granularity is insufficient, for example 2.5. The default is 5. @@ -1176,14 +1180,10 @@ SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4) passprompt The default prompt to use when asking for a password; can be overridden via the --pp option or the SUDO_PROMPT environment variable. The following percent (`%') - escapes are supported: - - %H expanded to the local host name including the - domain name (on if the machine's host name is fully -1.8.0b1 July 21, 2010 18 +1.8.0b1 September 14, 2010 18 
@@ -1192,6 +1192,10 @@ SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4) SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4) + escapes are supported: + + %H expanded to the local host name including the + domain name (on if the machine's host name is fully qualified or the _f_q_d_n option is set) %h expanded to the local host name without the domain @@ -1242,14 +1246,10 @@ SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4) security context to run the command. The default type may be overridden on a per-command basis in _s_u_d_o_e_r_s or via command line options. This option is only - available whe ssuuddoo is built with SELinux support. - - SSttrriinnggss tthhaatt ccaann bbee uusseedd iinn aa bboooolleeaann ccoonntteexxtt: - -1.8.0b1 July 21, 2010 19 +1.8.0b1 September 14, 2010 19 @@ -1258,6 +1258,10 @@ SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4) SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4) + available whe ssuuddoo is built with SELinux support. + + SSttrriinnggss tthhaatt ccaann bbee uusseedd iinn aa bboooolleeaann ccoonntteexxtt: + askpass The _a_s_k_p_a_s_s option specifies the fully qualified path to a helper program used to read the user's password when no terminal is available. This may be the case when ssuuddoo is @@ -1308,14 +1312,10 @@ SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4) once Only lecture the user the first time they run ssuuddoo. - If no value is specified, a value of _o_n_c_e is implied. - Negating the option results in a value of _n_e_v_e_r being used. - The default value is _o_n_c_e. - -1.8.0b1 July 21, 2010 20 +1.8.0b1 September 14, 2010 20 @@ -1324,6 +1324,10 @@ SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4) SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4) + If no value is specified, a value of _o_n_c_e is implied. + Negating the option results in a value of _n_e_v_e_r being used. + The default value is _o_n_c_e. + lecture_file Path to a file containing an alternate ssuuddoo lecture that will be used in place of the standard lecture if the named 
@@ -1374,14 +1378,10 @@ SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4) environment variable you may want to use this. Another use is if you want to have the "root path" be separate from the "user path." Users in the group specified by the - _e_x_e_m_p_t___g_r_o_u_p option are not affected by _s_e_c_u_r_e___p_a_t_h. This - option is not set by default. - - syslog Syslog facility if syslog is being used for logging (negate -1.8.0b1 July 21, 2010 21 +1.8.0b1 September 14, 2010 21 @@ -1390,6 +1390,10 @@ SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4) SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4) + _e_x_e_m_p_t___g_r_o_u_p option are not affected by _s_e_c_u_r_e___p_a_t_h. This + option is not set by default. + + syslog Syslog facility if syslog is being used for logging (negate to disable syslog logging). Defaults to auth. verifypw This option controls when a password will be required when @@ -1440,14 +1444,10 @@ SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4) default list of environment variables to remove is displayed when ssuuddoo is run by root with the _-_V option. Note that many operating systems will remove - potentially dangerous variables from the environment of - any setuid process (such as ssuuddoo). - - env_keep Environment variables to be preserved in the user's -1.8.0b1 July 21, 2010 22 +1.8.0b1 September 14, 2010 22 @@ -1456,6 +1456,10 @@ SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4) SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4) + potentially dangerous variables from the environment of + any setuid process (such as ssuuddoo). + + env_keep Environment variables to be preserved in the user's environment when the _e_n_v___r_e_s_e_t option is in effect. This allows fine-grained control over the environment ssuuddoo-spawned processes will receive. The argument may 
@@ -1506,14 +1510,10 @@ EEXXAAMMPPLLEESS # Runas alias specification Runas_Alias OP = root, operator Runas_Alias DB = oracle, sybase - Runas_Alias ADMINGRP = adm, oper - - # Host alias specification - Host_Alias SPARC = bigtime, eclipse, moet, anchor :\ -1.8.0b1 July 21, 2010 23 +1.8.0b1 September 14, 2010 23 @@ -1522,6 +1522,10 @@ EEXXAAMMPPLLEESS SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4) + Runas_Alias ADMINGRP = adm, oper + + # Host alias specification + Host_Alias SPARC = bigtime, eclipse, moet, anchor :\ SGI = grolsch, dandelion, black :\ ALPHA = widget, thalamus, foobar :\ HPPA = boa, nag, python @@ -1572,14 +1576,10 @@ SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4) We let rroooott and any user in group wwhheeeell run any command on any host as any user. - FULLTIMERS ALL = NOPASSWD: ALL - - Full time sysadmins (mmiilllleerrtt, mmiikkeeff, and ddoowwddyy) may run any command on - any host without authenticating themselves. -1.8.0b1 July 21, 2010 24 +1.8.0b1 September 14, 2010 24 @@ -1588,6 +1588,11 @@ SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4) SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4) + FULLTIMERS ALL = NOPASSWD: ALL + + Full time sysadmins (mmiilllleerrtt, mmiikkeeff, and ddoowwddyy) may run any command on + any host without authenticating themselves. + PARTTIMERS ALL = ALL Part time sysadmins (bboossttlleeyy, jjwwffooxx, and ccrraawwll) may run any command on @@ -1637,15 +1642,10 @@ SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4) jim +biglab = ALL - The user jjiimm may run any command on machines in the _b_i_g_l_a_b netgroup. - ssuuddoo knows that "biglab" is a netgroup due to the '+' prefix. - - +secretaries ALL = PRINTING, /usr/bin/adduser, /usr/bin/rmuser - -1.8.0b1 July 21, 2010 25 +1.8.0b1 September 14, 2010 25 
@@ -1654,6 +1654,11 @@ SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4) SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4) + The user jjiimm may run any command on machines in the _b_i_g_l_a_b netgroup. + ssuuddoo knows that "biglab" is a netgroup due to the '+' prefix. + + +secretaries ALL = PRINTING, /usr/bin/adduser, /usr/bin/rmuser + Users in the sseeccrreettaarriieess netgroup need to help manage the printers as well as add and remove users, so they are allowed to run those commands on all machines. @@ -1703,15 +1708,10 @@ SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4) This is a bit tedious for users to type, so it is a prime candidate for encapsulating in a shell script. -SSEECCUURRIITTYY NNOOTTEESS - It is generally not effective to "subtract" commands from ALL using the - '!' operator. A user can trivially circumvent this by copying the - desired command to a different name and then executing that. For - example: -1.8.0b1 July 21, 2010 26 +1.8.0b1 September 14, 2010 26 @@ -1720,6 +1720,12 @@ SSEECCUURRIITTYY NNOOTTEESS SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4) +SSEECCUURRIITTYY NNOOTTEESS + It is generally not effective to "subtract" commands from ALL using the + '!' operator. A user can trivially circumvent this by copying the + desired command to a different name and then executing that. For + example: + bill ALL = ALL, !SU, !SHELLS Doesn't really prevent bbiillll from running the commands listed in _S_U or @@ -1768,16 +1774,10 @@ PPRREEVVEENNTTIINNGG SSHHEELLLL EESSCCAAPPEESS any other programs. Note, however, that this applies only to native dynamically-linked executables. Statically-linked executables and foreign executables running under binary - emulation are not affected. - - To tell whether or not ssuuddoo supports _n_o_e_x_e_c, you can run the - following as root: - - sudo -V | grep "dummy exec" -1.8.0b1 July 21, 2010 27 +1.8.0b1 September 14, 2010 27 
@@ -1786,6 +1786,13 @@ PPRREEVVEENNTTIINNGG SSHHEELLLL EESSCCAAPPEESS SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4) + emulation are not affected. + + To tell whether or not ssuuddoo supports _n_o_e_x_e_c, you can run the + following as root: + + sudo -V | grep "dummy exec" + If the resulting output contains a line that begins with: File containing dummy exec functions: @@ -1834,16 +1841,9 @@ SSEECCUURRIITTYY NNOOTTEESS by root and inaccessible by any other user, the user placing files there would be unable to get them back out. - _s_u_d_o_e_r_s will not honor time stamps set far in the future. Time stamps - with a date greater than current_time + 2 * TIMEOUT will be ignored and - sudo will log and complain. This is done to keep a user from creating - his/her own time stamp with a bogus date on systems that allow users to - give away files if the time stamp directory is located in a world- - writable directory. - -1.8.0b1 July 21, 2010 28 +1.8.0b1 September 14, 2010 28 @@ -1852,6 +1852,13 @@ SSEECCUURRIITTYY NNOOTTEESS SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4) + _s_u_d_o_e_r_s will not honor time stamps set far in the future. Time stamps + with a date greater than current_time + 2 * TIMEOUT will be ignored and + sudo will log and complain. This is done to keep a user from creating + his/her own time stamp with a bogus date on systems that allow users to + give away files if the time stamp directory is located in a world- + writable directory. + On systems where the boot time is available, _s_u_d_o_e_r_s will ignore time stamps that date from before the machine booted. @@ -1899,6 +1906,18 @@ SSUUPPPPOORRTT http://www.sudo.ws/mailman/listinfo/sudo-users to subscribe or search the archives. + + + +1.8.0b1 September 14, 2010 29 + + + + + +SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4) + + DDIISSCCLLAAIIMMEERR ssuuddoo is provided ``AS IS'' and any express or implied warranties, including, but not limited to, the implied warranties of 
@@ -1909,6 +1928,53 @@ DDIISSCCLLAAIIMMEERR -1.8.0b1 July 21, 2010 29 + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +1.8.0b1 September 14, 2010 30 diff --git a/doc/sudoers.man.in b/doc/sudoers.man.in index e89c403f5..a4c169a1a 100644 --- a/doc/sudoers.man.in +++ b/doc/sudoers.man.in @@ -22,7 +22,7 @@ .nr BA @BAMAN@ .nr LC @LCMAN@ .\" -.\" Automatically generated by Pod::Man 2.22 (Pod::Simple 3.07) +.\" Automatically generated by Pod::Man 2.23 (Pod::Simple 3.14) .\" .\" Standard preamble: .\" ======================================================================== @@ -148,7 +148,7 @@ .\" ======================================================================== .\" .IX Title "SUDOERS @mansectform@" -.TH SUDOERS @mansectform@ "July 21, 2010" "1.8.0b1" "MAINTENANCE COMMANDS" +.TH SUDOERS @mansectform@ "September 14, 2010" "1.8.0b1" "MAINTENANCE COMMANDS" .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l @@ -837,7 +837,8 @@ home directory of the target user (which is root unless the \fB\-u\fR option is used). This effectively means that the \fB\-H\fR option is always implied. Note that \f(CW\*(C`HOME\*(C'\fR is already set when the the \&\fIenv_reset\fR option is enabled, so \fIalways_set_home\fR is only -effective for configurations where \fIenv_reset\fR is disabled. +effective for configurations where either \fIenv_reset\fR is disabled +or \f(CW\*(C`HOME\*(C'\fR is present in the \fIenv_keep\fR list. This flag is \fIoff\fR by default. .IP "authenticate" 16 .IX Item "authenticate" 
@@ -1033,7 +1034,8 @@ environment variable will be set to the home directory of the target user (which is root unless the \fB\-u\fR option is used). This effectively makes the \fB\-s\fR option imply \fB\-H\fR. Note that \f(CW\*(C`HOME\*(C'\fR is already set when the the \fIenv_reset\fR option is enabled, so \fIset_home\fR is -only effective for configurations where \fIenv_reset\fR is disabled. +only effective for configurations where either \fIenv_reset\fR is disabled +or \f(CW\*(C`HOME\*(C'\fR is present in the \fIenv_keep\fR list. This flag is \fIoff\fR by default. .IP "set_logname" 16 .IX Item "set_logname"
@@ -1119,7 +1121,7 @@ modification. This makes it possible to specify a more permissive umask in \fIsudoers\fR than the user's own umask and matches historical behavior. If \fIumask_override\fR is not set, \fBsudo\fR will set the umask to be the union of the user's umask and what is specified in -\&\fIsudoers\fR. This flag is \fIoff\fR by default. +\&\fIsudoers\fR. This flag is \fI@umask_override@\fR by default. .if \n(LC \{\ .IP "use_loginclass" 16 .IX Item "use_loginclass"
diff --git a/doc/sudoers.pod b/doc/sudoers.pod
index 3d794212f..ee8755a55 100644
--- a/doc/sudoers.pod
+++ b/doc/sudoers.pod
@@ -1019,7 +1019,7 @@ modification. This makes it possible to specify a more permissive umask in I than the user's own umask and matches historical behavior. If I is not set, B will set the umask to be the union of the user's umask and what is specified in
-I. This flag is I by default.
+I. This flag is I<@umask_override@> by default.
 =item use_loginclass
diff --git a/plugins/sudoers/defaults.c b/plugins/sudoers/defaults.c
index 8f39242a9..d204da565 100644
--- a/plugins/sudoers/defaults.c
+++ b/plugins/sudoers/defaults.c
@@ -439,6 +439,9 @@ init_defaults(void)
 #endif
 #ifdef ENV_EDITOR
 def_env_editor = TRUE;
+#endif
+#ifdef UMASK_OVERRIDE
+ def_umask_override = TRUE;
 #endif
 def_sudoers_locale = estrdup("C");
 def_env_reset = TRUE;
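Review bot: `def_umask_override = TRUE;` under the new `#ifdef UMASK_OVERRIDE` in the `init_defaults` hunk carries no comment, and unlike the neighbouring compile-time defaults this one relaxes a protection: with it on, a `Defaults umask=...` line in sudoers can make the umask for every command looser than the invoking user's instead of only the union of the two (as the sudoers.man.in hunk in this same patch describes). Add a why-comment above the `#ifdef`, e.g. `/* --with-umask-override: the sudoers umask replaces the invoking user's rather than being OR'd with it; see umask_override in sudoers(4). */`, so a reader of the defaults table can tell that the build flag, not the sudoers file, is the origin of the setting. `init_defaults` begins outside the hunk, and the `def_umask_override` slot itself is not declared anywhere in this diff, so it is presumably an already-existing entry whose documented default only now follows the configure result.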