isa/sudo
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Implement --with-umask-override configure flag.

Browse Source
This commit is contained in:
Todd C. Miller
2010-09-14 17:18:55 -04:00
parent ed45e68da9
commit b51afe6249
8 changed files with 241 additions and 124 deletions
Download Patch File Download Diff File Expand all files Collapse all files

270
doc/sudoers.cat
View File

@@ -61,7 +61,7 @@ DDEESSCCRRIIPPTTIIOONN
1.8.0b1 July 21, 2010 1
1.8.0b1 September 14, 2010 1
@@ -127,7 +127,7 @@ SSUUDDOOEERRSS FFIILLEE FFOORRMMAATT
1.8.0b1 July 21, 2010 2
1.8.0b1 September 14, 2010 2
@@ -193,7 +193,7 @@ SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4)
1.8.0b1 July 21, 2010 3
1.8.0b1 September 14, 2010 3
@@ -259,7 +259,7 @@ SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4)
1.8.0b1 July 21, 2010 4
1.8.0b1 September 14, 2010 4
@@ -325,7 +325,7 @@ SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4)
1.8.0b1 July 21, 2010 5
1.8.0b1 September 14, 2010 5
@@ -391,7 +391,7 @@ SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4)
1.8.0b1 July 21, 2010 6
1.8.0b1 September 14, 2010 6
@@ -457,7 +457,7 @@ SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4)
1.8.0b1 July 21, 2010 7
1.8.0b1 September 14, 2010 7
@@ -523,7 +523,7 @@ SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4)
1.8.0b1 July 21, 2010 8
1.8.0b1 September 14, 2010 8
@@ -589,7 +589,7 @@ SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4)
1.8.0b1 July 21, 2010 9
1.8.0b1 September 14, 2010 9
@@ -655,7 +655,7 @@ SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4)
1.8.0b1 July 21, 2010 10
1.8.0b1 September 14, 2010 10
@@ -716,12 +716,12 @@ SSUUDDOOEERRSS OOPPTTIIOONNSS
that the --HH option is always implied. Note that HOME
is already set when the the _e_n_v___r_e_s_e_t option is
enabled, so _a_l_w_a_y_s___s_e_t___h_o_m_e is only effective for
configurations where _e_n_v___r_e_s_e_t is disabled. This flag
is _o_f_f by default.
configurations where either _e_n_v___r_e_s_e_t is disabled or
HOME is present in the _e_n_v___k_e_e_p list. This flag is _o_f_f
1.8.0b1 July 21, 2010 11
1.8.0b1 September 14, 2010 11
@@ -730,6 +730,8 @@ SSUUDDOOEERRSS OOPPTTIIOONNSS
SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4)
by default.
authenticate If set, users must authenticate themselves via a
password (or other means of authentication) before they
may run commands. This default may be overridden via
@@ -782,12 +784,10 @@ SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4)
the negation operator, '!', as such rules can be
trivially bypassed. As such, this option should not be
used when _s_u_d_o_e_r_s contains rules that contain negated
path names which include globbing characters. This
flag is _o_f_f by default.
1.8.0b1 July 21, 2010 12
1.8.0b1 September 14, 2010 12
@@ -796,6 +796,9 @@ SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4)
SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4)
path names which include globbing characters. This
flag is _o_f_f by default.
fqdn Set this flag if you want to put fully qualified host
names in the _s_u_d_o_e_r_s file. I.e., instead of myhost you
would use myhost.mydomain.edu. You may still use the
@@ -848,12 +851,9 @@ SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4)
mail_always Send mail to the _m_a_i_l_t_o user every time a users runs
ssuuddoo. This flag is _o_f_f by default.
mail_badpass Send mail to the _m_a_i_l_t_o user if the user running ssuuddoo
does not enter the correct password. This flag is _o_f_f
1.8.0b1 July 21, 2010 13
1.8.0b1 September 14, 2010 13
@@ -862,6 +862,8 @@ SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4)
SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4)
mail_badpass Send mail to the _m_a_i_l_t_o user if the user running ssuuddoo
does not enter the correct password. This flag is _o_f_f
by default.
mail_no_host If set, mail will be sent to the _m_a_i_l_t_o user if the
@@ -914,12 +916,10 @@ SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4)
the return (or enter) key. Some users become confused
by this as it appears to them that ssuuddoo has hung at
this point. When _p_w_f_e_e_d_b_a_c_k is set, ssuuddoo will provide
visual feedback when the user presses a key. Note that
this does have a security impact as an onlooker may be
1.8.0b1 July 21, 2010 14
1.8.0b1 September 14, 2010 14
@@ -928,6 +928,8 @@ SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4)
SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4)
visual feedback when the user presses a key. Note that
this does have a security impact as an onlooker may be
able to determine the length of the password being
entered. This flag is _o_f_f by default.
@@ -961,8 +963,9 @@ SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4)
--uu option is used). This effectively makes the --ss
option imply --HH. Note that HOME is already set when
the the _e_n_v___r_e_s_e_t option is enabled, so _s_e_t___h_o_m_e is
only effective for configurations where _e_n_v___r_e_s_e_t is
disabled. This flag is _o_f_f by default.
only effective for configurations where either
_e_n_v___r_e_s_e_t is disabled or HOME is present in the
_e_n_v___k_e_e_p list. This flag is _o_f_f by default.
set_logname Normally, ssuuddoo will set the LOGNAME, USER and USERNAME
environment variables to the name of the target user
@@ -979,13 +982,10 @@ SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4)
command line via the --EE option. Additionally,
environment variables set via the command line are not
subject to the restrictions imposed by _e_n_v___c_h_e_c_k,
_e_n_v___d_e_l_e_t_e, or _e_n_v___k_e_e_p. As such, only trusted users
should be allowed to set variables in this manner.
This flag is _o_f_f by default.
1.8.0b1 July 21, 2010 15
1.8.0b1 September 14, 2010 15
@@ -994,6 +994,10 @@ SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4)
SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4)
_e_n_v___d_e_l_e_t_e, or _e_n_v___k_e_e_p. As such, only trusted users
should be allowed to set variables in this manner.
This flag is _o_f_f by default.
shell_noargs If set and ssuuddoo is invoked with no arguments it acts as
if the --ss option had been given. That is, it runs a
shell as root (the shell is determined by the SHELL
@@ -1044,14 +1048,10 @@ SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4)
Output logs may be viewed with the _s_u_d_o_r_e_p_l_a_y(1m)
utility, which can also be used to list or search the
available logs.
tty_tickets If set, users must authenticate on a per-tty basis.
With this flag enabled, ssuuddoo will use a file named for
1.8.0b1 July 21, 2010 16
1.8.0b1 September 14, 2010 16
@@ -1060,6 +1060,10 @@ SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4)
SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4)
available logs.
tty_tickets If set, users must authenticate on a per-tty basis.
With this flag enabled, ssuuddoo will use a file named for
the tty the user is logged in on in the user's time
stamp directory. If disabled, the time stamp of the
directory is used instead. This flag is _o_n by default.
@@ -1110,14 +1114,10 @@ SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4)
loglinelen Number of characters per line for the file log. This
value is used to decide when to wrap lines for nicer
log files. This has no effect on the syslog log file,
only the file log. The default is 80 (use 0 or negate
the option to disable word wrap).
passwd_timeout Number of minutes before the ssuuddoo password prompt times
1.8.0b1 July 21, 2010 17
1.8.0b1 September 14, 2010 17
@@ -1126,6 +1126,10 @@ SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4)
SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4)
only the file log. The default is 80 (use 0 or negate
the option to disable word wrap).
passwd_timeout Number of minutes before the ssuuddoo password prompt times
out, or 0 for no timeout. The timeout may include a
fractional component if minute granularity is
insufficient, for example 2.5. The default is 5.
@@ -1176,14 +1180,10 @@ SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4)
passprompt The default prompt to use when asking for a password;
can be overridden via the --pp option or the SUDO_PROMPT
environment variable. The following percent (`%')
escapes are supported:
%H expanded to the local host name including the
domain name (on if the machine's host name is fully
1.8.0b1 July 21, 2010 18
1.8.0b1 September 14, 2010 18
@@ -1192,6 +1192,10 @@ SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4)
SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4)
escapes are supported:
%H expanded to the local host name including the
domain name (on if the machine's host name is fully
qualified or the _f_q_d_n option is set)
%h expanded to the local host name without the domain
@@ -1242,14 +1246,10 @@ SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4)
security context to run the command. The default type
may be overridden on a per-command basis in _s_u_d_o_e_r_s or
via command line options. This option is only
available whe ssuuddoo is built with SELinux support.
SSttrriinnggss tthhaatt ccaann bbee uusseedd iinn aa bboooolleeaann ccoonntteexxtt:
1.8.0b1 July 21, 2010 19
1.8.0b1 September 14, 2010 19
@@ -1258,6 +1258,10 @@ SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4)
SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4)
available whe ssuuddoo is built with SELinux support.
SSttrriinnggss tthhaatt ccaann bbee uusseedd iinn aa bboooolleeaann ccoonntteexxtt:
askpass The _a_s_k_p_a_s_s option specifies the fully qualified path to a
helper program used to read the user's password when no
terminal is available. This may be the case when ssuuddoo is
@@ -1308,14 +1312,10 @@ SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4)
once Only lecture the user the first time they run ssuuddoo.
If no value is specified, a value of _o_n_c_e is implied.
Negating the option results in a value of _n_e_v_e_r being used.
The default value is _o_n_c_e.
1.8.0b1 July 21, 2010 20
1.8.0b1 September 14, 2010 20
@@ -1324,6 +1324,10 @@ SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4)
SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4)
If no value is specified, a value of _o_n_c_e is implied.
Negating the option results in a value of _n_e_v_e_r being used.
The default value is _o_n_c_e.
lecture_file
Path to a file containing an alternate ssuuddoo lecture that
will be used in place of the standard lecture if the named
@@ -1374,14 +1378,10 @@ SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4)
environment variable you may want to use this. Another use
is if you want to have the "root path" be separate from the
"user path." Users in the group specified by the
_e_x_e_m_p_t___g_r_o_u_p option are not affected by _s_e_c_u_r_e___p_a_t_h. This
option is not set by default.
syslog Syslog facility if syslog is being used for logging (negate
1.8.0b1 July 21, 2010 21
1.8.0b1 September 14, 2010 21
@@ -1390,6 +1390,10 @@ SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4)
SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4)
_e_x_e_m_p_t___g_r_o_u_p option are not affected by _s_e_c_u_r_e___p_a_t_h. This
option is not set by default.
syslog Syslog facility if syslog is being used for logging (negate
to disable syslog logging). Defaults to auth.
verifypw This option controls when a password will be required when
@@ -1440,14 +1444,10 @@ SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4)
default list of environment variables to remove is
displayed when ssuuddoo is run by root with the _-_V option.
Note that many operating systems will remove
potentially dangerous variables from the environment of
any setuid process (such as ssuuddoo).
env_keep Environment variables to be preserved in the user's
1.8.0b1 July 21, 2010 22
1.8.0b1 September 14, 2010 22
@@ -1456,6 +1456,10 @@ SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4)
SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4)
potentially dangerous variables from the environment of
any setuid process (such as ssuuddoo).
env_keep Environment variables to be preserved in the user's
environment when the _e_n_v___r_e_s_e_t option is in effect.
This allows fine-grained control over the environment
ssuuddoo-spawned processes will receive. The argument may
@@ -1506,14 +1510,10 @@ EEXXAAMMPPLLEESS
# Runas alias specification
Runas_Alias OP = root, operator
Runas_Alias DB = oracle, sybase
Runas_Alias ADMINGRP = adm, oper
# Host alias specification
Host_Alias SPARC = bigtime, eclipse, moet, anchor :\
1.8.0b1 July 21, 2010 23
1.8.0b1 September 14, 2010 23
@@ -1522,6 +1522,10 @@ EEXXAAMMPPLLEESS
SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4)
Runas_Alias ADMINGRP = adm, oper
# Host alias specification
Host_Alias SPARC = bigtime, eclipse, moet, anchor :\
SGI = grolsch, dandelion, black :\
ALPHA = widget, thalamus, foobar :\
HPPA = boa, nag, python
@@ -1572,14 +1576,10 @@ SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4)
We let rroooott and any user in group wwhheeeell run any command on any host as
any user.
FULLTIMERS ALL = NOPASSWD: ALL
Full time sysadmins (mmiilllleerrtt, mmiikkeeff, and ddoowwddyy) may run any command on
any host without authenticating themselves.
1.8.0b1 July 21, 2010 24
1.8.0b1 September 14, 2010 24
@@ -1588,6 +1588,11 @@ SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4)
SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4)
FULLTIMERS ALL = NOPASSWD: ALL
Full time sysadmins (mmiilllleerrtt, mmiikkeeff, and ddoowwddyy) may run any command on
any host without authenticating themselves.
PARTTIMERS ALL = ALL
Part time sysadmins (bboossttlleeyy, jjwwffooxx, and ccrraawwll) may run any command on
@@ -1637,15 +1642,10 @@ SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4)
jim +biglab = ALL
The user jjiimm may run any command on machines in the _b_i_g_l_a_b netgroup.
ssuuddoo knows that "biglab" is a netgroup due to the '+' prefix.
+secretaries ALL = PRINTING, /usr/bin/adduser, /usr/bin/rmuser
1.8.0b1 July 21, 2010 25
1.8.0b1 September 14, 2010 25
@@ -1654,6 +1654,11 @@ SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4)
SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4)
The user jjiimm may run any command on machines in the _b_i_g_l_a_b netgroup.
ssuuddoo knows that "biglab" is a netgroup due to the '+' prefix.
+secretaries ALL = PRINTING, /usr/bin/adduser, /usr/bin/rmuser
Users in the sseeccrreettaarriieess netgroup need to help manage the printers as
well as add and remove users, so they are allowed to run those commands
on all machines.
@@ -1703,15 +1708,10 @@ SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4)
This is a bit tedious for users to type, so it is a prime candidate for
encapsulating in a shell script.
SSEECCUURRIITTYY NNOOTTEESS
It is generally not effective to "subtract" commands from ALL using the
'!' operator. A user can trivially circumvent this by copying the
desired command to a different name and then executing that. For
example:
1.8.0b1 July 21, 2010 26
1.8.0b1 September 14, 2010 26
@@ -1720,6 +1720,12 @@ SSEECCUURRIITTYY NNOOTTEESS
SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4)
SSEECCUURRIITTYY NNOOTTEESS
It is generally not effective to "subtract" commands from ALL using the
'!' operator. A user can trivially circumvent this by copying the
desired command to a different name and then executing that. For
example:
bill ALL = ALL, !SU, !SHELLS
Doesn't really prevent bbiillll from running the commands listed in _S_U or
@@ -1768,16 +1774,10 @@ PPRREEVVEENNTTIINNGG SSHHEELLLL EESSCCAAPPEESS
any other programs. Note, however, that this applies only to
native dynamically-linked executables. Statically-linked
executables and foreign executables running under binary
emulation are not affected.
To tell whether or not ssuuddoo supports _n_o_e_x_e_c, you can run the
following as root:
sudo -V | grep "dummy exec"
1.8.0b1 July 21, 2010 27
1.8.0b1 September 14, 2010 27
@@ -1786,6 +1786,13 @@ PPRREEVVEENNTTIINNGG SSHHEELLLL EESSCCAAPPEESS
SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4)
emulation are not affected.
To tell whether or not ssuuddoo supports _n_o_e_x_e_c, you can run the
following as root:
sudo -V | grep "dummy exec"
If the resulting output contains a line that begins with:
File containing dummy exec functions:
@@ -1834,16 +1841,9 @@ SSEECCUURRIITTYY NNOOTTEESS
by root and inaccessible by any other user, the user placing files
there would be unable to get them back out.
_s_u_d_o_e_r_s will not honor time stamps set far in the future. Time stamps
with a date greater than current_time + 2 * TIMEOUT will be ignored and
sudo will log and complain. This is done to keep a user from creating
his/her own time stamp with a bogus date on systems that allow users to
give away files if the time stamp directory is located in a world-
writable directory.
1.8.0b1 July 21, 2010 28
1.8.0b1 September 14, 2010 28
@@ -1852,6 +1852,13 @@ SSEECCUURRIITTYY NNOOTTEESS
SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4)
_s_u_d_o_e_r_s will not honor time stamps set far in the future. Time stamps
with a date greater than current_time + 2 * TIMEOUT will be ignored and
sudo will log and complain. This is done to keep a user from creating
his/her own time stamp with a bogus date on systems that allow users to
give away files if the time stamp directory is located in a world-
writable directory.
On systems where the boot time is available, _s_u_d_o_e_r_s will ignore time
stamps that date from before the machine booted.
@@ -1899,6 +1906,18 @@ SSUUPPPPOORRTT
http://www.sudo.ws/mailman/listinfo/sudo-users to subscribe or search
the archives.
1.8.0b1 September 14, 2010 29
SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4)
DDIISSCCLLAAIIMMEERR
ssuuddoo is provided ``AS IS'' and any express or implied warranties,
including, but not limited to, the implied warranties of
@@ -1909,6 +1928,53 @@ DDIISSCCLLAAIIMMEERR
1.8.0b1 July 21, 2010 29
1.8.0b1 September 14, 2010 30

12
doc/sudoers.man.in
View File

@@ -22,7 +22,7 @@
.nr BA @BAMAN@
.nr LC @LCMAN@
.\"
.\" Automatically generated by Pod::Man 2.22 (Pod::Simple 3.07)
.\" Automatically generated by Pod::Man 2.23 (Pod::Simple 3.14)
.\"
.\" Standard preamble:
.\" ========================================================================
@@ -148,7 +148,7 @@
.\" ========================================================================
.\"
.IX Title "SUDOERS @mansectform@"
.TH SUDOERS @mansectform@ "July 21, 2010" "1.8.0b1" "MAINTENANCE COMMANDS"
.TH SUDOERS @mansectform@ "September 14, 2010" "1.8.0b1" "MAINTENANCE COMMANDS"
.\" For nroff, turn off justification. Always turn off hyphenation; it makes
.\" way too many mistakes in technical documents.
.if n .ad l
@@ -837,7 +837,8 @@ home directory of the target user (which is root unless the \fB\-u\fR
option is used). This effectively means that the \fB\-H\fR option is
always implied. Note that \f(CW\*(C`HOME\*(C'\fR is already set when the the
\&\fIenv_reset\fR option is enabled, so \fIalways_set_home\fR is only
effective for configurations where \fIenv_reset\fR is disabled.
effective for configurations where either \fIenv_reset\fR is disabled
or \f(CW\*(C`HOME\*(C'\fR is present in the \fIenv_keep\fR list.
This flag is \fIoff\fR by default.
.IP "authenticate" 16
.IX Item "authenticate"
@@ -1033,7 +1034,8 @@ environment variable will be set to the home directory of the target
user (which is root unless the \fB\-u\fR option is used). This effectively
makes the \fB\-s\fR option imply \fB\-H\fR. Note that \f(CW\*(C`HOME\*(C'\fR is already
set when the the \fIenv_reset\fR option is enabled, so \fIset_home\fR is
only effective for configurations where \fIenv_reset\fR is disabled.
only effective for configurations where either \fIenv_reset\fR is disabled
or \f(CW\*(C`HOME\*(C'\fR is present in the \fIenv_keep\fR list.
This flag is \fIoff\fR by default.
.IP "set_logname" 16
.IX Item "set_logname"
@@ -1119,7 +1121,7 @@ modification. This makes it possible to specify a more permissive
umask in \fIsudoers\fR than the user's own umask and matches historical
behavior. If \fIumask_override\fR is not set, \fBsudo\fR will set the
umask to be the union of the user's umask and what is specified in
\&\fIsudoers\fR. This flag is \fIoff\fR by default.
\&\fIsudoers\fR. This flag is \fI@umask_override@\fR by default.
.if \n(LC \{\
.IP "use_loginclass" 16
.IX Item "use_loginclass"

2
doc/sudoers.pod
View File

@@ -1019,7 +1019,7 @@ modification. This makes it possible to specify a more permissive
umask in I<sudoers> than the user's own umask and matches historical
behavior. If I<umask_override> is not set, B<sudo> will set the
umask to be the union of the user's umask and what is specified in
I<sudoers>. This flag is I<off> by default.
I<sudoers>. This flag is I<@umask_override@> by default.
=item use_loginclass