Mention that 127.0.0.1 will not match, nor will localhost unless
that is the actual host name.
Todd C. Miller
2010-07-21 15:19:56 -04:00
parent a72965e64c
commit bdecb14ea6
3 changed files with 74 additions and 66 deletions

View File

@@ -286,6 +286,10 @@ SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4)
shell-style wildcards (see the Wildcards section below), but unless the
host name command on your machine returns the fully qualified host
name, you'll need to use the _f_q_d_n option for wildcards to be useful.
Note ssuuddoo only inspects actual network interfaces; this means that IP
address 127.0.0.1 (localhost) will never match. Also, the host name
"localhost" will only match if that is the actual host name, which is
usually only the case for non-networked systems.
Cmnd_List ::= Cmnd |
Cmnd ',' Cmnd_List
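Review bot: the added sentence "Note sudo only inspects actual network interfaces" leaves the reader to infer why 127.0.0.1 never matches; saying explicitly that the loopback interface is not treated as a network interface would make the 127.0.0.1 consequence follow directly instead of relying on the parenthetical. It would also help to state the practical effect for administrators: a host list or Host_Alias that contains only 127.0.0.1 or "localhost" will never match on a networked machine, so such a rule grants nothing, and rules meant to be local-only should name the machine's real host name or address instead.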
@@ -318,10 +322,6 @@ SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4)
to permit a user to run ssuuddoo with the --ee option (or as ssuuddooeeddiitt). It
may take command line arguments just as a normal command does.
DDeeffaauullttss
Certain configuration options may be changed from their default values
at runtime via one or more Default_Entry lines. These may affect all
users on any host, all users on a specific host, a specific user, a
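Review bot: this hunk, and the remaining hunks in this pre-formatted file down to the DISCLAIMER section, only shift the repeated "SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4)" headers and the "1.8.0b1 July 21, 2010 N" page footers by the four lines added above; they carry no wording change, so the only thing to verify is that the file was regenerated from the updated pod source rather than edited by hand.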
@@ -334,6 +334,10 @@ SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4)
SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4)
DDeeffaauullttss
Certain configuration options may be changed from their default values
at runtime via one or more Default_Entry lines. These may affect all
users on any host, all users on a specific host, a specific user, a
specific command, or commands being run as a specific user. Note that
per-command entries may not include command line arguments. If you
need to specify arguments, define a Cmnd_Alias and reference that
@@ -385,10 +389,6 @@ SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4)
SELinux_Spec ::= ('ROLE=role' | 'TYPE=type')
Tag_Spec ::= ('NOPASSWD:' | 'PASSWD:' | 'NOEXEC:' | 'EXEC:' |
'SETENV:' | 'NOSETENV:' | 'LOG_INPUT:' | 'NOLOG_INPUT:' |
'LOG_OUTPUT:' | 'NOLOG_OUTPUT:')
1.8.0b1 July 21, 2010 6
@@ -400,6 +400,11 @@ SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4)
SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4)
Tag_Spec ::= ('NOPASSWD:' | 'PASSWD:' | 'NOEXEC:' | 'EXEC:' |
'SETENV:' | 'NOSETENV:' | 'LOG_INPUT:' | 'NOLOG_INPUT:' |
'LOG_OUTPUT:' | 'NOLOG_OUTPUT:')
A uusseerr ssppeecciiffiiccaattiioonn determines which commands a user may run (and as
what user) on specified hosts. By default, commands are run as rroooott,
but this can be changed on a per-command basis.
@@ -450,11 +455,6 @@ SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4)
device file with the dialer group. Note that in this example only the
group will be set, the command still runs as user ttccmm.
tcm boulder = (:dialer) /usr/bin/tip, /usr/bin/cu, \
/usr/local/bin/minicom
1.8.0b1 July 21, 2010 7
@@ -466,6 +466,9 @@ SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4)
SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4)
tcm boulder = (:dialer) /usr/bin/tip, /usr/bin/cu, \
/usr/local/bin/minicom
SSEELLiinnuuxx__SSppeecc
On systems with SELinux support, _s_u_d_o_e_r_s entries may optionally have an
SELinux role and/or type associated with a command. If a role or type
@@ -517,9 +520,6 @@ SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4)
In the following example, user aaaarroonn may run _/_u_s_r_/_b_i_n_/_m_o_r_e and
_/_u_s_r_/_b_i_n_/_v_i but shell escapes will be disabled.
aaron shanty = NOEXEC: /usr/bin/more, /usr/bin/vi
See the "PREVENTING SHELL ESCAPES" section below for more details on
@@ -532,6 +532,9 @@ SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4)
SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4)
aaron shanty = NOEXEC: /usr/bin/more, /usr/bin/vi
See the "PREVENTING SHELL ESCAPES" section below for more details on
how NOEXEC works and whether or not it will work on your system.
_S_E_T_E_N_V _a_n_d _N_O_S_E_T_E_N_V
@@ -583,9 +586,6 @@ SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4)
Would match any file name beginning with a letter.
Note that a forward slash ('/') will nnoott be matched by wildcards used
in the path name. When matching the command line arguments, however, a
slash ddooeess get matched by wildcards. This is to make a path like:
@@ -598,6 +598,10 @@ SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4)
SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4)
Note that a forward slash ('/') will nnoott be matched by wildcards used
in the path name. When matching the command line arguments, however, a
slash ddooeess get matched by wildcards. This is to make a path like:
/usr/bin/*
match _/_u_s_r_/_b_i_n_/_w_h_o but not _/_u_s_r_/_b_i_n_/_X_1_1_/_x_t_e_r_m.
@@ -648,10 +652,6 @@ SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4)
sorted lexical order. That is, _/_e_t_c_/_s_u_d_o_e_r_s_._d_/_0_1___f_i_r_s_t will be parsed
before _/_e_t_c_/_s_u_d_o_e_r_s_._d_/_1_0___s_e_c_o_n_d. Be aware that because the sorting is
lexical, not numeric, _/_e_t_c_/_s_u_d_o_e_r_s_._d_/_1___w_h_o_o_p_s would be loaded aafftteerr
_/_e_t_c_/_s_u_d_o_e_r_s_._d_/_1_0___s_e_c_o_n_d. Using a consistent number of leading zeroes
in the file names can be used to avoid such problems.
Note that unlike files included via #include, vviissuuddoo will not edit the
@@ -664,6 +664,10 @@ SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4)
SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4)
_/_e_t_c_/_s_u_d_o_e_r_s_._d_/_1_0___s_e_c_o_n_d. Using a consistent number of leading zeroes
in the file names can be used to avoid such problems.
Note that unlike files included via #include, vviissuuddoo will not edit the
files in a #includedir directory unless one of them contains a syntax
error. It is still possible to run vviissuuddoo with the -f flag to edit the
files directly.
@@ -715,10 +719,6 @@ SSUUDDOOEERRSS OOPPTTIIOONNSS
configurations where _e_n_v___r_e_s_e_t is disabled. This flag
is _o_f_f by default.
authenticate If set, users must authenticate themselves via a
password (or other means of authentication) before they
may run commands. This default may be overridden via
1.8.0b1 July 21, 2010 11
@@ -730,6 +730,9 @@ SSUUDDOOEERRSS OOPPTTIIOONNSS
SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4)
authenticate If set, users must authenticate themselves via a
password (or other means of authentication) before they
may run commands. This default may be overridden via
the PASSWD and NOPASSWD tags. This flag is _o_n by
default.
@@ -782,9 +785,6 @@ SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4)
path names which include globbing characters. This
flag is _o_f_f by default.
fqdn Set this flag if you want to put fully qualified host
names in the _s_u_d_o_e_r_s file. I.e., instead of myhost you
1.8.0b1 July 21, 2010 12
@@ -796,6 +796,8 @@ SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4)
SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4)
fqdn Set this flag if you want to put fully qualified host
names in the _s_u_d_o_e_r_s file. I.e., instead of myhost you
would use myhost.mydomain.edu. You may still use the
short form if you wish (and even mix the two). Beware
that turning on _f_q_d_n requires ssuuddoo to make DNS lookups
@@ -848,8 +850,6 @@ SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4)
mail_badpass Send mail to the _m_a_i_l_t_o user if the user running ssuuddoo
does not enter the correct password. This flag is _o_f_f
by default.
@@ -862,6 +862,8 @@ SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4)
SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4)
by default.
mail_no_host If set, mail will be sent to the _m_a_i_l_t_o user if the
invoking user exists in the _s_u_d_o_e_r_s file, but is not
allowed to run commands on the current host. This flag
@@ -914,8 +916,6 @@ SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4)
this point. When _p_w_f_e_e_d_b_a_c_k is set, ssuuddoo will provide
visual feedback when the user presses a key. Note that
this does have a security impact as an onlooker may be
able to determine the length of the password being
entered. This flag is _o_f_f by default.
@@ -928,6 +928,9 @@ SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4)
SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4)
able to determine the length of the password being
entered. This flag is _o_f_f by default.
requiretty If set, ssuuddoo will only run when the user is logged in
to a real tty. When this flag is set, ssuuddoo can only be
run from a login session and not via other means such
@@ -980,9 +983,6 @@ SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4)
should be allowed to set variables in this manner.
This flag is _o_f_f by default.
shell_noargs If set and ssuuddoo is invoked with no arguments it acts as
if the --ss option had been given. That is, it runs a
1.8.0b1 July 21, 2010 15
@@ -994,6 +994,8 @@ SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4)
SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4)
shell_noargs If set and ssuuddoo is invoked with no arguments it acts as
if the --ss option had been given. That is, it runs a
shell as root (the shell is determined by the SHELL
environment variable if it is set, falling back on the
shell listed in the invoking user's /etc/passwd entry
@@ -1046,8 +1048,6 @@ SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4)
tty_tickets If set, users must authenticate on a per-tty basis.
With this flag enabled, ssuuddoo will use a file named for
the tty the user is logged in on in the user's time
stamp directory. If disabled, the time stamp of the
@@ -1060,6 +1060,8 @@ SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4)
SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4)
the tty the user is logged in on in the user's time
stamp directory. If disabled, the time stamp of the
directory is used instead. This flag is _o_n by default.
umask_override If set, ssuuddoo will set the umask as specified by _s_u_d_o_e_r_s
@@ -1112,8 +1114,6 @@ SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4)
the option to disable word wrap).
passwd_timeout Number of minutes before the ssuuddoo password prompt times
out, or 0 for no timeout. The timeout may include a
fractional component if minute granularity is
@@ -1126,6 +1126,8 @@ SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4)
SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4)
out, or 0 for no timeout. The timeout may include a
fractional component if minute granularity is
insufficient, for example 2.5. The default is 5.
timestamp_timeout
@@ -1178,8 +1180,6 @@ SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4)
%H expanded to the local host name including the
domain name (on if the machine's host name is fully
qualified or the _f_q_d_n option is set)
@@ -1192,6 +1192,8 @@ SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4)
SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4)
qualified or the _f_q_d_n option is set)
%h expanded to the local host name without the domain
name
@@ -1244,8 +1246,6 @@ SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4)
SSttrriinnggss tthhaatt ccaann bbee uusseedd iinn aa bboooolleeaann ccoonntteexxtt:
askpass The _a_s_k_p_a_s_s option specifies the fully qualified path to a
helper program used to read the user's password when no
@@ -1258,6 +1258,8 @@ SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4)
SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4)
askpass The _a_s_k_p_a_s_s option specifies the fully qualified path to a
helper program used to read the user's password when no
terminal is available. This may be the case when ssuuddoo is
executed from a graphical (as opposed to text-based)
application. The program specified by _a_s_k_p_a_s_s should
@@ -1310,8 +1312,6 @@ SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4)
Negating the option results in a value of _n_e_v_e_r being used.
The default value is _o_n_c_e.
lecture_file
Path to a file containing an alternate ssuuddoo lecture that
@@ -1324,6 +1324,8 @@ SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4)
SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4)
lecture_file
Path to a file containing an alternate ssuuddoo lecture that
will be used in place of the standard lecture if the named
file exists. By default, ssuuddoo uses a built-in lecture.
@@ -1376,8 +1378,6 @@ SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4)
option is not set by default.
syslog Syslog facility if syslog is being used for logging (negate
to disable syslog logging). Defaults to local2.
@@ -1390,6 +1390,8 @@ SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4)
SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4)
to disable syslog logging). Defaults to local2.
verifypw This option controls when a password will be required when
a user runs ssuuddoo with the --vv option. It has the following
possible values:
@@ -1442,8 +1444,6 @@ SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4)
any setuid process (such as ssuuddoo).
env_keep Environment variables to be preserved in the user's
environment when the _e_n_v___r_e_s_e_t option is in effect.
This allows fine-grained control over the environment
@@ -1456,6 +1456,8 @@ SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4)
SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4)
environment when the _e_n_v___r_e_s_e_t option is in effect.
This allows fine-grained control over the environment
ssuuddoo-spawned processes will receive. The argument may
be a double-quoted, space-separated list or a single
value without double-quotes. The list can be replaced,
@@ -1508,8 +1510,6 @@ EEXXAAMMPPLLEESS
# Host alias specification
Host_Alias SPARC = bigtime, eclipse, moet, anchor :\
SGI = grolsch, dandelion, black :\
ALPHA = widget, thalamus, foobar :\
@@ -1522,6 +1522,8 @@ EEXXAAMMPPLLEESS
SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4)
SGI = grolsch, dandelion, black :\
ALPHA = widget, thalamus, foobar :\
HPPA = boa, nag, python
Host_Alias CUNETS = 128.138.0.0/255.255.0.0
Host_Alias CSNETS = 128.138.243.0, 128.138.204.0/24, 128.138.242.0
@@ -1575,8 +1577,6 @@ SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4)
Full time sysadmins (mmiilllleerrtt, mmiikkeeff, and ddoowwddyy) may run any command on
any host without authenticating themselves.
PARTTIMERS ALL = ALL
1.8.0b1 July 21, 2010 24
@@ -1588,6 +1588,8 @@ SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4)
SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4)
PARTTIMERS ALL = ALL
Part time sysadmins (bboossttlleeyy, jjwwffooxx, and ccrraawwll) may run any command on
any host but they must authenticate themselves first (since the entry
lacks the NOPASSWD tag).
@@ -1640,8 +1642,6 @@ SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4)
+secretaries ALL = PRINTING, /usr/bin/adduser, /usr/bin/rmuser
Users in the sseeccrreettaarriieess netgroup need to help manage the printers as
well as add and remove users, so they are allowed to run those commands
@@ -1654,6 +1654,8 @@ SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4)
SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4)
Users in the sseeccrreettaarriieess netgroup need to help manage the printers as
well as add and remove users, so they are allowed to run those commands
on all machines.
fred ALL = (DB) NOPASSWD: ALL
@@ -1707,8 +1709,6 @@ SSEECCUURRIITTYY NNOOTTEESS
desired command to a different name and then executing that. For
example:
bill ALL = ALL, !SU, !SHELLS
1.8.0b1 July 21, 2010 26
@@ -1720,6 +1720,8 @@ SSEECCUURRIITTYY NNOOTTEESS
SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4)
bill ALL = ALL, !SU, !SHELLS
Doesn't really prevent bbiillll from running the commands listed in _S_U or
_S_H_E_L_L_S since he can simply copy those commands to a different name, or
use a shell escape from an editor or other program. Therefore, these
@@ -1773,8 +1775,6 @@ PPRREEVVEENNTTIINNGG SSHHEELLLL EESSCCAAPPEESS
sudo -V | grep "dummy exec"
If the resulting output contains a line that begins with:
1.8.0b1 July 21, 2010 27
@@ -1786,6 +1786,8 @@ PPRREEVVEENNTTIINNGG SSHHEELLLL EESSCCAAPPEESS
SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4)
If the resulting output contains a line that begins with:
File containing dummy exec functions:
then ssuuddoo may be able to replace the exec family of functions
@@ -1839,8 +1841,6 @@ SSEECCUURRIITTYY NNOOTTEESS
give away files if the time stamp directory is located in a world-
writable directory.
On systems where the boot time is available, _s_u_d_o_e_r_s will ignore time
1.8.0b1 July 21, 2010 28
@@ -1852,6 +1852,7 @@ SSEECCUURRIITTYY NNOOTTEESS
SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4)
On systems where the boot time is available, _s_u_d_o_e_r_s will ignore time
stamps that date from before the machine booted.
Since time stamp files live in the file system, they can outlive a
@@ -1908,7 +1909,6 @@ DDIISSCCLLAAIIMMEERR
1.8.0b1 July 21, 2010 29

View File

@@ -414,7 +414,11 @@ or \s-1CIDR\s0 notation (number of bits, e.g.\ 24 or 64). A host name may
include shell-style wildcards (see the Wildcards section below),
but unless the \f(CW\*(C`host name\*(C'\fR command on your machine returns the fully
qualified host name, you'll need to use the \fIfqdn\fR option for
wildcards to be useful.
wildcards to be useful. Note \fBsudo\fR only inspects actual network
interfaces; this means that \s-1IP\s0 address 127.0.0.1 (localhost) will
never match. Also, the host name \*(L"localhost\*(R" will only match if
that is the actual host name, which is usually only the case for
non-networked systems.
.PP
.Vb 2
\& Cmnd_List ::= Cmnd |
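Review bot: the generated troff matches the pod hunk line for line, including the \s-1IP\s0 small caps and the \*(L"localhost\*(R" quoting, so there is nothing to change in the text itself; as with the formatted page, this file should be produced from sudoers.pod rather than edited directly so the three copies of the paragraph cannot drift apart.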

View File

@@ -288,7 +288,11 @@ or CIDR notation (number of bits, e.g.E<nbsp>24 or 64). A host name may
include shell-style wildcards (see the L<Wildcards> section below),
but unless the C<host name> command on your machine returns the fully
qualified host name, you'll need to use the I<fqdn> option for
wildcards to be useful.
wildcards to be useful. Note B<sudo> only inspects actual network
interfaces; this means that IP address 127.0.0.1 (localhost) will
never match. Also, the host name "localhost" will only match if
that is the actual host name, which is usually only the case for
non-networked systems.
Cmnd_List ::= Cmnd |
Cmnd ',' Cmnd_List
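Review bot: the unchanged context already allows IPv6 prefix lengths ("e.g. 24 or 64"), but the added note names only the IPv4 loopback address 127.0.0.1; if the same interface rule applies to IPv6, the loopback address ::1 deserves the same mention so that readers who put IPv6 addresses in host lists are not misled into thinking it matches. Minor style point on the first added line: "Note B<sudo> only inspects" reads more naturally as "Note that B<sudo> only inspects".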