isa/sudo
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Add FreeBSD login.conf support (untested on BSD/OS) based on a patch from

Browse Source 
Michael D. Marchionna.
configure now does substitution on the man pages, allowing us to
fix up the paths and set the section correctly.  Based on an idea
from Michael D. Marchionna.
This commit is contained in:
Todd C. Miller
2000-03-23 00:35:59 +00:00
parent 4d4ed8c166
commit d168a21cee
14 changed files with 776 additions and 671 deletions
Download Patch File Download Diff File Expand all files Collapse all files

7
INSTALL
View File

@@ -186,6 +186,13 @@ Special features/options:
`configure' changes; you should check to see if your platform can
access DCE via PAM before using this option.
--with-logincap
Enable support for BSD login classes on FreeBSD. This adds support
for the login classes specified in /etc/login.conf. By default,
a login class is not applied unless the 'use_loginclass' option
is defined in sudoers or the user specifies a class on the command
line.
--disable-sia
Disable SIA support. This is the "Security Integration Architecture"
on Digital UNIX. If you disable SIA sudo will use its own

38
Makefile.in
View File

@@ -85,12 +85,11 @@ visudodir = $(sbindir)
sudoersdir = $(sysconfdir)
# Directory in which to install the man page
# set mansect5 to 4 on sysV machines.
mantype = @MANTYPE@
mansect8 = 8
mansect5 = 5
mandir8 = $(mandir)/$(mantype)$(mansect8)
mandir5 = $(mandir)/$(mantype)$(mansect5)
mansectsu = @mansectsu@
mansectform = @mansectform@
mandirsu = $(mandir)/$(mantype)$(mansectsu)
mandirform = $(mandir)/$(mantype)$(mansectform)
# User and group ids the installed files should be "owned" by
install_uid = 0
@@ -145,8 +144,9 @@ DISTFILES = $(SRCS) $(HDRS) BUGS CHANGES FAQ HISTORY INSTALL INSTALL.configure \
UPGRADE acsite.m4 aixcrypt.exp config.guess config.h.in config.sub \
configure configure.in fnmatch.3 indent.pro install-sh \
mkinstalldirs pathnames.h.in sample.pam sample.syslog.conf \
sample.sudoers sudo.cat sudo.man sudo.pod sudoers sudoers.cat \
sudoers.man sudoers.pod visudo.cat visudo.man visudo.pod auth/API
sample.sudoers sudo.cat sudo.man.in sudo.pod sudoers sudoers.cat \
sudoers.man.in sudoers.pod visudo.cat visudo.man.in visudo.pod \
auth/API
BINFILES= BUGS CHANGES HISTORY LICENSE README TODO TROUBLESHOOTING \
UPGRADE install-sh mkinstalldirs sample.syslog.conf sample.sudoers \
@@ -251,35 +251,35 @@ securid.o: $(authdir)/securid.c $(AUTHDEP)
sia.o: $(authdir)/sia.c $(AUTHDEP)
$(CC) -c $(CPPFLAGS) $(CFLAGS) $(DEFS) $(OPTIONS) $(authdir)/sia.c
sudo.man: $(srcdir)/sudo.pod
sudo.man.in: $(srcdir)/sudo.pod
@rm -f $(srcdir)/$@
(cd $(srcdir); pod2man --section=$(mansect8) --release=$(VERSION) --center="MAINTENANCE COMMANDS" sudo.pod > $(srcdir)/$@)
(cd $(srcdir); pod2man --section=`echo @MANSECTSU@|tr A-Z a-z` --release=$(VERSION) --center="MAINTENANCE COMMANDS" sudo.pod > $(srcdir)/$@)
sudo.cat: sudo.man
visudo.man: $(srcdir)/visudo.pod
visudo.man.in: $(srcdir)/visudo.pod
@rm -f $(srcdir)/$@
(cd $(srcdir); pod2man --section=$(mansect8) --release=$(VERSION) --center="MAINTENANCE COMMANDS" visudo.pod > $(srcdir)/$@)
(cd $(srcdir); pod2man --section=`echo @MANSECTSU@|tr A-Z a-z` --release=$(VERSION) --center="MAINTENANCE COMMANDS" visudo.pod > $(srcdir)/$@)
visudo.cat: visudo.man
sudoers.man: $(srcdir)/sudoers.pod
sudoers.man.in: $(srcdir)/sudoers.pod
@rm -f $(srcdir)/$@
(cd $(srcdir); pod2man --section=$(mansect5) --release=$(VERSION) --center="FILE FORMATS" sudoers.pod > $(srcdir)/$@)
(cd $(srcdir); pod2man --section=`echo @MANSECTFORM@|tr A-Z a-z` --release=$(VERSION) --center="FILE FORMATS" sudoers.pod | sed 's/"\\f(CW""\\fR"/\\f(CW""\\fR/' > $(srcdir)/$@)
sudoers.cat: sudoers.man
install: install-dirs install-binaries install-sudoers install-man
install-dirs:
$(SHELL) $(srcdir)/mkinstalldirs $(sudodir) $(visudodir) $(sudoersdir) $(mandir8) $(mandir5)
$(SHELL) $(srcdir)/mkinstalldirs $(sudodir) $(visudodir) $(sudoersdir) $(mandirsu) $(mandirform)
install-binaries: $(PROGS)
$(INSTALL) -o $(install_uid) -g $(install_gid) -m 4111 -s sudo $(sudodir)/sudo
$(INSTALL) -o $(install_uid) -g $(install_gid) -m 0111 -s visudo $(visudodir)/visudo
install-sudoers:
@ if [ -f $(sudoersdir)/sudoers ]; then \
@if [ -f $(sudoersdir)/sudoers ]; then \
echo "Setting user/group and mode on existing $(sudoersdir)/sudoers file."; \
chown $(sudoers_uid) $(sudoersdir)/sudoers; \
chgrp $(sudoers_gid) $(sudoersdir)/sudoers; \
@@ -290,9 +290,9 @@ install-sudoers:
fi
install-man:
$(INSTALL) -o $(install_uid) -g $(install_gid) -m 0444 $(srcdir)/sudo.$(mantype) $(mandir8)/sudo.$(mansect8)
$(INSTALL) -o $(install_uid) -g $(install_gid) -m 0444 $(srcdir)/visudo.$(mantype) $(mandir8)/visudo.$(mansect8)
$(INSTALL) -o $(install_uid) -g $(install_gid) -m 0444 $(srcdir)/sudoers.$(mantype) $(mandir5)/sudoers.$(mansect5)
$(INSTALL) -o $(install_uid) -g $(install_gid) -m 0444 $(srcdir)/sudo.$(mantype) $(mandirsu)/sudo.$(mansectsu)
$(INSTALL) -o $(install_uid) -g $(install_gid) -m 0444 $(srcdir)/visudo.$(mantype) $(mandirsu)/visudo.$(mansectsu)
$(INSTALL) -o $(install_uid) -g $(install_gid) -m 0444 $(srcdir)/sudoers.$(mantype) $(mandirform)/sudoers.$(mansectform)
@MAN_POSTINSTALL@
check:
@@ -305,7 +305,7 @@ TAGS: $(SRCS)
etags $(SRCS)
clean:
-rm -f *.o $(PROGS) testsudoers core sudo.core visudo.core \
-rm -f *.o $(PROGS) *.man testsudoers core sudo.core visudo.core \
testsudoers.core
mostlyclean: clean

7
aclocal.m4 vendored
View File

@@ -139,14 +139,15 @@ AC_DEFUN(SUDO_TIMEDIR, [AC_MSG_CHECKING(for timestamp file location)
if test -n "$with_timedir"; then
AC_MSG_RESULT($with_timedir)
AC_DEFINE_UNQUOTED(_PATH_SUDO_TIMEDIR, "$with_timedir")
TIMEDIR="$with_timedir"
elif test -d "/var/run"; then
AC_MSG_RESULT(/var/run/sudo)
AC_DEFINE(_PATH_SUDO_TIMEDIR, "/var/run/sudo")
elif test -d "/tmp"; then
TIMEDIR="/var/run/sudo"
else
AC_MSG_RESULT(/tmp/.odus)
AC_DEFINE(_PATH_SUDO_TIMEDIR, "/tmp/.odus")
else
AC_MSG_RESULT(unknown, you will have to set _PATH_SUDO_TIMEDIR by hand)
TIMEDIR="/tmp/.odus"
fi
])dnl

786
configure vendored
View File

File diff suppressed because it is too large Load Diff

45
configure.in
View File

@@ -30,7 +30,10 @@ AC_SUBST(MAN_POSTINSTALL)dnl
AC_SUBST(SUDOERS_MODE)dnl
AC_SUBST(SUDOERS_UID)dnl
AC_SUBST(SUDOERS_GID)dnl
AC_SUBST(TIMEDIR)
AC_SUBST(DEV)
AC_SUBST(mansectsu)
AC_SUBST(mansectform)
dnl
dnl Initial values for Makefile variables listed above
dnl Some may be overridden by environment variables..
@@ -1023,6 +1026,8 @@ case "$host" in
if test "$with_AFS" = "yes"; then
AFS_LIBS="-lc -lucb"
fi
mansectsu=1m
mansectform=4
;;
*-*-aix*)
# To get all prototypes (so we pass -Wall)
@@ -1035,6 +1040,8 @@ case "$host" in
AC_CHECK_LIB(sec, getprpwnam, AC_DEFINE(HAVE_GETPRPWNAM) [SUDO_LIBS="${SUDO_LIBS} -lsec"; LIBS="${LIBS} -lsec"; SECUREWARE=1], AC_CHECK_LIB(security, getprpwnam, AC_DEFINE(HAVE_GETPRPWNAM) [SUDO_LIBS="${SUDO_LIBS} -lsecurity"; LIBS="${LIBS} -lsecurity"; SECUREWARE=1]))
CHECKSHADOW="false"
fi
mansectsu=1m
mansectform=4
;;
*-*-hpux1[[0-9]]*)
# uncomment this for a statically linked sudo
@@ -1070,6 +1077,8 @@ case "$host" in
if test "$with_AFS" = "yes"; then
AFS_LIBS="-lc -lBSD"
fi
mansectsu=1m
mansectform=4
;;
*-*-hpux9*)
# uncomment this for a statically linked sudo
@@ -1115,6 +1124,8 @@ case "$host" in
if test "$with_AFS" = "yes"; then
AFS_LIBS="-lc -lBSD"
fi
mansectsu=1m
mansectform=4
;;
*-*-hpux*)
@@ -1131,6 +1142,8 @@ case "$host" in
if test "$with_AFS" = "yes"; then
AFS_LIBS="-lc -lBSD"
fi
mansectsu=1m
mansectform=4
;;
*-dec-osf*)
# ignore envariables wrt dynamic lib path
@@ -1213,6 +1226,8 @@ case "$host" in
if test "$OSREV" -le 4; then
AC_CHECK_LIB(sun, getpwnam, [LIBS="${LIBS} -lsun"])
fi
mansectsu=1m
mansectform=4
;;
*-*-linux*)
# To get crypt(3) and vasprintf() prototypes (so we pass -Wall)
@@ -1246,6 +1261,8 @@ case "$host" in
LIBS="${LIBS} -lsun -lbsd"
CPPFLAGS="${CPPFLAGS} -I/usr/include -I/usr/include/bsd"
OSDEFS="${OSDEFS} -D_MIPS"
mansectsu=1m
mansectform=4
;;
*-*-isc*)
OSDEFS="${OSDEFS} -D_ISC"
@@ -1257,6 +1274,8 @@ case "$host" in
AC_CHECK_LIB(sec, getspnam, AC_DEFINE(HAVE_GETSPNAM) [SUDO_LIBS="${SUDO_LIBS} -lsec"; LIBS="${LIBS} -lsec"])
CHECKSHADOW="false"
fi
mansectsu=1m
mansectform=4
;;
*-*-sco*)
if test "$CHECKSHADOW" = "true"; then
@@ -1264,16 +1283,22 @@ case "$host" in
AC_CHECK_LIB(gen, getspnam, AC_DEFINE(HAVE_GETSPNAM) [SUDO_LIBS="${SUDO_LIBS} -lgen"; LIBS="${LIBS} -lgen"])
CHECKSHADOW="false"
fi
mansectsu=1m
mansectform=4
;;
*-sequent-sysv*)
if test "$CHECKSHADOW" = "true"; then
AC_CHECK_LIB(sec, getspnam, AC_DEFINE(HAVE_GETSPNAM) [SUDO_LIBS="${SUDO_LIBS} -lsec"; LIBS="${LIBS} -lsec"])
CHECKSHADOW="false"
fi
mansectsu=1m
mansectform=4
;;
*-ccur-sysv4|*-ccur-sysvr4)
LIBS="${LIBS} -lgen"
SUDO_LIBS="${SUDO_LIBS} -lgen"
mansectsu=1m
mansectform=4
;;
*-*-bsdi*)
# Use shlicc for BSD/OS 2.x unless asked to do otherwise
@@ -1283,19 +1308,35 @@ case "$host" in
ac_cv_prog_CC=shlicc
CC="$ac_cv_prog_CC"
fi
if test "$CHECKSHADOW" = "true"; then
CHECKSHADOW="false"
fi
;;
*-*-freebsd*)
if test "$with_skey" = "yes"; then
SUDO_LIBS="${SUDO_LIBS} -lmd"
fi
if test "$CHECKSHADOW" = "true"; then
CHECKSHADOW="false"
fi
;;
*-*-*bsd*)
if test "$CHECKSHADOW" = "true"; then
CHECKSHADOW="false"
fi
;;
*-*-sysv*)
mansectsu=1m
mansectform=4
;;
esac
dnl
dnl Use BSD-style man sections by default
dnl
test -n "$mansectsu" || mansectsu=8
test -n "$mansectform" || mansectform=5
dnl
dnl Check for shadow password routines if we have not already done so.
dnl We check for SVR4-style first and then SecureWare-style.
@@ -1655,9 +1696,9 @@ dnl
test "$exec_prefix" = "NONE" && exec_prefix='$(prefix)'
dnl
dnl Substitute into the Makefiles
dnl Substitute into the Makefile and man pages
dnl
AC_OUTPUT(Makefile)
AC_OUTPUT([Makefile sudo.man visudo.man sudoers.man])
dnl
dnl Spew any text the user needs to know about

136
sudo.cat
View File

@@ -9,7 +9,8 @@ NNNNAAAAMMMMEEEE
SSSSYYYYNNNNOOOOPPPPSSSSIIIISSSS
ssssuuuuddddoooo ----VVVV | ----hhhh | ----llll | ----LLLL | ----vvvv | ----kkkk | ----KKKK | ----ssss | [ ----HHHH ] [----SSSS ]
[ ----bbbb ] | [ ----pppp prompt ] [ ----uuuu username/#uid ] _c_o_m_m_a_n_d
[ ----bbbb ] | [ ----pppp prompt ] [ ----cccc class|- ] [ ----uuuu username/#uid ]
_c_o_m_m_a_n_d
DDDDEEEESSSSCCCCRRRRIIIIPPPPTTTTIIIIOOOONNNN
ssssuuuuddddoooo allows a permitted user to execute a _c_o_m_m_a_n_d as the
@@ -60,8 +61,7 @@ OOOOPPPPTTTTIIIIOOOONNNNSSSS
26/Feb/2000 1.6.3 1
22/Mar/2000 1.6.3 1
@@ -102,7 +102,21 @@ sudo(8) MAINTENANCE COMMANDS sudo(8)
replaced with the user's login name. Similarly, %h
will be replaced with the local hostname.
-u The -u (_u_s_e_r) option causes sudo to run the specified
-c The -c (_c_l_a_s_s) option causes ssssuuuuddddoooo to run the specified
command with resources limited by the specified login
class. The _c_l_a_s_s argument can be either a class name
as defined in /etc/login.conf, or a single '-'
character. Specifying the _c_l_a_s_s as '-' means that the
command should be run restricted by the default login
capibilities of the user the command is run as. If
the _c_l_a_s_s argument specifies an existing user class,
the command must be run as root, or the ssssuuuuddddoooo command
must be run from a shell that is already root. This
option is only available on systems with BSD login
classes where ssssuuuuddddoooo has been configured with the
--with-logincap option.
-u The -u (_u_s_e_r) option causes ssssuuuuddddoooo to run the specified
command as a user other than _r_o_o_t. To specify a _u_i_d
instead of a _u_s_e_r_n_a_m_e, use "#uid".
@@ -110,6 +124,18 @@ sudo(8) MAINTENANCE COMMANDS sudo(8)
_S_H_E_L_L environment variable if it is set or the shell
as specified in _p_a_s_s_w_d(5).
22/Mar/2000 1.6.3 2
sudo(8) MAINTENANCE COMMANDS sudo(8)
-H The -H (_H_O_M_E) option sets the _H_O_M_E environment
variable to the homedir of the target user (root by
default) as specified in _p_a_s_s_w_d(5). By default, ssssuuuuddddoooo
@@ -124,18 +150,6 @@ sudo(8) MAINTENANCE COMMANDS sudo(8)
RRRREEEETTTTUUUURRRRNNNN VVVVAAAALLLLUUUUEEEESSSS
ssssuuuuddddoooo quits with an exit value of 1 if there is a
26/Feb/2000 1.6.3 2
sudo(8) MAINTENANCE COMMANDS sudo(8)
configuration/permission problem or if ssssuuuuddddoooo cannot execute
the given command. In the latter case the error string is
printed to stderr. If ssssuuuuddddoooo cannot _s_t_a_t(2) one or more
@@ -173,27 +187,13 @@ SSSSEEEECCCCUUUURRRRIIIITTTTYYYY NNNNOOOOTTTTE
statically.
ssssuuuuddddoooo will check the ownership of its timestamp directory
(_/_v_a_r_/_r_u_n_/_s_u_d_o or _/_t_m_p_/_._o_d_u_s by default) and ignore the
directory's contents if it is not owned by root and only
writable by root. On systems that allow non-root users to
give away files via _c_h_o_w_n(2), if the timestamp directory
is located in a directory writable by anyone (ie: _/_t_m_p),
it is possible for a user to create the timestamp
directory before ssssuuuuddddoooo is run. However, because ssssuuuuddddoooo
checks the ownership and mode of the directory and its
contents, the only damage that can be done is to "hide"
files by putting them in the timestamp dir. This is
unlikely to happen since once the timestamp dir is owned
by root and inaccessible by any other user the user
placing files there would be unable to get them back out.
To get around this issue you can use a directory that is
not world-writable for the timestamps (_/_v_a_r_/_a_d_m_/_s_u_d_o for
instance) or create /tmp/.odus with the appropriate owner
(root) and permissions (0700) in the system startup files.
(_/_v_a_r_/_r_u_n_/_s_u_d_o by default) and ignore the directory's
contents if it is not owned by root and only writable by
root. On systems that allow non-root users to give away
26/Feb/2000 1.6.3 3
22/Mar/2000 1.6.3 3
@@ -202,6 +202,21 @@ SSSSEEEECCCCUUUURRRRIIIITTTTYYYY NNNNOOOOTTTTE
sudo(8) MAINTENANCE COMMANDS sudo(8)
files via _c_h_o_w_n(2), if the timestamp directory is located
in a directory writable by anyone (eg: _/_t_m_p), it is
possible for a user to create the timestamp directory
before ssssuuuuddddoooo is run. However, because ssssuuuuddddoooo checks the
ownership and mode of the directory and its contents, the
only damage that can be done is to "hide" files by putting
them in the timestamp dir. This is unlikely to happen
since once the timestamp dir is owned by root and
inaccessible by any other user the user placing files
there would be unable to get them back out. To get around
this issue you can use a directory that is not world-
writable for the timestamps (_/_v_a_r_/_a_d_m_/_s_u_d_o for instance)
or create _/_v_a_r_/_r_u_n_/_s_u_d_o with the appropriate owner (root)
and permissions (0700) in the system startup files.
ssssuuuuddddoooo will not honor timestamps set far in the future.
Timestamps with a date greater than current_time + 2 *
TIMEOUT will be ignored and sudo will log and complain.
@@ -241,25 +256,10 @@ EEEEXXXXAAAAMMMMPPPPLLLLEEEESSSS
EEEENNNNVVVVIIIIRRRROOOONNNNMMMMEEEENNNNTTTT
ssssuuuuddddoooo utilizes the following environment variables:
PATH Set to a sane value if SECURE_PATH is set
SHELL Used to determine shell to run with -s option
USER Set to the target user (root unless the -u option
is specified)
HOME In -s or -H mode (or if sudo was configured with
the --enable-shell-sets-home option), set to
homedir of the target user.
SUDO_PROMPT Used as the default password prompt
SUDO_COMMAND Set to the command run by sudo
SUDO_USER Set to the login of the user who invoked sudo
SUDO_UID Set to the uid of the user who invoked sudo
SUDO_GID Set to the gid of the user who invoked sudo
SUDO_PS1 If set, PS1 will be set to its value
26/Feb/2000 1.6.3 4
22/Mar/2000 1.6.3 4
@@ -268,12 +268,6 @@ EEEENNNNVVVVIIIIRRRROOOONNNNMMMMEEEENNNNTTTT
sudo(8) MAINTENANCE COMMANDS sudo(8)
FFFFIIIILLLLEEEESSSS
/etc/sudoers List of who can run what
/var/run/sudo Directory containing timestamps
ssssuuuuddddoooo utilizes the following environment variables:
PATH Set to a sane value if SECURE_PATH is set
SHELL Used to determine shell to run with -s option
USER Set to the target user (root unless the -u option
@@ -291,8 +285,7 @@ FFFFIIIILLLLEEEESSSS
FFFFIIIILLLLEEEESSSS
/etc/sudoers List of who can run what
/var/run/sudo Directory containing timestamps
/tmp/.odus Same as above if no /var/run exists
/var/run/sudo Directory containing timestamps
AAAAUUUUTTTTHHHHOOOORRRRSSSS
@@ -322,10 +315,17 @@ CCCCAAAAVVVVEEEEAAAATTTTSSSS
escapes.
If users have sudo ALL there is nothing to prevent them
from creating their own program that gives them a root
shell regardless of any '!' elements in the user
specification.
Running shell scripts via ssssuuuuddddoooo can expose the same kernel
bugs that make setuid shell scripts unsafe on some
operating systems (if your OS supports the /dev/fd/
26/Feb/2000 1.6.3 5
22/Mar/2000 1.6.3 5
@@ -334,17 +334,10 @@ CCCCAAAAVVVVEEEEAAAATTTTSSSS
sudo(8) MAINTENANCE COMMANDS sudo(8)
from creating their own program that gives them a root
shell regardless of any '!' elements in the user
specification.
Running shell scripts via ssssuuuuddddoooo can expose the same kernel
bugs that make setuid shell scripts unsafe on some
operating systems (if your OS supports the /dev/fd/
directory, setuid shell scripts are generally safe).
SSSSEEEEEEEE AAAALLLLSSSSOOOO
_s_u_d_o_e_r_s(5), _v_i_s_u_d_o(8), _s_u(1).
_l_o_g_i_n___c_a_p(3), _s_u_d_o_e_r_s(5), _v_i_s_u_d_o(8), _s_u(1).
@@ -391,6 +384,13 @@ SSSSEEEEEEEE AAAALLLLSSSSOOOO
26/Feb/2000 1.6.3 6
22/Mar/2000 1.6.3 6

44
sudo.man.in
View File

@@ -2,8 +2,12 @@
''' $RCSfile$$Revision$$Date$
'''
''' $Log$
''' Revision 1.1 2000/03/23 00:17:29 millert
''' configure does substitution on these to produce *.man
''' Revision 1.2 2000/03/23 00:35:58 millert
''' Add FreeBSD login.conf support (untested on BSD/OS) based on a patch from
''' Michael D. Marchionna.
''' configure now does substitution on the man pages, allowing us to
''' fix up the paths and set the section correctly. Based on an idea
''' from Michael D. Marchionna.
'''
'''
.de Sh
@@ -96,7 +100,7 @@
.nr % 0
.rr F
.\}
.TH sudo.pod.in @mansectsu@ "1.6.3" "22/Mar/2000" "MAINTENANCE COMMANDS"
.TH sudo @mansectsu@ "1.6.3" "22/Mar/2000" "MAINTENANCE COMMANDS"
.UC
.if n .hy 0
.if n .na
@@ -327,22 +331,22 @@ not disable user-defined library search paths for setuid programs
(most do), you should either use a linker option that disables this
behavior or link \fBsudo\fR statically.
.PP
\fBsudo\fR will check the ownership of its timestamp directory (\fI@TIMEDIR@\fR)
and ignore the directory's contents if it is not owned by root and
only writable by root. On systems that allow non-root users to
give away files via \fIchown\fR\|(2), if the timestamp directory is located
in a directory writable by anyone (eg: \fI/tmp\fR), it is possible for
a user to create the timestamp directory before \fBsudo\fR is run.
However, because \fBsudo\fR checks the ownership and mode of the
directory and its contents, the only damage that can be done is to
\*(L"hide\*(R" files by putting them in the timestamp dir. This is unlikely
to happen since once the timestamp dir is owned by root and
inaccessible by any other user the user placing files there would
be unable to get them back out. To get around this issue you can
use a directory that is not world-writable for the timestamps
(\fI/var/adm/sudo\fR for instance) or create \fI@TIMEDIR@\fR with the
appropriate owner (root) and permissions (0700) in the system startup
files.
\fBsudo\fR will check the ownership of its timestamp directory
(\fI@TIMEDIR@\fR by default) and ignore the directory's contents if
it is not owned by root and only writable by root. On systems that
allow non-root users to give away files via \fIchown\fR\|(2), if the timestamp
directory is located in a directory writable by anyone (eg: \fI/tmp\fR),
it is possible for a user to create the timestamp directory before
\fBsudo\fR is run. However, because \fBsudo\fR checks the ownership and
mode of the directory and its contents, the only damage that can
be done is to \*(L"hide\*(R" files by putting them in the timestamp dir.
This is unlikely to happen since once the timestamp dir is owned
by root and inaccessible by any other user the user placing files
there would be unable to get them back out. To get around this
issue you can use a directory that is not world-writable for the
timestamps (\fI/var/adm/sudo\fR for instance) or create \fI@TIMEDIR@\fR
with the appropriate owner (root) and permissions (0700) in the
system startup files.
.PP
\fBsudo\fR will not honor timestamps set far in the future.
Timestamps with a date greater than current_time + 2 * \f(CWTIMEOUT\fR
@@ -438,7 +442,7 @@ are generally safe).
\fIlogin_cap\fR\|(3), \fIsudoers\fR\|(5), \fIvisudo\fR\|(8), \fIsu\fR\|(1).
.rn }` ''
.IX Title "sudo.pod.in @mansectsu@"
.IX Title "sudo @mansectsu@"
.IX Name "sudo - execute a command as another user"
.IX Header "NAME"

77
sudo.pod
View File

@@ -42,7 +42,7 @@ sudo - execute a command as another user
=head1 SYNOPSIS
B<sudo> B<-V> | B<-h> | B<-l> | B<-L> | B<-v> | B<-k> | B<-K> | B<-s> |
[ B<-H> ] [B<-S> ] [ B<-b> ] | [ B<-p> prompt ]
[ B<-H> ] [B<-S> ] [ B<-b> ] | [ B<-p> prompt ] [ B<-c> class|- ]
[ B<-u> username/#uid ] I<command>
=head1 DESCRIPTION
@@ -59,7 +59,7 @@ user may then use sudo without a password for a short period of time
(five minutes by default).
B<sudo> determines who is an authorized user by consulting the
file F</etc/sudoers>. By giving B<sudo> the C<-v> flag a user
file F<@sysconfdir@/sudoers>. By giving B<sudo> the C<-v> flag a user
can update the time stamp without running a I<command.>
The password prompt itself will also time out if the user's password is
not entered with N minutes (again, this is defined at configure
@@ -137,9 +137,22 @@ contains the C<%u> escape, C<%u> will be replaced with the user's
login name. Similarly, C<%h> will be replaced with the local
hostname.
=item -c
The C<-c> (I<class>) option causes B<sudo> to run the specified command
with resources limited by the specified login class. The I<class>
argument can be either a class name as defined in /etc/login.conf,
or a single '-' character. Specifying the I<class> as '-' means
that the command should be run restricted by the default login
capibilities of the user the command is run as. If the I<class>
argument specifies an existing user class, the command must be run
as root, or the B<sudo> command must be run from a shell that is already
root. This option is only available on systems with BSD login classes
where B<sudo> has been configured with the --with-logincap option.
=item -u
The C<-u> (I<user>) option causes sudo to run the specified command
The C<-u> (I<user>) option causes B<sudo> to run the specified command
as a user other than I<root>. To specify a I<uid> instead of a
I<username>, use "#uid".
@@ -205,21 +218,21 @@ not disable user-defined library search paths for setuid programs
behavior or link B<sudo> statically.
B<sudo> will check the ownership of its timestamp directory
(F</var/run/sudo> or F</tmp/.odus> by default) and ignore the
directory's contents if it is not owned by root and only writable
by root. On systems that allow non-root users to give away files
via chown(2), if the timestamp directory is located in a directory
writable by anyone (ie: F</tmp>), it is possible for a user to
create the timestamp directory before B<sudo> is run. However,
because B<sudo> checks the ownership and mode of the directory and
its contents, the only damage that can be done is to "hide" files
by putting them in the timestamp dir. This is unlikely to happen
since once the timestamp dir is owned by root and inaccessible by
any other user the user placing files there would be unable to get
them back out. To get around this issue you can use a directory
that is not world-writable for the timestamps (F</var/adm/sudo> for
instance) or create /tmp/.odus with the appropriate owner (root)
and permissions (0700) in the system startup files.
(F<@TIMEDIR@> by default) and ignore the directory's contents if
it is not owned by root and only writable by root. On systems that
allow non-root users to give away files via chown(2), if the timestamp
directory is located in a directory writable by anyone (eg: F</tmp>),
it is possible for a user to create the timestamp directory before
B<sudo> is run. However, because B<sudo> checks the ownership and
mode of the directory and its contents, the only damage that can
be done is to "hide" files by putting them in the timestamp dir.
This is unlikely to happen since once the timestamp dir is owned
by root and inaccessible by any other user the user placing files
there would be unable to get them back out. To get around this
issue you can use a directory that is not world-writable for the
timestamps (F</var/adm/sudo> for instance) or create F<@TIMEDIR@>
with the appropriate owner (root) and permissions (0700) in the
system startup files.
B<sudo> will not honor timestamps set far in the future.
Timestamps with a date greater than current_time + 2 * C<TIMEOUT>
@@ -274,30 +287,8 @@ B<sudo> utilizes the following environment variables:
=head1 FILES
/etc/sudoers List of who can run what
/var/run/sudo Directory containing timestamps
B<sudo> utilizes the following environment variables:
PATH Set to a sane value if SECURE_PATH is set
SHELL Used to determine shell to run with -s option
USER Set to the target user (root unless the -u option
is specified)
HOME In -s or -H mode (or if sudo was configured with
the --enable-shell-sets-home option), set to
homedir of the target user.
SUDO_PROMPT Used as the default password prompt
SUDO_COMMAND Set to the command run by sudo
SUDO_USER Set to the login of the user who invoked sudo
SUDO_UID Set to the uid of the user who invoked sudo
SUDO_GID Set to the gid of the user who invoked sudo
SUDO_PS1 If set, PS1 will be set to its value
=head1 FILES
/etc/sudoers List of who can run what
/var/run/sudo Directory containing timestamps
/tmp/.odus Same as above if no /var/run exists
@sysconfdir@/sudoers List of who can run what
@TIMEDIR@ Directory containing timestamps
=head1 AUTHORS
@@ -338,4 +329,4 @@ are generally safe).
=head1 SEE ALSO
sudoers(5), visudo(8), su(1).
login_cap(3), sudoers(5), visudo(8), su(1).

250
sudoers.cat
View File

@@ -61,7 +61,7 @@ DDDDEEEESSSSCCCCRRRRIIIIPPPPTTTTIIIIOOOONNNN
18/Feb/2000 1.6.3 1
22/Mar/2000 1.6.3 1
@@ -127,7 +127,7 @@ sudoers(5) FILE FORMATS sudoers(5)
18/Feb/2000 1.6.3 2
22/Mar/2000 1.6.3 2
@@ -193,7 +193,7 @@ sudoers(5) FILE FORMATS sudoers(5)
18/Feb/2000 1.6.3 3
22/Mar/2000 1.6.3 3
@@ -259,7 +259,7 @@ sudoers(5) FILE FORMATS sudoers(5)
18/Feb/2000 1.6.3 4
22/Mar/2000 1.6.3 4
@@ -325,7 +325,7 @@ sudoers(5) FILE FORMATS sudoers(5)
18/Feb/2000 1.6.3 5
22/Mar/2000 1.6.3 5
@@ -391,7 +391,7 @@ sudoers(5) FILE FORMATS sudoers(5)
18/Feb/2000 1.6.3 6
22/Mar/2000 1.6.3 6
@@ -405,6 +405,12 @@ sudoers(5) FILE FORMATS sudoers(5)
root) instead of the password of the invoking
user.
use_loginclass
If set, sudo will apply the defaults specified
for the target user's login class if one
exists. Only available if sudo is configured
with the --with-logincap option.
IIIInnnntttteeeeggggeeeerrrrssss:
passwd_tries
@@ -448,16 +454,10 @@ sudoers(5) FILE FORMATS sudoers(5)
incorrect password. The default is "Sorry,
try again." unless insults are enabled.
timestampdir
The directory in which ssssuuuuddddoooo stores its
timestamp files. The default is either
/var/run/sudo or /tmp/sudo.
18/Feb/2000 1.6.3 7
22/Mar/2000 1.6.3 7
@@ -466,6 +466,10 @@ sudoers(5) FILE FORMATS sudoers(5)
sudoers(5) FILE FORMATS sudoers(5)
timestampdir
The directory in which ssssuuuuddddoooo stores its
timestamp files. The default is _@_T_I_M_E_D_I_R_@.
passprompt The default prompt to use when asking for a
password; can be overridden via the -p option
or the SUDO_PROMPT environment variable.
@@ -492,6 +496,10 @@ sudoers(5) FILE FORMATS sudoers(5)
SSSSttttrrrriiiinnnnggggssss tttthhhhaaaatttt ccccaaaannnn bbbbeeee uuuusssseeeedddd iiiinnnn aaaa bbbboooooooolllleeeeaaaannnn ccccoooonnnntttteeeexxxxtttt:
logfile Path to the sudo log file (not the syslog log
file). Setting a path turns on logging to a
file, negating this option turns it off.
syslog Syslog facility if syslog is being used for
logging (negate to disable syslog logging).
Defaults to "local2".
@@ -511,6 +519,19 @@ sudoers(5) FILE FORMATS sudoers(5)
and PATH requirements. This is not set by
default.
22/Mar/2000 1.6.3 8
sudoers(5) FILE FORMATS sudoers(5)
secure_path Path used for every command run from ssssuuuuddddoooo. If
you don't trust the people running sudo to
have a sane PATH environment variable you may
@@ -520,18 +541,6 @@ sudoers(5) FILE FORMATS sudoers(5)
verifypw This option controls when a password will be
required when a user runs sudo with the ----vvvv.
18/Feb/2000 1.6.3 8
sudoers(5) FILE FORMATS sudoers(5)
It has the following possible values:
all All the user's I<sudoers> entries for the
@@ -577,6 +586,18 @@ sudoers(5) FILE FORMATS sudoers(5)
Parameter): aaaauuuutttthhhhpppprrrriiiivvvv (if your OS supports it), aaaauuuutttthhhh,
ddddaaaaeeeemmmmoooonnnn, uuuusssseeeerrrr, llllooooccccaaaallll0000, llllooooccccaaaallll1111, llllooooccccaaaallll2222, llllooooccccaaaallll3333, llllooooccccaaaallll4444,
llllooooccccaaaallll5555, llllooooccccaaaallll6666, and llllooooccccaaaallll7777. The following syslog
22/Mar/2000 1.6.3 9
sudoers(5) FILE FORMATS sudoers(5)
priorities are supported: aaaalllleeeerrrrtttt, ccccrrrriiiitttt, ddddeeeebbbbuuuugggg, eeeemmmmeeeerrrrgggg, eeeerrrrrrrr,
iiiinnnnffffoooo, nnnnoooottttiiiicccceeee, and wwwwaaaarrrrnnnniiiinnnngggg.
@@ -586,18 +607,6 @@ sudoers(5) FILE FORMATS sudoers(5)
User_Spec ::= User_list Host_List '=' User_List Cmnd_Spec_List \
(':' User_Spec)*
18/Feb/2000 1.6.3 9
sudoers(5) FILE FORMATS sudoers(5)
Cmnd_Spec_List ::= Cmnd_Spec |
Cmnd_Spec ',' Cmnd_Spec_List
@@ -643,6 +652,18 @@ sudoers(5) FILE FORMATS sudoers(5)
modified via the NOPASSWD tag. Like a Runas_Spec, the
NOPASSWD tag sets a default for the commands that follow
it in the Cmnd_Spec_List. Conversely, the PASSWD tag can
22/Mar/2000 1.6.3 10
sudoers(5) FILE FORMATS sudoers(5)
be used to reverse things. For example:
ray rushmore = NOPASSWD: /bin/kill, /bin/ls, /usr/bin/lprm
@@ -653,17 +674,6 @@ sudoers(5) FILE FORMATS sudoers(5)
able to run _/_b_i_n_/_k_i_l_l without a password the entry would
be:
18/Feb/2000 1.6.3 10
sudoers(5) FILE FORMATS sudoers(5)
ray rushmore = NOPASSWD: /bin/kill, PASSWD: /bin/ls, /usr/bin/lprm
Note however, that the PASSWD tag has no effect on users
@@ -705,6 +715,21 @@ sudoers(5) FILE FORMATS sudoers(5)
match /usr/bin/who but not /usr/bin/X11/xterm.
22/Mar/2000 1.6.3 11
sudoers(5) FILE FORMATS sudoers(5)
EEEExxxxcccceeeeppppttttiiiioooonnnnssss ttttoooo wwwwiiiillllddddccccaaaarrrrdddd rrrruuuulllleeeessss::::
The following exceptions apply to the above rules:
@@ -718,18 +743,6 @@ sudoers(5) FILE FORMATS sudoers(5)
The pound sign ('#') is used to indicate a comment (unless
it occurs in the context of a user name and is followed by
18/Feb/2000 1.6.3 11
sudoers(5) FILE FORMATS sudoers(5)
one or more digits, in which case it is treated as a uid).
Both the comment character and any text after it, up to
the end of the line, are ignored.
@@ -770,6 +783,19 @@ EEEEXXXXAAAAMMMMPPPPLLLLEEEESSSS
User_Alias PARTTIMERS = bostley, jwfox, crawl
User_Alias WEBMASTERS = will, wendy, wim
22/Mar/2000 1.6.3 12
sudoers(5) FILE FORMATS sudoers(5)
# Runas alias specification
Runas_Alias OP = root, operator
Runas_Alias DB = oracle, sybase
@@ -784,18 +810,6 @@ EEEEXXXXAAAAMMMMPPPPLLLLEEEESSSS
Host_Alias SERVERS = master, mail, www, ns
Host_Alias CDROM = orion, perseus, hercules
18/Feb/2000 1.6.3 12
sudoers(5) FILE FORMATS sudoers(5)
# Cmnd alias specification
Cmnd_Alias DUMPS = /usr/bin/mt, /usr/sbin/dump, /usr/sbin/rdump,\
/usr/sbin/restore, /usr/sbin/rrestore
@@ -836,6 +850,18 @@ sudoers(5) FILE FORMATS sudoers(5)
FULLTIMERS ALL = NOPASSWD: ALL
Full time sysadmins (mmmmiiiilllllllleeeerrrrtttt, mmmmiiiikkkkeeeeffff, and ddddoooowwwwddddyyyy) may run
22/Mar/2000 1.6.3 13
sudoers(5) FILE FORMATS sudoers(5)
any command on any host without authenticating themselves.
PARTTIMERS ALL = ALL
@@ -850,18 +876,6 @@ sudoers(5) FILE FORMATS sudoers(5)
_C_S_N_E_T_S alias (the networks 128.138.243.0, 128.138.204.0,
and 128.138.242.0). Of those networks, only
<128.138.204.0> has an explicit netmask (in CIDR notation)
18/Feb/2000 1.6.3 13
sudoers(5) FILE FORMATS sudoers(5)
indicating it is a class C network. For the other
networks in _C_S_N_E_T_S, the local machine's netmask will be
used during matching.
@@ -902,6 +916,18 @@ sudoers(5) FILE FORMATS sudoers(5)
netgroup. SSSSuuuuddddoooo knows that "biglab" is a netgroup due to
the '+' prefix.
22/Mar/2000 1.6.3 14
sudoers(5) FILE FORMATS sudoers(5)
+secretaries ALL = PRINTING, /usr/bin/adduser, /usr/bin/rmuser
Users in the sssseeeeccccrrrreeeettttaaaarrrriiiieeeessss netgroup need to help manage the
@@ -916,18 +942,6 @@ sudoers(5) FILE FORMATS sudoers(5)
john ALPHA = /usr/bin/su [!-]*, !/usr/bin/su *root*
On the _A_L_P_H_A machines, user jjjjoooohhhhnnnn may su to anyone except
18/Feb/2000 1.6.3 14
sudoers(5) FILE FORMATS sudoers(5)
root but he is not allowed to give _s_u(1) any flags.
jen ALL, !SERVERS = ALL
@@ -967,6 +981,19 @@ sudoers(5) FILE FORMATS sudoers(5)
type, so it is a prime candiate for encapsulating in a
shell script.
22/Mar/2000 1.6.3 15
sudoers(5) FILE FORMATS sudoers(5)
SSSSEEEECCCCUUUURRRRIIIITTTTYYYY NNNNOOOOTTTTEEEESSSS
It is generally not effective to "subtract" commands from
ALL using the '!' operator. A user can trivially
@@ -982,18 +1009,6 @@ SSSSEEEECCCCUUUURRRRIIIITTTTYYYY NNNNOOOOTTTTE
restrictions should be considered advisory at best (and
reinforced by policy).
18/Feb/2000 1.6.3 15
sudoers(5) FILE FORMATS sudoers(5)
CCCCAAAAVVVVEEEEAAAATTTTSSSS
The _s_u_d_o_e_r_s file should aaaallllwwwwaaaayyyyssss be edited by the vvvviiiissssuuuuddddoooo
command which locks the file and does grammatical
@@ -1036,22 +1051,7 @@ SSSSEEEEEEEE AAAALLLLSSSSOOOO
18/Feb/2000 1.6.3 16
22/Mar/2000 1.6.3 16
@@ -1117,6 +1117,6 @@ sudoers(5) FILE FORMATS sudoers(5)
18/Feb/2000 1.6.3 17
22/Mar/2000 1.6.3 17

12
sudoers.man.in
View File

@@ -2,8 +2,12 @@
''' $RCSfile$$Revision$$Date$
'''
''' $Log$
''' Revision 1.1 2000/03/23 00:17:29 millert
''' configure does substitution on these to produce *.man
''' Revision 1.2 2000/03/23 00:35:59 millert
''' Add FreeBSD login.conf support (untested on BSD/OS) based on a patch from
''' Michael D. Marchionna.
''' configure now does substitution on the man pages, allowing us to
''' fix up the paths and set the section correctly. Based on an idea
''' from Michael D. Marchionna.
'''
'''
.de Sh
@@ -96,7 +100,7 @@
.nr % 0
.rr F
.\}
.TH sudoers.pod.in @mansectform@ "1.6.3" "22/Mar/2000" "FILE FORMATS"
.TH sudoers @mansectform@ "1.6.3" "22/Mar/2000" "FILE FORMATS"
.UC
.if n .hy 0
.if n .na
@@ -970,7 +974,7 @@ as returned by the \f(CWhostname\fR command or use the \fIfqdn\fR option in
\fIsudo\fR\|(8), \fIvisudo\fR\|(8), \fIsu\fR\|(1), \fIfnmatch\fR\|(3).
.rn }` ''
.IX Title "sudoers.pod.in @mansectform@"
.IX Title "sudoers @mansectform@"
.IX Name "sudoers - list of which users may execute what"
.IX Header "NAME"

15
sudoers.pod
View File

@@ -370,6 +370,12 @@ If set, sudo will prompt for the password of the user specified by
the C<-u> flag (defaults to root) instead of the password of the
invoking user.
=item use_loginclass
If set, sudo will apply the defaults specified for the target user's
login class if one exists. Only available if sudo is configured with
the --with-logincap option.
=back
B<Integers>:
@@ -429,7 +435,7 @@ The default is "Sorry, try again." unless insults are enabled.
=item timestampdir
The directory in which B<sudo> stores its timestamp files.
The default is either C</var/run/sudo> or C</tmp/sudo>.
The default is F<@TIMEDIR@>.
=item passprompt
@@ -464,6 +470,11 @@ B<Strings that can be used in a boolean context>:
=over 12
=item logfile
Path to the sudo log file (not the syslog log file). Setting a path
turns on logging to a file, negating this option turns it off.
=item syslog
Syslog facility if syslog is being used for logging (negate to
@@ -898,7 +909,7 @@ I<sudoers>.
=head1 FILES
/etc/sudoers List of who can run what
@sysconfdir@/sudoers List of who can run what
/etc/group Local groups file
/etc/netgroup List of network groups

12
visudo.cat
View File

@@ -55,13 +55,13 @@ EEEERRRRRRRROOOORRRRSSSS
sudoers file busy, try again later.
Someone else is currently editing the _s_u_d_o_e_r_s file.
/etc/sudoers.tmp: Permission denied
@sysconf@/sudoers.tmp: Permission denied
You didn't run vvvviiiissssuuuuddddoooo as root.
15/Feb/2000 1.6.3 1
22/Mar/2000 1.6.3 1
@@ -91,8 +91,8 @@ EEEENNNNVVVVIIIIRRRROOOONNNNMMMMEEEENNNNTTTT
FFFFIIIILLLLEEEESSSS
/etc/sudoers List of who can run what
/etc/sudoers.tmp Lock file for visudo
@sysconf@/sudoers List of who can run what
@sysconf@/sudoers.tmp Lock file for visudo
AAAAUUUUTTTTHHHHOOOORRRR
@@ -127,7 +127,7 @@ SSSSEEEEEEEE AAAALLLLSSSSOOOO
15/Feb/2000 1.6.3 2
22/Mar/2000 1.6.3 2
@@ -193,6 +193,6 @@ visudo(8) MAINTENANCE COMMANDS visudo(8)
15/Feb/2000 1.6.3 3
22/Mar/2000 1.6.3 3

12
visudo.man.in
View File

@@ -2,8 +2,12 @@
''' $RCSfile$$Revision$$Date$
'''
''' $Log$
''' Revision 1.1 2000/03/23 00:17:30 millert
''' configure does substitution on these to produce *.man
''' Revision 1.2 2000/03/23 00:35:59 millert
''' Add FreeBSD login.conf support (untested on BSD/OS) based on a patch from
''' Michael D. Marchionna.
''' configure now does substitution on the man pages, allowing us to
''' fix up the paths and set the section correctly. Based on an idea
''' from Michael D. Marchionna.
'''
'''
.de Sh
@@ -96,7 +100,7 @@
.nr % 0
.rr F
.\}
.TH visudo.pod.in @mansectsu@ "1.6.3" "18/Mar/2000" "MAINTENANCE COMMANDS"
.TH visudo @mansectsu@ "1.6.3" "22/Mar/2000" "MAINTENANCE COMMANDS"
.UC
.if n .hy 0
.if n .na
@@ -280,7 +284,7 @@ the editor used by \fBvisudo\fR allows shell escapes.
\fIsudo\fR\|(8), \fIvipw\fR\|(8).
.rn }` ''
.IX Title "visudo.pod.in @mansectsu@"
.IX Title "visudo @mansectsu@"
.IX Name "visudo - edit the sudoers file"
.IX Header "NAME"

6
visudo.pod
View File

@@ -98,7 +98,7 @@ and exit.
Someone else is currently editing the I<sudoers> file.
=item /etc/sudoers.tmp: Permission denied
=item @sysconf@/sudoers.tmp: Permission denied
You didn't run B<visudo> as root.
@@ -127,8 +127,8 @@ was configured with the I<--with-env-editor> option:
=head1 FILES
/etc/sudoers List of who can run what
/etc/sudoers.tmp Lock file for visudo
@sysconf@/sudoers List of who can run what
@sysconf@/sudoers.tmp Lock file for visudo
=head1 AUTHOR