Todd C. Miller
2007-12-19 21:40:47 +00:00
parent e60093477e
commit d7090332e5

103
TODO

@@ -18,145 +18,140 @@ TODO list (most will be addressed in sudo 2.0)
after doing the stat to guard against spoofing. This should avoid after doing the stat to guard against spoofing. This should avoid
the race condition caused by going through namei() twice... the race condition caused by going through namei() twice...
08) Make runas_user a struct "runas" with user and group components. 08) Should be able to mix Cmnd_Alias's and command args. Ie:
(maybe uid and gid too???)
09) Should be able to mix Cmnd_Alias's and command args. Ie:
pete ALL=PASSWD [A-z]*,!PASSWD root pete ALL=PASSWD [A-z]*,!PASSWD root
where PASSWD was defined to be /usr/bin/passwd. where PASSWD was defined to be /usr/bin/passwd.
This requires the arg parsing to happen in the yacc grammer. This requires the arg parsing to happen in the yacc grammer.
At the very least, commands and args have to become separate At the very least, commands and args have to become separate
tokens in the lexer. tokens in the lexer.
10) Add a per-tty restriction? Ie: only can run foo from /dev/console. 09) Add a per-tty restriction? Ie: only can run foo from /dev/console.
11) Add test for how to read ether interfaces in configure script 10) Add test for how to read ether interfaces in configure script
12) Use strtol() and strtoul(), not atoi() 11) Use strtol() and strtoul(), not atoi()
13) Implement date_format and log_format options. 12) Implement date_format and log_format options.
14) Add support for: Default:user@host 13) Add support for: Default:user@host
15) Some people want to be able to specify a special password in sudoers 14) Some people want to be able to specify a special password in sudoers
in addition or instead of the normal one. The best argument for in addition or instead of the normal one. The best argument for
this so far is to be able to use separate passwords for the this so far is to be able to use separate passwords for the
target users that are not the passwd file ones. target users that are not the passwd file ones.
16) Add support for trusted users. E.g. allow user to run a certain 15) Add support for trusted users. E.g. allow user to run a certain
command regardless of what dir it is in if it is owned by the command regardless of what dir it is in if it is owned by the
trusted user. trusted user.
17) Add a flag similar to '-l' but that spits out sudo commands in 16) Add a flag similar to '-l' but that spits out sudo commands in
a format suitable for cut & paste into sudoers. a format suitable for cut & paste into sudoers.
18) Someone wants a recursive version of the dir specifier. Ie: 17) Someone wants a recursive version of the dir specifier. Ie:
SOME_MODIFIER:/usr/local/ to allow anything under /usr/local to be run. SOME_MODIFIER:/usr/local/ to allow anything under /usr/local to be run.
19) An option to set the shell to the target user would make sense. 18) An option to set the shell to the target user would make sense.
See other target user-related issues above. See other target user-related issues above.
20) Add an option (-D) to dump the defaults after the sudoers file 19) Add an option (-D) to dump the defaults after the sudoers file
has been parsed. Should only be available to root and should has been parsed. Should only be available to root and should
allow a -u user modifier. Maybe dump all of sudoers? allow a -u user modifier. Maybe dump all of sudoers?
21) Allow /etc/sudoers to be a symlink but require the parent dir to 20) Allow /etc/sudoers to be a symlink but require the parent dir to
be root-owned and not writable by anything else. Should really be root-owned and not writable by anything else. Should really
traverse the tree to the root doing this. traverse the tree to the root doing this.
22) Improve interfaces.c STREAMS code (see ntpd's ntp_io.c for hints) 21) Improve interfaces.c STREAMS code (see ntpd's ntp_io.c for hints)
23) Wildcard support for user and group names? (netgroup too?) 22) Wildcard support for user and group names? (netgroup too?)
24) If root_sudo is off, still allow sudo -u to non-root users? 23) If root_sudo is off, still allow sudo -u to non-root users?
25) Parse gids like %#0 24) For AIX, use setpenv() and setpcred() if they exist
26) For AIX, use setpenv() and setpcred() if they exist
http://publibn.boulder.ibm.com/doc_link/en_US/a_doc_lib/libs/basetrf2/setpenv.htm http://publibn.boulder.ibm.com/doc_link/en_US/a_doc_lib/libs/basetrf2/setpenv.htm
http://publib16.boulder.ibm.com/pseries/en_US/libs/basetrf2/setpcred.htm http://publib16.boulder.ibm.com/pseries/en_US/libs/basetrf2/setpcred.htm
27) Add an insult_path variable that is intialized to "builtin" but that 25) Add an insult_path variable that is intialized to "builtin" but that
can point to other files containing an insult count as the first can point to other files containing an insult count as the first
line and that have a constant record length (sparse files) for line and that have a constant record length (sparse files) for
easy seeking. easy seeking.
28) Some way of using a new pty for the program run via sudo would prevent 26) Some way of using a new pty for the program run via sudo would prevent
access to the caller's /dev/tty (but probably makes job control tricky). access to the caller's /dev/tty (but probably makes job control tricky).
29) Maybe have a database of checksums that commands are verified against. 27) Maybe have a database of checksums that commands are verified against.
Basically replace the st_ino/st_dev check with a checksum lookup. Basically replace the st_ino/st_dev check with a checksum lookup.
30) Look into testing writability of a file via sudoedit *before* doing 28) Look into testing writability of a file via sudoedit *before* doing
the edit; e.g., try opening with O_APPEND. the edit; e.g., try opening with O_APPEND.
31) Add Makefile.in bits to autogenerate Solaris and Irix packages 29) Add Makefile.in bits to autogenerate Solaris and Irix packages
32) Add a session mode where sudo allocates a pty and logs everything 30) Add a session mode where sudo allocates a pty and logs everything
that occurs ala script(1). that occurs ala script(1).
33) Use pam_open_session() and pam_close_session() (requires a persistent 31) Use pam_open_session() and pam_close_session() (requires a persistent
sudo process to call pam_close_session()). Maybe add xauth support for sudo process to call pam_close_session()). Maybe add xauth support for
the non-pam case? the non-pam case?
34) Add substitution mechanism in sudoers to subst, e.g. editors for sudoedit 32) Add substitution mechanism in sudoers to subst, e.g. editors for sudoedit
35) Move prototypes to extern.h? 33) Move prototypes to extern.h?
36) Get rid of VALIDATE_NOT_OK and just set/clear VALIDATE_OK 34) Get rid of VALIDATE_NOT_OK and just set/clear VALIDATE_OK
37) visudo -c should also sanity check aliases 35) visudo -c should also sanity check aliases
38) Use AC_CHECK_DECLS for systems w/o proper prototypes? Maybe errno too? 36) Use AC_CHECK_DECLS for systems w/o proper prototypes? Maybe errno too?
39) Flesh out testsudoers and fix glob/opendir issues. Use custom netgroup 37) Flesh out testsudoers and fix glob/opendir issues. Use custom netgroup
code too? code too?
40) Think some more about giving admins a way to test commands for a user 38) Think some more about giving admins a way to test commands for a user
on a specific host with a different sudoers file. on a specific host with a different sudoers file.
41) Add nsswitch.conf parsing to LDAP support. 39) Add nsswitch.conf parsing to LDAP support.
42) Refactor duplicated code in ldap.c into wrapper functions. 40) Refactor duplicated code in ldap.c into wrapper functions.
43) Return command from command_matches() instead of setting safe_cmnd directly. 41) Return command from command_matches() instead of setting safe_cmnd directly.
44) Roll visudo into sudo ala sudoedit. 42) Roll visudo into sudo ala sudoedit.
45) Add ticket file to ticket dir in non-tty tickets case so we 43) Add ticket file to ticket dir in non-tty tickets case so we
can mix tty and non-tty ticket schemes. can mix tty and non-tty ticket schemes.
46) Use ldap_get_values_len() instead of ldap_get_values() for 44) Use ldap_get_values_len() instead of ldap_get_values() for
OpenLDAP (what about others?) OpenLDAP (what about others?)
47) Add support for NOEXEC w/ 64-bit AIX executables. 45) Add support for NOEXEC w/ 64-bit AIX executables.
http://publib.boulder.ibm.com/infocenter/pseries/v5r3/index.jsp?topic=/com.ibm.xlf91a.doc/xlfug/comp64.htm http://publib.boulder.ibm.com/infocenter/pseries/v5r3/index.jsp?topic=/com.ibm.xlf91a.doc/xlfug/comp64.htm
48) Revisit debian fqdn diffs. 46) Revisit debian fqdn diffs.
49) Add gettext() support. Can borrow some translations from PAM. 47) Add gettext() support. Can borrow some translations from PAM.
50) Convert the other capitalized files into .pod so we can get decent html 48) Convert the other capitalized files into .pod so we can get decent html
form them? E.g. README, etc. E.g. form them? E.g. README, etc. E.g.
pod2text -l -i0 history.pod > HISTORY pod2text -l -i0 history.pod > HISTORY
pod2html --noindex history.pod > history.html pod2html --noindex history.pod > history.html
51) Use mkstemp() for visudo temp files? Also re-examine locking. 49) Use mkstemp() for visudo temp files? Also re-examine locking.
52) Add SSL support for ldap, see http://docs.sun.com/source/816-5616-10/ssl.htm#12979 and enablefor "ssl on" 50) Run sudo thorugh valgrind
53) Run sudo thorugh valgrind 51) Make -a and -c options in sudo.pod only visible when available.
54) Make -a and -c options in sudo.pod only visible when available.
Could use an nroff register combines with configure substitute magic. Could use an nroff register combines with configure substitute magic.
Note that configure substitution runs on the .man.in file not the Note that configure substitution runs on the .man.in file not the
.pod file. .pod file.
55) Consolidate line wrap code. 52) Consolidate line wrap code.
56) How can we distinguish between a bare '\\' and one that is escaping 53) How can we distinguish between a bare '\\' and one that is escaping
glob chars? Right now we convert \\ -> \ in the lexer which glob chars? Right now we convert \\ -> \ in the lexer which
causes the confusion. causes the confusion.
57) For LDAP entries, should be able to parse the per-command options 54) For LDAP entries, should be able to parse the per-command options
since they may affect the outcome (e.g. default_runas). since they may affect the outcome (e.g. default_runas).
55) Better LDAP documention. Perhaps a sudo-ldap man page.
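Review bot: The new entry 55 reads "Better LDAP documention", which should be "documentation". Since almost every numbered line is already rewritten for the renumbering, the typos carried over unchanged could be fixed in the same pass: "grammer" in the Cmnd_Alias entry, "intialized" in the insult_path entry, "thorugh valgrind", "form them" (from them) in the .pod entry, and "combines with" in the sudo.pod entry. Three entries disappear (old 08 on the runas struct, old 25 "Parse gids like %#0", old 52 on SSL support for ldap) and nothing in the visible lines records whether they were implemented or abandoned; the commit message should say which, particularly for the LDAP SSL item, where the difference matters to anyone deciding whether LDAP traffic is protected. Removing those three also shifts the number of every later entry, so any reference to a TODO item by number goes stale; unnumbered bullets or stable labels would keep future diffs down to the lines that actually change.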