From d744271a63d4fb1f8333b45b030d396bda47029b Mon Sep 17 00:00:00 2001 From: "Todd C. Miller" Date: Thu, 20 Oct 2022 08:08:48 -0600 Subject: [PATCH] Make it clear that runas_default sets the default user for Runas_Spec. Also mention runas_default in other parts of the manual, use @runas_default@ instead of root and add markup around user names. GitHub issue #186. --- docs/sudoers.man.in | 216 ++++++++++++++++++++++++++++++------------- docs/sudoers.mdoc.in | 216 ++++++++++++++++++++++++++++++------------- 2 files changed, 302 insertions(+), 130 deletions(-) diff --git a/docs/sudoers.man.in b/docs/sudoers.man.in index 6f5818cb1..dec073b31 100644 --- a/docs/sudoers.man.in +++ b/docs/sudoers.man.in @@ -25,7 +25,7 @@ .nr BA @BAMAN@ .nr LC @LCMAN@ .nr PS @PSMAN@ -.TH "SUDOERS" "@mansectform@" "September 27, 2022" "Sudo @PACKAGE_VERSION@" "File Formats Manual" +.TH "SUDOERS" "@mansectform@" "October 20, 2022" "Sudo @PACKAGE_VERSION@" "File Formats Manual" .nh .if n .ad l .SH "NAME" @@ -179,16 +179,19 @@ security policy requires that most users authenticate themselves before they can use \fBsudo\fR. A password is not required -if the invoking user is root, if the target user is the same as the -invoking user, or if the policy has disabled authentication for the -user or command. +if the invoking user is +\fBroot\fR, +if the target user is the same as the invoking user, or if the +policy has disabled authentication for the user or command. Unlike su(1), when \fBsudoers\fR requires authentication, it validates the invoking user's credentials, not -the target user's (or root's) credentials. +the target user's (or +\fB@runas_default@\fR's) +credentials. This can be changed via the \fIrootpw\fR, @@ -230,7 +233,9 @@ are logged, regardless of whether or not mail is sent. .PP If \fBsudo\fR -is run by root and the +is run by +\fBroot\fR +and the \fRSUDO_USER\fR environment variable is set, the 
@@ -238,7 +243,9 @@ is set, the policy will use this value to determine who the actual user is. This can be used by a user to log commands -through sudo even when a root shell has been invoked. +through sudo even when a +\fBroot\fR +shell has been invoked. It also allows the \fB\-e\fR @@ -246,7 +253,9 @@ option to remain useful even when invoked via a sudo-run script or program. Note, however, that the \fIsudoers\fR -file lookup is still done for root, not the user specified by +file lookup is still done for +\fBroot\fR, +not the user specified by \fRSUDO_USER\fR. .PP \fBsudoers\fR @@ -456,7 +465,9 @@ as modified by global Defaults parameters in \fIsudoers\fR, is displayed when \fBsudo\fR -is run by root with the +is run by +\fBroot\fR +with the \fB\-V\fR option. The list of environment variables to remove @@ -926,8 +937,11 @@ it can contain User names and groups are matched as strings. In other words, two users (groups) with the same user (group) ID are considered to be distinct. -If you wish to match all user names with the same user-ID (e.g., root and -toor), you can use a user-ID instead of a name (#0 in the example given). +If you wish to match all user names with the same user-ID (e.g., +\fBroot\fR +and +\fBtoor\fR), +you can use a user-ID instead of a name (#0 in the example given). The user-ID or group-ID specified in a \fIRunas_Member\fR need not be listed in the password or group database. @@ -1308,10 +1322,12 @@ A \fBuser specification\fR determines which commands a user may run (and as what user) on specified hosts. -By default, commands are -run as -\fBroot\fR, -but this can be changed on a per-command basis. +By default, commands are run as +\fB@runas_default@\fR +(unless +\fIrunas_default\fR +has been set to a different value) +but this can also be changed on a per-command basis. .PP The basic structure of a user specification is \(lqwho where = (as_whom) what\(rq. 
@@ -1355,11 +1371,14 @@ are empty, the command may only be run as the invoking user and the group, if specified, must be one that the invoking user is a member of. If no \fIRunas_Spec\fR -is specified, the command may only be run as -\fBroot\fR -and the group, if specified, must be one that -\fBroot\fR -is a member of. +is specified, the command may only be run as the +\fIrunas_default\fR +user +(\fB@runas_default@\fR +by default) and the group, +if specified, must be one that the +\fIrunas_default\fR +user is a member of. .PP A \fIRunas_Spec\fR @@ -1487,7 +1506,10 @@ alan ALL = (root, bin : operator, system) ALL .PP user \fBalan\fR -may run any command as either user root or bin, +may run any command as either user +\fBroot\fR +or +\fBbin\fR, optionally setting the group to operator or system. .SS "Option_Spec" A @@ -1554,7 +1576,9 @@ alice ALL = (root) APPARMOR_PROFILE=my-profile ALL .PP the user \fBalice\fR -may run any command as root under confinement by the profile +may run any command as +\fBroot\fR +under confinement by the profile \(oqmy-profile\(cq. You can also stack profiles, or allow a user to run commands unconfined by any profile. @@ -1573,7 +1597,9 @@ entries allow user \fBbob\fR to run \fI/usr/bin/vi\fR -as root under the stacked profiles +as +\fBroot\fR +under the stacked profiles \(oqfoo\(cq and \(oqbar\(cq, @@ -1927,7 +1953,7 @@ to run and \fI/usr/bin/lprm\fR as -\fBroot\fR +\fB@runas_default@\fR on the machine \(lqrushmore\(rq without authenticating himself. @@ -2200,7 +2226,11 @@ In the following example, user \fBjohn\fR can run the passwd(1) -command as root on any host but is not allowed to change root's password. +command as +\fB@runas_default@\fR +on any host but is not allowed to change +\fBroot\fR's +password. This kind of rule is impossible to express safely using wildcards. .nf .sp @@ -2237,7 +2267,8 @@ to run the \fI/usr/sbin/usermod\fR, and \fI/usr/sbin/userdel\fR -commands as root. +commands as +\fB@runas_default@\fR. .nf .sp .RS 4n 
@@ -2485,7 +2516,9 @@ This allows one to exclude certain values. For the \(oq\&!\(cq operator to be effective, there must be something for it to exclude. -For example, to match all users except for root one would use: +For example, to match all users except for +\fBroot\fR +one would use: .nf .sp .RS 4n @@ -2503,7 +2536,9 @@ is omitted, as in: .RE .fi .PP -it would explicitly deny root but not match any other users. +it would explicitly deny +\fBroot\fR +but not match any other users. This is different from a true \(lqnegation\(rq operator. @@ -2570,7 +2605,9 @@ If enabled, will set the \fRHOME\fR environment variable to the home directory of the target user -(which is the root user unless the +(which is the +\fIrunas_default\fR +user unless the \fB\-u\fR option is used). This flag is largely obsolete and has no effect unless the @@ -2709,9 +2746,13 @@ or \fREDITOR\fR environment variables before falling back on the default editor list. \fBvisudo\fR -is typically run as root so this flag may allow a user with +is typically run as +\fBroot\fR +so this flag may allow a user with \fBvisudo\fR -privileges to run arbitrary commands as root without logging. +privileges to run arbitrary commands as +\fBroot\fR +without logging. An alternative is to place a colon-separated list of \(lqsafe\(rq editors int the @@ -2777,7 +2818,9 @@ lists, as modified by global Defaults parameters in \fIsudoers\fR, are displayed when \fBsudo\fR -is run by root with the +is run by +\fBroot\fR +with the \fB\-V\fR option. If the 
@@ -3736,17 +3779,23 @@ This flag is by default. .TP 18n root_sudo -If set, root is allowed to run +If set, +\fBroot\fR +is allowed to run \fBsudo\fR too. Disabling this prevents users from \(lqchaining\(rq \fBsudo\fR -commands to get a root shell by doing something like +commands to get a +\fBroot\fR +shell by doing something like \(oqsudo sudo /bin/sh\(cq. Note, however, that turning off \fIroot_sudo\fR -will also prevent root from running +will also prevent +\fBroot\fR +from running \fBsudoedit\fR. Disabling \fIroot_sudo\fR @@ -3758,7 +3807,9 @@ by default. rootpw If set, \fBsudo\fR -will prompt for the root password instead of the password of the invoking user +will prompt for the +\fBroot\fR +password instead of the password of the invoking user when running a command or editing a file. This flag is \fIoff\fR @@ -3808,7 +3859,8 @@ If set, \fBsudo\fR will prompt for the password of the user defined by the \fIrunas_default\fR -option (defaults to @runas_default@) +option (defaults to +\fB@runas_default@\fR) instead of the password of the invoking user when running a command or editing a file. This flag is @@ -3833,7 +3885,9 @@ is invoked with the option, the \fRHOME\fR environment variable will be set to the home directory of the target -user (which is the root user unless the +user (which is the +\fIrunas_default\fR +user unless the \fB\-u\fR option is used). This flag is largely obsolete and has no effect unless the @@ -3854,7 +3908,9 @@ will set the \fRLOGNAME\fR and \fRUSER\fR -environment variables to the name of the target user (usually root unless the +environment variables to the name of the target user (the user specified by +\fIrunas_default\fR +unless the \fB\-u\fR option is given). However, since some programs (including the RCS revision control system) use 
@@ -3924,7 +3980,9 @@ If set and is invoked with no arguments it acts as if the \fB\-s\fR option had been given. -That is, it runs a shell as root (the shell is determined by the +That is, it runs a shell as +\fBroot\fR +(the shell is determined by the \fRSHELL\fR environment variable if it is set, falling back on the shell listed in the invoking user's /etc/passwd entry if not). @@ -3936,7 +3994,9 @@ stay_setuid Normally, when \fBsudo\fR executes a command the real and effective user-IDs are set to the target -user (root by default). +user +(\fB@runas_default@\fR +by default). This option changes that behavior such that the real user-ID is left as the invoking user's user-ID. In other words, this makes @@ -3964,7 +4024,8 @@ Symbolic links will not be followed in writable directories and will refuse to edit a file located in a writable directory. These restrictions are not enforced when \fBsudoedit\fR -is run by root. +is run by +\fBroot\fR. On some systems, if all directory components of the path to be edited are not readable by the target user, \fBsudoedit\fR @@ -4014,7 +4075,8 @@ If set, will prompt for the password of the user specified by the \fB\-u\fR -option (defaults to root) +option (defaults to the value of +\fIrunas_default\fR) instead of the password of the invoking user when running a command or editing a file. This flag precludes the use of a user-ID not listed in the passwd @@ -4475,11 +4537,13 @@ expanded to the name of the invoking user's real group-ID .TP 6n %{runas_user} expanded to the login name of the user the command will -be run as (e.g., root) +be run as (e.g., +\fBroot\fR) .TP 6n %{runas_group} expanded to the group name of the user the command will -be run as (e.g., wheel) +be run as (e.g., +\fBwheel\fR) .TP 6n %{hostname} expanded to the local host name without the domain name 
@@ -4766,7 +4830,8 @@ flags in .TP 6n \&%U expanded to the login name of the user the command will -be run as (defaults to root) +be run as (defaults to +\fB@runas_default@\fR) .TP 6n %u expanded to the invoking user's login name @@ -4830,7 +4895,8 @@ runas_default The default user to run commands as if the \fB\-u\fR option is not specified on the command line. -This defaults to @runas_default@. +This defaults to +\fB@runas_default@\fR. .TP 18n sudoers_locale Locale to use when parsing the sudoers file, logging commands, and @@ -4908,7 +4974,8 @@ The default is timestampowner The owner of the lecture status directory, time stamp directory and all files stored therein. -The default is root. +The default is +\fBroot\fR. .if \n(SL \{\ .TP 18n type @@ -5557,8 +5624,9 @@ option is enabled or disabled, variables specified by will be preserved in the environment if they pass the aforementioned check. The global list of environment variables to check is displayed when \fBsudo\fR -is run by root with -the +is run by +\fBroot\fR +with the \fB\-V\fR option. .RE @@ -5578,7 +5646,9 @@ and operators respectively. The global list of environment variables to remove is displayed when \fBsudo\fR -is run by root with the +is run by +\fBroot\fR +with the \fB\-V\fR option. Many operating systems will remove potentially dangerous variables @@ -5604,7 +5674,9 @@ operators respectively. The global list of variables to keep is displayed when \fBsudo\fR -is run by root with the +is run by +\fBroot\fR +with the \fB\-V\fR option. .sp @@ -6017,7 +6089,9 @@ unable to open @rundir@/ts/username was unable to read or create the user's time stamp file. This can happen when \fItimestampowner\fR -is set to a user other than root and the mode on +is set to a user other than +\fBroot\fR +and the mode on \fI@rundir@\fR is not searchable by group or other. The default mode for 
@@ -6641,7 +6715,8 @@ need not provide a password and we don't want to reset the \fRLOGNAME\fR or \fRUSER\fR -environment variables when running commands as root. +environment variables when running commands as +\fBroot\fR. Additionally, on the machines in the \fRSERVERS\fR \fIHost_Alias\fR, @@ -6807,7 +6882,8 @@ groups). The user \fBpete\fR is allowed to change anyone's password except for -root on the +\fBroot\fR +on the \fRHPPA\fR machines. Because command line arguments are matched as a single, @@ -6908,8 +6984,9 @@ On the \fRALPHA\fR machines, user \fBjohn\fR -may su to anyone except root but he is not allowed to specify any options -to the +may su to anyone except +\fBroot\fR +but he is not allowed to specify any options to the su(1) command. .nf @@ -7034,7 +7111,9 @@ advisory at best (and reinforced by policy). In general, if a user has sudo \fBALL\fR there is nothing to prevent them from creating their own program that gives -them a root shell (or making their own copy of a shell) regardless of any +them a +\fBroot\fR +shell (or making their own copy of a shell) regardless of any \(oq!\&\(cq elements in the user specification. .SS "Security implications of \fIfast_glob\fR" @@ -7418,9 +7497,11 @@ is enabled. .RE .PP Restricting shell escapes is not a panacea. -Programs running as root are still capable of many potentially hazardous -operations (such as changing or overwriting files) that could lead -to unintended privilege escalation. +Programs running as +\fBroot\fR +are still capable of many potentially hazardous operations (such +as changing or overwriting files) that could lead to unintended +privilege escalation. In the specific case of an editor, a safer approach is to give the user permission to run \fBsudoedit\fR 
@@ -7473,7 +7554,9 @@ $ sudoedit /etc/motd .RE .fi .PP -The editor will run as the operator user, not root, on a temporary copy of +The editor will run as the operator user, not +\fB@runas_default@\fR, +on a temporary copy of \fI/etc/motd\fR. After the file has been edited, \fI/etc/motd\fR @@ -7494,7 +7577,8 @@ not be followed in writable directories and will refuse to edit a file located in a writable directory unless the \fIsudoedit_checkdir\fR -option has been disabled or the invoking user is root. +option has been disabled or the invoking user is +\fBroot\fR. Additionally, in version 1.8.15 and higher, \fBsudoedit\fR will refuse to open a symbolic link unless either the @@ -7511,8 +7595,10 @@ file. will check the ownership of its time stamp directory (\fI@rundir@/ts\fR by default) -and ignore the directory's contents if it is not owned by root or -if it is writable by a user other than root. +and ignore the directory's contents if it is not owned by +\fBroot\fR +or if it is writable by a user other than +\fBroot\fR. Older versions of \fBsudo\fR stored time stamp files in diff --git a/docs/sudoers.mdoc.in b/docs/sudoers.mdoc.in index 911b69afc..d09f06a99 100644 --- a/docs/sudoers.mdoc.in +++ b/docs/sudoers.mdoc.in @@ -25,7 +25,7 @@ .nr BA @BAMAN@ .nr LC @LCMAN@ .nr PS @PSMAN@ -.Dd September 27, 2022 +.Dd October 20, 2022 .Dt SUDOERS @mansectform@ .Os Sudo @PACKAGE_VERSION@ .Sh NAME 
@@ -168,16 +168,19 @@ security policy requires that most users authenticate themselves before they can use .Nm sudo . A password is not required -if the invoking user is root, if the target user is the same as the -invoking user, or if the policy has disabled authentication for the -user or command. +if the invoking user is +.Sy root , +if the target user is the same as the invoking user, or if the +policy has disabled authentication for the user or command. Unlike .Xr su 1 , when .Nm requires authentication, it validates the invoking user's credentials, not -the target user's (or root's) credentials. +the target user's (or +.Sy @runas_default@ Ns No 's) +credentials. This can be changed via the .Em rootpw , @@ -219,7 +222,9 @@ are logged, regardless of whether or not mail is sent. .Pp If .Nm sudo -is run by root and the +is run by +.Sy root +and the .Ev SUDO_USER environment variable is set, the @@ -227,7 +232,9 @@ is set, the policy will use this value to determine who the actual user is. This can be used by a user to log commands -through sudo even when a root shell has been invoked. +through sudo even when a +.Sy root +shell has been invoked. It also allows the .Fl e @@ -235,7 +242,9 @@ option to remain useful even when invoked via a sudo-run script or program. Note, however, that the .Em sudoers -file lookup is still done for root, not the user specified by +file lookup is still done for +.Sy root , +not the user specified by .Ev SUDO_USER . .Pp .Nm @@ -442,7 +451,9 @@ as modified by global Defaults parameters in .Em sudoers , is displayed when .Nm sudo -is run by root with the +is run by +.Sy root +with the .Fl V option. The list of environment variables to remove 
@@ -888,8 +899,11 @@ it can contain User names and groups are matched as strings. In other words, two users (groups) with the same user (group) ID are considered to be distinct. -If you wish to match all user names with the same user-ID (e.g., root and -toor), you can use a user-ID instead of a name (#0 in the example given). +If you wish to match all user names with the same user-ID (e.g., +.Sy root +and +.Sy toor ) , +you can use a user-ID instead of a name (#0 in the example given). The user-ID or group-ID specified in a .Em Runas_Member need not be listed in the password or group database. @@ -1261,10 +1275,12 @@ A .Sy user specification determines which commands a user may run (and as what user) on specified hosts. -By default, commands are -run as -.Sy root , -but this can be changed on a per-command basis. +By default, commands are run as +.Sy @runas_default@ +(unless +.Em runas_default +has been set to a different value) +but this can also be changed on a per-command basis. .Pp The basic structure of a user specification is .Dq who where = (as_whom) what . @@ -1308,11 +1324,14 @@ are empty, the command may only be run as the invoking user and the group, if specified, must be one that the invoking user is a member of. If no .Em Runas_Spec -is specified, the command may only be run as -.Sy root -and the group, if specified, must be one that -.Sy root -is a member of. +is specified, the command may only be run as the +.Em runas_default +user +.Sy ( @runas_default@ +by default) and the group, +if specified, must be one that the +.Em runas_default +user is a member of. .Pp A .Em Runas_Spec @@ -1416,7 +1435,10 @@ alan ALL = (root, bin : operator, system) ALL .Pp user .Sy alan -may run any command as either user root or bin, +may run any command as either user +.Sy root +or +.Sy bin , optionally setting the group to operator or system. .Ss Option_Spec A 
@@ -1483,7 +1505,9 @@ alice ALL = (root) APPARMOR_PROFILE=my-profile ALL .Pp the user .Sy alice -may run any command as root under confinement by the profile +may run any command as +.Sy root +under confinement by the profile .Ql my-profile . You can also stack profiles, or allow a user to run commands unconfined by any profile. @@ -1499,7 +1523,9 @@ entries allow user .Sy bob to run .Pa /usr/bin/vi -as root under the stacked profiles +as +.Sy root +under the stacked profiles .Ql foo and .Ql bar , @@ -1832,7 +1858,7 @@ to run and .Pa /usr/bin/lprm as -.Sy root +.Sy @runas_default@ on the machine .Dq rushmore without authenticating himself. @@ -2090,7 +2116,11 @@ In the following example, user .Sy john can run the .Xr passwd 1 -command as root on any host but is not allowed to change root's password. +command as +.Sy @runas_default@ +on any host but is not allowed to change +.Sy root Ns No 's +password. This kind of rule is impossible to express safely using wildcards. .Bd -literal -offset 4n john ALL = /usr/bin/passwd ^[a-zA-Z0-9_]+$,\e @@ -2121,7 +2151,8 @@ to run the .Pa /usr/sbin/usermod , and .Pa /usr/sbin/userdel -commands as root. +commands as +.Sy @runas_default@ . .Bd -literal -offset 4n sid ALL = ^/usr/sbin/(group|user)(add|mod|del)$ .Ed @@ -2350,7 +2381,9 @@ This allows one to exclude certain values. For the .Ql \&! operator to be effective, there must be something for it to exclude. -For example, to match all users except for root one would use: +For example, to match all users except for +.Sy root +one would use: .Bd -literal -offset 4n ALL, !root .Ed @@ -2362,7 +2395,9 @@ is omitted, as in: !root .Ed .Pp -it would explicitly deny root but not match any other users. +it would explicitly deny +.Sy root +but not match any other users. This is different from a true .Dq negation operator. 
@@ -2430,7 +2465,9 @@ If enabled, will set the .Ev HOME environment variable to the home directory of the target user -(which is the root user unless the +(which is the +.Em runas_default +user unless the .Fl u option is used). This flag is largely obsolete and has no effect unless the @@ -2562,9 +2599,13 @@ or .Ev EDITOR environment variables before falling back on the default editor list. .Nm visudo -is typically run as root so this flag may allow a user with +is typically run as +.Sy root +so this flag may allow a user with .Nm visudo -privileges to run arbitrary commands as root without logging. +privileges to run arbitrary commands as +.Sy root +without logging. An alternative is to place a colon-separated list of .Dq safe editors int the @@ -2629,7 +2670,9 @@ lists, as modified by global Defaults parameters in .Em sudoers , are displayed when .Nm sudo -is run by root with the +is run by +.Sy root +with the .Fl V option. If the @@ -3532,17 +3575,23 @@ This flag is .Em off by default. .It root_sudo -If set, root is allowed to run +If set, +.Sy root +is allowed to run .Nm sudo too. Disabling this prevents users from .Dq chaining .Nm sudo -commands to get a root shell by doing something like +commands to get a +.Sy root +shell by doing something like .Ql sudo sudo /bin/sh . Note, however, that turning off .Em root_sudo -will also prevent root from running +will also prevent +.Sy root +from running .Nm sudoedit . Disabling .Em root_sudo @@ -3553,7 +3602,9 @@ by default. .It rootpw If set, .Nm sudo -will prompt for the root password instead of the password of the invoking user +will prompt for the +.Sy root +password instead of the password of the invoking user when running a command or editing a file. This flag is .Em off 
@@ -3599,7 +3650,8 @@ If set, .Nm sudo will prompt for the password of the user defined by the .Em runas_default -option (defaults to @runas_default@) +option (defaults to +.Sy @runas_default@ ) instead of the password of the invoking user when running a command or editing a file. This flag is @@ -3622,7 +3674,9 @@ is invoked with the option, the .Ev HOME environment variable will be set to the home directory of the target -user (which is the root user unless the +user (which is the +.Em runas_default +user unless the .Fl u option is used). This flag is largely obsolete and has no effect unless the @@ -3642,7 +3696,9 @@ will set the .Ev LOGNAME and .Ev USER -environment variables to the name of the target user (usually root unless the +environment variables to the name of the target user (the user specified by +.Em runas_default +unless the .Fl u option is given). However, since some programs (including the RCS revision control system) use @@ -3709,7 +3765,9 @@ If set and is invoked with no arguments it acts as if the .Fl s option had been given. -That is, it runs a shell as root (the shell is determined by the +That is, it runs a shell as +.Sy root +(the shell is determined by the .Ev SHELL environment variable if it is set, falling back on the shell listed in the invoking user's /etc/passwd entry if not). @@ -3720,7 +3778,9 @@ by default. Normally, when .Nm sudo executes a command the real and effective user-IDs are set to the target -user (root by default). +user +.Sy ( @runas_default@ +by default). This option changes that behavior such that the real user-ID is left as the invoking user's user-ID. In other words, this makes 
@@ -3746,7 +3806,8 @@ Symbolic links will not be followed in writable directories and will refuse to edit a file located in a writable directory. These restrictions are not enforced when .Nm sudoedit -is run by root. +is run by +.Sy root . On some systems, if all directory components of the path to be edited are not readable by the target user, .Nm sudoedit @@ -3793,7 +3854,8 @@ If set, will prompt for the password of the user specified by the .Fl u -option (defaults to root) +option (defaults to the value of +.Em runas_default ) instead of the password of the invoking user when running a command or editing a file. This flag precludes the use of a user-ID not listed in the passwd @@ -4225,10 +4287,12 @@ expanded to the invoking user's login name expanded to the name of the invoking user's real group-ID .It %{runas_user} expanded to the login name of the user the command will -be run as (e.g., root) +be run as (e.g., +.Sy root ) .It %{runas_group} expanded to the group name of the user the command will -be run as (e.g., wheel) +be run as (e.g., +.Sy wheel ) .It %{hostname} expanded to the local host name without the domain name .It %{command} @@ -4489,7 +4553,8 @@ flags in .Em sudoers ) .It \&%U expanded to the login name of the user the command will -be run as (defaults to root) +be run as (defaults to +.Sy @runas_default@ ) .It %u expanded to the invoking user's login name .It %% @@ -4548,7 +4613,8 @@ is built with SELinux support. The default user to run commands as if the .Fl u option is not specified on the command line. -This defaults to @runas_default@. +This defaults to +.Sy @runas_default@ . .It sudoers_locale Locale to use when parsing the sudoers file, logging commands, and sending email. 
@@ -4615,7 +4681,8 @@ The default is .It timestampowner The owner of the lecture status directory, time stamp directory and all files stored therein. -The default is root. +The default is +.Sy root . .if \n(SL \{\ .It type The default SELinux type to use when constructing a new security @@ -5194,8 +5261,9 @@ option is enabled or disabled, variables specified by will be preserved in the environment if they pass the aforementioned check. The global list of environment variables to check is displayed when .Nm sudo -is run by root with -the +is run by +.Sy root +with the .Fl V option. .It env_delete @@ -5213,7 +5281,9 @@ and operators respectively. The global list of environment variables to remove is displayed when .Nm sudo -is run by root with the +is run by +.Sy root +with the .Fl V option. Many operating systems will remove potentially dangerous variables @@ -5238,7 +5308,9 @@ operators respectively. The global list of variables to keep is displayed when .Nm sudo -is run by root with the +is run by +.Sy root +with the .Fl V option. .Pp @@ -5619,7 +5691,9 @@ file. was unable to read or create the user's time stamp file. This can happen when .Em timestampowner -is set to a user other than root and the mode on +is set to a user other than +.Sy root +and the mode on .Pa @rundir@ is not searchable by group or other. The default mode for @@ -6165,7 +6239,8 @@ need not provide a password and we don't want to reset the .Ev LOGNAME or .Ev USER -environment variables when running commands as root. +environment variables when running commands as +.Sy root . Additionally, on the machines in the .Dv SERVERS .Em Host_Alias , @@ -6307,7 +6382,8 @@ groups). The user .Sy pete is allowed to change anyone's password except for -root on the +.Sy root +on the .Dv HPPA machines. Because command line arguments are matched as a single, 
@@ -6394,8 +6470,9 @@ On the .Dv ALPHA machines, user .Sy john -may su to anyone except root but he is not allowed to specify any options -to the +may su to anyone except +.Sy root +but he is not allowed to specify any options to the .Xr su 1 command. .Bd -literal @@ -6499,7 +6576,9 @@ advisory at best (and reinforced by policy). In general, if a user has sudo .Sy ALL there is nothing to prevent them from creating their own program that gives -them a root shell (or making their own copy of a shell) regardless of any +them a +.Sy root +shell (or making their own copy of a shell) regardless of any .Ql !\& elements in the user specification. .Ss Security implications of Em fast_glob @@ -6855,9 +6934,11 @@ is enabled. .El .Pp Restricting shell escapes is not a panacea. -Programs running as root are still capable of many potentially hazardous -operations (such as changing or overwriting files) that could lead -to unintended privilege escalation. +Programs running as +.Sy root +are still capable of many potentially hazardous operations (such +as changing or overwriting files) that could lead to unintended +privilege escalation. In the specific case of an editor, a safer approach is to give the user permission to run .Nm sudoedit @@ -6904,7 +6985,9 @@ as follows: $ sudoedit /etc/motd .Ed .Pp -The editor will run as the operator user, not root, on a temporary copy of +The editor will run as the operator user, not +.Sy @runas_default@ , +on a temporary copy of .Pa /etc/motd . After the file has been edited, .Pa /etc/motd @@ -6925,7 +7008,8 @@ not be followed in writable directories and will refuse to edit a file located in a writable directory unless the .Em sudoedit_checkdir -option has been disabled or the invoking user is root. +option has been disabled or the invoking user is +.Sy root . Additionally, in version 1.8.15 and higher, .Nm sudoedit will refuse to open a symbolic link unless either the 
@@ -6944,8 +7028,10 @@ will check the ownership of its time stamp directory .Pa @rundir@/ts by default .Pc -and ignore the directory's contents if it is not owned by root or -if it is writable by a user other than root. +and ignore the directory's contents if it is not owned by +.Sy root +or if it is writable by a user other than +.Sy root . Older versions of .Nm sudo stored time stamp files in
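Review bot: the shell_noargs hunk (@@ -3924 in sudoers.man.in, @@ -3709 in sudoers.mdoc.in) still says the shell runs as `\fBroot\fR` / `.Sy root`, while the neighbouring stay_setuid hunk and the rest of the patch switch that wording to `@runas_default@`. Per the runas_default hunk, the target user when `-u` is not given is the runas_default user, and shell_noargs behaves as `-s` with no `-u`, so for consistency with the commit's stated goal use `\fB@runas_default@\fR` (and `.Sy @runas_default@` in the mdoc file), or the "runas_default user" phrasing already used in the set_logname hunk.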
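Review bot: the env_editor hunk (@@ -2709 in sudoers.man.in, @@ -2562 in sudoers.mdoc.in) leaves the pre-existing typo in the context line `editors int the` untouched even though it rewrites the sentence immediately before it; since this hunk already touches that paragraph, change it to `editors in the` here rather than in a separate follow-up.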
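Review bot: the user specification hunk (@@ -1308 in sudoers.man.in, @@ -1261 in sudoers.mdoc.in) reads awkwardly: "run as @runas_default@ (unless runas_default has been set to a different value) but this can also be changed on a per-command basis" puts the compile-time value first and the option second, and lacks a comma before "but". The Runas_Spec hunk a few lines later (@@ -1355 / @@ -1308) uses the clearer form "the runas_default user (@runas_default@ by default)"; reusing that phrasing here, followed by ", but this can also be changed on a per-command basis", keeps the two descriptions of the same default consistent.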