stay_setuid now requires set_reuid() or setresuid()

This commit is contained in:
Todd C. Miller
2004-10-13 16:52:51 +00:00
parent 48cdd1dec3
commit e455f848a9
3 changed files with 148 additions and 152 deletions

@@ -61,7 +61,7 @@ DDEESSCCRRIIPPTTIIOONN
1.6.9 October 7, 2004 1
1.6.9 October 13, 2004 1
@@ -127,7 +127,7 @@ SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4)
1.6.9 October 7, 2004 2
1.6.9 October 13, 2004 2
@@ -193,7 +193,7 @@ SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4)
1.6.9 October 7, 2004 3
1.6.9 October 13, 2004 3
@@ -259,7 +259,7 @@ SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4)
1.6.9 October 7, 2004 4
1.6.9 October 13, 2004 4
@@ -325,7 +325,7 @@ SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4)
1.6.9 October 7, 2004 5
1.6.9 October 13, 2004 5
@@ -391,7 +391,7 @@ SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4)
1.6.9 October 7, 2004 6
1.6.9 October 13, 2004 6
@@ -457,7 +457,7 @@ SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4)
1.6.9 October 7, 2004 7
1.6.9 October 13, 2004 7
@@ -502,12 +502,9 @@ SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4)
this makes ssuuddoo act as a setuid wrapper. This
can be useful on systems that disable some
potentially dangerous functionality when a
program is run setuid. Note, however, that
this means that ssuuddoo will run with the real
uid of the invoking user which may allow that
user to kill ssuuddoo before it can log a failure,
depending on how your OS defines the interac<61>
tion between signals and setuid processes.
program is run setuid. This option is only
effective on systems with either the
_s_e_t_r_e_u_i_d_(_) or _s_e_t_r_e_s_u_i_d_(_) function.
env_reset If set, ssuuddoo will reset the environment to
only contain the following variables: HOME,
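Review bot: the replacement text drops the warning that, with stay_setuid set, sudo runs with the real uid of the invoking user and that user may be able to kill it before it can log a failure; the new sentence about needing setreuid() or setresuid() does not restate that risk. This file is nroff output, so the wording should be restored in the POD source the other two files derive from and this copy regenerated rather than patched by hand.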
@@ -520,10 +517,13 @@ SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4)
with the SECURE_PATH option, its value will be
used for the PATH environment variable. Other
variables may be preserved with the _e_n_v___k_e_e_p
option.
1.6.9 October 7, 2004 8
1.6.9 October 13, 2004 8
@@ -532,8 +532,6 @@ SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4)
SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4)
option.
use_loginclass
If set, ssuuddoo will apply the defaults specified
for the target user's login class if one
@@ -586,10 +584,12 @@ SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4)
loglinelen Number of characters per line for the file
log. This value is used to decide when to
wrap lines for nicer log files. This has no
effect on the syslog log file, only the file
log. The default is 80 (use 0 or negate the
1.6.9 October 7, 2004 9
1.6.9 October 13, 2004 9
@@ -598,8 +598,6 @@ SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4)
SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4)
effect on the syslog log file, only the file
log. The default is 80 (use 0 or negate the
option to disable word wrap).
timestamp_timeout
@@ -652,10 +650,12 @@ SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4)
%U expanded to the login name of the user
the command will be run as (defaults
to root)
1.6.9 October 7, 2004 10
1.6.9 October 13, 2004 10
@@ -664,8 +664,6 @@ SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4)
SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4)
to root)
%h expanded to the local hostname without
the domain name
@@ -718,10 +716,12 @@ SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4)
never Never lecture the user.
once Only lecture the user the first time
they run ssuuddoo.
1.6.9 October 7, 2004 11
1.6.9 October 13, 2004 11
@@ -730,9 +730,6 @@ SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4)
SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4)
once Only lecture the user the first time
they run ssuuddoo.
always Always lecture the user.
The default value is _o_n_c_e.
@@ -784,10 +781,13 @@ SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4)
to use the --vv flag.
always The user must always enter a password
to use the --vv flag.
The default value is `all'.
1.6.9 October 7, 2004 12
1.6.9 October 13, 2004 12
@@ -796,10 +796,6 @@ SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4)
SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4)
to use the --vv flag.
The default value is `all'.
listpw This option controls when a password will be
required when a user runs ssuuddoo with the --ll
flag. It has the following possible values:
@@ -850,10 +846,14 @@ SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4)
dangerous variables from the environment of
any setuid process (such as ssuuddoo).
env_keep Environment variables to be preserved in the
user's environment when the _e_n_v___r_e_s_e_t option
is in effect. This allows fine-grained con<6F>
trol over the environment ssuuddoo-spawned
1.6.9 October 7, 2004 13
1.6.9 October 13, 2004 13
@@ -862,11 +862,7 @@ SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4)
SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4)
env_keep Environment variables to be preserved in the
user's environment when the _e_n_v___r_e_s_e_t option
is in effect. This allows fine-grained con<6F>
trol over the environment ssuuddoo-spawned pro<72>
cesses will receive. The argument may be a
processes will receive. The argument may be a
double-quoted, space-separated list or a sin<69>
gle value without double-quotes. The list can
be replaced, added to, deleted from, or dis<69>
@@ -916,10 +912,14 @@ SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4)
dgb boulder = (operator) /bin/ls, /bin/kill, /usr/bin/lprm
The user ddggbb may run _/_b_i_n_/_l_s, _/_b_i_n_/_k_i_l_l, and _/_u_s_r_/_b_i_n_/_l_p_r_m
-- but only as ooppeerraattoorr. E.g.,
$ sudo -u operator /bin/ls.
1.6.9 October 7, 2004 14
1.6.9 October 13, 2004 14
@@ -928,10 +928,6 @@ SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4)
SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4)
-- but only as ooppeerraattoorr. E.g.,
$ sudo -u operator /bin/ls.
It is also possible to override a Runas_Spec later on in
an entry. If we modify the entry like so:
@@ -982,10 +978,14 @@ SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4)
_N_O_E_X_E_C _a_n_d _E_X_E_C
If ssuuddoo has been compiled with _n_o_e_x_e_c support and the
underlying operating system supports it, the NOEXEC tag
can be used to prevent a dynamically-linked executable
from running further commands itself.
1.6.9 October 7, 2004 15
1.6.9 October 13, 2004 15
@@ -994,11 +994,6 @@ SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4)
SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4)
If ssuuddoo has been compiled with _n_o_e_x_e_c support and the
underlying operating system supports it, the NOEXEC tag
can be used to prevent a dynamically-linked executable
from running further commands itself.
In the following example, user aaaarroonn may run _/_u_s_r_/_b_i_n_/_m_o_r_e
and _/_u_s_r_/_b_i_n_/_v_i but shell escapes will be disabled.
@@ -1048,10 +1043,15 @@ SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4)
"?", "[", and "}".
Note that a forward slash ('/') will nnoott be matched by
wildcards used in the pathname. When matching the command
line arguments, however, a slash ddooeess get matched by wild<6C>
cards. This is to make a path like:
/usr/bin/*
1.6.9 October 7, 2004 16
1.6.9 October 13, 2004 16
@@ -1060,12 +1060,6 @@ SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4)
SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4)
wildcards used in the pathname. When matching the command
line arguments, however, a slash ddooeess get matched by wild<6C>
cards. This is to make a path like:
/usr/bin/*
match _/_u_s_r_/_b_i_n_/_w_h_o but not _/_u_s_r_/_b_i_n_/_X_1_1_/_x_t_e_r_m.
EExxcceeppttiioonnss ttoo wwiillddccaarrdd rruulleess
@@ -1114,10 +1108,16 @@ SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4)
_a_l_i_a_s called AALLLL as the built-in alias will be used in
preference to your own. Please note that using AALLLL can be
dangerous since in a command context, it allows the user
to run aannyy command on the system.
An exclamation point ('!') can be used as a logical _n_o_t
operator both in an _a_l_i_a_s and in front of a Cmnd. This
allows one to exclude certain values. Note, however, that
using a ! in conjunction with the built-in ALL alias to
1.6.9 October 7, 2004 17
1.6.9 October 13, 2004 17
@@ -1126,12 +1126,6 @@ SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4)
SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4)
to run aannyy command on the system.
An exclamation point ('!') can be used as a logical _n_o_t
operator both in an _a_l_i_a_s and in front of a Cmnd. This
allows one to exclude certain values. Note, however, that
using a ! in conjunction with the built-in ALL alias to
allow a user to run "all but a few" commands rarely works
as intended (see SECURITY NOTES below).
@@ -1172,26 +1166,6 @@ EEXXAAMMPPLLEESS
Runas_Alias OP = root, operator
Runas_Alias DB = oracle, sybase
1.6.9 October 7, 2004 18
SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4)
# Host alias specification
Host_Alias SPARC = bigtime, eclipse, moet, anchor :\
SGI = grolsch, dandelion, black :\
@@ -1202,6 +1176,22 @@ SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4)
Host_Alias SERVERS = master, mail, www, ns
Host_Alias CDROM = orion, perseus, hercules
1.6.9 October 13, 2004 18
SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4)
# Cmnd alias specification
Cmnd_Alias DUMPS = /usr/bin/mt, /usr/sbin/dump, /usr/sbin/rdump,\
/usr/sbin/restore, /usr/sbin/rrestore
@@ -1247,17 +1237,6 @@ SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4)
Full time sysadmins (mmiilllleerrtt, mmiikkeeff, and ddoowwddyy) may run
any command on any host without authenticating themselves.
1.6.9 October 7, 2004 19
SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4)
PARTTIMERS ALL = ALL
Part time sysadmins (bboossttlleeyy, jjwwffooxx, and ccrraawwll) may run
@@ -1267,6 +1246,18 @@ SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4)
jack CSNETS = ALL
The user jjaacckk may run any command on the machines in the
1.6.9 October 13, 2004 19
SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4)
_C_S_N_E_T_S alias (the networks 128.138.243.0, 128.138.204.0,
and 128.138.242.0). Of those networks, only 128.138.204.0
has an explicit netmask (in CIDR notation) indicating it
@@ -1312,18 +1303,6 @@ SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4)
+secretaries ALL = PRINTING, /usr/bin/adduser, /usr/bin/rmuser
Users in the sseeccrreettaarriieess netgroup need to help manage the
1.6.9 October 7, 2004 20
SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4)
printers as well as add and remove users, so they are
allowed to run those commands on all machines.
@@ -1334,6 +1313,17 @@ SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4)
john ALPHA = /usr/bin/su [!-]*, !/usr/bin/su *root*
1.6.9 October 13, 2004 20
SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4)
On the _A_L_P_H_A machines, user jjoohhnn may su to anyone except
root but he is not allowed to give _s_u(1) any flags.
@@ -1378,18 +1368,6 @@ SSEECCUURRIITTYY NNOOTTEESS
It is generally not effective to "subtract" commands from
ALL using the '!' operator. A user can trivially circum<75>
vent this by copying the desired command to a different
1.6.9 October 7, 2004 21
SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4)
name and then executing that. For example:
bill ALL = ALL, !SU, !SHELLS
@@ -1401,6 +1379,17 @@ SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4)
restrictions should be considered advisory at best (and
reinforced by policy).
1.6.9 October 13, 2004 21
SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4)
PPRREEVVEENNTTIINNGG SSHHEELLLL EESSCCAAPPEESS
Once ssuuddoo executes a program, that program is free to do
whatever it pleases, including run other programs. This
@@ -1444,18 +1433,6 @@ PPRREEVVEENNTTIINNGG SSHHEELLLL EESSCCAAPPEESS
File containing dummy exec functions:
then ssuuddoo may be able to replace the exec family
1.6.9 October 7, 2004 22
SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4)
of functions in the standard library with its
own that simply return an error. Unfortunately,
there is no foolproof way to know whether or not
@@ -1467,6 +1444,18 @@ SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4)
the LD_PRELOAD environment variable. Check your
operating system's manual pages for the dynamic
linker (usually ld.so, ld.so.1, dyld, dld.sl,
1.6.9 October 13, 2004 22
SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4)
rld, or loader) to see if LD_PRELOAD is sup<75>
ported.
@@ -1511,17 +1500,6 @@ SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4)
and Linux. See <http://www.systrace.org/> for
more information.
1.6.9 October 7, 2004 23
SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4)
Note that restricting shell escapes is not a panacea.
Programs running as root are still capable of many poten<65>
tially hazardous operations (such as changing or overwrit<69>
@@ -1532,6 +1510,18 @@ SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4)
SSEEEE AALLSSOO
_r_s_h(1), _s_u(1), _f_n_m_a_t_c_h(3), sudo(1m), visudo(1m)
1.6.9 October 13, 2004 23
SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4)
CCAAVVEEAATTSS
The _s_u_d_o_e_r_s file should aallwwaayyss be edited by the vviissuuddoo
command which locks the file and does grammatical check<63>
@@ -1579,6 +1569,16 @@ DDIISSCCLLAAIIMMEERR
1.6.9 October 7, 2004 24
1.6.9 October 13, 2004 24

@@ -149,7 +149,7 @@
.\" ========================================================================
.\"
.IX Title "SUDOERS @mansectform@"
.TH SUDOERS @mansectform@ "October 7, 2004" "1.6.9" "MAINTENANCE COMMANDS"
.TH SUDOERS @mansectform@ "October 13, 2004" "1.6.9" "MAINTENANCE COMMANDS"
.SH "NAME"
sudoers \- list of which users may execute what
.SH "DESCRIPTION"
@@ -563,11 +563,9 @@ UIDs are set to the target user (root by default). This option
changes that behavior such that the real \s-1UID\s0 is left as the invoking
user's \s-1UID\s0. In other words, this makes \fBsudo\fR act as a setuid
wrapper. This can be useful on systems that disable some potentially
dangerous functionality when a program is run setuid. Note, however,
that this means that \fBsudo\fR will run with the real uid of the invoking
user which may allow that user to kill \fBsudo\fR before it can log a
failure, depending on how your \s-1OS\s0 defines the interaction between
signals and setuid processes.
dangerous functionality when a program is run setuid. This option
is only effective on systems with either the \fIsetreuid()\fR or \fIsetresuid()\fR
function.
.IP "env_reset" 12
.IX Item "env_reset"
If set, \fBsudo\fR will reset the environment to only contain the

@@ -427,11 +427,9 @@ UIDs are set to the target user (root by default). This option
changes that behavior such that the real UID is left as the invoking
user's UID. In other words, this makes B<sudo> act as a setuid
wrapper. This can be useful on systems that disable some potentially
dangerous functionality when a program is run setuid. Note, however,
that this means that B<sudo> will run with the real uid of the invoking
user which may allow that user to kill B<sudo> before it can log a
failure, depending on how your OS defines the interaction between
signals and setuid processes.
dangerous functionality when a program is run setuid. This option
is only effective on systems with either the setreuid() or setresuid()
function.
=item env_reset
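Review bot: the deleted sentences warned that with stay_setuid the invoking user may be able to kill B<sudo> before it logs a failure; requiring setreuid() or setresuid() does not remove that risk, since the real uid is still the invoking user's, so the caveat should stay next to the new requirement, e.g. keep "Note, however, that this means that B<sudo> will run with the real uid of the invoking user ..." after "function." The new text also does not say what happens on a system with neither function (option silently ignored, or refused at startup?); one clause would settle that for administrators. Minor: the commit message spells the function set_reuid() while the documentation uses setreuid().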