Emphasis on the never.

Todd C. Miller
2015-08-07 17:05:50 -06:00
parent d4f1aeb196
commit f1053af3b5
6 changed files with 21 additions and 9 deletions

@@ -433,11 +433,11 @@ SSEECCUURRIITTYY NNOOTTEESS
environment variable is _n_o_t modified and is passed unchanged to the environment variable is _n_o_t modified and is passed unchanged to the
program that ssuuddoo executes. program that ssuuddoo executes.
Users should not be granted ssuuddoo privileges to execute files that are Users should _n_e_v_e_r be granted ssuuddoo privileges to execute files that are
writable by the user or that reside in a directory that is writable by writable by the user or that reside in a directory that is writable by
the user. If the user can modify or replace the command there is no way the user. If the user can modify or replace the command there is no way
to limit what additional commands they can run. Likewise, users should to limit what additional commands they can run. Likewise, users should
not be granted ssuuddooeeddiitt permission to edit a file that resides in a _n_e_v_e_r be granted ssuuddooeeddiitt permission to edit a file that resides in a
directory the user has write access to. A user with directory write directory the user has write access to. A user with directory write
access could replace the legitimate file with a link to some other, access could replace the legitimate file with a link to some other,
arbitrary, file. Starting with version 1.8.15, ssuuddooeeddiitt will refuse to arbitrary, file. Starting with version 1.8.15, ssuuddooeeddiitt will refuse to
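
Review bot: The commit message mentions only emphasis, but in this paragraph both sentences previously read "should not be granted" (once for sudo, once for sudoedit), so the change here also swaps "not" for "never". The sudoers hunks in this commit already said "never" and only gain the markup. Suggest saying in the commit message that the sudo manual's wording changes as well, so the log matches what the diff does.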

@@ -869,13 +869,17 @@ modified and is passed unchanged to the program that
\fBsudo\fR \fBsudo\fR
executes. executes.
.PP .PP
Users should not be granted Users should
\fInever\fR
be granted
\fBsudo\fR \fBsudo\fR
privileges to execute files that are writable by the user or privileges to execute files that are writable by the user or
that reside in a directory that is writable by the user. that reside in a directory that is writable by the user.
If the user can modify or replace the command there is no way If the user can modify or replace the command there is no way
to limit what additional commands they can run. to limit what additional commands they can run.
Likewise, users should not be granted Likewise, users should
\fInever\fR
be granted
\fBsudoedit\fR \fBsudoedit\fR
permission to edit a file that resides in a directory the user has permission to edit a file that resides in a directory the user has
write access to. write access to.

@@ -804,13 +804,17 @@ modified and is passed unchanged to the program that
.Nm .Nm
executes. executes.
.Pp .Pp
Users should not be granted Users should
.Em never
be granted
.Nm .Nm
privileges to execute files that are writable by the user or privileges to execute files that are writable by the user or
that reside in a directory that is writable by the user. that reside in a directory that is writable by the user.
If the user can modify or replace the command there is no way If the user can modify or replace the command there is no way
to limit what additional commands they can run. to limit what additional commands they can run.
Likewise, users should not be granted Likewise, users should
.Em never
be granted
.Nm sudoedit .Nm sudoedit
permission to edit a file that resides in a directory the user has permission to edit a file that resides in a directory the user has
write access to. write access to.

@@ -2310,7 +2310,7 @@ SSEECCUURRIITTYY NNOOTTEESS
of _/_e_t_c_/_m_o_t_d. After the file has been edited, _/_e_t_c_/_m_o_t_d will be updated of _/_e_t_c_/_m_o_t_d. After the file has been edited, _/_e_t_c_/_m_o_t_d will be updated
with the contents of the temporary copy. with the contents of the temporary copy.
Users should never be granted ssuuddooeeddiitt permission to edit a file that Users should _n_e_v_e_r be granted ssuuddooeeddiitt permission to edit a file that
resides in a directory the user has write access to, either directly or resides in a directory the user has write access to, either directly or
via a wildcard. If the user has write access to the directory it is via a wildcard. If the user has write access to the directory it is
possible to replace the legitimate file with a link to another file, possible to replace the legitimate file with a link to another file,
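
Review bot: In this formatted output the emphasized word comes out as _n_e_v_e_r, the same underline overstrike used for the path _/_e_t_c_/_m_o_t_d in the context lines directly above it, so on a terminal the emphasis can read as path markup rather than stress. Worth checking the rendered page to confirm the word stands out next to the underlined path, since making the warning harder to overlook is the point of the change.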

@@ -4725,7 +4725,9 @@ After the file has been edited,
\fI/etc/motd\fR \fI/etc/motd\fR
will be updated with the contents of the temporary copy. will be updated with the contents of the temporary copy.
.PP .PP
Users should never be granted Users should
\fInever\fR
be granted
\fBsudoedit\fR \fBsudoedit\fR
permission to edit a file that resides in a directory the user permission to edit a file that resides in a directory the user
has write access to, either directly or via a wildcard. has write access to, either directly or via a wildcard.

@@ -4357,7 +4357,9 @@ After the file has been edited,
.Pa /etc/motd .Pa /etc/motd
will be updated with the contents of the temporary copy. will be updated with the contents of the temporary copy.
.Pp .Pp
Users should never be granted Users should
.Em never
be granted
.Nm sudoedit .Nm sudoedit
permission to edit a file that resides in a directory the user permission to edit a file that resides in a directory the user
has write access to, either directly or via a wildcard. has write access to, either directly or via a wildcard.