isa/sudo
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Add support for runas groups. This allows the user to run a command

Browse Source 
with a different effective group.  If the -g option is specified
without -u the command will be run as the current user (only the
group will change).  the -g and -u options may be used together.
TODO: implement runas group for ldap
      improve runas group documentation
      add testsudoers support
This commit is contained in:
Todd C. Miller
2007-11-21 20:12:00 +00:00
parent bfd781ff65
commit f9f4aca556
28 changed files with 1446 additions and 1061 deletions
Download Patch File Download Diff File Expand all files Collapse all files

4
WHATSNEW
View File

@@ -15,6 +15,10 @@ What's new in Sudo 1.7?
o a new -U flag can be used in conjunction with "sudo -l" to allow o a new -U flag can be used in conjunction with "sudo -l" to allow
root (or a user with "sudo ALL") list another user's privileges. root (or a user with "sudo ALL") list another user's privileges.
* A new -g flag has been added to allow the user to specify a
primary group to run the command as. The sudoers syntax has been
extended to include a group section in the Runas specification.
* A uid may now be used anywhere a username is valid. * A uid may now be used anywhere a username is valid.
* The "secure_path" run-time Defaults option has been restored. * The "secure_path" run-time Defaults option has been restored.

8
check.c
View File

@@ -208,7 +208,7 @@ expand_prompt(old_prompt, user, host)
break; break;
case 'U': case 'U':
p++; p++;
len += strlen(*user_runas) - 2; len += strlen(runas_pw->pw_name) - 2;
subst = 1; subst = 1;
break; break;
case '%': case '%':
@@ -251,7 +251,7 @@ expand_prompt(old_prompt, user, host)
continue; continue;
case 'U': case 'U':
p++; p++;
n = strlcpy(np, *user_runas, np - endp); n = strlcpy(np, runas_pw->pw_name, np - endp);
if (n >= np - endp) if (n >= np - endp)
goto oflow; goto oflow;
np += n; np += n;
@@ -335,14 +335,14 @@ build_timestamp(timestampdir, timestampfile)
p = user_tty; p = user_tty;
if (def_targetpw) if (def_targetpw)
len = easprintf(timestampfile, "%s/%s/%s:%s", dirparent, user_name, len = easprintf(timestampfile, "%s/%s/%s:%s", dirparent, user_name,
p, *user_runas); p, runas_pw->pw_name);
else else
len = easprintf(timestampfile, "%s/%s/%s", dirparent, user_name, p); len = easprintf(timestampfile, "%s/%s/%s", dirparent, user_name, p);
if (len >= PATH_MAX) if (len >= PATH_MAX)
log_error(0, "timestamp path too long: %s", *timestampfile); log_error(0, "timestamp path too long: %s", *timestampfile);
} else if (def_targetpw) { } else if (def_targetpw) {
len = easprintf(timestampfile, "%s/%s/%s", dirparent, user_name, len = easprintf(timestampfile, "%s/%s/%s", dirparent, user_name,
*user_runas); runas_pw->pw_name);
if (len >= PATH_MAX) if (len >= PATH_MAX)
log_error(0, "timestamp path too long: %s", *timestampfile); log_error(0, "timestamp path too long: %s", *timestampfile);
} else } else

1
def_data.in
View File

@@ -155,7 +155,6 @@ passprompt
runas_default runas_default
T_STR T_STR
"Default user to run commands as: %s" "Default user to run commands as: %s"
*set_runaspw
secure_path secure_path
T_STR|T_BOOL T_STR|T_BOOL
"Value to override user's $PATH with: %s" "Value to override user's $PATH with: %s"

10
defaults.c
View File

@@ -479,14 +479,6 @@ init_defaults()
/* Finally do the lists (currently just environment tables). */ /* Finally do the lists (currently just environment tables). */
init_envtables(); init_envtables();
/*
* The following depend on the above values.
* We use a pointer to the string so that if its
* value changes we get the change.
*/
if (user_runas == NULL)
user_runas = &def_runas_default;
firsttime = 0; firsttime = 0;
} }
@@ -514,7 +506,7 @@ update_defaults(skip_cmnd)
return(FALSE); return(FALSE);
break; break;
case DEFAULTS_RUNAS: case DEFAULTS_RUNAS:
if (runaslist_matches(&def->binding) && if (runaslist_matches(&def->binding, NULL) &&
!set_default(def->var, def->val, def->op)) !set_default(def->var, def->val, def->op))
return(FALSE); return(FALSE);
break; break;

574
gram.c
View File

File diff suppressed because it is too large Load Diff

1
gram.h
View File

@@ -29,6 +29,7 @@ typedef union {
struct cmndspec *cmndspec; struct cmndspec *cmndspec;
struct defaults *defaults; struct defaults *defaults;
struct member *member; struct member *member;
struct runascontainer *runas;
struct privilege *privilege; struct privilege *privilege;
struct sudo_command command; struct sudo_command command;
struct cmndtag tag; struct cmndtag tag;

126
gram.y
View File

@@ -104,6 +104,7 @@ yyerror(s)
struct cmndspec *cmndspec; struct cmndspec *cmndspec;
struct defaults *defaults; struct defaults *defaults;
struct member *member; struct member *member;
struct runascontainer *runas;
struct privilege *privilege; struct privilege *privilege;
struct sudo_command command; struct sudo_command command;
struct cmndtag tag; struct cmndtag tag;
@@ -150,13 +151,14 @@ yyerror(s)
%type <member> host %type <member> host
%type <member> hostlist %type <member> hostlist
%type <member> ophost %type <member> ophost
%type <member> oprunasuser
%type <member> opuser %type <member> opuser
%type <member> runaslist
%type <member> runasspec
%type <member> runasuser
%type <member> user %type <member> user
%type <member> userlist %type <member> userlist
%type <member> opgroup
%type <member> group
%type <member> grouplist
%type <runas> runasspec
%type <runas> runaslist
%type <privilege> privilege %type <privilege> privilege
%type <privilege> privileges %type <privilege> privileges
%type <tag> cmndtag %type <tag> cmndtag
@@ -198,7 +200,7 @@ entry : COMMENT {
| DEFAULTS_USER userlist defaults_list { | DEFAULTS_USER userlist defaults_list {
add_defaults(DEFAULTS_USER, $2, $3); add_defaults(DEFAULTS_USER, $2, $3);
} }
| DEFAULTS_RUNAS runaslist defaults_list { | DEFAULTS_RUNAS userlist defaults_list {
add_defaults(DEFAULTS_RUNAS, $2, $3); add_defaults(DEFAULTS_RUNAS, $2, $3);
} }
| DEFAULTS_HOST hostlist defaults_list { | DEFAULTS_HOST hostlist defaults_list {
@@ -288,16 +290,27 @@ cmndspeclist : cmndspec
if ($3->tags.setenv == UNSPEC && if ($3->tags.setenv == UNSPEC &&
$3->prev->tags.setenv != IMPLIED) $3->prev->tags.setenv != IMPLIED)
$3->tags.setenv = $3->prev->tags.setenv; $3->tags.setenv = $3->prev->tags.setenv;
if (tq_empty(&$3->runaslist) && if ((tq_empty(&$3->runasuserlist) &&
!tq_empty(&$3->prev->runaslist)) tq_empty(&$3->runasgrouplist)) &&
$3->runaslist = $3->prev->runaslist; (!tq_empty(&$3->prev->runasuserlist) ||
!tq_empty(&$3->prev->runasgrouplist))) {
$3->runasuserlist = $3->prev->runasuserlist;
$3->runasgrouplist = $3->prev->runasgrouplist;
}
$$ = $1; $$ = $1;
} }
; ;
cmndspec : runasspec cmndtag opcmnd { cmndspec : runasspec cmndtag opcmnd {
struct cmndspec *cs = emalloc(sizeof(*cs)); struct cmndspec *cs = emalloc(sizeof(*cs));
list2tq(&cs->runaslist, $1); if ($1 != NULL) {
list2tq(&cs->runasuserlist, $1->runasusers);
list2tq(&cs->runasgrouplist, $1->runasgroups);
efree($1);
} else {
tq_init(&cs->runasuserlist);
tq_init(&cs->runasgrouplist);
}
cs->tags = $2; cs->tags = $2;
cs->cmnd = $3; cs->cmnd = $3;
cs->prev = cs; cs->prev = cs;
@@ -328,37 +341,20 @@ runasspec : /* empty */ {
} }
; ;
runaslist : oprunasuser runaslist : userlist {
| runaslist ',' oprunasuser { $$ = emalloc(sizeof(struct runascontainer));
list_append($1, $3); $$->runasusers = $1;
$$ = $1; $$->runasgroups = NULL;
} }
; | userlist ':' grouplist {
$$ = emalloc(sizeof(struct runascontainer));
oprunasuser : runasuser { $$->runasusers = $1;
$$ = $1; $$->runasgroups = $3;
$$->negated = FALSE;
} }
| '!' runasuser { | ':' grouplist {
$$ = $2; $$ = emalloc(sizeof(struct runascontainer));
$$->negated = TRUE; $$->runasusers = NULL;
} $$->runasgroups = $2;
;
runasuser : ALIAS {
$$ = new_member($1, ALIAS);
}
| ALL {
$$ = new_member(NULL, ALL);
}
| NETGROUP {
$$ = new_member($1, NETGROUP);
}
| USERGROUP {
$$ = new_member($1, USERGROUP);
}
| WORD {
$$ = new_member($1, WORD);
} }
; ;
@@ -443,7 +439,7 @@ runasaliases : runasalias
| runasaliases ':' runasalias | runasaliases ':' runasalias
; ;
runasalias : ALIAS '=' runaslist { runasalias : ALIAS '=' userlist {
char *s; char *s;
if ((s = alias_add($1, RUNASALIAS, $3)) != NULL) { if ((s = alias_add($1, RUNASALIAS, $3)) != NULL) {
yyerror(s); yyerror(s);
@@ -499,6 +495,34 @@ user : ALIAS {
} }
; ;
grouplist : opgroup
| grouplist ',' opgroup {
list_append($1, $3);
$$ = $1;
}
;
opgroup : group {
$$ = $1;
$$->negated = FALSE;
}
| '!' group {
$$ = $2;
$$->negated = TRUE;
}
;
group : ALIAS {
$$ = new_member($1, ALIAS);
}
| ALL {
$$ = new_member(NULL, ALL);
}
| WORD {
$$ = new_member($1, WORD);
}
;
%% %%
static struct defaults * static struct defaults *
new_default(var, val, op) new_default(var, val, op)
@@ -588,7 +612,7 @@ init_parser(path, quiet)
int quiet; int quiet;
{ {
struct defaults *d; struct defaults *d;
struct member *m, *freed; struct member *m, *binding;
struct userspec *us; struct userspec *us;
struct privilege *priv; struct privilege *priv;
struct cmndspec *cs; struct cmndspec *cs;
@@ -599,15 +623,23 @@ init_parser(path, quiet)
efree(m); efree(m);
} }
while ((priv = tq_pop(&us->privileges)) != NULL) { while ((priv = tq_pop(&us->privileges)) != NULL) {
struct member *runasuser = NULL, *runasgroup = NULL;
while ((m = tq_pop(&priv->hostlist)) != NULL) { while ((m = tq_pop(&priv->hostlist)) != NULL) {
efree(m->name); efree(m->name);
efree(m); efree(m);
} }
freed = NULL;
while ((cs = tq_pop(&priv->cmndlist)) != NULL) { while ((cs = tq_pop(&priv->cmndlist)) != NULL) {
if (tq_last(&cs->runaslist) != freed) { if (tq_last(&cs->runasuserlist) != runasuser) {
freed = tq_last(&cs->runaslist); runasuser = tq_last(&cs->runasuserlist);
while ((m = tq_pop(&cs->runaslist)) != NULL) { while ((m = tq_pop(&cs->runasuserlist)) != NULL) {
efree(m->name);
efree(m);
}
}
if (tq_last(&cs->runasgrouplist) != runasgroup) {
runasgroup = tq_last(&cs->runasgrouplist);
while ((m = tq_pop(&cs->runasgrouplist)) != NULL) {
efree(m->name); efree(m->name);
efree(m); efree(m);
} }
@@ -621,10 +653,10 @@ init_parser(path, quiet)
} }
tq_init(&userspecs); tq_init(&userspecs);
freed = NULL; binding = NULL;
while ((d = tq_pop(&defaults)) != NULL) { while ((d = tq_pop(&defaults)) != NULL) {
if (tq_last(&d->binding) != freed) { if (tq_last(&d->binding) != binding) {
freed = tq_last(&d->binding); binding = tq_last(&d->binding);
while ((m = tq_pop(&d->binding)) != NULL) { while ((m = tq_pop(&d->binding)) != NULL) {
efree(m->name); efree(m->name);
efree(m); efree(m);

5
ldap.c
View File

@@ -213,6 +213,11 @@ sudo_ldap_check_runas(ld, entry)
if (!entry) if (!entry)
return(ret); return(ret);
/* If no runas user, just check the group. */
/* XXX - implement runas group checking via sudoRunasGroup */
if (!runas_pw)
return(TRUE);
/* get the values from the entry */ /* get the values from the entry */
v = ldap_get_values(ld, entry, "sudoRunAs"); v = ldap_get_values(ld, entry, "sudoRunAs");

27
logging.c
View File

@@ -314,10 +314,12 @@ log_auth(status, inform_user)
user_name, user_shost); user_name, user_shost);
else else
(void) fprintf(stderr, (void) fprintf(stderr,
"Sorry, user %s is not allowed to execute '%s%s%s' as %s on %s.\n", "Sorry, user %s is not allowed to execute '%s%s%s' as %s%s%s on %s.\n",
user_name, user_cmnd, user_args ? " " : "", user_name, user_cmnd, user_args ? " " : "",
user_args ? user_args : "", user_args ? user_args : "",
list_pw ? list_pw->pw_name : *user_runas, user_host); list_pw ? list_pw->pw_name : runas_pw ?
runas_pw->pw_name : user_name, runas_gr ? ":" : "",
runas_gr ? runas_gr->gr_name : "", user_host);
} }
/* /*
@@ -633,7 +635,10 @@ new_logline(message, serrno)
} }
len += sizeof(LL_TTY_STR) + 2 + strlen(user_tty); len += sizeof(LL_TTY_STR) + 2 + strlen(user_tty);
len += sizeof(LL_CWD_STR) + 2 + strlen(user_cwd); len += sizeof(LL_CWD_STR) + 2 + strlen(user_cwd);
len += sizeof(LL_USER_STR) + 2 + strlen(*user_runas); if (runas_pw != NULL)
len += sizeof(LL_USER_STR) + 2 + strlen(runas_pw->pw_name);
if (runas_gr != NULL)
len += sizeof(LL_GROUP_STR) + 2 + strlen(runas_gr->gr_name);
if (sudo_user.env_vars != NULL) { if (sudo_user.env_vars != NULL) {
size_t evlen = 0; size_t evlen = 0;
struct list_member *cur; struct list_member *cur;
@@ -675,10 +680,18 @@ new_logline(message, serrno)
strlcat(line, user_cwd, len) >= len || strlcat(line, user_cwd, len) >= len ||
strlcat(line, " ; ", len) >= len) strlcat(line, " ; ", len) >= len)
goto toobig; goto toobig;
if (strlcat(line, LL_USER_STR, len) >= len || if (runas_pw != NULL) {
strlcat(line, *user_runas, len) >= len || if (strlcat(line, LL_USER_STR, len) >= len ||
strlcat(line, " ; ", len) >= len) strlcat(line, runas_pw->pw_name, len) >= len ||
goto toobig; strlcat(line, " ; ", len) >= len)
goto toobig;
}
if (runas_gr != NULL) {
if (strlcat(line, LL_GROUP_STR, len) >= len ||
strlcat(line, runas_gr->gr_name, len) >= len ||
strlcat(line, " ; ", len) >= len)
goto toobig;
}
if (evstr != NULL) { if (evstr != NULL) {
if (strlcat(line, LL_ENV_STR, len) >= len || if (strlcat(line, LL_ENV_STR, len) >= len ||
strlcat(line, evstr, len) >= len || strlcat(line, evstr, len) >= len ||

117
match.c
View File

@@ -93,6 +93,8 @@
__unused static const char rcsid[] = "$Sudo$"; __unused static const char rcsid[] = "$Sudo$";
#endif /* lint */ #endif /* lint */
static struct member_list empty;
/* /*
* Returns TRUE if string 's' contains meta characters. * Returns TRUE if string 's' contains meta characters.
*/ */
@@ -154,58 +156,92 @@ userlist_matches(pw, list)
/* /*
* Check for user described by pw in a list of members. * Check for user described by pw in a list of members.
* If list is NULL compare against def_runas_default. * If both lists are empty compare against def_runas_default.
* Returns ALLOW, DENY or UNSPEC. * Returns ALLOW, DENY or UNSPEC.
*/ */
static int static int
_runaslist_matches(list) _runaslist_matches(user_list, group_list)
struct member_list *list; struct member_list *user_list;
struct member_list *group_list;
{ {
struct member *m; struct member *m;
struct alias *a; struct alias *a;
int rval, matched = UNSPEC; int rval, matched = UNSPEC;
if (tq_empty(list)) /* Deny if user specified a group but there is no group in sudoers */
if (runas_gr != NULL && tq_empty(group_list))
return(DENY);
if (tq_empty(user_list) && tq_empty(group_list))
return(userpw_matches(def_runas_default, runas_pw->pw_name, runas_pw)); return(userpw_matches(def_runas_default, runas_pw->pw_name, runas_pw));
tq_foreach_rev(list, m) { if (runas_pw != NULL) {
switch (m->type) { tq_foreach_rev(user_list, m) {
case ALL: switch (m->type) {
matched = !m->negated; case ALL:
break;
case NETGROUP:
if (netgr_matches(m->name, NULL, NULL, runas_pw->pw_name))
matched = !m->negated; matched = !m->negated;
break;
case USERGROUP:
if (usergr_matches(m->name, runas_pw->pw_name, runas_pw))
matched = !m->negated;
break;
case ALIAS:
if ((a = find_alias(m->name, RUNASALIAS)) != NULL) {
rval = _runaslist_matches(&a->members);
if (rval != UNSPEC)
matched = m->negated ? !rval : rval;
break; break;
} case NETGROUP:
/* FALLTHROUGH */ if (netgr_matches(m->name, NULL, NULL, runas_pw->pw_name))
case WORD: matched = !m->negated;
if (userpw_matches(m->name, runas_pw->pw_name, runas_pw)) break;
matched = !m->negated; case USERGROUP:
if (usergr_matches(m->name, runas_pw->pw_name, runas_pw))
matched = !m->negated;
break;
case ALIAS:
if ((a = find_alias(m->name, RUNASALIAS)) != NULL) {
rval = _runaslist_matches(&a->members, &empty);
if (rval != UNSPEC)
matched = m->negated ? !rval : rval;
break;
}
/* FALLTHROUGH */
case WORD:
if (userpw_matches(m->name, runas_pw->pw_name, runas_pw))
matched = !m->negated;
break;
}
if (matched != UNSPEC)
break; break;
} }
if (matched != UNSPEC)
break;
} }
if (runas_gr != NULL) {
tq_foreach_rev(group_list, m) {
switch (m->type) {
case ALL:
matched = !m->negated;
break;
case ALIAS:
if ((a = find_alias(m->name, RUNASALIAS)) != NULL) {
rval = _runaslist_matches(&a->members, &empty);
if (rval != UNSPEC)
matched = m->negated ? !rval : rval;
break;
}
/* FALLTHROUGH */
case WORD:
if (group_matches(m->name, runas_gr))
matched = !m->negated;
break;
}
if (matched != UNSPEC)
break;
}
}
return(matched); return(matched);
} }
int int
runaslist_matches(list) runaslist_matches(user_list, group_list)
struct member_list *list; struct member_list *user_list;
struct member_list *group_list;
{ {
alias_seqno++; alias_seqno++;
return(_runaslist_matches(list)); return(_runaslist_matches(user_list ? user_list : &empty,
group_list ? group_list : &empty));
} }
/* /*
@@ -660,11 +696,28 @@ userpw_matches(sudoers_user, user, pw)
if (pw != NULL && *sudoers_user == '#') { if (pw != NULL && *sudoers_user == '#') {
uid_t uid = (uid_t) atoi(sudoers_user + 1); uid_t uid = (uid_t) atoi(sudoers_user + 1);
if (uid == pw->pw_uid) if (uid == pw->pw_uid)
return(1); return(TRUE);
} }
return(strcmp(sudoers_user, user) == 0); return(strcmp(sudoers_user, user) == 0);
} }
/*
* Returns TRUE if the group/gid from sudoers matches the specified group/gid,
* else returns FALSE.
*/
int
group_matches(sudoers_group, gr)
char *sudoers_group;
struct group *gr;
{
if (*sudoers_group == '#') {
gid_t gid = (gid_t) atoi(sudoers_group + 1);
if (gid == gr->gr_gid)
return(TRUE);
}
return(strcmp(gr->gr_name, sudoers_group) == 0);
}
/* /*
* Returns TRUE if the given user belongs to the named group, * Returns TRUE if the given user belongs to the named group,
* else returns FALSE. * else returns FALSE.

1
mon_systrace.c
View File

@@ -912,7 +912,6 @@ check_execv(fd, pid, seqnr, askp, policyp, errorp)
init_defaults(); init_defaults();
def_authenticate = FALSE; def_authenticate = FALSE;
runas_pw = info->pw; runas_pw = info->pw;
user_runas = &info->pw->pw_name;
validated = VALIDATE_NOT_OK; validated = VALIDATE_NOT_OK;
#ifdef HAVE_LDAP #ifdef HAVE_LDAP
if ((ld = sudo_ldap_open()) != NULL) { if ((ld = sudo_ldap_open()) != NULL) {

21
parse.c
View File

@@ -157,7 +157,8 @@ sudoers_lookup(pwflag)
else else
continue; continue;
tq_foreach_rev(&priv->cmndlist, cs) { tq_foreach_rev(&priv->cmndlist, cs) {
runas_match = runaslist_matches(&cs->runaslist); runas_match = runaslist_matches(&cs->runasuserlist,
&cs->runasgrouplist);
if (runas_match == ALLOW) { if (runas_match == ALLOW) {
cmnd_match = cmnd_matches(cs->cmnd); cmnd_match = cmnd_matches(cs->cmnd);
if (cmnd_match != UNSPEC) { if (cmnd_match != UNSPEC) {
@@ -240,9 +241,9 @@ display_privs(v, pw)
if (cs != tq_first(&priv->cmndlist)) if (cs != tq_first(&priv->cmndlist))
lbuf_append(&lbuf, ", ", NULL); lbuf_append(&lbuf, ", ", NULL);
lbuf_append(&lbuf, "(", NULL); lbuf_append(&lbuf, "(", NULL);
if (!tq_empty(&cs->runaslist)) { if (!tq_empty(&cs->runasuserlist)) {
tq_foreach_fwd(&cs->runaslist, m) { tq_foreach_fwd(&cs->runasuserlist, m) {
if (m != tq_first(&cs->runaslist)) if (m != tq_first(&cs->runasuserlist))
lbuf_append(&lbuf, ", ", NULL); lbuf_append(&lbuf, ", ", NULL);
print_member(&lbuf, m->name, m->type, m->negated, print_member(&lbuf, m->name, m->type, m->negated,
RUNASALIAS); RUNASALIAS);
@@ -250,6 +251,15 @@ display_privs(v, pw)
} else { } else {
lbuf_append(&lbuf, def_runas_default, NULL); lbuf_append(&lbuf, def_runas_default, NULL);
} }
if (!tq_empty(&cs->runasgrouplist)) {
lbuf_append(&lbuf, " : ", NULL);
tq_foreach_fwd(&cs->runasgrouplist, m) {
if (m != tq_first(&cs->runasgrouplist))
lbuf_append(&lbuf, ", ", NULL);
print_member(&lbuf, m->name, m->type, m->negated,
RUNASALIAS);
}
}
lbuf_append(&lbuf, ") ", NULL); lbuf_append(&lbuf, ") ", NULL);
if (TAG_CHANGED(setenv)) { if (TAG_CHANGED(setenv)) {
lbuf_append(&lbuf, cs->tags.setenv ? "SETENV: " : lbuf_append(&lbuf, cs->tags.setenv ? "SETENV: " :
@@ -439,7 +449,8 @@ display_cmnd(v, pw)
if (host_match != ALLOW) if (host_match != ALLOW)
continue; continue;
tq_foreach_rev(&priv->cmndlist, cs) { tq_foreach_rev(&priv->cmndlist, cs) {
runas_match = runaslist_matches(&cs->runaslist); runas_match = runaslist_matches(&cs->runasuserlist,
&cs->runasgrouplist);
if (runas_match == ALLOW) { if (runas_match == ALLOW) {
cmnd_match = cmnd_matches(cs->cmnd); cmnd_match = cmnd_matches(cs->cmnd);
if (cmnd_match != UNSPEC) { if (cmnd_match != UNSPEC) {

11
parse.h
View File

@@ -98,7 +98,8 @@ struct privilege {
*/ */
struct cmndspec { struct cmndspec {
struct cmndspec *prev, *next; struct cmndspec *prev, *next;
struct member_list runaslist; /* list of runas users */ struct member_list runasuserlist; /* list of runas users */
struct member_list runasgrouplist; /* list of runas groups */
struct member *cmnd; /* command to allow/deny */ struct member *cmnd; /* command to allow/deny */
struct cmndtag tags; /* tag specificaion */ struct cmndtag tags; /* tag specificaion */
}; };
@@ -113,6 +114,11 @@ struct member {
short negated; /* negated via '!'? */ short negated; /* negated via '!'? */
}; };
struct runascontainer {
struct member *runasusers;
struct member *runasgroups;
};
/* /*
* Generic structure to hold {User,Host,Runas,Cmnd}_Alias * Generic structure to hold {User,Host,Runas,Cmnd}_Alias
* Aliases are stored in a red-black tree, sorted by name and type. * Aliases are stored in a red-black tree, sorted by name and type.
@@ -160,10 +166,11 @@ int hostlist_matches __P((struct member_list *));
int hostname_matches __P((char *, char *, char *)); int hostname_matches __P((char *, char *, char *));
int netgr_matches __P((char *, char *, char *, char *)); int netgr_matches __P((char *, char *, char *, char *));
int no_aliases __P((void)); int no_aliases __P((void));
int runaslist_matches __P((struct member_list *)); int runaslist_matches __P((struct member_list *, struct member_list *));
int userlist_matches __P((struct passwd *, struct member_list *)); int userlist_matches __P((struct passwd *, struct member_list *));
int usergr_matches __P((char *, char *, struct passwd *)); int usergr_matches __P((char *, char *, struct passwd *));
int userpw_matches __P((char *, char *, struct passwd *)); int userpw_matches __P((char *, char *, struct passwd *));
int group_matches __P((char *, struct group *));
struct alias *find_alias __P((char *, int)); struct alias *find_alias __P((char *, int));
void alias_apply __P((int (*)(void *, void *), void *)); void alias_apply __P((int (*)(void *, void *), void *));
void init_aliases __P((void)); void init_aliases __P((void));

30
pwutil.c
View File

@@ -329,6 +329,36 @@ sudo_fakepwnam(user)
return(pw); return(pw);
} }
/*
* Take a gid in string form "#123" and return a faked up group struct.
*/
struct group *
sudo_fakegrnam(group)
const char *group;
{
struct group *gr;
struct rbnode *node;
size_t len;
len = strlen(group);
gr = emalloc(sizeof(struct group) + len + 1);
memset(gr, 0, sizeof(struct group));
gr->gr_gid = (gid_t) atoi(group + 1);
gr->gr_name = (char *)gr + sizeof(struct group);
strlcpy(gr->gr_name, group, len + 1);
/* Store by gid and by name, overwriting cached version. */
if ((node = rbinsert(grcache_bygid, gr)) != NULL) {
efree(node->data);
node->data = (void *) gr;
}
if ((node = rbinsert(grcache_byname, gr)) != NULL) {
efree(node->data);
node->data = (void *) gr;
}
return(gr);
}
void void
sudo_setpwent() sudo_setpwent()
{ {

25
set_perms.c
View File

@@ -98,8 +98,10 @@ set_perms(perm)
break; break;
case PERM_RUNAS: case PERM_RUNAS:
(void) setresgid(-1, runas_pw->pw_gid, -1); (void) setresgid(-1, runas_gr ?
if (setresuid(-1, runas_pw->pw_uid, -1)) runas_gr->gr_gid : runas_pw->pw_gid, -1);
if (setresuid(-1,
runas_pw ? runas_pw->pw_uid : user_uid, -1))
error(1, "unable to change to runas uid"); error(1, "unable to change to runas uid");
break; break;
@@ -175,8 +177,10 @@ set_perms(perm)
break; break;
case PERM_RUNAS: case PERM_RUNAS:
(void) setregid(-1, runas_pw->pw_gid); (void) setregid(-1, runas_gr ?
if (setreuid(-1, runas_pw->pw_uid)) runas_gr->gr_gid : runas_pw->pw_gid);
if (setreuid(-1,
runas_pw ? runas_pw->pw_uid : user_uid))
error(1, "unable to change to runas uid"); error(1, "unable to change to runas uid");
break; break;
@@ -256,8 +260,9 @@ set_perms(perm)
break; break;
case PERM_RUNAS: case PERM_RUNAS:
(void) setegid(runas_pw->pw_gid); (void) setegid(runas_gr ?
if (seteuid(runas_pw->pw_uid)) runas_gr->gr_gid : runas_pw->pw_gid);
if (seteuid(runas_pw ? runas_pw->pw_uid : user_uid))
error(1, "unable to change to runas uid"); error(1, "unable to change to runas uid");
break; break;
@@ -339,12 +344,14 @@ set_perms(perm)
static void static void
runas_setup() runas_setup()
{ {
gid_t gid;
#ifdef HAVE_LOGIN_CAP_H #ifdef HAVE_LOGIN_CAP_H
int flags; int flags;
extern login_cap_t *lc; extern login_cap_t *lc;
#endif #endif
if (runas_pw->pw_name != NULL) { if (runas_pw->pw_name != NULL) {
gid = runas_gr ? runas_gr->gr_gid : runas_pw->pw_gid;
#ifdef HAVE_PAM #ifdef HAVE_PAM
pam_prep_user(runas_pw); pam_prep_user(runas_pw);
#endif /* HAVE_PAM */ #endif /* HAVE_PAM */
@@ -360,7 +367,7 @@ runas_setup()
flags = LOGIN_SETRESOURCES|LOGIN_SETPRIORITY; flags = LOGIN_SETRESOURCES|LOGIN_SETPRIORITY;
if (!def_preserve_groups) if (!def_preserve_groups)
SET(flags, LOGIN_SETGROUP); SET(flags, LOGIN_SETGROUP);
else if (setgid(runas_pw->pw_gid)) else if (setgid(gid))
warning("cannot set gid to runas gid"); warning("cannot set gid to runas gid");
if (setusercontext(lc, runas_pw, runas_pw->pw_uid, flags)) { if (setusercontext(lc, runas_pw, runas_pw->pw_uid, flags)) {
if (runas_pw->pw_uid != ROOT_UID) if (runas_pw->pw_uid != ROOT_UID)
@@ -371,14 +378,14 @@ runas_setup()
} else } else
#endif /* HAVE_LOGIN_CAP_H */ #endif /* HAVE_LOGIN_CAP_H */
{ {
if (setgid(runas_pw->pw_gid)) if (setgid(gid))
warning("cannot set gid to runas gid"); warning("cannot set gid to runas gid");
#ifdef HAVE_INITGROUPS #ifdef HAVE_INITGROUPS
/* /*
* Initialize group vector unless asked not to. * Initialize group vector unless asked not to.
*/ */
if (!def_preserve_groups && if (!def_preserve_groups &&
initgroups(*user_runas, runas_pw->pw_gid) < 0) initgroups(runas_pw->pw_name, runas_pw->pw_gid) < 0)
warning("cannot set group vector"); warning("cannot set group vector");
#endif /* HAVE_INITGROUPS */ #endif /* HAVE_INITGROUPS */
} }

86
sudo.c
View File

@@ -111,6 +111,7 @@ static int parse_args __P((int, char **));
static void initial_setup __P((void)); static void initial_setup __P((void));
static void set_loginclass __P((struct passwd *)); static void set_loginclass __P((struct passwd *));
static void set_project __P((struct passwd *)); static void set_project __P((struct passwd *));
static void set_runasgr __P((char *));
static void usage __P((int)) static void usage __P((int))
__attribute__((__noreturn__)); __attribute__((__noreturn__));
static void usage_excl __P((int)) static void usage_excl __P((int))
@@ -147,6 +148,8 @@ login_cap_t *lc;
char *login_style; char *login_style;
#endif /* HAVE_BSD_AUTH_H */ #endif /* HAVE_BSD_AUTH_H */
sigaction_t saved_sa_int, saved_sa_quit, saved_sa_tstp, saved_sa_chld; sigaction_t saved_sa_int, saved_sa_quit, saved_sa_tstp, saved_sa_chld;
static char *runas_user;
static char *runas_group;
int int
@@ -280,6 +283,19 @@ main(argc, argv, envp)
log_error(NO_STDERR|NO_EXIT, "problem with defaults entries"); log_error(NO_STDERR|NO_EXIT, "problem with defaults entries");
} }
/*
* Set runas passwd/group entries based on command line or sudoers.
* Note that if runas_group was specified without runas_user we
* defer setting runas_pw so the match routines know to ignore it.
* XXX - early enough?
*/
if (runas_group != NULL) {
set_runasgr(runas_group);
if (runas_user != NULL)
set_runaspw(runas_user);
} else
set_runaspw(runas_user ? runas_user : def_runas_default);
/* This goes after sudoers is parsed since it may have timestamp options. */ /* This goes after sudoers is parsed since it may have timestamp options. */
if (sudo_mode == MODE_KILL || sudo_mode == MODE_INVALIDATE) { if (sudo_mode == MODE_KILL || sudo_mode == MODE_INVALIDATE) {
remove_timestamp((sudo_mode == MODE_KILL)); remove_timestamp((sudo_mode == MODE_KILL));
@@ -314,6 +330,10 @@ main(argc, argv, envp)
if (safe_cmnd == NULL) if (safe_cmnd == NULL)
safe_cmnd = estrdup(user_cmnd); safe_cmnd = estrdup(user_cmnd);
/* If only a group was specified, set runas_pw based on invoking user. */
if (runas_pw == NULL)
set_runaspw(user_name);
/* /*
* Look up the timestamp dir owner if one is specified. * Look up the timestamp dir owner if one is specified.
*/ */
@@ -603,8 +623,8 @@ init_vars(sudo_mode, envp)
* be run during reboot after the YP/NIS/NIS+/LDAP/etc daemon has died. * be run during reboot after the YP/NIS/NIS+/LDAP/etc daemon has died.
*/ */
if (sudo_mode & (MODE_INVALIDATE|MODE_KILL)) if (sudo_mode & (MODE_INVALIDATE|MODE_KILL))
errorx(1, "uid %s does not exist in the passwd file!", pw_name); errorx(1, "unknown uid: %s", pw_name);
log_error(0, "uid %s does not exist in the passwd file!", pw_name); log_error(0, "unknown uid: %s", pw_name);
} }
if (user_shell == NULL || *user_shell == '\0') if (user_shell == NULL || *user_shell == '\0')
user_shell = estrdup(sudo_user.pw->pw_shell); user_shell = estrdup(sudo_user.pw->pw_shell);
@@ -626,10 +646,6 @@ init_vars(sudo_mode, envp)
if (nohostname) if (nohostname)
log_error(USE_ERRNO|MSG_ONLY, "can't get hostname"); log_error(USE_ERRNO|MSG_ONLY, "can't get hostname");
set_runaspw(*user_runas); /* may call log_error() */
if (*user_runas[0] == '#' && runas_pw->pw_name[0] != '#')
*user_runas = estrdup(runas_pw->pw_name);
/* /*
* Get current working directory. Try as user, fall back to root. * Get current working directory. Try as user, fall back to root.
*/ */
@@ -668,6 +684,7 @@ init_vars(sudo_mode, envp)
} }
/* Set login class if applicable. */ /* Set login class if applicable. */
/* XXX - should move to after sudoers_lookup */
set_loginclass(sudo_user.pw); set_loginclass(sudo_user.pw);
} }
@@ -738,7 +755,7 @@ set_cmnd(sudo_mode)
} }
/* /*
* Command line argument parsing, can't use getopt(3). * Command line argument parsing, can't use getopt(3) due to optional args.
*/ */
static int static int
parse_args(argc, argv) parse_args(argc, argv)
@@ -779,7 +796,17 @@ parse_args(argc, argv)
if (NewArgv[1] == NULL) if (NewArgv[1] == NULL)
usage(1); usage(1);
user_runas = &NewArgv[1]; runas_user = NewArgv[1];
NewArgc--;
NewArgv++;
break;
case 'g':
/* Must have an associated runas group. */
if (NewArgv[1] == NULL)
usage(1);
runas_group = NewArgv[1];
NewArgc--; NewArgc--;
NewArgv++; NewArgv++;
@@ -897,7 +924,7 @@ parse_args(argc, argv)
if (NewArgv[1] == NULL) if (NewArgv[1] == NULL)
usage(1); usage(1);
if ((list_pw = sudo_getpwnam(NewArgv[1])) == NULL) if ((list_pw = sudo_getpwnam(NewArgv[1])) == NULL)
errorx(1, "unknown user %s", NewArgv[1]); errorx(1, "unknown user: %s", NewArgv[1]);
NewArgc--; NewArgc--;
NewArgv++; NewArgv++;
break; break;
@@ -943,10 +970,11 @@ args_done:
usage(1); usage(1);
} }
if (user_runas != NULL && !ISSET(rval, (MODE_EDIT|MODE_RUN|MODE_CHECK))) { if ((runas_user != NULL || runas_group != NULL) &&
!ISSET(rval, (MODE_EDIT|MODE_RUN|MODE_CHECK))) {
if (excl != '\0') if (excl != '\0')
warningx("the `-u' and `-%c' options may not be used together", warningx("the `-%c' and `-%c' options may not be used together",
excl); runas_user ? 'u' : 'g', excl);
usage(1); usage(1);
} }
if (list_pw != NULL && rval != MODE_LIST && rval != MODE_CHECK) { if (list_pw != NULL && rval != MODE_LIST && rval != MODE_CHECK) {
@@ -1105,7 +1133,9 @@ set_loginclass(pw)
errflags = NO_MAIL|MSG_ONLY|NO_EXIT; errflags = NO_MAIL|MSG_ONLY|NO_EXIT;
if (login_class && strcmp(login_class, "-") != 0) { if (login_class && strcmp(login_class, "-") != 0) {
if (strcmp(*user_runas, "root") != 0 && user_uid != 0) /* XXX - def_runas user may change after sudoers parse */
if (user_uid != 0 &&
strcmp(runas_user ? runas_user : def_runas_default, "root") != 0)
errorx(1, "only root can use -c %s", login_class); errorx(1, "only root can use -c %s", login_class);
} else { } else {
login_class = pw->pw_class; login_class = pw->pw_class;
@@ -1246,20 +1276,33 @@ int
set_runaspw(user) set_runaspw(user)
char *user; char *user;
{ {
if (runas_pw != NULL) {
if (user_runas != &def_runas_default)
return(TRUE); /* don't override -u option */
}
if (*user == '#') { if (*user == '#') {
if ((runas_pw = sudo_getpwuid(atoi(user + 1))) == NULL) if ((runas_pw = sudo_getpwuid(atoi(user + 1))) == NULL)
runas_pw = sudo_fakepwnam(user); runas_pw = sudo_fakepwnam(user);
} else { } else {
if ((runas_pw = sudo_getpwnam(user)) == NULL) if ((runas_pw = sudo_getpwnam(user)) == NULL)
log_error(NO_MAIL|MSG_ONLY, "no passwd entry for %s!", user); log_error(NO_MAIL|MSG_ONLY, "unknown user: %s", user);
} }
return(TRUE); return(TRUE);
} }
/*
* Get group entry for the group we are going to run commands as.
* Updates runas_pw as a side effect.
*/
static void
set_runasgr(group)
char *group;
{
if (*group == '#') {
if ((runas_gr = sudo_getgrgid(atoi(group + 1))) == NULL)
runas_gr = sudo_fakegrnam(group);
} else {
if ((runas_gr = sudo_getgrnam(group)) == NULL)
log_error(NO_MAIL|MSG_ONLY, "unknown group: %s", group);
}
}
/* /*
* Get passwd entry for the user we are going to authenticate as. * Get passwd entry for the user we are going to authenticate as.
* By default, this is the user invoking sudo. In the most common * By default, this is the user invoking sudo. In the most common
@@ -1272,14 +1315,13 @@ get_authpw()
if (def_rootpw) { if (def_rootpw) {
if ((pw = sudo_getpwuid(0)) == NULL) if ((pw = sudo_getpwuid(0)) == NULL)
log_error(0, "uid 0 does not exist in the passwd file!"); log_error(0, "unknown uid: 0");
} else if (def_runaspw) { } else if (def_runaspw) {
if ((pw = sudo_getpwnam(def_runas_default)) == NULL) if ((pw = sudo_getpwnam(def_runas_default)) == NULL)
log_error(0, "user %s does not exist in the passwd file!", log_error(0, "unknown user: %s", def_runas_default);
def_runas_default);
} else if (def_targetpw) { } else if (def_targetpw) {
if (runas_pw->pw_name == NULL) if (runas_pw->pw_name == NULL)
log_error(NO_MAIL|MSG_ONLY, "no passwd entry for %lu!", log_error(NO_MAIL|MSG_ONLY, "unknown uid: %lu",
(unsigned long) runas_pw->pw_uid); (unsigned long) runas_pw->pw_uid);
pw = runas_pw; pw = runas_pw;
} else } else

508
sudo.cat
View File

@@ -10,14 +10,16 @@ NNAAMMEE
SSYYNNOOPPSSIISS SSYYNNOOPPSSIISS
ssuuddoo --hh | --KK | --kk | --LL | --VV | --vv ssuuddoo --hh | --KK | --kk | --LL | --VV | --vv
ssuuddoo --ll [--UU _u_s_e_r_n_a_m_e] [--uu _u_s_e_r_n_a_m_e|_#_u_i_d] [_c_o_m_m_a_n_d] ssuuddoo --ll [--gg _g_r_o_u_p_n_a_m_e|_#_g_i_d] [--UU _u_s_e_r_n_a_m_e] [--uu _u_s_e_r_-
_n_a_m_e|_#_u_i_d] [_c_o_m_m_a_n_d]
ssuuddoo [--bbEEHHPPSS] [--aa _a_u_t_h___t_y_p_e] [--CC _f_d] [--cc _c_l_a_s_s|_-] ssuuddoo [--bbEEHHPPSS] [--aa _a_u_t_h___t_y_p_e] [--CC _f_d] [--cc _c_l_a_s_s|_-]
[--pp _p_r_o_m_p_t] [--uu _u_s_e_r_n_a_m_e|_#_u_i_d] [VVAARR=_v_a_l_u_e] {--ii | --ss | _c_o_m_- [--gg _g_r_o_u_p_n_a_m_e|_#_g_i_d] [--pp _p_r_o_m_p_t] [--uu _u_s_e_r_n_a_m_e|_#_u_i_d]
_m_a_n_d} [VVAARR=_v_a_l_u_e] {--ii | --ss | _c_o_m_m_a_n_d}
ssuuddooeeddiitt [--SS] [--aa _a_u_t_h___t_y_p_e] [--CC _f_d] [--cc _c_l_a_s_s|_-] ssuuddooeeddiitt [--SS] [--aa _a_u_t_h___t_y_p_e] [--CC _f_d] [--cc _c_l_a_s_s|_-]
[--pp _p_r_o_m_p_t] [--uu _u_s_e_r_n_a_m_e|_#_u_i_d] file ... [--gg _g_r_o_u_p_n_a_m_e|_#_g_i_d] [--pp _p_r_o_m_p_t] [--uu _u_s_e_r_n_a_m_e|_#_u_i_d] file
...
DDEESSCCRRIIPPTTIIOONN DDEESSCCRRIIPPTTIIOONN
ssuuddoo allows a permitted user to execute a _c_o_m_m_a_n_d as the ssuuddoo allows a permitted user to execute a _c_o_m_m_a_n_d as the
@@ -55,13 +57,11 @@ DDEESSCCRRIIPPTTIIOONN
If ssuuddoo is run by root and the SUDO_USER environment vari- If ssuuddoo is run by root and the SUDO_USER environment vari-
able is set, ssuuddoo will use this value to determine who the able is set, ssuuddoo will use this value to determine who the
actual user is. This can be used by a user to log com- actual user is. This can be used by a user to log
mands through sudo even when a root shell has been
invoked. It also allows the --ee flag to remain useful even
1.7 August 15, 2007 1 1.7 November 21, 2007 1
@@ -70,6 +70,8 @@ DDEESSCCRRIIPPTTIIOONN
SUDO(1m) MAINTENANCE COMMANDS SUDO(1m) SUDO(1m) MAINTENANCE COMMANDS SUDO(1m)
commands through sudo even when a root shell has been
invoked. It also allows the --ee flag to remain useful even
when being run via a sudo-run script or program. Note when being run via a sudo-run script or program. Note
however, that the sudoers lookup is still done for root, however, that the sudoers lookup is still done for root,
not the user specified by SUDO_USER. not the user specified by SUDO_USER.
@@ -82,52 +84,50 @@ SUDO(1m) MAINTENANCE COMMANDS SUDO(1m)
OOPPTTIIOONNSS OOPPTTIIOONNSS
ssuuddoo accepts the following command line options: ssuuddoo accepts the following command line options:
-a The --aa (_a_u_t_h_e_n_t_i_c_a_t_i_o_n _t_y_p_e) option causes ssuuddoo to use -a _t_y_p_e The --aa (_a_u_t_h_e_n_t_i_c_a_t_i_o_n _t_y_p_e) option causes
the specified authentication type when validating the ssuuddoo to use the specified authentication type
user, as allowed by _/_e_t_c_/_l_o_g_i_n_._c_o_n_f. The system when validating the user, as allowed by
administrator may specify a list of sudo-specific _/_e_t_c_/_l_o_g_i_n_._c_o_n_f. The system administrator may
authentication methods by adding an "auth-sudo" entry specify a list of sudo-specific authentication
in _/_e_t_c_/_l_o_g_i_n_._c_o_n_f. This option is only available on methods by adding an "auth-sudo" entry in
systems that support BSD authentication. _/_e_t_c_/_l_o_g_i_n_._c_o_n_f. This option is only avail-
able on systems that support BSD authentica-
tion.
-b The --bb (_b_a_c_k_g_r_o_u_n_d) option tells ssuuddoo to run the given -b The --bb (_b_a_c_k_g_r_o_u_n_d) option tells ssuuddoo to run
command in the background. Note that if you use the the given command in the background. Note
--bb option you cannot use shell job control to manipu- that if you use the --bb option you cannot use
late the process. shell job control to manipulate the process.
-C fd -C _f_d Normally, ssuuddoo will close all open file
Normally, ssuuddoo will close all open file descriptors descriptors other than standard input, stan-
other than standard input, standard output and stan- dard output and standard error. The --CC (_c_l_o_s_e
dard error. The --CC (_c_l_o_s_e _f_r_o_m) option allows the _f_r_o_m) option allows the user to specify a
user to specify a starting point above the standard starting point above the standard error (file
error (file descriptor three). Values less than three descriptor three). Values less than three are
are not permitted. This option is only available if not permitted. This option is only available
the administrator has enabled the _c_l_o_s_e_f_r_o_m___o_v_e_r_r_i_d_e if the administrator has enabled the _c_l_o_s_e_-
option in _s_u_d_o_e_r_s(4). _f_r_o_m___o_v_e_r_r_i_d_e option in _s_u_d_o_e_r_s(4).
-c The --cc (_c_l_a_s_s) option causes ssuuddoo to run the specified -c _c_l_a_s_s The --cc (_c_l_a_s_s) option causes ssuuddoo to run the
command with resources limited by the specified login specified command with resources limited by
class. The _c_l_a_s_s argument can be either a class name the specified login class. The _c_l_a_s_s argument
as defined in _/_e_t_c_/_l_o_g_i_n_._c_o_n_f, or a single '-' charac- can be either a class name as defined in
ter. Specifying a _c_l_a_s_s of - indicates that the com- _/_e_t_c_/_l_o_g_i_n_._c_o_n_f, or a single '-' character.
mand should be run restricted by the default login Specifying a _c_l_a_s_s of - indicates that the
capabilities for the user the command is run as. If command should be run restricted by the
the _c_l_a_s_s argument specifies an existing user class, default login capabilities for the user the
the command must be run as root, or the ssuuddoo command command is run as. If the _c_l_a_s_s argument
must be run from a shell that is already root. This specifies an existing user class, the command
option is only available on systems with BSD login must be run as root, or the ssuuddoo command must
classes. be run from a shell that is already root.
This option is only available on systems with
-E The --EE (_p_r_e_s_e_r_v_e _e_n_v_i_r_o_n_m_e_n_t) option will override the BSD login classes.
_e_n_v___r_e_s_e_t option in _s_u_d_o_e_r_s(4)). It is only available
when either the matching command has the SETENV tag or
the _s_e_t_e_n_v option is set in _s_u_d_o_e_r_s(4).
-e The --ee (_e_d_i_t) option indicates that, instead of
1.7 August 15, 2007 2
1.7 November 21, 2007 2
@@ -136,64 +136,64 @@ OOPPTTIIOONNSS
SUDO(1m) MAINTENANCE COMMANDS SUDO(1m) SUDO(1m) MAINTENANCE COMMANDS SUDO(1m)
running a command, the user wishes to edit one or more -E The --EE (_p_r_e_s_e_r_v_e _e_n_v_i_r_o_n_m_e_n_t) option will
files. In lieu of a command, the string "sudoedit" is override the _e_n_v___r_e_s_e_t option in _s_u_d_o_e_r_s(4)).
used when consulting the _s_u_d_o_e_r_s file. If the user is It is only available when either the matching
authorized by _s_u_d_o_e_r_s the following steps are taken: command has the SETENV tag or the _s_e_t_e_n_v
option is set in _s_u_d_o_e_r_s(4).
1. Temporary copies are made of the files to be -e The --ee (_e_d_i_t) option indicates that, instead
edited with the owner set to the invoking user. of running a command, the user wishes to edit
one or more files. In lieu of a command, the
string "sudoedit" is used when consulting the
_s_u_d_o_e_r_s file. If the user is authorized by
_s_u_d_o_e_r_s the following steps are taken:
2. The editor specified by the VISUAL or EDITOR envi- 1. Temporary copies are made of the files to
ronment variables is run to edit the temporary be edited with the owner set to the invok-
files. If neither VISUAL nor EDITOR are set, the ing user.
program listed in the _e_d_i_t_o_r _s_u_d_o_e_r_s variable is
used.
3. If they have been modified, the temporary files 2. The editor specified by the VISUAL or EDI-
are copied back to their original location and the TOR environment variables is run to edit
temporary versions are removed. the temporary files. If neither VISUAL
nor EDITOR are set, the program listed in
the _e_d_i_t_o_r _s_u_d_o_e_r_s variable is used.
If the specified file does not exist, it will be cre- 3. If they have been modified, the temporary
ated. Note that unlike most commands run by ssuuddoo, the files are copied back to their original
editor is run with the invoking user's environment location and the temporary versions are
unmodified. If, for some reason, ssuuddoo is unable to removed.
update a file with its edited version, the user will
receive a warning and the edited copy will remain in a
temporary file.
-H The --HH (_H_O_M_E) option sets the HOME environment vari- If the specified file does not exist, it will
able to the homedir of the target user (root by be created. Note that unlike most commands
default) as specified in _p_a_s_s_w_d(4). By default, ssuuddoo run by ssuuddoo, the editor is run with the invok-
does not modify HOME (see _s_e_t___h_o_m_e and _a_l_w_a_y_s___s_e_t___h_o_m_e ing user's environment unmodified. If, for
in _s_u_d_o_e_r_s(4)). some reason, ssuuddoo is unable to update a file
with its edited version, the user will receive
a warning and the edited copy will remain in a
temporary file.
-h The --hh (_h_e_l_p) option causes ssuuddoo to print a usage mes- -g _g_r_o_u_p Normally, ssuuddoo sets the primary group to the
sage and exit. one specified by the passwd database for the
user the command is being run as (by default,
root). The --gg (_g_r_o_u_p) option causes ssuuddoo to
run the specified command with the primary
group set to _g_r_o_u_p. To specify a _g_i_d instead
of a _g_r_o_u_p _n_a_m_e, use _#_g_i_d. When running com-
mands as a _g_i_d, many shells require that the
'#' be escaped with a backslash ('\'). If no
--uu option is specified, the command will be
run as the invoking user (not root). In
either case, the primary group will be set to
_g_r_o_u_p.
-i The --ii (_s_i_m_u_l_a_t_e _i_n_i_t_i_a_l _l_o_g_i_n) option runs the shell -H The --HH (_H_O_M_E) option sets the HOME environment
specified in the _p_a_s_s_w_d(4) entry of the user that the variable to the homedir of the target user
command is being run as. The command name argument (root by default) as specified in _p_a_s_s_w_d(4).
given to the shell begins with a `-' to tell the shell
to run as a login shell. ssuuddoo attempts to change to
that user's home directory before running the shell.
It also initializes the environment, leaving _D_I_S_P_L_A_Y
and _T_E_R_M unchanged, setting _H_O_M_E, _S_H_E_L_L, _U_S_E_R, _L_O_G_-
_N_A_M_E, and _P_A_T_H, and unsetting all other environment
variables.
-K The --KK (sure _k_i_l_l) option is like --kk except that it
removes the user's timestamp entirely. Like --kk, this
option does not require a password.
-k The --kk (_k_i_l_l) option to ssuuddoo invalidates the user's
timestamp by setting the time on it to the Epoch. The
next time ssuuddoo is run a password will be required.
This option does not require a password and was added
1.7 August 15, 2007 3 1.7 November 21, 2007 3
@@ -202,64 +202,64 @@ SUDO(1m) MAINTENANCE COMMANDS SUDO(1m)
SUDO(1m) MAINTENANCE COMMANDS SUDO(1m) SUDO(1m) MAINTENANCE COMMANDS SUDO(1m)
to allow a user to revoke ssuuddoo permissions from a By default, ssuuddoo does not modify HOME (see
.logout file. _s_e_t___h_o_m_e and _a_l_w_a_y_s___s_e_t___h_o_m_e in _s_u_d_o_e_r_s(4)).
-L The --LL (_l_i_s_t defaults) option will list out the param- -h The --hh (_h_e_l_p) option causes ssuuddoo to print a
eters that may be set in a _D_e_f_a_u_l_t_s line along with a usage message and exit.
short description for each. This option is useful in
conjunction with _g_r_e_p(1). -i The --ii (_s_i_m_u_l_a_t_e _i_n_i_t_i_a_l _l_o_g_i_n) option runs
the shell specified in the _p_a_s_s_w_d(4) entry of
the user that the command is being run as.
The command name argument given to the shell
begins with a `-' to tell the shell to run as
a login shell. ssuuddoo attempts to change to
that user's home directory before running the
shell. It also initializes the environment,
leaving _D_I_S_P_L_A_Y and _T_E_R_M unchanged, setting
_H_O_M_E, _S_H_E_L_L, _U_S_E_R, _L_O_G_N_A_M_E, and _P_A_T_H, and
unsetting all other environment variables.
-K The --KK (sure _k_i_l_l) option is like --kk except
that it removes the user's timestamp entirely.
Like --kk, this option does not require a pass-
word.
-k The --kk (_k_i_l_l) option to ssuuddoo invalidates the
user's timestamp by setting the time on it to
the Epoch. The next time ssuuddoo is run a pass-
word will be required. This option does not
require a password and was added to allow a
user to revoke ssuuddoo permissions from a .logout
file.
-L The --LL (_l_i_s_t defaults) option will list out
the parameters that may be set in a _D_e_f_a_u_l_t_s
line along with a short description for each.
This option is useful in conjunction with
_g_r_e_p(1).
-l [_c_o_m_m_a_n_d] -l [_c_o_m_m_a_n_d]
If no _c_o_m_m_a_n_d is specified, the --ll (_l_i_s_t) option will If no _c_o_m_m_a_n_d is specified, the --ll (_l_i_s_t)
list the allowed (and forbidden) commands for the option will list the allowed (and forbidden)
invoking user (or the user specified by the --UU option) commands for the invoking user (or the user
on the current host. If a _c_o_m_m_a_n_d is specified and is specified by the --UU option) on the current
permitted by _s_u_d_o_e_r_s, the fully-qualified path to the host. If a _c_o_m_m_a_n_d is specified and is per-
command is displayed along with any command line argu- mitted by _s_u_d_o_e_r_s, the fully-qualified path to
ments. If _c_o_m_m_a_n_d is not allowed, ssuuddoo will exit with the command is displayed along with any com-
a return value of 1. mand line arguments. If _c_o_m_m_a_n_d is not
allowed, ssuuddoo will exit with a return value of
1.
-P The --PP (_p_r_e_s_e_r_v_e _g_r_o_u_p _v_e_c_t_o_r) option causes ssuuddoo to -P The --PP (_p_r_e_s_e_r_v_e _g_r_o_u_p _v_e_c_t_o_r) option causes
preserve the invoking user's group vector unaltered. ssuuddoo to preserve the invoking user's group
By default, ssuuddoo will initialize the group vector to vector unaltered. By default, ssuuddoo will ini-
the list of groups the target user is in. The real tialize the group vector to the list of groups
and effective group IDs, however, are still set to the target user is in. The real and effective
match the target user.
-p The --pp (_p_r_o_m_p_t) option allows you to override the
default password prompt and use a custom one. The
following percent (`%') escapes are supported:
%H expanded to the local hostname including the
domain name (on if the machine's hostname is fully
qualified or the _f_q_d_n _s_u_d_o_e_r_s option is set)
%h expanded to the local hostname without the domain
name
%U expanded to the login name of the user the command
will be run as (defaults to root)
%u expanded to the invoking user's login name
%% two consecutive % characters are collapsed into a
single % character
-S The --SS (_s_t_d_i_n) option causes ssuuddoo to read the password
from the standard input instead of the terminal
device.
-s The --ss (_s_h_e_l_l) option runs the shell specified by the
_S_H_E_L_L environment variable if it is set or the shell
as specified in _p_a_s_s_w_d(4).
-U The --UU (_o_t_h_e_r _u_s_e_r) option is used in conjunction with
the --ll option to specify the user whose privileges
1.7 August 15, 2007 4 1.7 November 21, 2007 4
@@ -268,33 +268,82 @@ SUDO(1m) MAINTENANCE COMMANDS SUDO(1m)
SUDO(1m) MAINTENANCE COMMANDS SUDO(1m) SUDO(1m) MAINTENANCE COMMANDS SUDO(1m)
should be listed. Only root or a user with ssuuddoo ALL group IDs, however, are still set to match the
on the current host may use this option. target user.
-u The --uu (_u_s_e_r) option causes ssuuddoo to run the specified -p _p_r_o_m_p_t The --pp (_p_r_o_m_p_t) option allows you to override
command as a user other than _r_o_o_t. To specify a _u_i_d the default password prompt and use a custom
instead of a _u_s_e_r_n_a_m_e, use _#_u_i_d. When running com- one. The following percent (`%') escapes are
mands as a _u_i_d, many shells require that the '#' be supported:
escaped with a backslash ('\'). Note that if the _t_a_r_-
_g_e_t_p_w Defaults option is set (see _s_u_d_o_e_r_s(4)) it is
not possible to run commands with a uid not listed in
the password database.
-V The --VV (_v_e_r_s_i_o_n) option causes ssuuddoo to print the ver- %H expanded to the local hostname including
sion number and exit. If the invoking user is already the domain name (on if the machine's host-
root the --VV option will print out a list of the name is fully qualified or the _f_q_d_n _s_u_d_o_-
defaults ssuuddoo was compiled with as well as the _e_r_s option is set)
machine's local network addresses.
-v If given the --vv (_v_a_l_i_d_a_t_e) option, ssuuddoo will update %h expanded to the local hostname without the
the user's timestamp, prompting for the user's pass- domain name
word if necessary. This extends the ssuuddoo timeout for
another 5 minutes (or whatever the timeout is set to
in _s_u_d_o_e_r_s) but does not run a command.
-- The ---- flag indicates that ssuuddoo should stop processing %U expanded to the login name of the user the
command line arguments. It is most useful in conjunc- command will be run as (defaults to root)
tion with the --ss flag.
%u expanded to the invoking user's login name
%% two consecutive % characters are collapsed
into a single % character
-S The --SS (_s_t_d_i_n) option causes ssuuddoo to read the
password from the standard input instead of
the terminal device.
-s The --ss (_s_h_e_l_l) option runs the shell specified
by the _S_H_E_L_L environment variable if it is set
or the shell as specified in _p_a_s_s_w_d(4).
-U _u_s_e_r The --UU (_o_t_h_e_r _u_s_e_r) option is used in conjunc-
tion with the --ll option to specify the user
whose privileges should be listed. Only root
or a user with ssuuddoo ALL on the current host
may use this option.
-u _u_s_e_r The --uu (_u_s_e_r) option causes ssuuddoo to run the
specified command as a user other than _r_o_o_t.
To specify a _u_i_d instead of a _u_s_e_r _n_a_m_e, use
_#_u_i_d. When running commands as a _u_i_d, many
shells require that the '#' be escaped with a
backslash ('\'). Note that if the _t_a_r_g_e_t_p_w
Defaults option is set (see _s_u_d_o_e_r_s(4)) it is
not possible to run commands with a uid not
listed in the password database.
-V The --VV (_v_e_r_s_i_o_n) option causes ssuuddoo to print
the version number and exit. If the invoking
user is already root the --VV option will print
out a list of the defaults ssuuddoo was compiled
with as well as the machine's local network
addresses.
1.7 November 21, 2007 5
SUDO(1m) MAINTENANCE COMMANDS SUDO(1m)
-v If given the --vv (_v_a_l_i_d_a_t_e) option, ssuuddoo will
update the user's timestamp, prompting for the
user's password if necessary. This extends
the ssuuddoo timeout for another 5 minutes (or
whatever the timeout is set to in _s_u_d_o_e_r_s) but
does not run a command.
-- The ---- flag indicates that ssuuddoo should stop
processing command line arguments. It is most
useful in conjunction with the --ss flag.
Environment variables to be set for the command may also Environment variables to be set for the command may also
be passed on the command line in the form of VVAARR=_v_a_l_u_e, be passed on the command line in the form of VVAARR=_v_a_l_u_e,
@@ -302,9 +351,10 @@ SUDO(1m) MAINTENANCE COMMANDS SUDO(1m)
passed on the command line are subject to the same passed on the command line are subject to the same
restrictions as normal environment variables with one restrictions as normal environment variables with one
important exception. If the _s_e_t_e_n_v option is set in _s_u_d_o_- important exception. If the _s_e_t_e_n_v option is set in _s_u_d_o_-
_e_r_s or the command to be run has the SETENV tag set the _e_r_s, the command to be run has the SETENV tag set or the
user may set variables that would overwise be forbidden. command matched is ALL, the user may set variables that
See _s_u_d_o_e_r_s(4) for more information. would overwise be forbidden. See _s_u_d_o_e_r_s(4) for more
information.
RREETTUURRNN VVAALLUUEESS RREETTUURRNN VVAALLUUEESS
Upon successful execution of a program, the return value Upon successful execution of a program, the return value
@@ -322,18 +372,6 @@ RREETTUURRNN VVAALLUUEESS
stances. The most common reason for _s_t_a_t(2) to return stances. The most common reason for _s_t_a_t(2) to return
"permission denied" is if you are running an automounter "permission denied" is if you are running an automounter
and one of the directories in your PATH is on a machine and one of the directories in your PATH is on a machine
1.7 August 15, 2007 5
SUDO(1m) MAINTENANCE COMMANDS SUDO(1m)
that is currently unreachable. that is currently unreachable.
SSEECCUURRIITTYY NNOOTTEESS SSEECCUURRIITTYY NNOOTTEESS
@@ -350,6 +388,18 @@ SSEECCUURRIITTYY NNOOTTEESS
If, however, the _e_n_v___r_e_s_e_t option is disabled in _s_u_d_o_e_r_s, If, however, the _e_n_v___r_e_s_e_t option is disabled in _s_u_d_o_e_r_s,
any variables not explicitly denied by the _e_n_v___c_h_e_c_k and any variables not explicitly denied by the _e_n_v___c_h_e_c_k and
1.7 November 21, 2007 6
SUDO(1m) MAINTENANCE COMMANDS SUDO(1m)
_e_n_v___d_e_l_e_t_e options are inherited from the invoking pro- _e_n_v___d_e_l_e_t_e options are inherited from the invoking pro-
cess. In this case, _e_n_v___c_h_e_c_k and _e_n_v___d_e_l_e_t_e behave like cess. In this case, _e_n_v___c_h_e_c_k and _e_n_v___d_e_l_e_t_e behave like
a blacklist. Since it is not possible to blacklist all a blacklist. Since it is not possible to blacklist all
@@ -388,18 +438,6 @@ SSEECCUURRIITTYY NNOOTTEESS
timestamp directory before ssuuddoo is run. However, because timestamp directory before ssuuddoo is run. However, because
ssuuddoo checks the ownership and mode of the directory and ssuuddoo checks the ownership and mode of the directory and
its contents, the only damage that can be done is to its contents, the only damage that can be done is to
1.7 August 15, 2007 6
SUDO(1m) MAINTENANCE COMMANDS SUDO(1m)
"hide" files by putting them in the timestamp dir. This "hide" files by putting them in the timestamp dir. This
is unlikely to happen since once the timestamp dir is is unlikely to happen since once the timestamp dir is
owned by root and inaccessible by any other user, the user owned by root and inaccessible by any other user, the user
@@ -417,6 +455,17 @@ SUDO(1m) MAINTENANCE COMMANDS SUDO(1m)
timestamp with a bogus date on systems that allow users to timestamp with a bogus date on systems that allow users to
give away files. give away files.
1.7 November 21, 2007 7
SUDO(1m) MAINTENANCE COMMANDS SUDO(1m)
Please note that ssuuddoo will normally only log the command Please note that ssuuddoo will normally only log the command
it explicitly runs. If a user runs a command such as sudo it explicitly runs. If a user runs a command such as sudo
su or sudo sh, subsequent commands run from that shell su or sudo sh, subsequent commands run from that shell
@@ -455,17 +504,6 @@ EENNVVIIRROONNMMEENNTT
SUDO_UID Set to the uid of the user who invoked SUDO_UID Set to the uid of the user who invoked
sudo sudo
1.7 August 15, 2007 7
SUDO(1m) MAINTENANCE COMMANDS SUDO(1m)
SUDO_GID Set to the gid of the user who invoked SUDO_GID Set to the gid of the user who invoked
sudo sudo
@@ -481,6 +519,19 @@ FFIILLEESS
_/_e_t_c_/_s_u_d_o_e_r_s List of who can run what _/_e_t_c_/_s_u_d_o_e_r_s List of who can run what
_/_v_a_r_/_r_u_n_/_s_u_d_o Directory containing timestamps _/_v_a_r_/_r_u_n_/_s_u_d_o Directory containing timestamps
1.7 November 21, 2007 8
SUDO(1m) MAINTENANCE COMMANDS SUDO(1m)
EEXXAAMMPPLLEESS EEXXAAMMPPLLEESS
Note: the following examples assume suitable _s_u_d_o_e_r_s(4) Note: the following examples assume suitable _s_u_d_o_e_r_s(4)
entries. entries.
@@ -520,18 +571,6 @@ AAUUTTHHOORRSS
Todd C. Miller Todd C. Miller
See the HISTORY file in the ssuuddoo distribution or visit See the HISTORY file in the ssuuddoo distribution or visit
1.7 August 15, 2007 8
SUDO(1m) MAINTENANCE COMMANDS SUDO(1m)
http://www.sudo.ws/sudo/history.html for a short history http://www.sudo.ws/sudo/history.html for a short history
of ssuuddoo. of ssuuddoo.
@@ -547,6 +586,18 @@ CCAAVVEEAATTSS
It is not meaningful to run the cd command directly via It is not meaningful to run the cd command directly via
sudo, e.g., sudo, e.g.,
1.7 November 21, 2007 9
SUDO(1m) MAINTENANCE COMMANDS SUDO(1m)
$ sudo cd /usr/local/protected $ sudo cd /usr/local/protected
since when the command exits the parent process (your since when the command exits the parent process (your
@@ -589,6 +640,21 @@ DDIISSCCLLAAIIMMEERR
1.7 August 15, 2007 9
1.7 November 21, 2007 10

5
sudo.h
View File

@@ -37,6 +37,7 @@
struct sudo_user { struct sudo_user {
struct passwd *pw; struct passwd *pw;
struct passwd *_runas_pw; struct passwd *_runas_pw;
struct group *_runas_gr;
struct stat *cmnd_stat; struct stat *cmnd_stat;
char *path; char *path;
char *shell; char *shell;
@@ -44,7 +45,6 @@ struct sudo_user {
char *ttypath; char *ttypath;
char *host; char *host;
char *shost; char *shost;
char **runas;
char *prompt; char *prompt;
char *cmnd; char *cmnd;
char *cmnd_args; char *cmnd_args;
@@ -132,7 +132,6 @@ struct sudo_user {
#define user_tty (sudo_user.tty) #define user_tty (sudo_user.tty)
#define user_ttypath (sudo_user.ttypath) #define user_ttypath (sudo_user.ttypath)
#define user_cwd (sudo_user.cwd) #define user_cwd (sudo_user.cwd)
#define user_runas (sudo_user.runas)
#define user_cmnd (sudo_user.cmnd) #define user_cmnd (sudo_user.cmnd)
#define user_args (sudo_user.cmnd_args) #define user_args (sudo_user.cmnd_args)
#define user_base (sudo_user.cmnd_base) #define user_base (sudo_user.cmnd_base)
@@ -145,6 +144,7 @@ struct sudo_user {
#define safe_cmnd (sudo_user.cmnd_safe) #define safe_cmnd (sudo_user.cmnd_safe)
#define login_class (sudo_user.class_name) #define login_class (sudo_user.class_name)
#define runas_pw (sudo_user._runas_pw) #define runas_pw (sudo_user._runas_pw)
#define runas_gr (sudo_user._runas_gr)
/* /*
* We used to use the system definition of PASS_MAX or _PASSWD_LEN, * We used to use the system definition of PASS_MAX or _PASSWD_LEN,
@@ -281,6 +281,7 @@ struct passwd *sudo_fakepwnam __P((const char *));
struct passwd *sudo_getpwuid __P((uid_t)); struct passwd *sudo_getpwuid __P((uid_t));
struct passwd *sudo_fakepwuid __P((uid_t)); struct passwd *sudo_fakepwuid __P((uid_t));
struct group *sudo_getgrnam __P((const char *)); struct group *sudo_getgrnam __P((const char *));
struct group *sudo_fakegrnam __P((const char *));
struct group *sudo_getgrgid __P((gid_t)); struct group *sudo_getgrgid __P((gid_t));
YY_DECL; YY_DECL;

95
sudo.man.in
View File

@@ -150,22 +150,24 @@
.\" ======================================================================== .\" ========================================================================
.\" .\"
.IX Title "SUDO @mansectsu@" .IX Title "SUDO @mansectsu@"
.TH SUDO @mansectsu@ "August 15, 2007" "1.7" "MAINTENANCE COMMANDS" .TH SUDO @mansectsu@ "November 21, 2007" "1.7" "MAINTENANCE COMMANDS"
.SH "NAME" .SH "NAME"
sudo, sudoedit \- execute a command as another user sudo, sudoedit \- execute a command as another user
.SH "SYNOPSIS" .SH "SYNOPSIS"
.IX Header "SYNOPSIS" .IX Header "SYNOPSIS"
\&\fBsudo\fR \fB\-h\fR | \fB\-K\fR | \fB\-k\fR | \fB\-L\fR | \fB\-V\fR | \fB\-v\fR \&\fBsudo\fR \fB\-h\fR | \fB\-K\fR | \fB\-k\fR | \fB\-L\fR | \fB\-V\fR | \fB\-v\fR
.PP .PP
\&\fBsudo\fR \fB\-l\fR [\fB\-U\fR\ \fIusername\fR] [\fB\-u\fR\ \fIusername\fR|\fI#uid\fR] [\fIcommand\fR] \&\fBsudo\fR \fB\-l\fR [\fB\-g\fR\ \fIgroupname\fR|\fI#gid\fR] [\fB\-U\fR\ \fIusername\fR]
[\fB\-u\fR\ \fIusername\fR|\fI#uid\fR] [\fIcommand\fR]
.PP .PP
\&\fBsudo\fR [\fB\-bEHPS\fR] [\fB\-a\fR\ \fIauth_type\fR] [\fB\-C\fR\ \fIfd\fR] \&\fBsudo\fR [\fB\-bEHPS\fR] [\fB\-a\fR\ \fIauth_type\fR] [\fB\-C\fR\ \fIfd\fR]
[\fB\-c\fR\ \fIclass\fR|\fI\-\fR] [\fB\-p\fR\ \fIprompt\fR] [\fB\-u\fR\ \fIusername\fR|\fI#uid\fR] [\fB\-c\fR\ \fIclass\fR|\fI\-\fR] [\fB\-g\fR\ \fIgroupname\fR|\fI#gid\fR] [\fB\-p\fR\ \fIprompt\fR]
[\fB\s-1VAR\s0\fR=\fIvalue\fR] {\fB\-i\fR\ |\ \fB\-s\fR\ |\ \fIcommand\fR} [\fB\-u\fR\ \fIusername\fR|\fI#uid\fR] [\fB\s-1VAR\s0\fR=\fIvalue\fR]
{\fB\-i\fR\ |\ \fB\-s\fR\ |\ \fIcommand\fR}
.PP .PP
\&\fBsudoedit\fR [\fB\-S\fR] [\fB\-a\fR\ \fIauth_type\fR] [\fB\-C\fR\ \fIfd\fR] \&\fBsudoedit\fR [\fB\-S\fR] [\fB\-a\fR\ \fIauth_type\fR] [\fB\-C\fR\ \fIfd\fR]
[\fB\-c\fR\ \fIclass\fR|\fI\-\fR] [\fB\-p\fR\ \fIprompt\fR] [\fB\-u\fR\ \fIusername\fR|\fI#uid\fR] [\fB\-c\fR\ \fIclass\fR|\fI\-\fR] [\fB\-g\fR\ \fIgroupname\fR|\fI#gid\fR] [\fB\-p\fR\ \fIprompt\fR]
file ... [\fB\-u\fR\ \fIusername\fR|\fI#uid\fR] file ...
.SH "DESCRIPTION" .SH "DESCRIPTION"
.IX Header "DESCRIPTION" .IX Header "DESCRIPTION"
\&\fBsudo\fR allows a permitted user to execute a \fIcommand\fR as the \&\fBsudo\fR allows a permitted user to execute a \fIcommand\fR as the
@@ -215,20 +217,20 @@ or via the \fIsudoers\fR file.
.SH "OPTIONS" .SH "OPTIONS"
.IX Header "OPTIONS" .IX Header "OPTIONS"
\&\fBsudo\fR accepts the following command line options: \&\fBsudo\fR accepts the following command line options:
.IP "\-a" 4 .IP "\-a \fItype\fR" 12
.IX Item "-a" .IX Item "-a type"
The \fB\-a\fR (\fIauthentication type\fR) option causes \fBsudo\fR to use the The \fB\-a\fR (\fIauthentication type\fR) option causes \fBsudo\fR to use the
specified authentication type when validating the user, as allowed specified authentication type when validating the user, as allowed
by \fI/etc/login.conf\fR. The system administrator may specify a list by \fI/etc/login.conf\fR. The system administrator may specify a list
of sudo-specific authentication methods by adding an \*(L"auth\-sudo\*(R" of sudo-specific authentication methods by adding an \*(L"auth\-sudo\*(R"
entry in \fI/etc/login.conf\fR. This option is only available on systems entry in \fI/etc/login.conf\fR. This option is only available on systems
that support \s-1BSD\s0 authentication. that support \s-1BSD\s0 authentication.
.IP "\-b" 4 .IP "\-b" 12
.IX Item "-b" .IX Item "-b"
The \fB\-b\fR (\fIbackground\fR) option tells \fBsudo\fR to run the given The \fB\-b\fR (\fIbackground\fR) option tells \fBsudo\fR to run the given
command in the background. Note that if you use the \fB\-b\fR command in the background. Note that if you use the \fB\-b\fR
option you cannot use shell job control to manipulate the process. option you cannot use shell job control to manipulate the process.
.IP "\-C fd" 4 .IP "\-C \fIfd\fR" 12
.IX Item "-C fd" .IX Item "-C fd"
Normally, \fBsudo\fR will close all open file descriptors other than Normally, \fBsudo\fR will close all open file descriptors other than
standard input, standard output and standard error. The \fB\-C\fR standard input, standard output and standard error. The \fB\-C\fR
@@ -237,8 +239,8 @@ above the standard error (file descriptor three). Values less than
three are not permitted. This option is only available if the three are not permitted. This option is only available if the
administrator has enabled the \fIclosefrom_override\fR option in administrator has enabled the \fIclosefrom_override\fR option in
\&\fIsudoers\fR\|(@mansectform@). \&\fIsudoers\fR\|(@mansectform@).
.IP "\-c" 4 .IP "\-c \fIclass\fR" 12
.IX Item "-c" .IX Item "-c class"
The \fB\-c\fR (\fIclass\fR) option causes \fBsudo\fR to run the specified command The \fB\-c\fR (\fIclass\fR) option causes \fBsudo\fR to run the specified command
with resources limited by the specified login class. The \fIclass\fR with resources limited by the specified login class. The \fIclass\fR
argument can be either a class name as defined in \fI/etc/login.conf\fR, argument can be either a class name as defined in \fI/etc/login.conf\fR,
@@ -248,20 +250,20 @@ capabilities for the user the command is run as. If the \fIclass\fR
argument specifies an existing user class, the command must be run argument specifies an existing user class, the command must be run
as root, or the \fBsudo\fR command must be run from a shell that is already as root, or the \fBsudo\fR command must be run from a shell that is already
root. This option is only available on systems with \s-1BSD\s0 login classes. root. This option is only available on systems with \s-1BSD\s0 login classes.
.IP "\-E" 4 .IP "\-E" 12
.IX Item "-E" .IX Item "-E"
The \fB\-E\fR (\fIpreserve\fR \fIenvironment\fR) option will override the The \fB\-E\fR (\fIpreserve\fR \fIenvironment\fR) option will override the
\&\fIenv_reset\fR option in \fIsudoers\fR\|(@mansectform@)). It is only \&\fIenv_reset\fR option in \fIsudoers\fR\|(@mansectform@)). It is only
available when either the matching command has the \f(CW\*(C`SETENV\*(C'\fR tag available when either the matching command has the \f(CW\*(C`SETENV\*(C'\fR tag
or the \fIsetenv\fR option is set in \fIsudoers\fR\|(@mansectform@). or the \fIsetenv\fR option is set in \fIsudoers\fR\|(@mansectform@).
.IP "\-e" 4 .IP "\-e" 12
.IX Item "-e" .IX Item "-e"
The \fB\-e\fR (\fIedit\fR) option indicates that, instead of running The \fB\-e\fR (\fIedit\fR) option indicates that, instead of running
a command, the user wishes to edit one or more files. In lieu a command, the user wishes to edit one or more files. In lieu
of a command, the string \*(L"sudoedit\*(R" is used when consulting of a command, the string \*(L"sudoedit\*(R" is used when consulting
the \fIsudoers\fR file. If the user is authorized by \fIsudoers\fR the \fIsudoers\fR file. If the user is authorized by \fIsudoers\fR
the following steps are taken: the following steps are taken:
.RS 4 .RS 12
.IP "1." 4 .IP "1." 4
Temporary copies are made of the files to be edited with the owner Temporary copies are made of the files to be edited with the owner
set to the invoking user. set to the invoking user.
@@ -274,7 +276,7 @@ variable is used.
If they have been modified, the temporary files are copied back to If they have been modified, the temporary files are copied back to
their original location and the temporary versions are removed. their original location and the temporary versions are removed.
.RE .RE
.RS 4 .RS 12
.Sp .Sp
If the specified file does not exist, it will be created. Note If the specified file does not exist, it will be created. Note
that unlike most commands run by \fBsudo\fR, the editor is run with that unlike most commands run by \fBsudo\fR, the editor is run with
@@ -283,16 +285,27 @@ the invoking user's environment unmodified. If, for some reason,
user will receive a warning and the edited copy will remain in a user will receive a warning and the edited copy will remain in a
temporary file. temporary file.
.RE .RE
.IP "\-H" 4 .IP "\-g \fIgroup\fR" 12
.IX Item "-g group"
Normally, \fBsudo\fR sets the primary group to the one specified by
the passwd database for the user the command is being run as (by
default, root). The \fB\-g\fR (\fIgroup\fR) option causes \fBsudo\fR to run
the specified command with the primary group set to \fIgroup\fR. To
specify a \fIgid\fR instead of a \fIgroup name\fR, use \fI#gid\fR. When
running commands as a \fIgid\fR, many shells require that the '#' be
escaped with a backslash ('\e'). If no \fB\-u\fR option is specified,
the command will be run as the invoking user (not root). In either
case, the primary group will be set to \fIgroup\fR.
.IP "\-H" 12
.IX Item "-H" .IX Item "-H"
The \fB\-H\fR (\fI\s-1HOME\s0\fR) option sets the \f(CW\*(C`HOME\*(C'\fR environment variable The \fB\-H\fR (\fI\s-1HOME\s0\fR) option sets the \f(CW\*(C`HOME\*(C'\fR environment variable
to the homedir of the target user (root by default) as specified to the homedir of the target user (root by default) as specified
in \fIpasswd\fR\|(@mansectform@). By default, \fBsudo\fR does not modify \f(CW\*(C`HOME\*(C'\fR in \fIpasswd\fR\|(@mansectform@). By default, \fBsudo\fR does not modify \f(CW\*(C`HOME\*(C'\fR
(see \fIset_home\fR and \fIalways_set_home\fR in \fIsudoers\fR\|(@mansectform@)). (see \fIset_home\fR and \fIalways_set_home\fR in \fIsudoers\fR\|(@mansectform@)).
.IP "\-h" 4 .IP "\-h" 12
.IX Item "-h" .IX Item "-h"
The \fB\-h\fR (\fIhelp\fR) option causes \fBsudo\fR to print a usage message and exit. The \fB\-h\fR (\fIhelp\fR) option causes \fBsudo\fR to print a usage message and exit.
.IP "\-i" 4 .IP "\-i" 12
.IX Item "-i" .IX Item "-i"
The \fB\-i\fR (\fIsimulate initial login\fR) option runs the shell specified The \fB\-i\fR (\fIsimulate initial login\fR) option runs the shell specified
in the \fIpasswd\fR\|(@mansectform@) entry of the user that the command is in the \fIpasswd\fR\|(@mansectform@) entry of the user that the command is
@@ -302,24 +315,24 @@ attempts to change to that user's home directory before running the
shell. It also initializes the environment, leaving \fI\s-1DISPLAY\s0\fR shell. It also initializes the environment, leaving \fI\s-1DISPLAY\s0\fR
and \fI\s-1TERM\s0\fR unchanged, setting \fI\s-1HOME\s0\fR, \fI\s-1SHELL\s0\fR, \fI\s-1USER\s0\fR, \fI\s-1LOGNAME\s0\fR, and and \fI\s-1TERM\s0\fR unchanged, setting \fI\s-1HOME\s0\fR, \fI\s-1SHELL\s0\fR, \fI\s-1USER\s0\fR, \fI\s-1LOGNAME\s0\fR, and
\&\fI\s-1PATH\s0\fR, and unsetting all other environment variables. \&\fI\s-1PATH\s0\fR, and unsetting all other environment variables.
.IP "\-K" 4 .IP "\-K" 12
.IX Item "-K" .IX Item "-K"
The \fB\-K\fR (sure \fIkill\fR) option is like \fB\-k\fR except that it removes The \fB\-K\fR (sure \fIkill\fR) option is like \fB\-k\fR except that it removes
the user's timestamp entirely. Like \fB\-k\fR, this option does not the user's timestamp entirely. Like \fB\-k\fR, this option does not
require a password. require a password.
.IP "\-k" 4 .IP "\-k" 12
.IX Item "-k" .IX Item "-k"
The \fB\-k\fR (\fIkill\fR) option to \fBsudo\fR invalidates the user's timestamp The \fB\-k\fR (\fIkill\fR) option to \fBsudo\fR invalidates the user's timestamp
by setting the time on it to the Epoch. The next time \fBsudo\fR is by setting the time on it to the Epoch. The next time \fBsudo\fR is
run a password will be required. This option does not require a password run a password will be required. This option does not require a password
and was added to allow a user to revoke \fBsudo\fR permissions from a .logout and was added to allow a user to revoke \fBsudo\fR permissions from a .logout
file. file.
.IP "\-L" 4 .IP "\-L" 12
.IX Item "-L" .IX Item "-L"
The \fB\-L\fR (\fIlist\fR defaults) option will list out the parameters The \fB\-L\fR (\fIlist\fR defaults) option will list out the parameters
that may be set in a \fIDefaults\fR line along with a short description that may be set in a \fIDefaults\fR line along with a short description
for each. This option is useful in conjunction with \fIgrep\fR\|(1). for each. This option is useful in conjunction with \fIgrep\fR\|(1).
.IP "\-l [\fIcommand\fR]" 4 .IP "\-l [\fIcommand\fR]" 12
.IX Item "-l [command]" .IX Item "-l [command]"
If no \fIcommand\fR is specified, the \fB\-l\fR (\fIlist\fR) option will list If no \fIcommand\fR is specified, the \fB\-l\fR (\fIlist\fR) option will list
the allowed (and forbidden) commands for the invoking user (or the the allowed (and forbidden) commands for the invoking user (or the
@@ -328,19 +341,19 @@ user specified by the \fB\-U\fR option) on the current host. If a
fully-qualified path to the command is displayed along with any fully-qualified path to the command is displayed along with any
command line arguments. If \fIcommand\fR is not allowed, \fBsudo\fR will command line arguments. If \fIcommand\fR is not allowed, \fBsudo\fR will
exit with a return value of 1. exit with a return value of 1.
.IP "\-P" 4 .IP "\-P" 12
.IX Item "-P" .IX Item "-P"
The \fB\-P\fR (\fIpreserve\fR \fIgroup vector\fR) option causes \fBsudo\fR to The \fB\-P\fR (\fIpreserve\fR \fIgroup vector\fR) option causes \fBsudo\fR to
preserve the invoking user's group vector unaltered. By default, preserve the invoking user's group vector unaltered. By default,
\&\fBsudo\fR will initialize the group vector to the list of groups the \&\fBsudo\fR will initialize the group vector to the list of groups the
target user is in. The real and effective group IDs, however, are target user is in. The real and effective group IDs, however, are
still set to match the target user. still set to match the target user.
.IP "\-p" 4 .IP "\-p \fIprompt\fR" 12
.IX Item "-p" .IX Item "-p prompt"
The \fB\-p\fR (\fIprompt\fR) option allows you to override the default The \fB\-p\fR (\fIprompt\fR) option allows you to override the default
password prompt and use a custom one. The following percent (`\f(CW\*(C`%\*(C'\fR') password prompt and use a custom one. The following percent (`\f(CW\*(C`%\*(C'\fR')
escapes are supported: escapes are supported:
.RS 4 .RS 12
.ie n .IP "%H" 4 .ie n .IP "%H" 4
.el .IP "\f(CW%H\fR" 4 .el .IP "\f(CW%H\fR" 4
.IX Item "%H" .IX Item "%H"
@@ -365,46 +378,46 @@ expanded to the invoking user's login name
.IX Item "%%" .IX Item "%%"
two consecutive \f(CW\*(C`%\*(C'\fR characters are collapsed into a single \f(CW\*(C`%\*(C'\fR character two consecutive \f(CW\*(C`%\*(C'\fR characters are collapsed into a single \f(CW\*(C`%\*(C'\fR character
.RE .RE
.RS 4 .RS 12
.RE .RE
.IP "\-S" 4 .IP "\-S" 12
.IX Item "-S" .IX Item "-S"
The \fB\-S\fR (\fIstdin\fR) option causes \fBsudo\fR to read the password from The \fB\-S\fR (\fIstdin\fR) option causes \fBsudo\fR to read the password from
the standard input instead of the terminal device. the standard input instead of the terminal device.
.IP "\-s" 4 .IP "\-s" 12
.IX Item "-s" .IX Item "-s"
The \fB\-s\fR (\fIshell\fR) option runs the shell specified by the \fI\s-1SHELL\s0\fR The \fB\-s\fR (\fIshell\fR) option runs the shell specified by the \fI\s-1SHELL\s0\fR
environment variable if it is set or the shell as specified environment variable if it is set or the shell as specified
in \fIpasswd\fR\|(@mansectform@). in \fIpasswd\fR\|(@mansectform@).
.IP "\-U" 4 .IP "\-U \fIuser\fR" 12
.IX Item "-U" .IX Item "-U user"
The \fB\-U\fR (\fIother user\fR) option is used in conjunction with the \fB\-l\fR The \fB\-U\fR (\fIother user\fR) option is used in conjunction with the \fB\-l\fR
option to specify the user whose privileges should be listed. Only option to specify the user whose privileges should be listed. Only
root or a user with \fBsudo\fR \f(CW\*(C`ALL\*(C'\fR on the current host may use this root or a user with \fBsudo\fR \f(CW\*(C`ALL\*(C'\fR on the current host may use this
option. option.
.IP "\-u" 4 .IP "\-u \fIuser\fR" 12
.IX Item "-u" .IX Item "-u user"
The \fB\-u\fR (\fIuser\fR) option causes \fBsudo\fR to run the specified The \fB\-u\fR (\fIuser\fR) option causes \fBsudo\fR to run the specified
command as a user other than \fIroot\fR. To specify a \fIuid\fR instead command as a user other than \fIroot\fR. To specify a \fIuid\fR instead
of a \fIusername\fR, use \fI#uid\fR. When running commands as a \fIuid\fR, of a \fIuser name\fR, use \fI#uid\fR. When running commands as a \fIuid\fR,
many shells require that the '#' be escaped with a backslash ('\e'). many shells require that the '#' be escaped with a backslash ('\e').
Note that if the \fItargetpw\fR Defaults option is set (see \fIsudoers\fR\|(@mansectform@)) Note that if the \fItargetpw\fR Defaults option is set (see \fIsudoers\fR\|(@mansectform@))
it is not possible to run commands with a uid not listed in the it is not possible to run commands with a uid not listed in the
password database. password database.
.IP "\-V" 4 .IP "\-V" 12
.IX Item "-V" .IX Item "-V"
The \fB\-V\fR (\fIversion\fR) option causes \fBsudo\fR to print the version The \fB\-V\fR (\fIversion\fR) option causes \fBsudo\fR to print the version
number and exit. If the invoking user is already root the \fB\-V\fR number and exit. If the invoking user is already root the \fB\-V\fR
option will print out a list of the defaults \fBsudo\fR was compiled option will print out a list of the defaults \fBsudo\fR was compiled
with as well as the machine's local network addresses. with as well as the machine's local network addresses.
.IP "\-v" 4 .IP "\-v" 12
.IX Item "-v" .IX Item "-v"
If given the \fB\-v\fR (\fIvalidate\fR) option, \fBsudo\fR will update the If given the \fB\-v\fR (\fIvalidate\fR) option, \fBsudo\fR will update the
user's timestamp, prompting for the user's password if necessary. user's timestamp, prompting for the user's password if necessary.
This extends the \fBsudo\fR timeout for another \f(CW\*(C`@timeout@\*(C'\fR minutes This extends the \fBsudo\fR timeout for another \f(CW\*(C`@timeout@\*(C'\fR minutes
(or whatever the timeout is set to in \fIsudoers\fR) but does not run (or whatever the timeout is set to in \fIsudoers\fR) but does not run
a command. a command.
.IP "\-\-" 4 .IP "\-\-" 12
The \fB\-\-\fR flag indicates that \fBsudo\fR should stop processing command The \fB\-\-\fR flag indicates that \fBsudo\fR should stop processing command
line arguments. It is most useful in conjunction with the \fB\-s\fR flag. line arguments. It is most useful in conjunction with the \fB\-s\fR flag.
.PP .PP
@@ -413,9 +426,9 @@ on the command line in the form of \fB\s-1VAR\s0\fR=\fIvalue\fR, e.g.
\&\fB\s-1LD_LIBRARY_PATH\s0\fR=\fI/usr/local/pkg/lib\fR. Variables passed on the \&\fB\s-1LD_LIBRARY_PATH\s0\fR=\fI/usr/local/pkg/lib\fR. Variables passed on the
command line are subject to the same restrictions as normal environment command line are subject to the same restrictions as normal environment
variables with one important exception. If the \fIsetenv\fR option variables with one important exception. If the \fIsetenv\fR option
is set in \fIsudoers\fR or the command to be run has the \f(CW\*(C`SETENV\*(C'\fR tag is set in \fIsudoers\fR, the command to be run has the \f(CW\*(C`SETENV\*(C'\fR tag
set the user may set variables that would overwise be forbidden. set or the command matched is \f(CW\*(C`ALL\*(C'\fR, the user may set variables
See \fIsudoers\fR\|(@mansectform@) for more information. that would overwise be forbidden. See \fIsudoers\fR\|(@mansectform@) for more information.
.SH "RETURN VALUES" .SH "RETURN VALUES"
.IX Header "RETURN VALUES" .IX Header "RETURN VALUES"
Upon successful execution of a program, the return value from \fBsudo\fR Upon successful execution of a program, the return value from \fBsudo\fR

26
sudo.pod
View File

@@ -30,15 +30,17 @@ sudo, sudoedit - execute a command as another user
B<sudo> B<-h> | B<-K> | B<-k> | B<-L> | B<-V> | B<-v> B<sudo> B<-h> | B<-K> | B<-k> | B<-L> | B<-V> | B<-v>
B<sudo> B<-l> S<[B<-U> I<username>]> S<[B<-u> I<username>|I<#uid>]> [I<command>] B<sudo> B<-l> S<[B<-g> I<groupname>|I<#gid>]> S<[B<-U> I<username>]>
S<[B<-u> I<username>|I<#uid>]> [I<command>]
B<sudo> [B<-bEHPS>] S<[B<-a> I<auth_type>]> S<[B<-C> I<fd>]> B<sudo> [B<-bEHPS>] S<[B<-a> I<auth_type>]> S<[B<-C> I<fd>]>
S<[B<-c> I<class>|I<->]> S<[B<-p> I<prompt>]> S<[B<-u> I<username>|I<#uid>]> S<[B<-c> I<class>|I<->]> S<[B<-g> I<groupname>|I<#gid>]> S<[B<-p> I<prompt>]>
S<[B<VAR>=I<value>]> S<{B<-i> | B<-s> | I<command>}> S<[B<-u> I<username>|I<#uid>]> S<[B<VAR>=I<value>]>
S<{B<-i> | B<-s> | I<command>}>
B<sudoedit> [B<-S>] S<[B<-a> I<auth_type>]> S<[B<-C> I<fd>]> B<sudoedit> [B<-S>] S<[B<-a> I<auth_type>]> S<[B<-C> I<fd>]>
S<[B<-c> I<class>|I<->]> S<[B<-p> I<prompt>]> S<[B<-u> I<username>|I<#uid>]> S<[B<-c> I<class>|I<->]> S<[B<-g> I<groupname>|I<#gid>]> S<[B<-p> I<prompt>]>
file ... S<[B<-u> I<username>|I<#uid>]> file ...
=head1 DESCRIPTION =head1 DESCRIPTION
@@ -173,6 +175,18 @@ B<sudo> is unable to update a file with its edited version, the
user will receive a warning and the edited copy will remain in a user will receive a warning and the edited copy will remain in a
temporary file. temporary file.
=item -g I<group>
Normally, B<sudo> sets the primary group to the one specified by
the passwd database for the user the command is being run as (by
default, root). The B<-g> (I<group>) option causes B<sudo> to run
the specified command with the primary group set to I<group>. To
specify a I<gid> instead of a I<group name>, use I<#gid>. When
running commands as a I<gid>, many shells require that the '#' be
escaped with a backslash ('\'). If no B<-u> option is specified,
the command will be run as the invoking user (not root). In either
case, the primary group will be set to I<group>.
=item -H =item -H
The B<-H> (I<HOME>) option sets the C<HOME> environment variable The B<-H> (I<HOME>) option sets the C<HOME> environment variable
@@ -288,7 +302,7 @@ option.
The B<-u> (I<user>) option causes B<sudo> to run the specified The B<-u> (I<user>) option causes B<sudo> to run the specified
command as a user other than I<root>. To specify a I<uid> instead command as a user other than I<root>. To specify a I<uid> instead
of a I<username>, use I<#uid>. When running commands as a I<uid>, of a I<user name>, use I<#uid>. When running commands as a I<uid>,
many shells require that the '#' be escaped with a backslash ('\'). many shells require that the '#' be escaped with a backslash ('\').
Note that if the I<targetpw> Defaults option is set (see L<sudoers(5)>) Note that if the I<targetpw> Defaults option is set (see L<sudoers(5)>)
it is not possible to run commands with a uid not listed in the it is not possible to run commands with a uid not listed in the

6
sudo_usage.h.in
View File

@@ -6,8 +6,8 @@
* need to be able to substitute values from configure. * need to be able to substitute values from configure.
*/ */
#define SUDO_USAGE1 " -h | -K | -k | -L | -V | -v" #define SUDO_USAGE1 " -h | -K | -k | -L | -V | -v"
#define SUDO_USAGE2 " -l [-U username] [-u username|#uid] [command]" #define SUDO_USAGE2 " -l [-g groupname|#gid] [-U username] [-u username|#uid] [-g groupname|#gid] [command]"
#define SUDO_USAGE3 " [-bEHPS] @BSDAUTH_USAGE@[-C fd] @LOGINCAP_USAGE@[-p prompt] [-u username|#uid] [VAR=value] {-i | -s | <command>}" #define SUDO_USAGE3 " [-bEHPS] @BSDAUTH_USAGE@[-C fd] @LOGINCAP_USAGE@[-g groupname|#gid] [-p prompt] [-u username|#uid] [-g groupname|#gid] [VAR=value] {-i | -s | <command>}"
#define SUDO_USAGE4 " -e [-S] @BSDAUTH_USAGE@[-C fd] @LOGINCAP_USAGE@[-p prompt] [-u username|#uid] file ..." #define SUDO_USAGE4 " -e [-S] @BSDAUTH_USAGE@[-C fd] @LOGINCAP_USAGE@[-g groupname|#gid] [-p prompt] [-u username|#uid] file ..."
#endif /* _SUDO_USAGE_H */ #endif /* _SUDO_USAGE_H */

586
sudoers.cat
View File

@@ -61,7 +61,7 @@ DDEESSCCRRIIPPTTIIOONN
1.7 September 5, 2007 1 1.7 November 21, 2007 1
@@ -117,8 +117,8 @@ SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4)
odd number of '!' operators negate the value of the item; odd number of '!' operators negate the value of the item;
an even number just cancel each other out. an even number just cancel each other out.
Runas_List ::= Runas_User | Runas_List ::= Runas_Member |
Runas_User ',' Runas_List Runas_Member ',' Runas_List
@@ -127,7 +127,7 @@ SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4)
1.7 September 5, 2007 2 1.7 November 21, 2007 2
@@ -136,11 +136,11 @@ SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4)
SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4) SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4)
Runas_User ::= '!'* username | Runas_Member ::= '!'* username |
'!'* '#'uid | '!'* '#'uid |
'!'* '%'group | '!'* '%'group |
'!'* +netgroup | '!'* +netgroup |
'!'* Runas_Alias '!'* Runas_Alias
A Runas_List is similar to a User_List except that instead A Runas_List is similar to a User_List except that instead
of User_Aliases it can contain Runas_Aliases. Note that of User_Aliases it can contain Runas_Aliases. Note that
@@ -193,7 +193,7 @@ SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4)
1.7 September 5, 2007 3 1.7 November 21, 2007 3
@@ -259,7 +259,7 @@ SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4)
1.7 September 5, 2007 4 1.7 November 21, 2007 4
@@ -288,7 +288,7 @@ SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4)
Cmnd_Spec ::= Runas_Spec? Tag_Spec* Cmnd Cmnd_Spec ::= Runas_Spec? Tag_Spec* Cmnd
Runas_Spec ::= '(' Runas_List ')' Runas_Spec ::= '(' Runas_List? (: Runas_List)? ')'
Tag_Spec ::= ('NOPASSWD:' | 'PASSWD:' | 'NOEXEC:' | 'EXEC:' | Tag_Spec ::= ('NOPASSWD:' | 'PASSWD:' | 'NOEXEC:' | 'EXEC:' |
'SETENV:' | 'NOSETENV:' ) 'SETENV:' | 'NOSETENV:' )
@@ -302,12 +302,37 @@ SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4)
RRuunnaass__SSppeecc RRuunnaass__SSppeecc
A Runas_Spec is simply a Runas_List (as defined above) A Runas_Spec determines the user and/or the group that a
enclosed in a set of parentheses. If you do not specify a command may be run as. A fully-specified Runas_Spec con-
Runas_Spec in the user specification, a default Runas_Spec sists of two Runas_Lists (as defined above) separated by a
of rroooott will be used. A Runas_Spec sets the default for colon (':') and enclosed in a set of parentheses. The
commands that follow it. What this means is that for the first Runas_List indicates which users the command may be
entry: run as via ssuuddoo's --uu flag. The second defines a list of
groups that can be specified via ssuuddoo's --gg flag. If both
Runas_Lists are specified, the command may be run with any
combination of users and groups listed in their respective
Runas_Lists. If only the first is specified, the command
may be run as any user in the list but no --gg flag may be
specified. If the first Runas_List is empty but the sec-
ond is specified, the command may be run as the invoking
user with the group set to any listed in the Runas_List.
If no Runas_Spec is specified the command may be run as
rroooott and no group may be specified.
A Runas_Spec sets the default for the commands that follow
it. What this means is that for the entry:
1.7 November 21, 2007 5
SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4)
dgb boulder = (operator) /bin/ls, /bin/kill, /usr/bin/lprm dgb boulder = (operator) /bin/ls, /bin/kill, /usr/bin/lprm
@@ -322,20 +347,22 @@ SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4)
dgb boulder = (operator) /bin/ls, (root) /bin/kill, /usr/bin/lprm dgb boulder = (operator) /bin/ls, (root) /bin/kill, /usr/bin/lprm
Then user ddggbb is now allowed to run _/_b_i_n_/_l_s as ooppeerraattoorr, Then user ddggbb is now allowed to run _/_b_i_n_/_l_s as ooppeerraattoorr,
1.7 September 5, 2007 5
SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4)
but _/_b_i_n_/_k_i_l_l and _/_u_s_r_/_b_i_n_/_l_p_r_m as rroooott. but _/_b_i_n_/_k_i_l_l and _/_u_s_r_/_b_i_n_/_l_p_r_m as rroooott.
We can extend this to allow ddggbb to run /bin/ls with either
the user or group set to ooppeerraattoorr:
dgb boulder = (operator : operator) /bin/ls, (root) /bin/kill, \
/usr/bin/lprm
In the following example, user ttccmm may run commands that
access a modem device file with the dialer group. Note
that in this example only the group will be set, the com-
mand still runs as user ttccmm.
tcm boulder = (:dialer) /usr/bin/tip, /usr/bin/cu, \
/usr/local/bin/minicom
TTaagg__SSppeecc TTaagg__SSppeecc
A command may have zero or more tags associated with it. A command may have zero or more tags associated with it.
@@ -362,6 +389,17 @@ SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4)
able to run _/_b_i_n_/_k_i_l_l without a password the entry would able to run _/_b_i_n_/_k_i_l_l without a password the entry would
be: be:
1.7 November 21, 2007 6
SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4)
ray rushmore = NOPASSWD: /bin/kill, PASSWD: /bin/ls, /usr/bin/lprm ray rushmore = NOPASSWD: /bin/kill, PASSWD: /bin/ls, /usr/bin/lprm
Note, however, that the PASSWD tag has no effect on users Note, however, that the PASSWD tag has no effect on users
@@ -388,18 +426,6 @@ SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4)
aaron shanty = NOEXEC: /usr/bin/more, /usr/bin/vi aaron shanty = NOEXEC: /usr/bin/more, /usr/bin/vi
See the "PREVENTING SHELL ESCAPES" section below for more See the "PREVENTING SHELL ESCAPES" section below for more
1.7 September 5, 2007 6
SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4)
details on how NOEXEC works and whether or not it will details on how NOEXEC works and whether or not it will
work on your system. work on your system.
@@ -411,6 +437,9 @@ SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4)
way are not subject to the restrictions imposed by way are not subject to the restrictions imposed by
_e_n_v___c_h_e_c_k, _e_n_v___d_e_l_e_t_e, or _e_n_v___k_e_e_p. As such, only trusted _e_n_v___c_h_e_c_k, _e_n_v___d_e_l_e_t_e, or _e_n_v___k_e_e_p. As such, only trusted
users should be allowed to set variables in this manner. users should be allowed to set variables in this manner.
If the command matched is AALLLL, the SETENV tag is implied
for that command; this default may be overridden by use of
the UNSETENV tag.
WWiillddccaarrddss WWiillddccaarrddss
@@ -426,6 +455,17 @@ SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4)
[...] Matches any character in the specified range. [...] Matches any character in the specified range.
1.7 November 21, 2007 7
SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4)
[!...] Matches any character nnoott in the specified range. [!...] Matches any character nnoott in the specified range.
\x For any character "x", evaluates to "x". This is \x For any character "x", evaluates to "x". This is
@@ -454,18 +494,6 @@ SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4)
It is possible to include other _s_u_d_o_e_r_s files from within It is possible to include other _s_u_d_o_e_r_s files from within
the _s_u_d_o_e_r_s file currently being parsed using the #include the _s_u_d_o_e_r_s file currently being parsed using the #include
directive, similar to the one used by the C preprocessor. directive, similar to the one used by the C preprocessor.
1.7 September 5, 2007 7
SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4)
This is useful, for example, for keeping a site-wide _s_u_d_o_- This is useful, for example, for keeping a site-wide _s_u_d_o_-
_e_r_s file in addition to a per-machine local one. For the _e_r_s file in addition to a per-machine local one. For the
sake of this example the site-wide _s_u_d_o_e_r_s will be sake of this example the site-wide _s_u_d_o_e_r_s will be
@@ -492,6 +520,18 @@ SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4)
comment character and any text after it, up to the end of comment character and any text after it, up to the end of
the line, are ignored. the line, are ignored.
1.7 November 21, 2007 8
SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4)
The reserved word AALLLL is a built-in _a_l_i_a_s that always The reserved word AALLLL is a built-in _a_l_i_a_s that always
causes a match to succeed. It can be used wherever one causes a match to succeed. It can be used wherever one
might otherwise use a Cmnd_Alias, User_Alias, Runas_Alias, might otherwise use a Cmnd_Alias, User_Alias, Runas_Alias,
@@ -519,19 +559,6 @@ SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4)
('\') when used as part of a word (e.g. a username or ('\') when used as part of a word (e.g. a username or
hostname): '@', '!', '=', ':', ',', '(', ')', '\'. hostname): '@', '!', '=', ':', ',', '(', ')', '\'.
1.7 September 5, 2007 8
SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4)
SSUUDDOOEERRSS OOPPTTIIOONNSS SSUUDDOOEERRSS OOPPTTIIOONNSS
ssuuddoo's behavior can be modified by Default_Entry lines, as ssuuddoo's behavior can be modified by Default_Entry lines, as
explained earlier. A list of all supported Defaults explained earlier. A list of all supported Defaults
@@ -559,6 +586,18 @@ SSUUDDOOEERRSS OOPPTTIIOONNSS
at which ssuuddoo begins closing open file at which ssuuddoo begins closing open file
descriptors. This flag is _o_f_f by default. descriptors. This flag is _o_f_f by default.
1.7 November 21, 2007 9
SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4)
env_editor If set, vviissuuddoo will use the value of the env_editor If set, vviissuuddoo will use the value of the
EDITOR or VISUAL environment variables EDITOR or VISUAL environment variables
before falling back on the default editor before falling back on the default editor
@@ -586,18 +625,6 @@ SSUUDDOOEERRSS OOPPTTIIOONNSS
default. default.
fqdn Set this flag if you want to put fully fqdn Set this flag if you want to put fully
1.7 September 5, 2007 9
SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4)
qualified hostnames in the _s_u_d_o_e_r_s file. qualified hostnames in the _s_u_d_o_e_r_s file.
I.e., instead of myhost you would use I.e., instead of myhost you would use
myhost.mydomain.edu. You may still use myhost.mydomain.edu. You may still use
@@ -625,6 +652,18 @@ SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4)
ignore_local_sudoers ignore_local_sudoers
If set via LDAP, parsing of If set via LDAP, parsing of
@sysconfdir@/sudoers will be skipped. @sysconfdir@/sudoers will be skipped.
1.7 November 21, 2007 10
SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4)
This is intended for Enterprises that wish This is intended for Enterprises that wish
to prevent the usage of local sudoers to prevent the usage of local sudoers
files so that only LDAP is used. This files so that only LDAP is used. This
@@ -652,18 +691,6 @@ SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4)
flag is _o_f_f by default. flag is _o_f_f by default.
long_otp_prompt When validating with a One Time Password long_otp_prompt When validating with a One Time Password
1.7 September 5, 2007 10
SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4)
(OPT) scheme such as SS//KKeeyy or OOPPIIEE, a two- (OPT) scheme such as SS//KKeeyy or OOPPIIEE, a two-
line prompt is used to make it easier to line prompt is used to make it easier to
cut and paste the challenge to a local cut and paste the challenge to a local
@@ -692,6 +719,17 @@ SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4)
or is explicitly denied. This flag is _o_f_f or is explicitly denied. This flag is _o_f_f
by default. by default.
1.7 November 21, 2007 11
SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4)
mail_no_user If set, mail will be sent to the _m_a_i_l_t_o mail_no_user If set, mail will be sent to the _m_a_i_l_t_o
user if the invoking user is not in the user if the invoking user is not in the
_s_u_d_o_e_r_s file. This flag is _o_n by default. _s_u_d_o_e_r_s file. This flag is _o_n by default.
@@ -718,18 +756,6 @@ SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4)
preserve_groups By default ssuuddoo will initialize the group preserve_groups By default ssuuddoo will initialize the group
vector to the list of groups the target vector to the list of groups the target
1.7 September 5, 2007 11
SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4)
user is in. When _p_r_e_s_e_r_v_e___g_r_o_u_p_s is set, user is in. When _p_r_e_s_e_r_v_e___g_r_o_u_p_s is set,
the user's existing group vector is left the user's existing group vector is left
unaltered. The real and effective group unaltered. The real and effective group
@@ -758,6 +784,18 @@ SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4)
by default. by default.
rootpw If set, ssuuddoo will prompt for the root rootpw If set, ssuuddoo will prompt for the root
1.7 November 21, 2007 12
SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4)
password instead of the password of the password instead of the password of the
invoking user. This flag is _o_f_f by invoking user. This flag is _o_f_f by
default. default.
@@ -783,21 +821,9 @@ SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4)
since some programs (including the RCS since some programs (including the RCS
revision control system) use LOGNAME to revision control system) use LOGNAME to
determine the real identity of the user, determine the real identity of the user,
it may be desirable to change this it may be desirable to change this behav-
ior. This can be done by negating the
set_logname option. Note that if the
1.7 September 5, 2007 12
SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4)
behavior. This can be done by negating
the set_logname option. Note that if the
_e_n_v___r_e_s_e_t option has not been disabled, _e_n_v___r_e_s_e_t option has not been disabled,
entries in the _e_n_v___k_e_e_p list will override entries in the _e_n_v___k_e_e_p list will override
the value of _s_e_t___l_o_g_n_a_m_e. This flag is the value of _s_e_t___l_o_g_n_a_m_e. This flag is
@@ -824,6 +850,18 @@ SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4)
stay_setuid Normally, when ssuuddoo executes a command the stay_setuid Normally, when ssuuddoo executes a command the
real and effective UIDs are set to the real and effective UIDs are set to the
1.7 November 21, 2007 13
SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4)
target user (root by default). This target user (root by default). This
option changes that behavior such that the option changes that behavior such that the
real UID is left as the invoking user's real UID is left as the invoking user's
@@ -850,18 +888,6 @@ SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4)
as the user running it. With this flag as the user running it. With this flag
enabled, ssuuddoo will use a file named for enabled, ssuuddoo will use a file named for
the tty the user is logged in on in that the tty the user is logged in on in that
1.7 September 5, 2007 13
SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4)
directory. This flag is _o_f_f by default. directory. This flag is _o_f_f by default.
use_loginclass If set, ssuuddoo will apply the defaults spec- use_loginclass If set, ssuuddoo will apply the defaults spec-
@@ -890,6 +916,18 @@ SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4)
log. This value is used to decide when to log. This value is used to decide when to
wrap lines for nicer log files. This has wrap lines for nicer log files. This has
no effect on the syslog log file, only the no effect on the syslog log file, only the
1.7 November 21, 2007 14
SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4)
file log. The default is 80 (use 0 or file log. The default is 80 (use 0 or
negate the option to disable word wrap). negate the option to disable word wrap).
@@ -916,18 +954,6 @@ SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4)
SSttrriinnggss: SSttrriinnggss:
badpass_message Message that is displayed if a user enters badpass_message Message that is displayed if a user enters
1.7 September 5, 2007 14
SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4)
an incorrect password. The default is an incorrect password. The default is
Sorry, try again. unless insults are Sorry, try again. unless insults are
enabled. enabled.
@@ -952,10 +978,22 @@ SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4)
_n_o_e_x_e_c functionality on systems that sup- _n_o_e_x_e_c functionality on systems that sup-
port LD_PRELOAD or its equivalent. port LD_PRELOAD or its equivalent.
Defaults to Defaults to
_/_u_s_r_/_l_o_c_a_l_/_l_i_b_e_x_e_c_/_s_u_d_o___n_o_e_x_e_c. _/_u_s_r_/_l_o_c_a_l_/_l_i_b_e_x_e_c_/_s_u_d_o___n_o_e_x_e_c_._s_o.
passprompt The default prompt to use when asking for passprompt The default prompt to use when asking for
a password; can be overridden via the --pp a password; can be overridden via the --pp
1.7 November 21, 2007 15
SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4)
option or the SUDO_PROMPT environment option or the SUDO_PROMPT environment
variable. The following percent (`%') variable. The following percent (`%')
escapes are supported: escapes are supported:
@@ -982,18 +1020,6 @@ SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4)
runas_default The default user to run commands as if the runas_default The default user to run commands as if the
--uu flag is not specified on the command --uu flag is not specified on the command
1.7 September 5, 2007 15
SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4)
line. This defaults to root. Note that line. This defaults to root. Note that
if _r_u_n_a_s___d_e_f_a_u_l_t is set it mmuusstt occur if _r_u_n_a_s___d_e_f_a_u_l_t is set it mmuusstt occur
before any Runas_Alias specifications. before any Runas_Alias specifications.
@@ -1023,6 +1049,17 @@ SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4)
be printed along with the password prompt. It be printed along with the password prompt. It
has the following possible values: has the following possible values:
1.7 November 21, 2007 16
SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4)
always Always lecture the user. always Always lecture the user.
never Never lecture the user. never Never lecture the user.
@@ -1049,17 +1086,6 @@ SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4)
current host must have the NOPASSWD current host must have the NOPASSWD
flag set to avoid entering a password. flag set to avoid entering a password.
1.7 September 5, 2007 16
SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4)
always The user must always enter a password always The user must always enter a password
to use the --ll flag. to use the --ll flag.
@@ -1088,6 +1114,18 @@ SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4)
mail. Defaults to the path to sendmail found mail. Defaults to the path to sendmail found
at configure time. at configure time.
1.7 November 21, 2007 17
SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4)
mailto Address to send warning and error mail to. mailto Address to send warning and error mail to.
The address should be enclosed in double The address should be enclosed in double
quotes (") to protect against ssuuddoo interpret- quotes (") to protect against ssuuddoo interpret-
@@ -1114,18 +1152,6 @@ SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4)
current host must have the NOPASSWD current host must have the NOPASSWD
flag set to avoid entering a password. flag set to avoid entering a password.
1.7 September 5, 2007 17
SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4)
always The user must always enter a password always The user must always enter a password
to use the --vv flag. to use the --vv flag.
@@ -1154,6 +1180,18 @@ SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4)
gle value without double-quotes. The list gle value without double-quotes. The list
can be replaced, added to, deleted from, can be replaced, added to, deleted from,
or disabled by using the =, +=, -=, and ! or disabled by using the =, +=, -=, and !
1.7 November 21, 2007 18
SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4)
operators respectively. Regardless of operators respectively. Regardless of
whether the env_reset option is enabled or whether the env_reset option is enabled or
disabled, variables specified by env_check disabled, variables specified by env_check
@@ -1180,18 +1218,6 @@ SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4)
env_keep Environment variables to be preserved in env_keep Environment variables to be preserved in
the user's environment when the _e_n_v___r_e_s_e_t the user's environment when the _e_n_v___r_e_s_e_t
option is in effect. This allows fine- option is in effect. This allows fine-
1.7 September 5, 2007 18
SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4)
grained control over the environment grained control over the environment
ssuuddoo-spawned processes will receive. The ssuuddoo-spawned processes will receive. The
argument may be a double-quoted, space- argument may be a double-quoted, space-
@@ -1220,6 +1246,18 @@ EEXXAAMMPPLLEESS
Below are example _s_u_d_o_e_r_s entries. Admittedly, some of Below are example _s_u_d_o_e_r_s entries. Admittedly, some of
these are a bit contrived. First, we define our _a_l_i_a_s_e_s: these are a bit contrived. First, we define our _a_l_i_a_s_e_s:
1.7 November 21, 2007 19
SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4)
# User alias specification # User alias specification
User_Alias FULLTIMERS = millert, mikef, dowdy User_Alias FULLTIMERS = millert, mikef, dowdy
User_Alias PARTTIMERS = bostley, jwfox, crawl User_Alias PARTTIMERS = bostley, jwfox, crawl
@@ -1239,25 +1277,6 @@ EEXXAAMMPPLLEESS
Host_Alias SERVERS = master, mail, www, ns Host_Alias SERVERS = master, mail, www, ns
Host_Alias CDROM = orion, perseus, hercules Host_Alias CDROM = orion, perseus, hercules
1.7 September 5, 2007 19
SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4)
# Cmnd alias specification # Cmnd alias specification
Cmnd_Alias DUMPS = /usr/bin/mt, /usr/sbin/dump, /usr/sbin/rdump,\ Cmnd_Alias DUMPS = /usr/bin/mt, /usr/sbin/dump, /usr/sbin/rdump,\
/usr/sbin/restore, /usr/sbin/rrestore /usr/sbin/restore, /usr/sbin/rrestore
@@ -1293,6 +1312,18 @@ SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4)
Defaults@SERVERS log_year, logfile=/var/log/sudo.log Defaults@SERVERS log_year, logfile=/var/log/sudo.log
Defaults!PAGERS noexec Defaults!PAGERS noexec
1.7 November 21, 2007 20
SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4)
The _U_s_e_r _s_p_e_c_i_f_i_c_a_t_i_o_n is the part that actually deter- The _U_s_e_r _s_p_e_c_i_f_i_c_a_t_i_o_n is the part that actually deter-
mines who may run what. mines who may run what.
@@ -1313,17 +1344,6 @@ SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4)
any command on any host but they must authenticate them- any command on any host but they must authenticate them-
selves first (since the entry lacks the NOPASSWD tag). selves first (since the entry lacks the NOPASSWD tag).
1.7 September 5, 2007 20
SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4)
jack CSNETS = ALL jack CSNETS = ALL
The user jjaacckk may run any command on the machines in the The user jjaacckk may run any command on the machines in the
@@ -1359,6 +1379,17 @@ SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4)
bob SPARC = (OP) ALL : SGI = (OP) ALL bob SPARC = (OP) ALL : SGI = (OP) ALL
1.7 November 21, 2007 21
SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4)
The user bboobb may run anything on the _S_P_A_R_C and _S_G_I The user bboobb may run anything on the _S_P_A_R_C and _S_G_I
machines as any user listed in the _O_P Runas_Alias (rroooott machines as any user listed in the _O_P Runas_Alias (rroooott
and ooppeerraattoorr). and ooppeerraattoorr).
@@ -1378,18 +1409,6 @@ SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4)
fred ALL = (DB) NOPASSWD: ALL fred ALL = (DB) NOPASSWD: ALL
The user ffrreedd can run commands as any user in the _D_B The user ffrreedd can run commands as any user in the _D_B
1.7 September 5, 2007 21
SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4)
Runas_Alias (oorraaccllee or ssyybbaassee) without giving a password. Runas_Alias (oorraaccllee or ssyybbaassee) without giving a password.
john ALPHA = /usr/bin/su [!-]*, !/usr/bin/su *root* john ALPHA = /usr/bin/su [!-]*, !/usr/bin/su *root*
@@ -1425,6 +1444,18 @@ SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4)
(will, wendy, and wim), may run any command as user www (will, wendy, and wim), may run any command as user www
(which owns the web pages) or simply _s_u(1) to www. (which owns the web pages) or simply _s_u(1) to www.
1.7 November 21, 2007 22
SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4)
ALL CDROM = NOPASSWD: /sbin/umount /CDROM,\ ALL CDROM = NOPASSWD: /sbin/umount /CDROM,\
/sbin/mount -o nosuid\,nodev /dev/cd0a /CDROM /sbin/mount -o nosuid\,nodev /dev/cd0a /CDROM
@@ -1443,21 +1474,9 @@ SSEECCUURRIITTYY NNOOTTEESS
bill ALL = ALL, !SU, !SHELLS bill ALL = ALL, !SU, !SHELLS
Doesn't really prevent bbiillll from running the commands Doesn't really prevent bbiillll from running the commands
listed in _S_U or _S_H_E_L_L_S since he can simply copy those listed in _S_U or _S_H_E_L_L_S since he can simply copy those com-
mands to a different name, or use a shell escape from an
editor or other program. Therefore, these kind of
1.7 September 5, 2007 22
SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4)
commands to a different name, or use a shell escape from
an editor or other program. Therefore, these kind of
restrictions should be considered advisory at best (and restrictions should be considered advisory at best (and
reinforced by policy). reinforced by policy).
@@ -1491,6 +1510,18 @@ PPRREEVVEENNTTIINNGG SSHHEELLLL EESSCCAAPPEESS
that this applies only to native dynamically- that this applies only to native dynamically-
linked executables. Statically-linked executa- linked executables. Statically-linked executa-
bles and foreign executables running under bles and foreign executables running under
1.7 November 21, 2007 23
SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4)
binary emulation are not affected. binary emulation are not affected.
To tell whether or not ssuuddoo supports _n_o_e_x_e_c, you To tell whether or not ssuuddoo supports _n_o_e_x_e_c, you
@@ -1510,18 +1541,6 @@ PPRREEVVEENNTTIINNGG SSHHEELLLL EESSCCAAPPEESS
_n_o_e_x_e_c will work at compile-time. _n_o_e_x_e_c should _n_o_e_x_e_c will work at compile-time. _n_o_e_x_e_c should
work on SunOS, Solaris, *BSD, Linux, IRIX, Tru64 work on SunOS, Solaris, *BSD, Linux, IRIX, Tru64
UNIX, MacOS X, and HP-UX 11.x. It is known nnoott UNIX, MacOS X, and HP-UX 11.x. It is known nnoott
1.7 September 5, 2007 23
SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4)
to work on AIX and UnixWare. _n_o_e_x_e_c is expected to work on AIX and UnixWare. _n_o_e_x_e_c is expected
to work on most operating systems that support to work on most operating systems that support
the LD_PRELOAD environment variable. Check your the LD_PRELOAD environment variable. Check your
@@ -1556,8 +1575,20 @@ SSEEEE AALLSSOO
CCAAVVEEAATTSS CCAAVVEEAATTSS
The _s_u_d_o_e_r_s file should aallwwaayyss be edited by the vviissuuddoo The _s_u_d_o_e_r_s file should aallwwaayyss be edited by the vviissuuddoo
command which locks the file and does grammatical check- command which locks the file and does grammatical
ing. It is imperative that _s_u_d_o_e_r_s be free of syntax
1.7 November 21, 2007 24
SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4)
checking. It is imperative that _s_u_d_o_e_r_s be free of syntax
errors since ssuuddoo will not run with a syntactically incor- errors since ssuuddoo will not run with a syntactically incor-
rect _s_u_d_o_e_r_s file. rect _s_u_d_o_e_r_s file.
@@ -1577,17 +1608,6 @@ SSUUPPPPOORRTT
man/listinfo/sudo-users to subscribe or search the man/listinfo/sudo-users to subscribe or search the
archives. archives.
1.7 September 5, 2007 24
SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4)
DDIISSCCLLAAIIMMEERR DDIISSCCLLAAIIMMEERR
ssuuddoo is provided ``AS IS'' and any express or implied war- ssuuddoo is provided ``AS IS'' and any express or implied war-
ranties, including, but not limited to, the implied war- ranties, including, but not limited to, the implied war-
@@ -1625,26 +1645,6 @@ DDIISSCCLLAAIIMMEERR
1.7 November 21, 2007 25
1.7 September 5, 2007 25

62
sudoers.man.in
View File

@@ -150,7 +150,7 @@
.\" ======================================================================== .\" ========================================================================
.\" .\"
.IX Title "SUDOERS @mansectform@" .IX Title "SUDOERS @mansectform@"
.TH SUDOERS @mansectform@ "September 5, 2007" "1.7" "MAINTENANCE COMMANDS" .TH SUDOERS @mansectform@ "November 21, 2007" "1.7" "MAINTENANCE COMMANDS"
.SH "NAME" .SH "NAME"
sudoers \- list of which users may execute what sudoers \- list of which users may execute what
.SH "DESCRIPTION" .SH "DESCRIPTION"
@@ -269,16 +269,16 @@ zero or more '!' operators. An odd number of '!' operators negate
the value of the item; an even number just cancel each other out. the value of the item; an even number just cancel each other out.
.PP .PP
.Vb 2 .Vb 2
\& Runas_List ::= Runas_User | \& Runas_List ::= Runas_Member |
\& Runas_User ',' Runas_List \& Runas_Member ',' Runas_List
.Ve .Ve
.PP .PP
.Vb 5 .Vb 5
\& Runas_User ::= '!'* username | \& Runas_Member ::= '!'* username |
\& '!'* '#'uid | \& '!'* '#'uid |
\& '!'* '%'group | \& '!'* '%'group |
\& '!'* +netgroup | \& '!'* +netgroup |
\& '!'* Runas_Alias \& '!'* Runas_Alias
.Ve .Ve
.PP .PP
A \f(CW\*(C`Runas_List\*(C'\fR is similar to a \f(CW\*(C`User_List\*(C'\fR except that instead A \f(CW\*(C`Runas_List\*(C'\fR is similar to a \f(CW\*(C`User_List\*(C'\fR except that instead
@@ -417,7 +417,7 @@ See \*(L"\s-1SUDOERS\s0 \s-1OPTIONS\s0\*(R" for a list of supported Defaults par
.Ve .Ve
.PP .PP
.Vb 1 .Vb 1
\& Runas_Spec ::= '(' Runas_List ')' \& Runas_Spec ::= '(' Runas_List? (: Runas_List)? ')'
.Ve .Ve
.PP .PP
.Vb 2 .Vb 2
@@ -432,11 +432,24 @@ run as \fBroot\fR, but this can be changed on a per-command basis.
Let's break that down into its constituent parts: Let's break that down into its constituent parts:
.Sh "Runas_Spec" .Sh "Runas_Spec"
.IX Subsection "Runas_Spec" .IX Subsection "Runas_Spec"
A \f(CW\*(C`Runas_Spec\*(C'\fR is simply a \f(CW\*(C`Runas_List\*(C'\fR (as defined above) A \f(CW\*(C`Runas_Spec\*(C'\fR determines the user and/or the group that a command
enclosed in a set of parentheses. If you do not specify a may be run as. A fully-specified \f(CW\*(C`Runas_Spec\*(C'\fR consists of two
\&\f(CW\*(C`Runas_Spec\*(C'\fR in the user specification, a default \f(CW\*(C`Runas_Spec\*(C'\fR \&\f(CW\*(C`Runas_List\*(C'\fRs (as defined above) separated by a colon (':') and
of \fBroot\fR will be used. A \f(CW\*(C`Runas_Spec\*(C'\fR sets the default for enclosed in a set of parentheses. The first \f(CW\*(C`Runas_List\*(C'\fR indicates
commands that follow it. What this means is that for the entry: which users the command may be run as via \fBsudo\fR's \fB\-u\fR flag.
The second defines a list of groups that can be specified via
\&\fBsudo\fR's \fB\-g\fR flag. If both \f(CW\*(C`Runas_List\*(C'\fRs are specified, the
command may be run with any combination of users and groups listed
in their respective \f(CW\*(C`Runas_List\*(C'\fRs. If only the first is specified,
the command may be run as any user in the list but no \fB\-g\fR flag
may be specified. If the first \f(CW\*(C`Runas_List\*(C'\fR is empty but the
second is specified, the command may be run as the invoking user
with the group set to any listed in the \f(CW\*(C`Runas_List\*(C'\fR. If no
\&\f(CW\*(C`Runas_Spec\*(C'\fR is specified the command may be run as \fBroot\fR and
no group may be specified.
.PP
A \f(CW\*(C`Runas_Spec\*(C'\fR sets the default for the commands that follow it.
What this means is that for the entry:
.PP .PP
.Vb 1 .Vb 1
\& dgb boulder = (operator) /bin/ls, /bin/kill, /usr/bin/lprm \& dgb boulder = (operator) /bin/ls, /bin/kill, /usr/bin/lprm
@@ -458,6 +471,23 @@ entry. If we modify the entry like so:
.PP .PP
Then user \fBdgb\fR is now allowed to run \fI/bin/ls\fR as \fBoperator\fR, Then user \fBdgb\fR is now allowed to run \fI/bin/ls\fR as \fBoperator\fR,
but \fI/bin/kill\fR and \fI/usr/bin/lprm\fR as \fBroot\fR. but \fI/bin/kill\fR and \fI/usr/bin/lprm\fR as \fBroot\fR.
.PP
We can extend this to allow \fBdgb\fR to run \f(CW\*(C`/bin/ls\*(C'\fR with either
the user or group set to \fBoperator\fR:
.PP
.Vb 2
\& dgb boulder = (operator : operator) /bin/ls, (root) /bin/kill, \e
\& /usr/bin/lprm
.Ve
.PP
In the following example, user \fBtcm\fR may run commands that access
a modem device file with the dialer group. Note that in this example
only the group will be set, the command still runs as user \fBtcm\fR.
.PP
.Vb 2
\& tcm boulder = (:dialer) /usr/bin/tip, /usr/bin/cu, \e
\& /usr/local/bin/minicom
.Ve
.Sh "Tag_Spec" .Sh "Tag_Spec"
.IX Subsection "Tag_Spec" .IX Subsection "Tag_Spec"
A command may have zero or more tags associated with it. There are A command may have zero or more tags associated with it. There are
@@ -526,7 +556,9 @@ basis. Note that if \f(CW\*(C`SETENV\*(C'\fR has been set for a command, any
environment variables set on the command line way are not subject environment variables set on the command line way are not subject
to the restrictions imposed by \fIenv_check\fR, \fIenv_delete\fR, or to the restrictions imposed by \fIenv_check\fR, \fIenv_delete\fR, or
\&\fIenv_keep\fR. As such, only trusted users should be allowed to set \&\fIenv_keep\fR. As such, only trusted users should be allowed to set
variables in this manner. variables in this manner. If the command matched is \fB\s-1ALL\s0\fR, the
\&\f(CW\*(C`SETENV\*(C'\fR tag is implied for that command; this default may
be overridden by use of the \f(CW\*(C`UNSETENV\*(C'\fR tag.
.Sh "Wildcards" .Sh "Wildcards"
.IX Subsection "Wildcards" .IX Subsection "Wildcards"
\&\fBsudo\fR allows shell-style \fIwildcards\fR (aka meta or glob characters) \&\fBsudo\fR allows shell-style \fIwildcards\fR (aka meta or glob characters)

52
sudoers.pod
View File

@@ -125,14 +125,14 @@ with '+') and C<User_Alias>es. Each list item may be prefixed with
zero or more '!' operators. An odd number of '!' operators negate zero or more '!' operators. An odd number of '!' operators negate
the value of the item; an even number just cancel each other out. the value of the item; an even number just cancel each other out.
Runas_List ::= Runas_User | Runas_List ::= Runas_Member |
Runas_User ',' Runas_List Runas_Member ',' Runas_List
Runas_User ::= '!'* username | Runas_Member ::= '!'* username |
'!'* '#'uid | '!'* '#'uid |
'!'* '%'group | '!'* '%'group |
'!'* +netgroup | '!'* +netgroup |
'!'* Runas_Alias '!'* Runas_Alias
A C<Runas_List> is similar to a C<User_List> except that instead A C<Runas_List> is similar to a C<User_List> except that instead
of C<User_Alias>es it can contain C<Runas_Alias>es. Note that of C<User_Alias>es it can contain C<Runas_Alias>es. Note that
@@ -247,7 +247,7 @@ See L</"SUDOERS OPTIONS"> for a list of supported Defaults parameters.
Cmnd_Spec ::= Runas_Spec? Tag_Spec* Cmnd Cmnd_Spec ::= Runas_Spec? Tag_Spec* Cmnd
Runas_Spec ::= '(' Runas_List ')' Runas_Spec ::= '(' Runas_List? (: Runas_List)? ')'
Tag_Spec ::= ('NOPASSWD:' | 'PASSWD:' | 'NOEXEC:' | 'EXEC:' | Tag_Spec ::= ('NOPASSWD:' | 'PASSWD:' | 'NOEXEC:' | 'EXEC:' |
'SETENV:' | 'NOSETENV:' ) 'SETENV:' | 'NOSETENV:' )
@@ -260,11 +260,24 @@ Let's break that down into its constituent parts:
=head2 Runas_Spec =head2 Runas_Spec
A C<Runas_Spec> is simply a C<Runas_List> (as defined above) A C<Runas_Spec> determines the user and/or the group that a command
enclosed in a set of parentheses. If you do not specify a may be run as. A fully-specified C<Runas_Spec> consists of two
C<Runas_Spec> in the user specification, a default C<Runas_Spec> C<Runas_List>s (as defined above) separated by a colon (':') and
of B<root> will be used. A C<Runas_Spec> sets the default for enclosed in a set of parentheses. The first C<Runas_List> indicates
commands that follow it. What this means is that for the entry: which users the command may be run as via B<sudo>'s B<-u> flag.
The second defines a list of groups that can be specified via
B<sudo>'s B<-g> flag. If both C<Runas_List>s are specified, the
command may be run with any combination of users and groups listed
in their respective C<Runas_List>s. If only the first is specified,
the command may be run as any user in the list but no B<-g> flag
may be specified. If the first C<Runas_List> is empty but the
second is specified, the command may be run as the invoking user
with the group set to any listed in the C<Runas_List>. If no
C<Runas_Spec> is specified the command may be run as B<root> and
no group may be specified.
A C<Runas_Spec> sets the default for the commands that follow it.
What this means is that for the entry:
dgb boulder = (operator) /bin/ls, /bin/kill, /usr/bin/lprm dgb boulder = (operator) /bin/ls, /bin/kill, /usr/bin/lprm
@@ -281,6 +294,19 @@ entry. If we modify the entry like so:
Then user B<dgb> is now allowed to run F</bin/ls> as B<operator>, Then user B<dgb> is now allowed to run F</bin/ls> as B<operator>,
but F</bin/kill> and F</usr/bin/lprm> as B<root>. but F</bin/kill> and F</usr/bin/lprm> as B<root>.
We can extend this to allow B<dgb> to run C</bin/ls> with either
the user or group set to B<operator>:
dgb boulder = (operator : operator) /bin/ls, (root) /bin/kill, \
/usr/bin/lprm
In the following example, user B<tcm> may run commands that access
a modem device file with the dialer group. Note that in this example
only the group will be set, the command still runs as user B<tcm>.
tcm boulder = (:dialer) /usr/bin/tip, /usr/bin/cu, \
/usr/local/bin/minicom
=head2 Tag_Spec =head2 Tag_Spec
A command may have zero or more tags associated with it. There are A command may have zero or more tags associated with it. There are

27
testsudoers.c
View File

@@ -127,7 +127,7 @@ main(argc, argv)
struct cmndspec *cs; struct cmndspec *cs;
struct privilege *priv; struct privilege *priv;
struct userspec *us; struct userspec *us;
char *p, *grfile, *pwfile, *uflag, hbuf[MAXHOSTNAMELEN]; char *p, *grfile, *pwfile, *runas_user, hbuf[MAXHOSTNAMELEN];
int ch, dflag, rval, matched; int ch, dflag, rval, matched;
#ifdef YYDEBUG #ifdef YYDEBUG
extern int yydebug; extern int yydebug;
@@ -138,7 +138,7 @@ main(argc, argv)
Argc = argc; Argc = argc;
dflag = 0; dflag = 0;
grfile = pwfile = uflag = NULL; grfile = pwfile = runas_user = NULL;
while ((ch = getopt(argc, argv, "dg:h:p:u:")) != -1) { while ((ch = getopt(argc, argv, "dg:h:p:u:")) != -1) {
switch (ch) { switch (ch) {
case 'd': case 'd':
@@ -154,8 +154,7 @@ main(argc, argv)
pwfile = optarg; pwfile = optarg;
break; break;
case 'u': case 'u':
uflag = optarg; runas_user = optarg;
user_runas = &uflag;
break; break;
default: default:
usage(); usage();
@@ -235,12 +234,12 @@ main(argc, argv)
/* Initialize default values. */ /* Initialize default values. */
init_defaults(); init_defaults();
if (**user_runas == '#') { if (*runas_user == '#') {
if ((runas_pw = sudo_getpwuid(atoi(*user_runas + 1))) == NULL) if ((runas_pw = sudo_getpwuid(atoi(runas_user + 1))) == NULL)
runas_pw = sudo_fakepwnam(*user_runas); runas_pw = sudo_fakepwnam(runas_user);
} else { } else {
if ((runas_pw = sudo_getpwnam(*user_runas)) == NULL) if ((runas_pw = sudo_getpwnam(runas_user)) == NULL)
errorx(1, "no passwd entry for %s!", *user_runas); errorx(1, "no passwd entry for %s!", runas_user);
} }
/* Load ip addr/mask for each interface. */ /* Load ip addr/mask for each interface. */
@@ -278,7 +277,8 @@ main(argc, argv)
if (hostlist_matches(&priv->hostlist) == ALLOW) { if (hostlist_matches(&priv->hostlist) == ALLOW) {
puts("\thost matched"); puts("\thost matched");
tq_foreach_rev(&priv->cmndlist, cs) { tq_foreach_rev(&priv->cmndlist, cs) {
if (runaslist_matches(&cs->runaslist) == ALLOW) { if (runaslist_matches(&cs->runasuserlist,
&cs->runasgrouplist) == ALLOW) {
puts("\trunas matched"); puts("\trunas matched");
rval = cmnd_matches(cs->cmnd); rval = cmnd_matches(cs->cmnd);
if (rval != UNSPEC) if (rval != UNSPEC)
@@ -472,10 +472,11 @@ print_privilege(priv)
tq_foreach_fwd(&p->cmndlist, cs) { tq_foreach_fwd(&p->cmndlist, cs) {
if (cs != tq_first(&p->cmndlist)) if (cs != tq_first(&p->cmndlist))
fputs(", ", stdout); fputs(", ", stdout);
if (!tq_empty(&cs->runaslist)) { /* XXX - runasgrouplist too */
if (!tq_empty(&cs->runasuserlist)) {
fputs("(", stdout); fputs("(", stdout);
tq_foreach_fwd(&cs->runaslist, m) { tq_foreach_fwd(&cs->runasuserlist, m) {
if (m != tq_first(&cs->runaslist)) if (m != tq_first(&cs->runasuserlist))
fputs(", ", stdout); fputs(", ", stdout);
print_member(m); print_member(m);
} }

5
visudo.c
View File

@@ -412,7 +412,6 @@ reparse_sudoers(editor, args, strict, quiet)
sp->tpath, sp->path); sp->tpath, sp->path);
/* Clean slate for each parse */ /* Clean slate for each parse */
user_runas = NULL;
init_defaults(); init_defaults();
init_parser(sp->path, quiet); init_parser(sp->path, quiet);
@@ -929,7 +928,7 @@ check_aliases(strict)
} }
} }
tq_foreach_fwd(&priv->cmndlist, cs) { tq_foreach_fwd(&priv->cmndlist, cs) {
tq_foreach_fwd(&cs->runaslist, m) { tq_foreach_fwd(&cs->runasuserlist, m) {
if (m->type == RUNASALIAS) { if (m->type == RUNASALIAS) {
if (find_alias(m->name, m->type) == NULL) { if (find_alias(m->name, m->type) == NULL) {
fprintf(stderr, fprintf(stderr,
@@ -963,7 +962,7 @@ check_aliases(strict)
(void) alias_remove(m->name, m->type); (void) alias_remove(m->name, m->type);
} }
tq_foreach_fwd(&priv->cmndlist, cs) { tq_foreach_fwd(&priv->cmndlist, cs) {
tq_foreach_fwd(&cs->runaslist, m) { tq_foreach_fwd(&cs->runasuserlist, m) {
if (m->type == RUNASALIAS) if (m->type == RUNASALIAS)
(void) alias_remove(m->name, m->type); (void) alias_remove(m->name, m->type);
} }

70
visudo.cat
View File

@@ -50,18 +50,18 @@ DDEESSCCRRIIPPTTIIOONN
OOPPTTIIOONNSS OOPPTTIIOONNSS
vviissuuddoo accepts the following command line options: vviissuuddoo accepts the following command line options:
-c Enable cchheecckk--oonnllyy mode. The existing _s_u_d_o_e_r_s file -c Enable cchheecckk--oonnllyy mode. The existing _s_u_d_o_e_r_s
will be checked for syntax and a message will be file will be checked for syntax and a message
printed to the standard output detailing the status of will be printed to the standard output detail-
_s_u_d_o_e_r_s. If the syntax check completes successfully, ing the status of _s_u_d_o_e_r_s. If the syntax
vviissuuddoo will exit with a value of 0. If a syntax error check completes successfully, vviissuuddoo will exit
is encountered, vviissuuddoo will exit with a value of 1. with a value of 0. If a syntax error is
encountered, vviissuuddoo will exit with a value of
-f Specify and alternate _s_u_d_o_e_r_s file location. With 1.
1.7 August 15, 2007 1 1.7 October 20, 2007 1
@@ -70,28 +70,32 @@ OOPPTTIIOONNSS
VISUDO(1m) MAINTENANCE COMMANDS VISUDO(1m) VISUDO(1m) MAINTENANCE COMMANDS VISUDO(1m)
this option vviissuuddoo will edit (or check) the _s_u_d_o_e_r_s -f _s_u_d_o_e_r_s Specify and alternate _s_u_d_o_e_r_s file location.
file of your choice, instead of the default, With this option vviissuuddoo will edit (or check)
_/_e_t_c_/_s_u_d_o_e_r_s. The lock file used is the specified the _s_u_d_o_e_r_s file of your choice, instead of
_s_u_d_o_e_r_s file with ".tmp" appended to it. the default, _/_e_t_c_/_s_u_d_o_e_r_s. The lock file used
is the specified _s_u_d_o_e_r_s file with ".tmp"
appended to it.
-q Enable qquuiieett mode. In this mode details about syntax -q Enable qquuiieett mode. In this mode details about
errors are not printed. This option is only useful syntax errors are not printed. This option is
when combined with the --cc flag. only useful when combined with the --cc flag.
-s Enable ssttrriicctt checking of the _s_u_d_o_e_r_s file. If an -s Enable ssttrriicctt checking of the _s_u_d_o_e_r_s file.
alias is used before it is defined, vviissuuddoo will con- If an alias is used before it is defined,
sider this a parse error. Note that it is not possi- vviissuuddoo will consider this a parse error. Note
ble to differentiate between an alias and a hostname that it is not possible to differentiate
or username that consists solely of uppercase letters, between an alias and a hostname or username
digits, and the underscore ('_') character. that consists solely of uppercase letters,
digits, and the underscore ('_') character.
-V The --VV (version) option causes vviissuuddoo to print its -V The --VV (version) option causes vviissuuddoo to print
version number and exit. its version number and exit.
EENNVVIIRROONNMMEENNTT EENNVVIIRROONNMMEENNTT
The following environment variables are used only if The following environment variables may be consulted
vviissuuddoo was configured with the _-_-_w_i_t_h_-_e_n_v_-_e_d_i_t_o_r option: depending on the value of the _e_d_i_t_o_r and _e_n_v___e_d_i_t_o_r _s_u_d_o_-
_e_r_s variables:
VISUAL Invoked by visudo as the editor to use VISUAL Invoked by visudo as the editor to use
@@ -121,13 +125,9 @@ DDIIAAGGNNOOSSTTIICCSS
will not complain). In --ss (strict) mode these are will not complain). In --ss (strict) mode these are
errors, not warnings. errors, not warnings.
Warning: unused {User,Runas,Host,Cmnd}_Alias
The specified {User,Runas,Host,Cmnd}_Alias was defined
but never used. You may wish to comment out or remove
1.7 October 20, 2007 2
1.7 August 15, 2007 2
@@ -136,6 +136,9 @@ DDIIAAGGNNOOSSTTIICCSS
VISUDO(1m) MAINTENANCE COMMANDS VISUDO(1m) VISUDO(1m) MAINTENANCE COMMANDS VISUDO(1m)
Warning: unused {User,Runas,Host,Cmnd}_Alias
The specified {User,Runas,Host,Cmnd}_Alias was defined
but never used. You may wish to comment out or remove
the unused alias. In --ss (strict) mode this is an the unused alias. In --ss (strict) mode this is an
error, not a warning. error, not a warning.
@@ -190,9 +193,6 @@ DDIISSCCLLAAIIMMEERR
1.7 October 20, 2007 3
1.7 August 15, 2007 3

18
visudo.man.in
View File

@@ -149,7 +149,7 @@
.\" ======================================================================== .\" ========================================================================
.\" .\"
.IX Title "VISUDO @mansectsu@" .IX Title "VISUDO @mansectsu@"
.TH VISUDO @mansectsu@ "August 15, 2007" "1.7" "MAINTENANCE COMMANDS" .TH VISUDO @mansectsu@ "October 20, 2007" "1.7" "MAINTENANCE COMMANDS"
.SH "NAME" .SH "NAME"
visudo \- edit the sudoers file visudo \- edit the sudoers file
.SH "SYNOPSIS" .SH "SYNOPSIS"
@@ -191,7 +191,7 @@ error occurred (if the editor supports this feature).
.SH "OPTIONS" .SH "OPTIONS"
.IX Header "OPTIONS" .IX Header "OPTIONS"
\&\fBvisudo\fR accepts the following command line options: \&\fBvisudo\fR accepts the following command line options:
.IP "\-c" 4 .IP "\-c" 12
.IX Item "-c" .IX Item "-c"
Enable \fBcheck-only\fR mode. The existing \fIsudoers\fR file will be Enable \fBcheck-only\fR mode. The existing \fIsudoers\fR file will be
checked for syntax and a message will be printed to the checked for syntax and a message will be printed to the
@@ -199,32 +199,32 @@ standard output detailing the status of \fIsudoers\fR.
If the syntax check completes successfully, \fBvisudo\fR will If the syntax check completes successfully, \fBvisudo\fR will
exit with a value of 0. If a syntax error is encountered, exit with a value of 0. If a syntax error is encountered,
\&\fBvisudo\fR will exit with a value of 1. \&\fBvisudo\fR will exit with a value of 1.
.IP "\-f" 4 .IP "\-f \fIsudoers\fR" 12
.IX Item "-f" .IX Item "-f sudoers"
Specify and alternate \fIsudoers\fR file location. With this option Specify and alternate \fIsudoers\fR file location. With this option
\&\fBvisudo\fR will edit (or check) the \fIsudoers\fR file of your choice, \&\fBvisudo\fR will edit (or check) the \fIsudoers\fR file of your choice,
instead of the default, \fI@sysconfdir@/sudoers\fR. The lock file used instead of the default, \fI@sysconfdir@/sudoers\fR. The lock file used
is the specified \fIsudoers\fR file with \*(L".tmp\*(R" appended to it. is the specified \fIsudoers\fR file with \*(L".tmp\*(R" appended to it.
.IP "\-q" 4 .IP "\-q" 12
.IX Item "-q" .IX Item "-q"
Enable \fBquiet\fR mode. In this mode details about syntax errors Enable \fBquiet\fR mode. In this mode details about syntax errors
are not printed. This option is only useful when combined with are not printed. This option is only useful when combined with
the \fB\-c\fR flag. the \fB\-c\fR flag.
.IP "\-s" 4 .IP "\-s" 12
.IX Item "-s" .IX Item "-s"
Enable \fBstrict\fR checking of the \fIsudoers\fR file. If an alias is Enable \fBstrict\fR checking of the \fIsudoers\fR file. If an alias is
used before it is defined, \fBvisudo\fR will consider this a parse used before it is defined, \fBvisudo\fR will consider this a parse
error. Note that it is not possible to differentiate between an error. Note that it is not possible to differentiate between an
alias and a hostname or username that consists solely of uppercase alias and a hostname or username that consists solely of uppercase
letters, digits, and the underscore ('_') character. letters, digits, and the underscore ('_') character.
.IP "\-V" 4 .IP "\-V" 12
.IX Item "-V" .IX Item "-V"
The \fB\-V\fR (version) option causes \fBvisudo\fR to print its version number The \fB\-V\fR (version) option causes \fBvisudo\fR to print its version number
and exit. and exit.
.SH "ENVIRONMENT" .SH "ENVIRONMENT"
.IX Header "ENVIRONMENT" .IX Header "ENVIRONMENT"
The following environment variables are used only if \fBvisudo\fR The following environment variables may be consulted depending on
was configured with the \fI\-\-with\-env\-editor\fR option: the value of the \fIeditor\fR and \fIenv_editor\fR \fIsudoers\fR variables:
.ie n .IP "\*(C`VISUAL\*(C'" 16 .ie n .IP "\*(C`VISUAL\*(C'" 16
.el .IP "\f(CW\*(C`VISUAL\*(C'\fR" 16 .el .IP "\f(CW\*(C`VISUAL\*(C'\fR" 16
.IX Item "VISUAL" .IX Item "VISUAL"