sudo/TODO
Todd C. Miller e05905dd16 checkpoint
2004-12-17 18:12:20 +00:00

TODO list (most will be addressed in sudo 2.0)
01) Redo parsing to be more like op(8) with true command aliases where
one can specify uid, gid(s) and part/all of the environment.
02) Add a SHELLS reserved word that checks against /etc/shells.
03) Make the sudoers file accessible via NIS, Hesiod, and maybe NetInfo.
04) Add a -h (?) flag to sudo for a history mechanism.
05) Add an option to set LD_LIBRARY_PATH?
06) Add Prog_Alias facility (Prog_Alias VI = /usr/secure/bin/vi +args).
07) Add generic STREAMS support for getting interfaces and netmasks.
08) Add support for "safe scripts" by checking for shell script
cookie (first two bytes are "#!") and execing the shell ourselves
after doing the stat to guard against spoofing. This should avoid
the race condition caused by going through namei() twice...
09) Make runas_user a struct "runas" with user and group components.
(maybe uid and gid too???)
10) Add -g group/gid option.
11) Should be able to mix Cmnd_Alias's and command args. Ie:
pete ALL=PASSWD [A-z]*,!PASSWD root
where PASSWD was defined to be /usr/bin/passwd.
This requires the arg parsing to happen in the yacc grammar.
At the very least, commands and args have to become separate
tokens in the lexer.
12) Add a per-tty restriction? Ie: only can run foo from /dev/console.
13) Add test for how to read ether interfaces in configure script
14) Use strtol() and strtoul(), not atoi()
15) Make syslog stuff work on vanilla ultrix
16) Implement date_format and log_format options.
17) Add support for: Default:user@host
18) Make visudo rcs-aware
19) Some people want to be able to specify a special password in sudoers
in addition to or instead of the normal one. The best argument for
this so far is to be able to use separate passwords for the
target users that are not the passwd file ones.
20) Add support for trusted users. E.g. allow user to run a certain
command regardless of what dir it is in if it is owned by the
trusted user.
21) Add a flag similar to '-l' but that spits out sudo commands in
a format suitable for cut & paste into sudoers.
22) Someone wants a recursive version of the dir specifier. Ie:
SOME_MODIFIER:/usr/local/ to allow anything under /usr/local to be run.
23) An option to set the shell to the target user would make sense.
See other target user-related issues above.
24) Add an option (-D) to dump the defaults after the sudoers file
has been parsed. Should only be available to root and should
allow a -u user modifier. Maybe dump all of sudoers?
25) For sudo 1.7 wipe out the environment by default.
26) Allow /etc/sudoers to be a symlink but require the parent dir to
be root-owned and not writable by anything else. Should really
traverse the tree to the root doing this.
27) Improve interfaces.c STREAMS code (see ntpd's ntp_io.c for hints)
28) Wildcard support for user and group names? (netgroup too?)
29) If root_sudo is off, still allow sudo -u to non-root users?
30) Use proper links in .pod files
31) Parse gids like %#0
32) For AIX, call getuserattr() to get resource limits and set them
as appropriate, see:
http://nscp.upenn.edu/aix4.3html/libs/basetrf1/getuserattr.htm#A16691a89
33) Add an insult_path variable that is initialized to "builtin" but that
can point to other files containing an insult count as the first
line and that have a constant record length (sparse files) for
easy seeking.
34) Some way of using a new pty for the program run via sudo would prevent
access to the caller's /dev/tty (but probably makes job control tricky).
35) Maybe have a database of checksums that commands are verified against.
Basically replace the st_ino/st_dev check with a checksum lookup.
36) Look into testing writability of a file via sudoedit *before* doing
the edit; e.g., try opening with O_APPEND.
37) Add Makefile.in bits to autogenerate Solaris and Irix packages
38) Add monitor support for Solaris using /proc/$$/ctl w/ PCSENTRY
(use PRSABORT flag to indicate failure).
39) Add a session mode where sudo allocates a pty and logs everything
that occurs ala script(1).
40) Use pam_open_session() and pam_close_session() (requires a persistent
sudo process to call pam_close_session()). Maybe add xauth support for
the non-pam case?
41) Should "monitor" and MONITOR/NOMONITOR be disabled for non-systrace?
42) Add substitution mechanism in sudoers to subst, e.g. editors for sudoedit
43) Move prototypes to extern.h
44) Get rid of VALIDATE_NOT_OK and just set/clear VALIDATE_OK
45) visudo -c should also sanity check aliases
46) Use AC_CHECK_DECLS for systems w/o proper prototypes? Maybe errno too?
47) nicer defaults output for "sudo -l" and implement for LDAP too
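
Item 26 asks that every directory above sudoers, up to the root, be root-owned and not writable by anyone else. The sketch below is an added example, not code from sudo; the function names dir_is_trusted() and parents_are_trusted() are hypothetical, and it assumes an absolute path.

```c
#define _XOPEN_SOURCE 700
#include <limits.h>
#include <stdio.h>
#include <string.h>
#include <sys/stat.h>
#include <sys/types.h>

/* Trusted means: a real directory, owned by `owner`, with no group or
 * other write bit. lstat() data is expected, so a symlinked directory
 * component is rejected rather than followed. */
int dir_is_trusted(const struct stat *sb, uid_t owner)
{
    return S_ISDIR(sb->st_mode) && sb->st_uid == owner &&
        (sb->st_mode & (S_IWGRP | S_IWOTH)) == 0;
}

/* Check every directory from the one holding `path` up to "/".
 * Returns 1 if all are trusted, 0 if one is not, -1 on error.
 * If `path` is a symlink, run this on its resolved target as well. */
int parents_are_trusted(const char *path, uid_t owner)
{
    char buf[PATH_MAX];
    struct stat sb;
    char *slash;

    if (path[0] != '/' || strlen(path) >= sizeof(buf))
        return -1;
    strcpy(buf, path);
    while ((slash = strrchr(buf, '/')) != NULL) {
        /* Drop the last component; keep "/" itself for the final check. */
        if (slash == buf)
            slash[1] = '\0';
        else
            *slash = '\0';
        if (lstat(buf, &sb) != 0)
            return -1;
        if (!dir_is_trusted(&sb, owner))
            return 0;
        if (slash == buf)
            break;
    }
    return 1;
}

int main(void)
{
    /* /etc/sudoers is the path named in item 26; uid 0 is root. */
    printf("%d\n", parents_are_trusted("/etc/sudoers", 0));
    return 0;
}
```

Once every parent passes, only the trusted owner can rename or replace a component, so the result stays valid after the check returns.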