version 1.1, 2012/02/21 16:23:02 | version 1.1.1.2, 2012/05/29 12:26:49
Line 65 DESCRIPTION | Line 65 DESCRIPTION

       distinct ways sudoers can deal with environment variables.

1.8.3:
       By default, the env_reset option is enabled.  This causes commands to
       be executed with a minimal environment containing TERM, PATH, HOME,
       MAIL, SHELL, LOGNAME, USER and USERNAME in addition to variables from
       the invoking process permitted by the env_check and env_keep options.
       This is effectively a whitelist for environment variables.

1.8.5:
       By default, the env_reset option is enabled.  This causes commands to
       be executed with a new, minimal environment.  On AIX (and Linux systems
       without PAM), the environment is initialized with the contents of the
       /etc/environment file.  On BSD systems, if the use_loginclass option is
       enabled, the environment is initialized based on the path and setenv
       settings in /etc/login.conf.  The new environment contains the TERM,
       PATH, HOME, MAIL, SHELL, LOGNAME, USER, USERNAME and SUDO_* variables
       in addition to variables from the invoking process permitted by the
       env_check and env_keep options.  This is effectively a whitelist for
       environment variables.

both:
       If, however, the env_reset option is disabled, any variables not
       explicitly denied by the env_check and env_delete options are inherited
Line 94 DESCRIPTION | Line 99 DESCRIPTION

       sudoers will initialize the environment regardless of the value of
       env_reset.  The DISPLAY, PATH and TERM variables remain unchanged;
       HOME, MAIL, SHELL, USER, and LOGNAME are set based on the target user.

1.8.3:
       On Linux and AIX systems the contents of /etc/environment are also
       included.  All other environment variables are removed.

1.8.5:
       On AIX (and Linux systems without PAM), the contents of
       /etc/environment are also included.  On BSD systems, if the
       use_loginclass option is enabled, the path and setenv variables in
       /etc/login.conf are also applied.  All other environment variables are
       removed.

1.8.5 only:
       Finally, if the env_file option is defined, any variables present in
       that file will be set to their specified values as long as they would
       not conflict with an existing environment variable.

SUDOERS FILE FORMAT
       The sudoers file is composed of two types of entries: aliases
       (basically variables) and user specifications (which specify who may
Line 198 SUDOERS FILE FORMAT | Line 210 SUDOERS FILE FORMAT

       below).  For instance, the QAS AD plugin supports the following
       formats:

       o   Group in the same domain: "Group Name"

       o   Group in any domain: "Group Name@FULLY.QUALIFIED.DOMAIN"

       o   Group SID: "S-1-2-34-5678901234-5678901234-5678901234-567"

       Note that quotes around group names are optional.  Unquoted strings
       must use a backslash (\) to escape spaces and special characters.  See
Line 473 SUDOERS FILE FORMAT | Line 485 SUDOERS FILE FORMAT

           aaron shanty = NOEXEC: /usr/bin/more, /usr/bin/vi

       See the "PREVENTING SHELL ESCAPES" section (1.8.5: "Preventing Shell
       Escapes") below for more details on how NOEXEC works and whether or
       not it will work on your system.

   SETENV and NOSETENV
Line 560 SUDOERS FILE FORMAT | Line 572 SUDOERS FILE FORMAT

       A hard limit of 128 nested include files is enforced to prevent include
       file loops.

1.8.3:
       The file name may include the %h escape, signifying the short form of
       the host name.  I.e., if the machine's host name is "xerxes", then

1.8.5:
       If the path to the include file is not fully-qualified (does not begin
       with a /), it must be located in the same directory as the sudoers file
       it was included from.  For example, if /etc/sudoers contains the line:

           #include sudoers.local

       the file that will be included is /etc/sudoers.local.

       The file name may also include the %h escape, signifying the short form
       of the host name.  I.e., if the machine's host name is "xerxes", then

both:
           #include /etc/sudoers.%h

       will cause sudo to include the file /etc/sudoers.xerxes.
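An added example, not sudo's own code, that implements the include rules stated above: %h expands to the short host name, a name that does not start with / is resolved against the directory of the file that contained the #include, and nesting is capped at 128 levels so an include loop terminates. The file contents are constructed and held in a dict rather than read from disk.

```python
import os

MAX_INCLUDE_DEPTH = 128  # hard limit stated by the manual

def short_hostname(fqdn):
    """Short form of the host name: the part before the first dot."""
    return fqdn.split(".", 1)[0]

def resolve_include(including_file, include_arg, hostname):
    """Return the path an '#include' directive in including_file refers to."""
    # %h expands to the short host name (the manual's "xerxes" example).
    expanded = include_arg.replace("%h", short_hostname(hostname))
    if expanded.startswith("/"):
        return expanded                      # fully-qualified: used as-is
    # A relative name is looked up in the directory of the file that
    # contained the #include, not in the current working directory.
    return os.path.join(os.path.dirname(including_file), expanded)

def expand_includes(path, files, hostname, depth=0):
    """Return the lines of `path` with #include directives expanded.
    `files` maps paths to contents (constructed here; a real tool would
    read the files).  Nesting deeper than MAX_INCLUDE_DEPTH raises, which
    is what stops an include loop from recursing forever."""
    if depth > MAX_INCLUDE_DEPTH:
        raise RuntimeError("include nesting exceeds %d at %s" % (MAX_INCLUDE_DEPTH, path))
    out = []
    for line in files.get(path, "").splitlines():
        stripped = line.strip()
        if stripped.startswith("#include "):
            target = resolve_include(path, stripped.split(None, 1)[1], hostname)
            out.extend(expand_includes(target, files, hostname, depth + 1))
        else:
            out.append(line)
    return out

def include_loop_detected(start, files, hostname):
    """True if expanding includes from `start` hits the nesting limit."""
    try:
        expand_includes(start, files, hostname)
        return False
    except RuntimeError:
        return True

# Constructed sample files: a main sudoers with a relative and a %h include.
SAMPLE_FILES = {
    "/etc/sudoers": "Defaults env_reset\n#include sudoers.local\n#include /etc/sudoers.%h\n",
    "/etc/sudoers.local": "alice ALL = /usr/bin/systemctl status *\n",
    "/etc/sudoers.xerxes": "aaron xerxes = NOEXEC: /usr/bin/more\n",
}
# Constructed include loop: /etc/sudoers includes itself by relative name.
LOOP_FILES = {"/etc/sudoers": "#include sudoers\n"}
```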
Line 662 SUDOERS OPTIONS | Line 682 SUDOERS OPTIONS

                   use the EDITOR or VISUAL if they match a value
                   specified in editor.  This flag is off by default.

       env_reset   1.8.3:
                   If set, sudo will reset the environment to only contain
                   the LOGNAME, MAIL, SHELL, USER, USERNAME and the SUDO_*
                   variables.  Any variables in the caller's environment
                   that match the env_keep and env_check lists are then
                   added.  The default contents of the env_keep and
                   env_check lists are displayed when sudo is run by root
                   with the -V option.  If the secure_path option is set,
                   its value will be used for the PATH environment
                   variable.  This flag is on by default.

                   1.8.5:
                   If set, sudo will run the command in a minimal
                   environment containing the TERM, PATH, HOME, MAIL,
                   SHELL, LOGNAME, USER, USERNAME and SUDO_* variables.
                   Any variables in the caller's environment that match
                   the env_keep and env_check lists are then added,
                   followed by any variables present in the file specified
                   by the env_file option (if any).  The default contents
                   of the env_keep and env_check lists are displayed when
                   sudo is run by root with the -V option.  If the
                   secure_path option is set, its value will be used for
                   the PATH environment variable.  This flag is on by
                   default.

       fast_glob   Normally, sudo uses the glob(3) function to do shell-
                   style globbing when matching path names.  However,
Line 800 SUDOERS OPTIONS | Line 823 SUDOERS OPTIONS

       noexec      If set, all commands run via sudo will behave as if the
                   NOEXEC tag has been set, unless overridden by an EXEC
                   tag.  See the description of NOEXEC and EXEC below as
                   well as the "PREVENTING SHELL ESCAPES" section (1.8.5:
                   "Preventing Shell Escapes") at the end of this manual.
                   This flag is off by default.

       path_info   Normally, sudo will tell the user when a command could
Line 1087 SUDOERS OPTIONS | Line 1110 SUDOERS OPTIONS

                   %h will expand to the host name of the machine.
                   Default is *** SECURITY information for %h ***.

       noexec_file 1.8.3:
                   This option is deprecated and will be removed in a
                   future release of sudo.  The path to the noexec file
                   should now be set in the /etc/sudo.conf file.

                   1.8.5:
                   This option is no longer supported.  The path to the
                   noexec file should now be set in the /etc/sudo.conf
                   file.

       passprompt  The default prompt to use when asking for a password;
                   can be overridden via the -p option or the SUDO_PROMPT
Line 1158 SUDOERS OPTIONS | Line 1181 SUDOERS OPTIONS

   Strings that can be used in a boolean context:

       env_file    The env_file option specifies (1.8.3: "options specifies")
                   the fully qualified path to a file containing variables to
                   be set in the environment of the program being run.
                   Entries in this file should either be of the form
                   VARIABLE=value or export VARIABLE=value.  The value may
                   optionally be surrounded by single or double
Line 1325 SUDOERS OPTIONS | Line 1348 SUDOERS OPTIONS

                   variables to keep is displayed when sudo is run by root
                   with the -V option.

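As an added example (not code from sudo), the following models the environment construction described under env_reset, env_keep, env_delete, env_file and secure_path in the DESCRIPTION and SUDOERS OPTIONS sections, parsing env_file in the VARIABLE=value / export VARIABLE=value form with optional single or double quotes. The env_check filtering and the target-user values for HOME, MAIL, SHELL, USER and LOGNAME are left out; the caller environment and env_file contents are constructed.

```python
# Variables the manual lists as always present when env_reset is on.
BASE_VARS = {"TERM", "PATH", "HOME", "MAIL", "SHELL", "LOGNAME", "USER", "USERNAME"}

def parse_env_file(text):
    """Parse env_file contents: lines of VARIABLE=value or
    export VARIABLE=value, value optionally in single or double quotes.
    Blank lines are skipped (an assumption; the excerpt does not say)."""
    result = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("export "):
            line = line[len("export "):].lstrip()
        name, sep, value = line.partition("=")
        if not sep or not name or any(c.isspace() for c in name):
            raise ValueError("malformed env_file line: %r" % raw)
        if len(value) >= 2 and value[0] == value[-1] and value[0] in "'\"":
            value = value[1:-1]
        result[name] = value
    return result

def build_env(caller_env, env_reset=True, env_keep=(), env_delete=(),
              env_file_vars=None, secure_path=None):
    """Build the command's environment from the caller's environment."""
    if env_reset:
        # Whitelist mode: the base set, SUDO_*, and anything in env_keep.
        new_env = {k: v for k, v in caller_env.items()
                   if k in BASE_VARS or k.startswith("SUDO_") or k in env_keep}
    else:
        # Blacklist mode: everything is inherited except env_delete entries.
        new_env = {k: v for k, v in caller_env.items() if k not in env_delete}
    # env_file entries are added only where no variable of that name exists.
    for k, v in (env_file_vars or {}).items():
        new_env.setdefault(k, v)
    # secure_path, when set, replaces PATH outright.
    if secure_path is not None:
        new_env["PATH"] = secure_path
    return new_env

# Constructed sample of an invoking user's environment.
CALLER_ENV = {
    "TERM": "xterm", "PATH": "/home/alice/bin:/usr/bin", "HOME": "/home/alice",
    "USER": "alice", "SUDO_PROMPT": "password: ", "EDITOR": "vim",
    "LANG": "en_US.UTF-8", "CUSTOM_VAR": "from-caller",
}
# Constructed env_file contents exercising both line forms and both quote styles.
ENV_FILE_TEXT = 'export LANG="C"\nTZ=\'UTC\'\n\nEDITOR=nano\n'
```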
1.8.5 only:

SUDO.CONF
       The /etc/sudo.conf file determines which plugins the sudo front end
       will load.  If no /etc/sudo.conf file is present, or it contains no
       Plugin lines, sudo will use the sudoers security policy and I/O
       logging, which corresponds to the following /etc/sudo.conf file.

           #
           # Default /etc/sudo.conf file
           #
           # Format:
           # Plugin plugin_name plugin_path plugin_options ...
           # Path askpass /path/to/askpass
           # Path noexec /path/to/sudo_noexec.so
           # Debug sudo /var/log/sudo_debug all@warn
           # Set disable_coredump true
           #
           # The plugin_path is relative to /usr/local/libexec unless
           # fully qualified.
           # The plugin_name corresponds to a global symbol in the plugin
           # that contains the plugin interface structure.
           # The plugin_options are optional.
           #
           Plugin policy_plugin sudoers.so
           Plugin io_plugin sudoers.so

PLUGIN OPTIONS
       Starting with sudo 1.8.5 it is possible to pass options to the sudoers
       plugin.  Options may be listed after the path to the plugin (i.e. after
       sudoers.so); multiple options should be space-separated.  For example:

           Plugin sudoers_policy sudoers.so sudoers_file=/etc/sudoers sudoers_uid=0 sudoers_gid=0 sudoers_mode=0440

       The following plugin options are supported:

       sudoers_file=pathname
           The sudoers_file option can be used to override the default
           path to the sudoers file.

       sudoers_uid=uid
           The sudoers_uid option can be used to override the default
           owner of the sudoers file.  It should be specified as a
           numeric user ID.

       sudoers_gid=gid
           The sudoers_gid option can be used to override the default
           group of the sudoers file.  It should be specified as a
           numeric group ID.

       sudoers_mode=mode
           The sudoers_mode option can be used to override the default
           file mode for the sudoers file.  It should be specified as an
           octal value.

DEBUG FLAGS
       Versions 1.8.4 and higher of the sudoers plugin support a debugging
       framework that can help track down what the plugin is doing internally
       if there is a problem.  This can be configured in the /etc/sudo.conf
       file as described in sudo(1m).

       The sudoers plugin uses the same debug flag format as sudo itself:
       subsystem@priority.

       The priorities used by sudoers, in order of decreasing severity, are:
       crit, err, warn, notice, diag, info, trace and debug.  Each priority,
       when specified, also includes all priorities higher than it.  For
       example, a priority of notice would include debug messages logged at
       notice and higher.

       The following subsystems are used by sudoers:

       alias       User_Alias, Runas_Alias, Host_Alias and Cmnd_Alias processing

       all         matches every subsystem

       audit       BSM and Linux audit code

       auth        user authentication

       defaults    sudoers Defaults settings

       env         environment handling

       ldap        LDAP-based sudoers

       logging     logging support

       match       matching of users, groups, hosts and netgroups in sudoers

       netif       network interface handling

       nss         network service switch handling in sudoers

       parser      sudoers file parsing

       perms       permission setting

       plugin      The equivalent of main for the plugin.

       pty         pseudo-tty related code

       rbtree      redblack tree internals

       util        utility functions

FILES
       /etc/sudo.conf            Sudo front end configuration (1.8.5 only)

       /etc/sudoers              List of who can run what

       /etc/group                Local groups file

Line 1337 FILES | Line 1466 FILES

       /var/adm/sudo             Directory containing time stamps for the
                                 sudoers security policy

       /etc/environment          Initial environment for -i mode on Linux and
                                 AIX (1.8.5: "on AIX and Linux systems")

EXAMPLES
       Below are example sudoers entries.  Admittedly, some of these are a bit

Line 1521 EXAMPLES | Line 1650 EXAMPLES

       encapsulating in a shell script.

SECURITY NOTES
   Limitations of the '!' operator (subsection heading: 1.8.5 only)
       It is generally not effective to "subtract" commands from ALL using the
       '!' operator.  A user can trivially circumvent this by copying the
       desired command to a different name and then executing that.  For

Line 1534 SECURITY NOTES | Line 1664 SECURITY NOTES

       kind of restrictions should be considered advisory at best (and
       reinforced by policy).

1.8.3:
       Furthermore, if the fast_glob option is in use, it is not possible to
       reliably negate commands where the path name includes globbing (aka
       wildcard) characters.  This is because the C library's fnmatch(3)
       function cannot resolve relative paths.  While this is typically only
       an inconvenience for rules that grant privileges, it can result in a
       security issue for rules that subtract or revoke privileges.

1.8.5:
       In general, if a user has sudo ALL there is nothing to prevent them
       from creating their own program that gives them a root shell (or making
       their own copy of a shell) regardless of any '!' elements in the user
       specification.

1.8.5 only:
   Security implications of fast_glob
       If the fast_glob option is in use, it is not possible to reliably
       negate commands where the path name includes globbing (aka wildcard)
       characters.  This is because the C library's fnmatch(3) function cannot
       resolve relative paths.  While this is typically only an inconvenience
       for rules that grant privileges, it can result in a security issue for
       rules that subtract or revoke privileges.

both:
       For example, given the following sudoers entry:

           john ALL = /usr/bin/passwd [a-zA-Z0-9]*, /usr/bin/chsh [a-zA-Z0-9]*,

Line 1549 SECURITY NOTES | Line 1685 SECURITY NOTES

       User john can still run /usr/bin/passwd root if fast_glob is enabled by
       changing to /usr/bin and running ./passwd root instead.

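An added example, not from the manual, that turns the two Security Notes above into an audit over sudoers text: it flags '!' entries that subtract from ALL (advisory at best, as the text says) and, when a Defaults line enables fast_glob, '!' entries on rules that also use glob patterns, the combination the john example shows to be unreliable. The rule parser is deliberately simplified (one rule per line, no aliases, no line continuations) and the sample sudoers text is constructed.

```python
import re

GLOB_RE = re.compile(r"[*?\[]")
MSG_NEGATE_ALL = "'!' subtraction from ALL is advisory only"
MSG_FAST_GLOB = "negation beside glob patterns is unreliable with fast_glob"

def strip_tags(item):
    """Remove leading tags such as NOEXEC: or SETENV: from a command entry."""
    return re.sub(r"^(?:[A-Z]+:\s*)+", "", item.strip())

def parse_rule(line):
    """Split 'user host = (runas) cmd1, cmd2' into its command entries.
    Simplified on purpose: one rule per line, no aliases, no continuations."""
    _, _, spec = line.partition("=")
    spec = re.sub(r"\([^)]*\)", "", spec)          # drop a (runas) clause
    return [strip_tags(c) for c in spec.split(",") if c.strip()]

def audit_sudoers(text):
    """Return a list of (line number, message) findings for the text."""
    lines = [raw.split("#", 1)[0].strip() for raw in text.splitlines()]
    # fast_glob may be enabled by any Defaults line, before or after a rule.
    fast_glob = any(l.startswith("Defaults") and re.search(r"(?<!!)\bfast_glob\b", l)
                    for l in lines)
    findings = []
    for lineno, line in enumerate(lines, 1):
        if not line or line.startswith("Defaults") or "=" not in line:
            continue
        cmds = parse_rule(line)
        negated = [c for c in cmds if c.startswith("!")]
        if "ALL" in cmds and negated:
            findings.append((lineno, MSG_NEGATE_ALL))
        if fast_glob and negated and any(GLOB_RE.search(c) for c in cmds):
            findings.append((lineno, MSG_FAST_GLOB))
    return findings

# Constructed sudoers text: the manual's john rule (with the '!' entry its
# explanation implies), the aaron NOEXEC rule, and an ALL-minus-one rule.
SAMPLE_SUDOERS = """\
Defaults env_reset
Defaults fast_glob
john ALL = /usr/bin/passwd [a-zA-Z0-9]*, /usr/bin/chsh [a-zA-Z0-9]*, !/usr/bin/passwd root
aaron shanty = NOEXEC: /usr/bin/more, /usr/bin/vi
bill ALL = ALL, !/usr/bin/passwd
"""
```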
PREVENTING SHELL ESCAPES (1.8.5: subsection "Preventing Shell Escapes")
       Once sudo executes a program, that program is free to do whatever it
       pleases, including run other programs.  This can be a security issue
       since it is not uncommon for a program to allow shell escapes, which

Line 1606 PREVENTING SHELL ESCAPES | Line 1742 PREVENTING SHELL ESCAPES

       privilege escalation.  In the specific case of an editor, a safer
       approach is to give the user permission to run sudoedit.

SECURITY NOTES (1.8.5: subsection "Time stamp file checks")
       sudoers will check the ownership of its time stamp directory
       (/var/adm/sudo by default) and ignore the directory's contents if it is
       not owned by root or if it is writable by a user other than root.  On

Line 1645 SECURITY NOTES | Line 1781 SECURITY NOTES

       Administrators should not rely on this feature as it is not universally
       available.

1.8.3 only:
       If users have sudo ALL there is nothing to prevent them from creating
       their own program that gives them a root shell (or making their own
       copy of a shell) regardless of any '!' elements in the user
       specification.

SEE ALSO
       rsh(1), su(1), fnmatch(3), glob(3), mktemp(3), strftime(3),
       sudoers.ldap(4), sudo_plugin(1m), sudo(1m), visudo(1m)

Line 1683 DISCLAIMER | Line 1814 DISCLAIMER

1.8.3    September 16, 2011    SUDOERS(4) | 1.8.5    March 28, 2012    SUDOERS(4)