version 1.1.1.5, 2013/10/14 07:56:34
|
version 1.1.1.6, 2014/06/15 16:12:54
|
Line 87 DDEESSCCRRIIPPTTIIOONN
|
Line 87 DDEESSCCRRIIPPTTIIOONN
|
the _s_u_d_o_e_r_s lookup is still done for root, not the user specified by |
the _s_u_d_o_e_r_s lookup is still done for root, not the user specified by |
SUDO_USER. |
SUDO_USER. |
|
|
_s_u_d_o_e_r_s uses time stamp files for credential caching. Once a user has | _s_u_d_o_e_r_s uses per-user time stamp files for credential caching. Once a |
been authenticated, the time stamp is updated and the user may then use | user has been authenticated, a record is written containing the uid that |
sudo without a password for a short period of time (5 minutes unless | was used to authenticate, the terminal session ID, and a time stamp |
overridden by the _t_i_m_e_o_u_t option). By default, _s_u_d_o_e_r_s uses a tty-based | (using a monotonic clock if one is available). The user may then use |
time stamp which means that there is a separate time stamp for each of a | ssuuddoo without a password for a short period of time (5 minutes unless |
user's login sessions. The _t_t_y___t_i_c_k_e_t_s option can be disabled to force | overridden by the _t_i_m_e_o_u_t option). By default, _s_u_d_o_e_r_s uses a separate |
the use of a single time stamp for all of a user's sessions. | record for each tty, which means that a user's login sessions are |
| authenticated separately. The _t_t_y___t_i_c_k_e_t_s option can be disabled to |
| force the use of a single time stamp for all of a user's sessions. |
|
|
_s_u_d_o_e_r_s can log both successful and unsuccessful attempts (as well as |
_s_u_d_o_e_r_s can log both successful and unsuccessful attempts (as well as |
errors) to syslog(3), a log file, or both. By default, _s_u_d_o_e_r_s will log |
errors) to syslog(3), a log file, or both. By default, _s_u_d_o_e_r_s will log |
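
Review bot: the DESCRIPTION hunk names the credential-cache lifetime "the _t_i_m_e_o_u_t option" while the SECURITY NOTES hunk in this same diff refers to _t_i_m_e_s_t_a_m_p___t_i_m_e_o_u_t; use one option name in both places so an administrator looking up the setting finds it. The new sentence listing what the record holds (the uid used to authenticate, the terminal session ID, and a monotonic time stamp) would be stronger if it also said that a cached record is honored only when those fields match the invoking process, which is the property the SECURITY NOTES hunk later relies on.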
Line 815 SSUUDDOOEERRSS OOPPTTIIOONNSS
|
Line 817 SSUUDDOOEERRSS OOPPTTIIOONNSS
|
This flag is _o_n by default when ssuuddoo is compiled with |
This flag is _o_n by default when ssuuddoo is compiled with |
zzlliibb support. |
zzlliibb support. |
|
|
|
use_netgroups If set, netgroups (prefixed with `+'), may be used in |
|
place of a user or host. For LDAP-based sudoers, |
|
netgroup support requires an expensive substring match |
|
on the server. If netgroups are not needed, this |
|
option can be disabled to reduce the load on the LDAP |
|
server. This flag is _o_n by default. |
|
|
exec_background By default, ssuuddoo runs a command as the foreground |
exec_background By default, ssuuddoo runs a command as the foreground |
process as long as ssuuddoo itself is running in the |
process as long as ssuuddoo itself is running in the |
foreground. When the _e_x_e_c___b_a_c_k_g_r_o_u_n_d flag is enabled |
foreground. When the _e_x_e_c___b_a_c_k_g_r_o_u_n_d flag is enabled |
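
Review bot: in the new use_netgroups entry the comma in "netgroups (prefixed with `+'), may be used" is stray; drop it. The entry's first sentence says the flag governs netgroup use in place of any user or host, but the rationale given for disabling it is only the LDAP substring-match cost; spell out that turning it off to reduce LDAP load also stops `+' netgroup rules from matching in file-based sudoers, otherwise an administrator may disable it and silently lose existing rules.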
Line 910 SSUUDDOOEERRSS OOPPTTIIOONNSS
|
Line 919 SSUUDDOOEERRSS OOPPTTIIOONNSS
|
If the system is configured to use the _/_e_t_c_/_h_o_s_t_s file |
If the system is configured to use the _/_e_t_c_/_h_o_s_t_s file |
in preference to DNS, the ``canonical'' host name may |
in preference to DNS, the ``canonical'' host name may |
not be fully-qualified. The order that sources are |
not be fully-qualified. The order that sources are |
queried for hosts name resolution is usually specified | queried for host name resolution is usually specified |
in the _/_e_t_c_/_n_s_s_w_i_t_c_h_._c_o_n_f, _/_e_t_c_/_n_e_t_s_v_c_._c_o_n_f, |
in the _/_e_t_c_/_n_s_s_w_i_t_c_h_._c_o_n_f, _/_e_t_c_/_n_e_t_s_v_c_._c_o_n_f, |
_/_e_t_c_/_h_o_s_t_._c_o_n_f, or, in some cases, _/_e_t_c_/_r_e_s_o_l_v_._c_o_n_f |
_/_e_t_c_/_h_o_s_t_._c_o_n_f, or, in some cases, _/_e_t_c_/_r_e_s_o_l_v_._c_o_n_f |
file. In the _/_e_t_c_/_h_o_s_t_s file, the first host name of |
file. In the _/_e_t_c_/_h_o_s_t_s file, the first host name of |
Line 1120 SSUUDDOOEERRSS OOPPTTIIOONNSS
|
Line 1129 SSUUDDOOEERRSS OOPPTTIIOONNSS
|
This flag is _o_n by default. |
This flag is _o_n by default. |
|
|
rootpw If set, ssuuddoo will prompt for the root password instead |
rootpw If set, ssuuddoo will prompt for the root password instead |
of the password of the invoking user. This flag is _o_f_f | of the password of the invoking user when running a |
by default. | command or editing a file. This flag is _o_f_f by |
| default. |
|
|
runaspw If set, ssuuddoo will prompt for the password of the user |
runaspw If set, ssuuddoo will prompt for the password of the user |
defined by the _r_u_n_a_s___d_e_f_a_u_l_t option (defaults to root) |
defined by the _r_u_n_a_s___d_e_f_a_u_l_t option (defaults to root) |
instead of the password of the invoking user. This | instead of the password of the invoking user when |
flag is _o_f_f by default. | running a command or editing a file. This flag is _o_f_f |
| by default. |
|
|
set_home If enabled and ssuuddoo is invoked with the --ss option the |
set_home If enabled and ssuuddoo is invoked with the --ss option the |
HOME environment variable will be set to the home |
HOME environment variable will be set to the home |
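
Review bot: rootpw and runaspw now carry the qualifier "when running a command or editing a file", which implies that other invocations prompt for a different password, but neither entry says which; either state what password is requested in the remaining cases or drop the qualifier, since an administrator who enables rootpw to require the root password needs to know whether any code path still accepts the invoking user's own password.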
Line 1185 SSUUDDOOEERRSS OOPPTTIIOONNSS
|
Line 1196 SSUUDDOOEERRSS OOPPTTIIOONNSS
|
|
|
targetpw If set, ssuuddoo will prompt for the password of the user |
targetpw If set, ssuuddoo will prompt for the password of the user |
specified by the --uu option (defaults to root) instead |
specified by the --uu option (defaults to root) instead |
of the password of the invoking user. In addition, the | of the password of the invoking user when running a |
time stamp file name will include the target user's | command or editing a file. Note that this flag |
name. Note that this flag precludes the use of a uid | precludes the use of a uid not listed in the passwd |
not listed in the passwd database as an argument to the | database as an argument to the --uu option. This flag is |
--uu option. This flag is _o_f_f by default. | _o_f_f by default. |
|
|
tty_tickets If set, users must authenticate on a per-tty basis. |
tty_tickets If set, users must authenticate on a per-tty basis. |
With this flag enabled, ssuuddoo will use a file named for | With this flag enabled, ssuuddoo will use a separate record |
the tty the user is logged in on in the user's time | in the time stamp file for each tty. If disabled, a |
stamp directory. If disabled, the time stamp of the | single record is used for all login sessions. This |
directory is used instead. This flag is _o_n by default. | flag is _o_n by default. |
|
|
umask_override If set, ssuuddoo will set the umask as specified by _s_u_d_o_e_r_s |
umask_override If set, ssuuddoo will set the umask as specified by _s_u_d_o_e_r_s |
without modification. This makes it possible to |
without modification. This makes it possible to |
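
Review bot: the targetpw entry drops "the time stamp file name will include the target user's name" without a replacement, so the page no longer says whether a credential cached for one target user can satisfy a later --uu for a different target user. The DESCRIPTION hunk says each record contains the uid that was used to authenticate; a sentence here saying that targetpw records are therefore keyed on the target user's uid would preserve the dropped information.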
Line 1357 SSUUDDOOEERRSS OOPPTTIIOONNSS
|
Line 1368 SSUUDDOOEERRSS OOPPTTIIOONNSS
|
will be truncated and overwritten unless _i_o_l_o_g___f_i_l_e |
will be truncated and overwritten unless _i_o_l_o_g___f_i_l_e |
ends in six or more Xs. |
ends in six or more Xs. |
|
|
|
lecture_status_dir |
|
The directory in which ssuuddoo stores per-user lecture |
|
status files. Once a user has received the lecture, a |
|
zero-length file is created in this directory so that |
|
ssuuddoo will not lecture the user again. This directory |
|
should _n_o_t be cleared when the system reboots. The |
|
default is _/_v_a_r_/_a_d_m_/_s_u_d_o_/_l_e_c_t_u_r_e_d. |
|
|
limitprivs The default Solaris limit privileges to use when |
limitprivs The default Solaris limit privileges to use when |
constructing a new privilege set for a command. This |
constructing a new privilege set for a command. This |
bounds all privileges of the executing process. The |
bounds all privileges of the executing process. The |
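
Review bot: the new lecture_status_dir entry gives the default path and says the directory must survive reboots, but not who must own it or what mode it needs; the timestampowner entry in this diff says that user owns the lecture status directory, so cross-referencing timestampowner here (and stating the expected mode) would tell an administrator who relocates the directory what to set.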
Line 1381 SSUUDDOOEERRSS OOPPTTIIOONNSS
|
Line 1400 SSUUDDOOEERRSS OOPPTTIIOONNSS
|
Once the local sequence number reaches the value of |
Once the local sequence number reaches the value of |
_m_a_x_s_e_q, it will ``roll over'' to zero, after which |
_m_a_x_s_e_q, it will ``roll over'' to zero, after which |
ssuuddooeerrss will truncate and re-use any existing I/O log |
ssuuddooeerrss will truncate and re-use any existing I/O log |
pathnames. | path names. |
|
|
This setting is only supported by version 1.8.7 or |
This setting is only supported by version 1.8.7 or |
higher. |
higher. |
Line 1472 SSUUDDOOEERRSS OOPPTTIIOONNSS
|
Line 1491 SSUUDDOOEERRSS OOPPTTIIOONNSS
|
to ``C''. |
to ``C''. |
|
|
timestampdir The directory in which ssuuddoo stores its time stamp |
timestampdir The directory in which ssuuddoo stores its time stamp |
files. The default is _/_v_a_r_/_a_d_m_/_s_u_d_o. | files. This directory should be cleared when the |
| system reboots. The default is _/_v_a_r_/_r_u_n_/_s_u_d_o_/_t_s. |
|
|
timestampowner The owner of the time stamp directory and the time | timestampowner The owner of the lecture status directory, time stamp |
stamps stored therein. The default is root. | directory and all files stored therein. The default is |
| root. |
|
|
type The default SELinux type to use when constructing a new |
type The default SELinux type to use when constructing a new |
security context to run the command. The default type |
security context to run the command. The default type |
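
Review bot: the timestampdir entry now says the directory should be cleared on reboot and defaults to _/_v_a_r_/_r_u_n_/_s_u_d_o_/_t_s, but the ownership and mode that sudoers enforces on it appear only in the diagnostics hunk (mode 0700, owned by _t_i_m_e_s_t_a_m_p_o_w_n_e_r, not group-writable, parent _/_v_a_r_/_r_u_n_/_s_u_d_o at 0711); restating them here, where an administrator changing timestampdir or timestampowner will look, would prevent a relocated directory from being silently ignored. "This directory should be cleared when the system reboots" also reads as advice only; say whether sudoers depends on it or merely prefers it, given that the SECURITY NOTES hunk says records older than boot time are rejected where boot time is available.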
Line 1810 LLOOGG FFOORRMMAATT
|
Line 1831 LLOOGG FFOORRMMAATT
|
`N' is the group ID that owns the _s_u_d_o_e_r_s file) to the ssuuddooeerrss Plugin |
`N' is the group ID that owns the _s_u_d_o_e_r_s file) to the ssuuddooeerrss Plugin |
line in the sudo.conf(4) file. |
line in the sudo.conf(4) file. |
|
|
unable to open /var/adm/sudo/username/ttyname | unable to open /var/run/sudo/ts/username |
_s_u_d_o_e_r_s was unable to read or create the user's time stamp file. | _s_u_d_o_e_r_s was unable to read or create the user's time stamp file. This |
| can happen when _t_i_m_e_s_t_a_m_p_o_w_n_e_r is set to a user other than root and |
| the mode on _/_v_a_r_/_r_u_n_/_s_u_d_o is not searchable by group or other. The |
| default mode for _/_v_a_r_/_r_u_n_/_s_u_d_o is 0711. |
|
|
unable to write to /var/adm/sudo/username/ttyname | unable to write to /var/run/sudo/ts/username |
_s_u_d_o_e_r_s was unable to write to the user's time stamp file. |
_s_u_d_o_e_r_s was unable to write to the user's time stamp file. |
|
|
unable to mkdir to /var/adm/sudo/username | /var/run/sudo/ts is owned by uid X, should be Y |
_s_u_d_o_e_r_s was unable to create the user's time stamp directory. | The time stamp directory is owned by a user other than _t_i_m_e_s_t_a_m_p_o_w_n_e_r. |
| This can occur when the value of _t_i_m_e_s_t_a_m_p_o_w_n_e_r has been changed. |
| _s_u_d_o_e_r_s will ignore the time stamp directory until the owner is |
| corrected. |
|
|
|
/var/run/sudo/ts is group writable |
|
The time stamp directory is group-writable; it should be writable only |
|
by _t_i_m_e_s_t_a_m_p_o_w_n_e_r. The default mode for the time stamp directory is |
|
0700. _s_u_d_o_e_r_s will ignore the time stamp directory until the mode is |
|
corrected. |
|
|
NNootteess oonn llooggggiinngg vviiaa ssyysslloogg |
NNootteess oonn llooggggiinngg vviiaa ssyysslloogg |
By default, _s_u_d_o_e_r_s logs messages via syslog(3). The _d_a_t_e, _h_o_s_t_n_a_m_e, and |
By default, _s_u_d_o_e_r_s logs messages via syslog(3). The _d_a_t_e, _h_o_s_t_n_a_m_e, and |
_p_r_o_g_n_a_m_e fields are added by the syslog daemon, not _s_u_d_o_e_r_s itself. As |
_p_r_o_g_n_a_m_e fields are added by the syslog daemon, not _s_u_d_o_e_r_s itself. As |
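
Review bot: the three new diagnostics say sudoers "will ignore the time stamp directory" on wrong ownership or group-writability but not what the user observes; add that the effect is a password prompt on every run until the owner or mode is corrected, so the symptom can be matched to the message. The SECURITY NOTES hunk says the directory is ignored when it is writable by any user other than root, yet the only mode message listed is "/var/run/sudo/ts is group writable"; either add the corresponding world-writable message or state that this message covers both cases.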
Line 1859 FFIILLEESS
|
Line 1892 FFIILLEESS
|
|
|
_/_v_a_r_/_l_o_g_/_s_u_d_o_-_i_o I/O log files |
_/_v_a_r_/_l_o_g_/_s_u_d_o_-_i_o I/O log files |
|
|
_/_v_a_r_/_a_d_m_/_s_u_d_o Directory containing time stamps for the | _/_v_a_r_/_r_u_n_/_s_u_d_o_/_t_s Directory containing time stamps for the |
_s_u_d_o_e_r_s security policy |
_s_u_d_o_e_r_s security policy |
|
|
|
_/_v_a_r_/_a_d_m_/_s_u_d_o_/_l_e_c_t_u_r_e_d Directory containing lecture status files for |
|
the _s_u_d_o_e_r_s security policy |
|
|
_/_e_t_c_/_e_n_v_i_r_o_n_m_e_n_t Initial environment for --ii mode on AIX and |
_/_e_t_c_/_e_n_v_i_r_o_n_m_e_n_t Initial environment for --ii mode on AIX and |
Linux systems |
Linux systems |
|
|
Line 2145 SSEECCUURRIITTYY NNOOTTEESS
|
Line 2181 SSEECCUURRIITTYY NNOOTTEESS
|
as root are still capable of many potentially hazardous operations (such |
as root are still capable of many potentially hazardous operations (such |
as changing or overwriting files) that could lead to unintended privilege |
as changing or overwriting files) that could lead to unintended privilege |
escalation. In the specific case of an editor, a safer approach is to |
escalation. In the specific case of an editor, a safer approach is to |
give the user permission to run ssuuddooeeddiitt. | give the user permission to run ssuuddooeeddiitt (see below). |
|
|
|
SSeeccuurree eeddiittiinngg |
|
The _s_u_d_o_e_r_s plugin includes ssuuddooeeddiitt support which allows users to |
|
securely edit files with the editor of their choice. As ssuuddooeeddiitt is a |
|
built-in command, it must be specified in _s_u_d_o_e_r_s without a leading path. |
|
However, it may take command line arguments just as a normal command |
|
does. For example, to allow user operator to edit the ``message of the |
|
day'' file: |
|
|
|
operator sudoedit /etc/motd |
|
|
|
The operator user then runs ssuuddooeeddiitt as follows: |
|
|
|
$ sudoedit /etc/motd |
|
|
|
The editor will run as the operator user, not root, on a temporary copy |
|
of _/_e_t_c_/_m_o_t_d. After the file has been edited, _/_e_t_c_/_m_o_t_d will be updated |
|
with the contents of the temporary copy. |
|
|
TTiimmee ssttaammpp ffiillee cchheecckkss |
TTiimmee ssttaammpp ffiillee cchheecckkss |
_s_u_d_o_e_r_s will check the ownership of its time stamp directory |
_s_u_d_o_e_r_s will check the ownership of its time stamp directory |
(_/_v_a_r_/_a_d_m_/_s_u_d_o by default) and ignore the directory's contents if it is | (_/_v_a_r_/_r_u_n_/_s_u_d_o_/_t_s by default) and ignore the directory's contents if it |
not owned by root or if it is writable by a user other than root. On | is not owned by root or if it is writable by a user other than root. |
systems that allow non-root users to give away files via chown(2), if the | Older versions of ssuuddoo stored time stamp files in _/_t_m_p; this is no longer |
time stamp directory is located in a world-writable directory (e.g., | recommended as it may be possible for a user to create the time stamp |
_/_t_m_p), it is possible for a user to create the time stamp directory | themselves on systems that allow unprivileged users to change the |
before ssuuddoo is run. However, because _s_u_d_o_e_r_s checks the ownership and | ownership of files they create. |
mode of the directory and its contents, the only damage that can be done | |
is to ``hide'' files by putting them in the time stamp dir. This is | |
unlikely to happen since once the time stamp dir is owned by root and | |
inaccessible by any other user, the user placing files there would be | |
unable to get them back out. | |
|
|
|
While the time stamp directory _s_h_o_u_l_d be cleared at reboot time, not all |
|
systems contain a _/_v_a_r_/_r_u_n directory. To avoid potential problems, |
|
_s_u_d_o_e_r_s will ignore time stamp files that date from before the machine |
|
booted on systems where the boot time is available. |
|
|
|
Some systems with graphical desktop environments allow unprivileged users |
|
to change the system clock. Since _s_u_d_o_e_r_s relies on the system clock for |
|
time stamp validation, it may be possible on such systems for a user to |
|
run ssuuddoo for longer than _t_i_m_e_s_t_a_m_p___t_i_m_e_o_u_t by setting the clock back. To |
|
combat this, _s_u_d_o_e_r_s uses a monotonic clock (which never moves backwards) |
|
for its time stamps if the system supports it. |
|
|
_s_u_d_o_e_r_s will not honor time stamps set far in the future. Time stamps |
_s_u_d_o_e_r_s will not honor time stamps set far in the future. Time stamps |
with a date greater than current_time + 2 * TIMEOUT will be ignored and |
with a date greater than current_time + 2 * TIMEOUT will be ignored and |
sudo will log and complain. This is done to keep a user from creating | _s_u_d_o_e_r_s will log and complain. |
his/her own time stamp with a bogus date on systems that allow users to | |
give away files if the time stamp directory is located in a world- | |
writable directory. | |
|
|
On systems where the boot time is available, _s_u_d_o_e_r_s will ignore time |
|
stamps that date from before the machine booted. |
|
|
|
Since time stamp files live in the file system, they can outlive a user's |
Since time stamp files live in the file system, they can outlive a user's |
login session. As a result, a user may be able to login, run a command |
login session. As a result, a user may be able to login, run a command |
with ssuuddoo after authenticating, logout, login again, and run ssuuddoo without |
with ssuuddoo after authenticating, logout, login again, and run ssuuddoo without |
authenticating so long as the time stamp file's modification time is | authenticating so long as the record's time stamp is within 5 minutes (or |
within 5 minutes (or whatever the timeout is set to in _s_u_d_o_e_r_s). When | whatever value the timeout is set to in _s_u_d_o_e_r_s). When the _t_t_y___t_i_c_k_e_t_s |
the _t_t_y___t_i_c_k_e_t_s option is enabled, the time stamp has per-tty granularity | option is enabled, the time stamp record includes the device number of |
but still may outlive the user's session. On Linux systems where the | the terminal the user authenticated with. This provides per-tty |
devpts filesystem is used, Solaris systems with the devices filesystem, | granularity but time stamp records still may outlive the user's session. |
as well as other systems that utilize a devfs filesystem that | The time stamp record also includes the session ID of the process that |
monotonically increase the inode number of devices as they are created | last authenticated. This prevents processes in different terminal |
(such as Mac OS X), _s_u_d_o_e_r_s is able to determine when a tty-based time | sessions from using the same time stamp record. It also helps reduce the |
stamp file is stale and will ignore it. Administrators should not rely | chance that a user will be able to run ssuuddoo without entering a password |
on this feature as it is not universally available. | when logging out and back in again on the same terminal. |
|
|
DDEEBBUUGGGGIINNGG |
DDEEBBUUGGGGIINNGG |
Versions 1.8.4 and higher of the ssuuddooeerrss plugin support a flexible |
Versions 1.8.4 and higher of the ssuuddooeerrss plugin support a flexible |
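
Review bot: "Time stamp file checks" says the directory's contents are ignored "if it is not owned by root or if it is writable by a user other than root", but the timestampowner option in this diff allows a non-root owner and the new diagnostic reads "/var/run/sudo/ts is owned by uid X, should be Y ... a user other than _t_i_m_e_s_t_a_m_p_o_w_n_e_r"; state the check in terms of _t_i_m_e_s_t_a_m_p_o_w_n_e_r so the two descriptions agree. The boot-time rule also appears twice in the right column ("_s_u_d_o_e_r_s will ignore time stamp files that date from before the machine booted" and again under "On systems where the boot time is available"); keep one.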
Line 2234 DDEEBBUUGGGGIINNGG
|
Line 2289 DDEEBBUUGGGGIINNGG
|
|
|
_r_b_t_r_e_e redblack tree internals |
_r_b_t_r_e_e redblack tree internals |
|
|
|
_s_s_s_d SSSD-based sudoers |
|
|
_u_t_i_l utility functions |
_u_t_i_l utility functions |
For example: |
For example: |
|
|
Line 2272 DDIISSCCLLAAIIMMEERR
|
Line 2329 DDIISSCCLLAAIIMMEERR
|
file distributed with ssuuddoo or http://www.sudo.ws/sudo/license.html for |
file distributed with ssuuddoo or http://www.sudo.ws/sudo/license.html for |
complete details. |
complete details. |
|
|
Sudo 1.8.8 August 31, 2013 Sudo 1.8.8 | Sudo 1.8.10 February 15, 2014 Sudo 1.8.10 |