|
version 1.1, 2012/02/21 16:23:02
|
version 1.1.1.2, 2012/05/29 12:26:49
|
|
Line 65 D�DE�ES�SC�CR�RI�IP�PT�TI�IO�ON�N
|
Line 65 D�DE�ES�SC�CR�RI�IP�PT�TI�IO�ON�N
|
| distinct ways _�s_�u_�d_�o_�e_�r_�s can deal with environment variables. |
distinct ways _�s_�u_�d_�o_�e_�r_�s can deal with environment variables. |
| |
|
| By default, the _�e_�n_�v_�__�r_�e_�s_�e_�t option is enabled. This causes commands to |
By default, the _�e_�n_�v_�__�r_�e_�s_�e_�t option is enabled. This causes commands to |
| be executed with a minimal environment containing TERM, PATH, HOME, | be executed with a new, minimal environment. On AIX (and Linux systems |
| MAIL, SHELL, LOGNAME, USER and USERNAME in addition to variables from | without PAM), the environment is initialized with the contents of the |
| the invoking process permitted by the _�e_�n_�v_�__�c_�h_�e_�c_�k and _�e_�n_�v_�__�k_�e_�e_�p options. | _�/_�e_�t_�c_�/_�e_�n_�v_�i_�r_�o_�n_�m_�e_�n_�t file. On BSD systems, if the _�u_�s_�e_�__�l_�o_�g_�i_�n_�c_�l_�a_�s_�s option is |
| This is effectively a whitelist for environment variables. | enabled, the environment is initialized based on the _�p_�a_�t_�h and _�s_�e_�t_�e_�n_�v |
| | settings in _�/_�e_�t_�c_�/_�l_�o_�g_�i_�n_�._�c_�o_�n_�f. The new environment contains the TERM, |
| | PATH, HOME, MAIL, SHELL, LOGNAME, USER, USERNAME and SUDO_* variables |
| | in addition to variables from the invoking process permitted by the |
| | _�e_�n_�v_�__�c_�h_�e_�c_�k and _�e_�n_�v_�__�k_�e_�e_�p options. This is effectively a whitelist for |
| | environment variables. |
| |
|
| If, however, the _�e_�n_�v_�__�r_�e_�s_�e_�t option is disabled, any variables not |
If, however, the _�e_�n_�v_�__�r_�e_�s_�e_�t option is disabled, any variables not |
| explicitly denied by the _�e_�n_�v_�__�c_�h_�e_�c_�k and _�e_�n_�v_�__�d_�e_�l_�e_�t_�e options are inherited |
explicitly denied by the _�e_�n_�v_�__�c_�h_�e_�c_�k and _�e_�n_�v_�__�d_�e_�l_�e_�t_�e options are inherited |
|
Line 94 D�DE�ES�SC�CR�RI�IP�PT�TI�IO�ON�N
|
Line 99 D�DE�ES�SC�CR�RI�IP�PT�TI�IO�ON�N
|
| _�s_�u_�d_�o_�e_�r_�s will initialize the environment regardless of the value of |
_�s_�u_�d_�o_�e_�r_�s will initialize the environment regardless of the value of |
| _�e_�n_�v_�__�r_�e_�s_�e_�t. The _�D_�I_�S_�P_�L_�A_�Y, _�P_�A_�T_�H and _�T_�E_�R_�M variables remain unchanged; |
_�e_�n_�v_�__�r_�e_�s_�e_�t. The _�D_�I_�S_�P_�L_�A_�Y, _�P_�A_�T_�H and _�T_�E_�R_�M variables remain unchanged; |
| _�H_�O_�M_�E, _�M_�A_�I_�L, _�S_�H_�E_�L_�L, _�U_�S_�E_�R, and _�L_�O_�G_�N_�A_�M_�E are set based on the target user. |
_�H_�O_�M_�E, _�M_�A_�I_�L, _�S_�H_�E_�L_�L, _�U_�S_�E_�R, and _�L_�O_�G_�N_�A_�M_�E are set based on the target user. |
| On Linux and AIX systems the contents of _�/_�e_�t_�c_�/_�e_�n_�v_�i_�r_�o_�n_�m_�e_�n_�t are also | On AIX (and Linux systems without PAM), the contents of |
| included. All other environment variables are removed. | _�/_�e_�t_�c_�/_�e_�n_�v_�i_�r_�o_�n_�m_�e_�n_�t are also included. On BSD systems, if the |
| | _�u_�s_�e_�__�l_�o_�g_�i_�n_�c_�l_�a_�s_�s option is enabled, the _�p_�a_�t_�h and _�s_�e_�t_�e_�n_�v variables in |
| | _�/_�e_�t_�c_�/_�l_�o_�g_�i_�n_�._�c_�o_�n_�f are also applied. All other environment variables are |
| | removed. |
| |
|
| |
Finally, if the _�e_�n_�v_�__�f_�i_�l_�e option is defined, any variables present in |
| |
that file will be set to their specified values as long as they would |
| |
not conflict with an existing environment variable. |
| |
|
| S�SU�UD�DO�OE�ER�RS�S F�FI�IL�LE�E F�FO�OR�RM�MA�AT�T |
S�SU�UD�DO�OE�ER�RS�S F�FI�IL�LE�E F�FO�OR�RM�MA�AT�T |
| The _�s_�u_�d_�o_�e_�r_�s file is composed of two types of entries: aliases |
The _�s_�u_�d_�o_�e_�r_�s file is composed of two types of entries: aliases |
| (basically variables) and user specifications (which specify who may |
(basically variables) and user specifications (which specify who may |
|
Line 198 S�SU�UD�DO�OE�ER�RS�S F�FI�IL�LE�E F�FO�OR�RM�MA�AT�T
|
Line 210 S�SU�UD�DO�OE�ER�RS�S F�FI�IL�LE�E F�FO�OR�RM�MA�AT�T
|
| below). For instance, the QAS AD plugin supports the following |
below). For instance, the QAS AD plugin supports the following |
| formats: |
formats: |
| |
|
| +�o Group in the same domain: "Group Name" | o Group in the same domain: "Group Name" |
| |
|
| +�o Group in any domain: "Group Name@FULLY.QUALIFIED.DOMAIN" | o Group in any domain: "Group Name@FULLY.QUALIFIED.DOMAIN" |
| |
|
| +�o Group SID: "S-1-2-34-5678901234-5678901234-5678901234-567" | o Group SID: "S-1-2-34-5678901234-5678901234-5678901234-567" |
| |
|
| Note that quotes around group names are optional. Unquoted strings |
Note that quotes around group names are optional. Unquoted strings |
| must use a backslash (\) to escape spaces and special characters. See |
must use a backslash (\) to escape spaces and special characters. See |
|
Line 473 S�SU�UD�DO�OE�ER�RS�S F�FI�IL�LE�E F�FO�OR�RM�MA�AT�T
|
Line 485 S�SU�UD�DO�OE�ER�RS�S F�FI�IL�LE�E F�FO�OR�RM�MA�AT�T
|
| |
|
| aaron shanty = NOEXEC: /usr/bin/more, /usr/bin/vi |
aaron shanty = NOEXEC: /usr/bin/more, /usr/bin/vi |
| |
|
| See the "PREVENTING SHELL ESCAPES" section below for more details on | See the "Preventing Shell Escapes" section below for more details on |
| how NOEXEC works and whether or not it will work on your system. |
how NOEXEC works and whether or not it will work on your system. |
| |
|
| _�S_�E_�T_�E_�N_�V _�a_�n_�d _�N_�O_�S_�E_�T_�E_�N_�V |
_�S_�E_�T_�E_�N_�V _�a_�n_�d _�N_�O_�S_�E_�T_�E_�N_�V |
|
Line 560 S�SU�UD�DO�OE�ER�RS�S F�FI�IL�LE�E F�FO�OR�RM�MA�AT�T
|
Line 572 S�SU�UD�DO�OE�ER�RS�S F�FI�IL�LE�E F�FO�OR�RM�MA�AT�T
|
| A hard limit of 128 nested include files is enforced to prevent include |
A hard limit of 128 nested include files is enforced to prevent include |
| file loops. |
file loops. |
| |
|
| The file name may include the %h escape, signifying the short form of | If the path to the include file is not fully-qualified (does not begin |
| the host name. I.e., if the machine's host name is "xerxes", then | with a _�/), it must be located in the same directory as the sudoers file |
| | it was included from. For example, if _�/_�e_�t_�c_�/_�s_�u_�d_�o_�e_�r_�s contains the line: |
| |
|
| |
#include sudoers.local |
| |
|
| |
the file that will be included is _�/_�e_�t_�c_�/_�s_�u_�d_�o_�e_�r_�s_�._�l_�o_�c_�a_�l. |
| |
|
| |
The file name may also include the %h escape, signifying the short form |
| |
of the host name. I.e., if the machine's host name is "xerxes", then |
| |
|
| #include /etc/sudoers.%h |
#include /etc/sudoers.%h |
| |
|
| will cause s�su�ud�do�o to include the file _�/_�e_�t_�c_�/_�s_�u_�d_�o_�e_�r_�s_�._�x_�e_�r_�x_�e_�s. |
will cause s�su�ud�do�o to include the file _�/_�e_�t_�c_�/_�s_�u_�d_�o_�e_�r_�s_�._�x_�e_�r_�x_�e_�s. |
|
Line 662 S�SU�UD�DO�OE�ER�RS�S O�OP�PT�TI�IO�ON�NS�S
|
Line 682 S�SU�UD�DO�OE�ER�RS�S O�OP�PT�TI�IO�ON�NS�S
|
| use the EDITOR or VISUAL if they match a value |
use the EDITOR or VISUAL if they match a value |
| specified in editor. This flag is _�o_�f_�f by default. |
specified in editor. This flag is _�o_�f_�f by default. |
| |
|
| env_reset If set, s�su�ud�do�o will reset the environment to only contain | env_reset If set, s�su�ud�do�o will run the command in a minimal |
| the LOGNAME, MAIL, SHELL, USER, USERNAME and the SUDO_* | environment containing the TERM, PATH, HOME, MAIL, |
| variables. Any variables in the caller's environment | SHELL, LOGNAME, USER, USERNAME and SUDO_* variables. |
| that match the env_keep and env_check lists are then | Any variables in the caller's environment that match |
| added. The default contents of the env_keep and | the env_keep and env_check lists are then added, |
| env_check lists are displayed when s�su�ud�do�o is run by root | followed by any variables present in the file specified |
| with the _�-_�V option. If the _�s_�e_�c_�u_�r_�e_�__�p_�a_�t_�h option is set, | by the _�e_�n_�v_�__�f_�i_�l_�e option (if any). The default contents |
| its value will be used for the PATH environment | of the env_keep and env_check lists are displayed when |
| variable. This flag is _�o_�n by default. | s�su�ud�do�o is run by root with the _�-_�V option. If the |
| | _�s_�e_�c_�u_�r_�e_�__�p_�a_�t_�h option is set, its value will be used for |
| | the PATH environment variable. This flag is _�o_�n by |
| | default. |
| |
|
| fast_glob Normally, s�su�ud�do�o uses the _�g_�l_�o_�b(3) function to do shell- |
fast_glob Normally, s�su�ud�do�o uses the _�g_�l_�o_�b(3) function to do shell- |
| style globbing when matching path names. However, |
style globbing when matching path names. However, |
|
Line 800 S�SU�UD�DO�OE�ER�RS�S O�OP�PT�TI�IO�ON�NS�S
|
Line 823 S�SU�UD�DO�OE�ER�RS�S O�OP�PT�TI�IO�ON�NS�S
|
| noexec If set, all commands run via s�su�ud�do�o will behave as if the |
noexec If set, all commands run via s�su�ud�do�o will behave as if the |
| NOEXEC tag has been set, unless overridden by a EXEC |
NOEXEC tag has been set, unless overridden by a EXEC |
| tag. See the description of _�N_�O_�E_�X_�E_�C _�a_�n_�d _�E_�X_�E_�C below as |
tag. See the description of _�N_�O_�E_�X_�E_�C _�a_�n_�d _�E_�X_�E_�C below as |
| well as the "PREVENTING SHELL ESCAPES" section at the | well as the "Preventing Shell Escapes" section at the |
| end of this manual. This flag is _�o_�f_�f by default. |
end of this manual. This flag is _�o_�f_�f by default. |
| |
|
| path_info Normally, s�su�ud�do�o will tell the user when a command could |
path_info Normally, s�su�ud�do�o will tell the user when a command could |
|
Line 1087 S�SU�UD�DO�OE�ER�RS�S O�OP�PT�TI�IO�ON�NS�S
|
Line 1110 S�SU�UD�DO�OE�ER�RS�S O�OP�PT�TI�IO�ON�NS�S
|
| %h will expand to the host name of the machine. |
%h will expand to the host name of the machine. |
| Default is *** SECURITY information for %h ***. |
Default is *** SECURITY information for %h ***. |
| |
|
| noexec_file This option is deprecated and will be removed in a | noexec_file This option is no longer supported. The path to the |
| future release of s�su�ud�do�o. The path to the noexec file | noexec file should now be set in the _�/_�e_�t_�c_�/_�s_�u_�d_�o_�._�c_�o_�n_�f |
| should now be set in the _�/_�e_�t_�c_�/_�s_�u_�d_�o_�._�c_�o_�n_�f file. | file. |
| |
|
| passprompt The default prompt to use when asking for a password; |
passprompt The default prompt to use when asking for a password; |
| can be overridden via the -�-p�p option or the SUDO_PROMPT |
can be overridden via the -�-p�p option or the SUDO_PROMPT |
|
Line 1158 S�SU�UD�DO�OE�ER�RS�S O�OP�PT�TI�IO�ON�NS�S
|
Line 1181 S�SU�UD�DO�OE�ER�RS�S O�OP�PT�TI�IO�ON�NS�S
|
| |
|
| S�St�tr�ri�in�ng�gs�s t�th�ha�at�t c�ca�an�n b�be�e u�us�se�ed�d i�in�n a�a b�bo�oo�ol�le�ea�an�n c�co�on�nt�te�ex�xt�t: |
S�St�tr�ri�in�ng�gs�s t�th�ha�at�t c�ca�an�n b�be�e u�us�se�ed�d i�in�n a�a b�bo�oo�ol�le�ea�an�n c�co�on�nt�te�ex�xt�t: |
| |
|
| env_file The _�e_�n_�v_�__�f_�i_�l_�e options specifies the fully qualified path to | env_file The _�e_�n_�v_�__�f_�i_�l_�e option specifies the fully qualified path to a |
| a file containing variables to be set in the environment of | file containing variables to be set in the environment of |
| the program being run. Entries in this file should either |
the program being run. Entries in this file should either |
| be of the form VARIABLE=value or export VARIABLE=value. |
be of the form VARIABLE=value or export VARIABLE=value. |
| The value may optionally be surrounded by single or double |
The value may optionally be surrounded by single or double |
|
Line 1325 S�SU�UD�DO�OE�ER�RS�S O�OP�PT�TI�IO�ON�NS�S
|
Line 1348 S�SU�UD�DO�OE�ER�RS�S O�OP�PT�TI�IO�ON�NS�S
|
| variables to keep is displayed when s�su�ud�do�o is run by root |
variables to keep is displayed when s�su�ud�do�o is run by root |
| with the _�-_�V option. |
with the _�-_�V option. |
| |
|
| |
S�SU�UD�DO�O.�.C�CO�ON�NF�F |
| |
The _�/_�e_�t_�c_�/_�s_�u_�d_�o_�._�c_�o_�n_�f file determines which plugins the s�su�ud�do�o front end |
| |
will load. If no _�/_�e_�t_�c_�/_�s_�u_�d_�o_�._�c_�o_�n_�f file is present, or it contains no |
| |
Plugin lines, s�su�ud�do�o will use the _�s_�u_�d_�o_�e_�r_�s security policy and I/O |
| |
logging, which corresponds to the following _�/_�e_�t_�c_�/_�s_�u_�d_�o_�._�c_�o_�n_�f file. |
| |
|
| |
# |
| |
# Default /etc/sudo.conf file |
| |
# |
| |
# Format: |
| |
# Plugin plugin_name plugin_path plugin_options ... |
| |
# Path askpass /path/to/askpass |
| |
# Path noexec /path/to/sudo_noexec.so |
| |
# Debug sudo /var/log/sudo_debug all@warn |
| |
# Set disable_coredump true |
| |
# |
| |
# The plugin_path is relative to /usr/local/libexec unless |
| |
# fully qualified. |
| |
# The plugin_name corresponds to a global symbol in the plugin |
| |
# that contains the plugin interface structure. |
| |
# The plugin_options are optional. |
| |
# |
| |
Plugin policy_plugin sudoers.so |
| |
Plugin io_plugin sudoers.so |
| |
|
| |
P�PL�LU�UG�GI�IN�N O�OP�PT�TI�IO�ON�NS�S |
| |
Starting with s�su�ud�do�o 1.8.5 it is possible to pass options to the _�s_�u_�d_�o_�e_�r_�s |
| |
plugin. Options may be listed after the path to the plugin (i.e. after |
| |
_�s_�u_�d_�o_�e_�r_�s_�._�s_�o); multiple options should be space-separated. For example: |
| |
|
| |
Plugin sudoers_policy sudoers.so sudoers_file=/etc/sudoers sudoers_uid=0 sudoers_gid=0 sudoers_mode=0440 |
| |
|
| |
The following plugin options are supported: |
| |
|
| |
sudoers_file=pathname |
| |
The _�s_�u_�d_�o_�e_�r_�s_�__�f_�i_�l_�e option can be used to override the default |
| |
path to the _�s_�u_�d_�o_�e_�r_�s file. |
| |
|
| |
sudoers_uid=uid |
| |
The _�s_�u_�d_�o_�e_�r_�s_�__�u_�i_�d option can be used to override the default |
| |
owner of the sudoers file. It should be specified as a |
| |
numeric user ID. |
| |
|
| |
sudoers_gid=gid |
| |
The _�s_�u_�d_�o_�e_�r_�s_�__�g_�i_�d option can be used to override the default |
| |
group of the sudoers file. It should be specified as a |
| |
numeric group ID. |
| |
|
| |
sudoers_mode=mode |
| |
The _�s_�u_�d_�o_�e_�r_�s_�__�m_�o_�d_�e option can be used to override the default |
| |
file mode for the sudoers file. It should be specified as an |
| |
octal value. |
| |
|
| |
D�DE�EB�BU�UG�G F�FL�LA�AG�GS�S |
| |
Versions 1.8.4 and higher of the _�s_�u_�d_�o_�e_�r_�s plugin supports a debugging |
| |
framework that can help track down what the plugin is doing internally |
| |
if there is a problem. This can be configured in the _�/_�e_�t_�c_�/_�s_�u_�d_�o_�._�c_�o_�n_�f |
| |
file as described in _�s_�u_�d_�o(1m). |
| |
|
| |
The _�s_�u_�d_�o_�e_�r_�s plugin uses the same debug flag format as s�su�ud�do�o itself: |
| |
_�s_�u_�b_�s_�y_�s_�t_�e_�m@_�p_�r_�i_�o_�r_�i_�t_�y. |
| |
|
| |
The priorities used by _�s_�u_�d_�o_�e_�r_�s, in order of decreasing severity, are: |
| |
_�c_�r_�i_�t, _�e_�r_�r, _�w_�a_�r_�n, _�n_�o_�t_�i_�c_�e, _�d_�i_�a_�g, _�i_�n_�f_�o, _�t_�r_�a_�c_�e and _�d_�e_�b_�u_�g. Each priority, |
| |
when specified, also includes all priorities higher than it. For |
| |
example, a priority of _�n_�o_�t_�i_�c_�e would include debug messages logged at |
| |
_�n_�o_�t_�i_�c_�e and higher. |
| |
|
| |
The following subsystems are used by _�s_�u_�d_�o_�e_�r_�s: |
| |
|
| |
_�a_�l_�i_�a_�s User_Alias, Runas_Alias, Host_Alias and Cmnd_Alias processing |
| |
|
| |
_�a_�l_�l matches every subsystem |
| |
|
| |
_�a_�u_�d_�i_�t BSM and Linux audit code |
| |
|
| |
_�a_�u_�t_�h user authentication |
| |
|
| |
_�d_�e_�f_�a_�u_�l_�t_�s _�s_�u_�d_�o_�e_�r_�s _�D_�e_�f_�a_�u_�l_�t_�s settings |
| |
|
| |
_�e_�n_�v environment handling |
| |
|
| |
_�l_�d_�a_�p LDAP-based sudoers |
| |
|
| |
_�l_�o_�g_�g_�i_�n_�g logging support |
| |
|
| |
_�m_�a_�t_�c_�h matching of users, groups, hosts and netgroups in _�s_�u_�d_�o_�e_�r_�s |
| |
|
| |
_�n_�e_�t_�i_�f network interface handling |
| |
|
| |
_�n_�s_�s network service switch handling in _�s_�u_�d_�o_�e_�r_�s |
| |
|
| |
_�p_�a_�r_�s_�e_�r _�s_�u_�d_�o_�e_�r_�s file parsing |
| |
|
| |
_�p_�e_�r_�m_�s permission setting |
| |
|
| |
_�p_�l_�u_�g_�i_�n The equivalent of _�m_�a_�i_�n for the plugin. |
| |
|
| |
_�p_�t_�y pseudo-tty related code |
| |
|
| |
_�r_�b_�t_�r_�e_�e redblack tree internals |
| |
|
| |
_�u_�t_�i_�l utility functions |
| |
|
| F�FI�IL�LE�ES�S |
F�FI�IL�LE�ES�S |
| |
_�/_�e_�t_�c_�/_�s_�u_�d_�o_�._�c_�o_�n_�f Sudo front end configuration |
| |
|
| _�/_�e_�t_�c_�/_�s_�u_�d_�o_�e_�r_�s List of who can run what |
_�/_�e_�t_�c_�/_�s_�u_�d_�o_�e_�r_�s List of who can run what |
| |
|
| _�/_�e_�t_�c_�/_�g_�r_�o_�u_�p Local groups file |
_�/_�e_�t_�c_�/_�g_�r_�o_�u_�p Local groups file |
|
Line 1337 F�FI�IL�LE�ES�S
|
Line 1466 F�FI�IL�LE�ES�S
|
| _�/_�v_�a_�r_�/_�a_�d_�m_�/_�s_�u_�d_�o Directory containing time stamps for the |
_�/_�v_�a_�r_�/_�a_�d_�m_�/_�s_�u_�d_�o Directory containing time stamps for the |
| _�s_�u_�d_�o_�e_�r_�s security policy |
_�s_�u_�d_�o_�e_�r_�s security policy |
| |
|
| _�/_�e_�t_�c_�/_�e_�n_�v_�i_�r_�o_�n_�m_�e_�n_�t Initial environment for -�-i�i mode on Linux and | _�/_�e_�t_�c_�/_�e_�n_�v_�i_�r_�o_�n_�m_�e_�n_�t Initial environment for -�-i�i mode on AIX and |
| AIX | Linux systems |
| |
|
| E�EX�XA�AM�MP�PL�LE�ES�S |
E�EX�XA�AM�MP�PL�LE�ES�S |
| Below are example _�s_�u_�d_�o_�e_�r_�s entries. Admittedly, some of these are a bit |
Below are example _�s_�u_�d_�o_�e_�r_�s entries. Admittedly, some of these are a bit |
|
Line 1521 E�EX�XA�AM�MP�PL�LE�ES�S
|
Line 1650 E�EX�XA�AM�MP�PL�LE�ES�S
|
| encapsulating in a shell script. |
encapsulating in a shell script. |
| |
|
| S�SE�EC�CU�UR�RI�IT�TY�Y N�NO�OT�TE�ES�S |
S�SE�EC�CU�UR�RI�IT�TY�Y N�NO�OT�TE�ES�S |
| |
L�Li�im�mi�it�ta�at�ti�io�on�ns�s o�of�f t�th�he�e '�'!�!'�' o�op�pe�er�ra�at�to�or�r |
| It is generally not effective to "subtract" commands from ALL using the |
It is generally not effective to "subtract" commands from ALL using the |
| '!' operator. A user can trivially circumvent this by copying the |
'!' operator. A user can trivially circumvent this by copying the |
| desired command to a different name and then executing that. For |
desired command to a different name and then executing that. For |
|
Line 1534 S�SE�EC�CU�UR�RI�IT�TY�Y N�NO�OT�TE�ES�S
|
Line 1664 S�SE�EC�CU�UR�RI�IT�TY�Y N�NO�OT�TE�ES�S
|
| kind of restrictions should be considered advisory at best (and |
kind of restrictions should be considered advisory at best (and |
| reinforced by policy). |
reinforced by policy). |
| |
|
| Furthermore, if the _�f_�a_�s_�t_�__�g_�l_�o_�b option is in use, it is not possible to | In general, if a user has sudo ALL there is nothing to prevent them |
| reliably negate commands where the path name includes globbing (aka | from creating their own program that gives them a root shell (or making |
| wildcard) characters. This is because the C library's _�f_�n_�m_�a_�t_�c_�h(3) | their own copy of a shell) regardless of any '!' elements in the user |
| function cannot resolve relative paths. While this is typically only | specification. |
| an inconvenience for rules that grant privileges, it can result in a | |
| security issue for rules that subtract or revoke privileges. | |
| |
|
| |
S�Se�ec�cu�ur�ri�it�ty�y i�im�mp�pl�li�ic�ca�at�ti�io�on�ns�s o�of�f _�f_�a_�s_�t_�__�g_�l_�o_�b |
| |
If the _�f_�a_�s_�t_�__�g_�l_�o_�b option is in use, it is not possible to reliably |
| |
negate commands where the path name includes globbing (aka wildcard) |
| |
characters. This is because the C library's _�f_�n_�m_�a_�t_�c_�h(3) function cannot |
| |
resolve relative paths. While this is typically only an inconvenience |
| |
for rules that grant privileges, it can result in a security issue for |
| |
rules that subtract or revoke privileges. |
| |
|
| For example, given the following _�s_�u_�d_�o_�e_�r_�s entry: |
For example, given the following _�s_�u_�d_�o_�e_�r_�s entry: |
| |
|
| john ALL = /usr/bin/passwd [a-zA-Z0-9]*, /usr/bin/chsh [a-zA-Z0-9]*, |
john ALL = /usr/bin/passwd [a-zA-Z0-9]*, /usr/bin/chsh [a-zA-Z0-9]*, |
|
Line 1549 S�SE�EC�CU�UR�RI�IT�TY�Y N�NO�OT�TE�ES�S
|
Line 1685 S�SE�EC�CU�UR�RI�IT�TY�Y N�NO�OT�TE�ES�S
|
| User j�jo�oh�hn�n can still run /usr/bin/passwd root if _�f_�a_�s_�t_�__�g_�l_�o_�b is enabled by |
User j�jo�oh�hn�n can still run /usr/bin/passwd root if _�f_�a_�s_�t_�__�g_�l_�o_�b is enabled by |
| changing to _�/_�u_�s_�r_�/_�b_�i_�n and running ./passwd root instead. |
changing to _�/_�u_�s_�r_�/_�b_�i_�n and running ./passwd root instead. |
| |
|
| P�PR�RE�EV�VE�EN�NT�TI�IN�NG�G S�SH�HE�EL�LL�L E�ES�SC�CA�AP�PE�ES�S | P�Pr�re�ev�ve�en�nt�ti�in�ng�g S�Sh�he�el�ll�l E�Es�sc�ca�ap�pe�es�s |
| Once s�su�ud�do�o executes a program, that program is free to do whatever it |
Once s�su�ud�do�o executes a program, that program is free to do whatever it |
| pleases, including run other programs. This can be a security issue |
pleases, including run other programs. This can be a security issue |
| since it is not uncommon for a program to allow shell escapes, which |
since it is not uncommon for a program to allow shell escapes, which |
|
Line 1606 P�PR�RE�EV�VE�EN�NT�TI�IN�NG�G S�SH�HE�EL�LL�L E�ES�SC
|
Line 1742 P�PR�RE�EV�VE�EN�NT�TI�IN�NG�G S�SH�HE�EL�LL�L E�ES�SC
|
| privilege escalation. In the specific case of an editor, a safer |
privilege escalation. In the specific case of an editor, a safer |
| approach is to give the user permission to run s�su�ud�do�oe�ed�di�it�t. |
approach is to give the user permission to run s�su�ud�do�oe�ed�di�it�t. |
| |
|
| S�SE�EC�CU�UR�RI�IT�TY�Y N�NO�OT�TE�ES�S | T�Ti�im�me�e s�st�ta�am�mp�p f�fi�il�le�e c�ch�he�ec�ck�ks�s |
| _�s_�u_�d_�o_�e_�r_�s will check the ownership of its time stamp directory |
_�s_�u_�d_�o_�e_�r_�s will check the ownership of its time stamp directory |
| (_�/_�v_�a_�r_�/_�a_�d_�m_�/_�s_�u_�d_�o by default) and ignore the directory's contents if it is |
(_�/_�v_�a_�r_�/_�a_�d_�m_�/_�s_�u_�d_�o by default) and ignore the directory's contents if it is |
| not owned by root or if it is writable by a user other than root. On |
not owned by root or if it is writable by a user other than root. On |
|
Line 1645 S�SE�EC�CU�UR�RI�IT�TY�Y N�NO�OT�TE�ES�S
|
Line 1781 S�SE�EC�CU�UR�RI�IT�TY�Y N�NO�OT�TE�ES�S
|
| Administrators should not rely on this feature as it is not universally |
Administrators should not rely on this feature as it is not universally |
| available. |
available. |
| |
|
| If users have sudo ALL there is nothing to prevent them from creating |
|
| their own program that gives them a root shell (or making their own |
|
| copy of a shell) regardless of any '!' elements in the user |
|
| specification. |
|
| |
|
| S�SE�EE�E A�AL�LS�SO�O |
S�SE�EE�E A�AL�LS�SO�O |
| _�r_�s_�h(1), _�s_�u(1), _�f_�n_�m_�a_�t_�c_�h(3), _�g_�l_�o_�b(3), _�m_�k_�t_�e_�m_�p(3), _�s_�t_�r_�f_�t_�i_�m_�e(3), |
_�r_�s_�h(1), _�s_�u(1), _�f_�n_�m_�a_�t_�c_�h(3), _�g_�l_�o_�b(3), _�m_�k_�t_�e_�m_�p(3), _�s_�t_�r_�f_�t_�i_�m_�e(3), |
| _�s_�u_�d_�o_�e_�r_�s_�._�l_�d_�a_�p(4), _�s_�u_�d_�o_�__�p_�l_�u_�g_�i_�n(1m), _�s_�u_�d_�o(1m), _�v_�i_�s_�u_�d_�o(1m) |
_�s_�u_�d_�o_�e_�r_�s_�._�l_�d_�a_�p(4), _�s_�u_�d_�o_�__�p_�l_�u_�g_�i_�n(1m), _�s_�u_�d_�o(1m), _�v_�i_�s_�u_�d_�o(1m) |
|
Line 1683 D�DI�IS�SC�CL�LA�AI�IM�ME�ER�R
|
Line 1814 D�DI�IS�SC�CL�LA�AI�IM�ME�ER�R
|
| |
|
| |
|
| |
|
| 1.8.3 September 16, 2011 SUDOERS(4) | 1.8.5 March 28, 2012 SUDOERS(4) |
![[BACK]](/icons/cvsweb/back.gif){kind=icon}
Return to sudoers.cat CVS log ![[TXT]](/icons/cvsweb/text.gif){kind=icon}
![[DIR]](/icons/cvsweb/dir.gif){kind=icon}
Up to [ELWIX - Embedded LightWeight unIX -] / embedaddon / sudo / doc