--- embedaddon/sudo/doc/sudoers.cat 2013/10/14 07:56:34 1.1.1.5 +++ embedaddon/sudo/doc/sudoers.cat 2014/06/15 16:12:54 1.1.1.6 @@ -87,13 +87,15 @@ DDEESSCCRRIIPPTTIIOONN the _s_u_d_o_e_r_s lookup is still done for root, not the user specified by SUDO_USER. - _s_u_d_o_e_r_s uses time stamp files for credential caching. Once a user has - been authenticated, the time stamp is updated and the user may then use - sudo without a password for a short period of time (5 minutes unless - overridden by the _t_i_m_e_o_u_t option). By default, _s_u_d_o_e_r_s uses a tty-based - time stamp which means that there is a separate time stamp for each of a - user's login sessions. The _t_t_y___t_i_c_k_e_t_s option can be disabled to force - the use of a single time stamp for all of a user's sessions. + _s_u_d_o_e_r_s uses per-user time stamp files for credential caching. Once a + user has been authenticated, a record is written containing the uid that + was used to authenticate, the terminal session ID, and a time stamp + (using a monotonic clock if one is available). The user may then use + ssuuddoo without a password for a short period of time (5 minutes unless + overridden by the _t_i_m_e_o_u_t option). By default, _s_u_d_o_e_r_s uses a separate + record for each tty, which means that a user's login sessions are + authenticated separately. The _t_t_y___t_i_c_k_e_t_s option can be disabled to + force the use of a single time stamp for all of a user's sessions. _s_u_d_o_e_r_s can log both successful and unsuccessful attempts (as well as errors) to syslog(3), a log file, or both. By default, _s_u_d_o_e_r_s will log 
@@ -815,6 +817,13 @@ SSUUDDOOEERRSS OOPPTTIIOONNSS This flag is _o_n by default when ssuuddoo is compiled with zzlliibb support. + use_netgroups If set, netgroups (prefixed with `+'), may be used in + place of a user or host. For LDAP-based sudoers, + netgroup support requires an expensive substring match + on the server. If netgroups are not needed, this + option can be disabled to reduce the load on the LDAP + server. This flag is _o_n by default. + exec_background By default, ssuuddoo runs a command as the foreground process as long as ssuuddoo itself is running in the foreground. When the _e_x_e_c___b_a_c_k_g_r_o_u_n_d flag is enabled @@ -910,7 +919,7 @@ SSUUDDOOEERRSS OOPPTTIIOONNSS If the system is configured to use the _/_e_t_c_/_h_o_s_t_s file in preference to DNS, the ``canonical'' host name may not be fully-qualified. The order that sources are - queried for hosts name resolution is usually specified + queried for host name resolution is usually specified in the _/_e_t_c_/_n_s_s_w_i_t_c_h_._c_o_n_f, _/_e_t_c_/_n_e_t_s_v_c_._c_o_n_f, _/_e_t_c_/_h_o_s_t_._c_o_n_f, or, in some cases, _/_e_t_c_/_r_e_s_o_l_v_._c_o_n_f file. In the _/_e_t_c_/_h_o_s_t_s file, the first host name of 
@@ -1120,13 +1129,15 @@ SSUUDDOOEERRSS OOPPTTIIOONNSS This flag is _o_n by default. rootpw If set, ssuuddoo will prompt for the root password instead - of the password of the invoking user. This flag is _o_f_f - by default. + of the password of the invoking user when running a + command or editing a file. This flag is _o_f_f by + default. runaspw If set, ssuuddoo will prompt for the password of the user defined by the _r_u_n_a_s___d_e_f_a_u_l_t option (defaults to root) - instead of the password of the invoking user. This - flag is _o_f_f by default. + instead of the password of the invoking user when + running a command or editing a file. This flag is _o_f_f + by default. set_home If enabled and ssuuddoo is invoked with the --ss option the HOME environment variable will be set to the home 
@@ -1185,17 +1196,17 @@ SSUUDDOOEERRSS OOPPTTIIOONNSS targetpw If set, ssuuddoo will prompt for the password of the user specified by the --uu option (defaults to root) instead - of the password of the invoking user. In addition, the - time stamp file name will include the target user's - name. Note that this flag precludes the use of a uid - not listed in the passwd database as an argument to the - --uu option. This flag is _o_f_f by default. + of the password of the invoking user when running a + command or editing a file. Note that this flag + precludes the use of a uid not listed in the passwd + database as an argument to the --uu option. This flag is + _o_f_f by default. tty_tickets If set, users must authenticate on a per-tty basis. - With this flag enabled, ssuuddoo will use a file named for - the tty the user is logged in on in the user's time - stamp directory. If disabled, the time stamp of the - directory is used instead. This flag is _o_n by default. + With this flag enabled, ssuuddoo will use a separate record + in the time stamp file for each tty. If disabled, a + single record is used for all login sessions. This + flag is _o_n by default. umask_override If set, ssuuddoo will set the umask as specified by _s_u_d_o_e_r_s without modification. This makes it possible to @@ -1357,6 +1368,14 @@ SSUUDDOOEERRSS OOPPTTIIOONNSS will be truncated and overwritten unless _i_o_l_o_g___f_i_l_e ends in six or more Xs. + lecture_status_dir + The directory in which ssuuddoo stores per-user lecture + status files. Once a user has received the lecture, a + zero-length file is created in this directory so that + ssuuddoo will not lecture the user again. This directory + should _n_o_t be cleared when the system reboots. The + default is _/_v_a_r_/_a_d_m_/_s_u_d_o_/_l_e_c_t_u_r_e_d. + limitprivs The default Solaris limit privileges to use when constructing a new privilege set for a command. This bounds all privileges of the executing process. The 
@@ -1381,7 +1400,7 @@ SSUUDDOOEERRSS OOPPTTIIOONNSS Once the local sequence number reaches the value of _m_a_x_s_e_q, it will ``roll over'' to zero, after which ssuuddooeerrss will truncate and re-use any existing I/O log - pathnames. + path names. This setting is only supported by version 1.8.7 or higher. @@ -1472,10 +1491,12 @@ SSUUDDOOEERRSS OOPPTTIIOONNSS to ``C''. timestampdir The directory in which ssuuddoo stores its time stamp - files. The default is _/_v_a_r_/_a_d_m_/_s_u_d_o. + files. This directory should be cleared when the + system reboots. The default is _/_v_a_r_/_r_u_n_/_s_u_d_o_/_t_s. - timestampowner The owner of the time stamp directory and the time - stamps stored therein. The default is root. + timestampowner The owner of the lecture status directory, time stamp + directory and all files stored therein. The default is + root. type The default SELinux type to use when constructing a new security context to run the command. The default type 
@@ -1810,15 +1831,27 @@ LLOOGG FFOORRMMAATT `N' is the group ID that owns the _s_u_d_o_e_r_s file) to the ssuuddooeerrss Plugin line in the sudo.conf(4) file. - unable to open /var/adm/sudo/username/ttyname - _s_u_d_o_e_r_s was unable to read or create the user's time stamp file. + unable to open /var/run/sudo/ts/username + _s_u_d_o_e_r_s was unable to read or create the user's time stamp file. This + can happen when _t_i_m_e_s_t_a_m_p_o_w_n_e_r is set to a user other than root and + the mode on _/_v_a_r_/_r_u_n_/_s_u_d_o is not searchable by group or other. The + default mode for _/_v_a_r_/_r_u_n_/_s_u_d_o is 0711. - unable to write to /var/adm/sudo/username/ttyname + unable to write to /var/run/sudo/ts/username _s_u_d_o_e_r_s was unable to write to the user's time stamp file. - unable to mkdir to /var/adm/sudo/username - _s_u_d_o_e_r_s was unable to create the user's time stamp directory. + /var/run/sudo/ts is owned by uid X, should be Y + The time stamp directory is owned by a user other than _t_i_m_e_s_t_a_m_p_o_w_n_e_r. + This can occur when the value of _t_i_m_e_s_t_a_m_p_o_w_n_e_r has been changed. + _s_u_d_o_e_r_s will ignore the time stamp directory until the owner is + corrected. + /var/run/sudo/ts is group writable + The time stamp directory is group-writable; it should be writable only + by _t_i_m_e_s_t_a_m_p_o_w_n_e_r. The default mode for the time stamp directory is + 0700. _s_u_d_o_e_r_s will ignore the time stamp directory until the mode is + corrected. + NNootteess oonn llooggggiinngg vviiaa ssyysslloogg By default, _s_u_d_o_e_r_s logs messages via syslog(3). The _d_a_t_e, _h_o_s_t_n_a_m_e, and _p_r_o_g_n_a_m_e fields are added by the syslog daemon, not _s_u_d_o_e_r_s itself. As 
@@ -1859,9 +1892,12 @@ FFIILLEESS _/_v_a_r_/_l_o_g_/_s_u_d_o_-_i_o I/O log files - _/_v_a_r_/_a_d_m_/_s_u_d_o Directory containing time stamps for the + _/_v_a_r_/_r_u_n_/_s_u_d_o_/_t_s Directory containing time stamps for the _s_u_d_o_e_r_s security policy + _/_v_a_r_/_a_d_m_/_s_u_d_o_/_l_e_c_t_u_r_e_d Directory containing lecture status files for + the _s_u_d_o_e_r_s security policy + _/_e_t_c_/_e_n_v_i_r_o_n_m_e_n_t Initial environment for --ii mode on AIX and Linux systems 
@@ -2145,45 +2181,64 @@ SSEECCUURRIITTYY NNOOTTEESS as root are still capable of many potentially hazardous operations (such as changing or overwriting files) that could lead to unintended privilege escalation. In the specific case of an editor, a safer approach is to - give the user permission to run ssuuddooeeddiitt. + give the user permission to run ssuuddooeeddiitt (see below). + SSeeccuurree eeddiittiinngg + The _s_u_d_o_e_r_s plugin includes ssuuddooeeddiitt support which allows users to + securely edit files with the editor of their choice. As ssuuddooeeddiitt is a + built-in command, it must be specified in _s_u_d_o_e_r_s without a leading path. + However, it may take command line arguments just as a normal command + does. For example, to allow user operator to edit the ``message of the + day'' file: + + operator sudoedit /etc/motd + + The operator user then runs ssuuddooeeddiitt as follows: + + $ sudoedit /etc/motd + + The editor will run as the operator user, not root, on a temporary copy + of _/_e_t_c_/_m_o_t_d. After the file has been edited, _/_e_t_c_/_m_o_t_d will be updated + with the contents of the temporary copy. + TTiimmee ssttaammpp ffiillee cchheecckkss _s_u_d_o_e_r_s will check the ownership of its time stamp directory - (_/_v_a_r_/_a_d_m_/_s_u_d_o by default) and ignore the directory's contents if it is - not owned by root or if it is writable by a user other than root. On - systems that allow non-root users to give away files via chown(2), if the - time stamp directory is located in a world-writable directory (e.g., - _/_t_m_p), it is possible for a user to create the time stamp directory - before ssuuddoo is run. However, because _s_u_d_o_e_r_s checks the ownership and - mode of the directory and its contents, the only damage that can be done - is to ``hide'' files by putting them in the time stamp dir. 
This is - unlikely to happen since once the time stamp dir is owned by root and - inaccessible by any other user, the user placing files there would be - unable to get them back out. + (_/_v_a_r_/_r_u_n_/_s_u_d_o_/_t_s by default) and ignore the directory's contents if it + is not owned by root or if it is writable by a user other than root. + Older versions of ssuuddoo stored time stamp files in _/_t_m_p; this is no longer + recommended as it may be possible for a user to create the time stamp + themselves on systems that allow unprivileged users to change the + ownership of files they create. + While the time stamp directory _s_h_o_u_l_d be cleared at reboot time, not all + systems contain a _/_v_a_r_/_r_u_n directory. To avoid potential problems, + _s_u_d_o_e_r_s will ignore time stamp files that date from before the machine + booted on systems where the boot time is available. + + Some systems with graphical desktop environments allow unprivileged users + to change the system clock. Since _s_u_d_o_e_r_s relies on the system clock for + time stamp validation, it may be possible on such systems for a user to + run ssuuddoo for longer than _t_i_m_e_s_t_a_m_p___t_i_m_e_o_u_t by setting the clock back. To + combat this, _s_u_d_o_e_r_s uses a monotonic clock (which never moves backwards) + for its time stamps if the system supports it. + _s_u_d_o_e_r_s will not honor time stamps set far in the future. Time stamps with a date greater than current_time + 2 * TIMEOUT will be ignored and - sudo will log and complain. This is done to keep a user from creating - his/her own time stamp with a bogus date on systems that allow users to - give away files if the time stamp directory is located in a world- - writable directory. + _s_u_d_o_e_r_s will log and complain. - On systems where the boot time is available, _s_u_d_o_e_r_s will ignore time - stamps that date from before the machine booted. 
- Since time stamp files live in the file system, they can outlive a user's login session. As a result, a user may be able to login, run a command with ssuuddoo after authenticating, logout, login again, and run ssuuddoo without - authenticating so long as the time stamp file's modification time is - within 5 minutes (or whatever the timeout is set to in _s_u_d_o_e_r_s). When - the _t_t_y___t_i_c_k_e_t_s option is enabled, the time stamp has per-tty granularity - but still may outlive the user's session. On Linux systems where the - devpts filesystem is used, Solaris systems with the devices filesystem, - as well as other systems that utilize a devfs filesystem that - monotonically increase the inode number of devices as they are created - (such as Mac OS X), _s_u_d_o_e_r_s is able to determine when a tty-based time - stamp file is stale and will ignore it. Administrators should not rely - on this feature as it is not universally available. + authenticating so long as the record's time stamp is within 5 minutes (or + whatever value the timeout is set to in _s_u_d_o_e_r_s). When the _t_t_y___t_i_c_k_e_t_s + option is enabled, the time stamp record includes the device number of + the terminal the user authenticated with. This provides per-tty + granularity but time stamp records still may outlive the user's session. + The time stamp record also includes the session ID of the process that + last authenticated. This prevents processes in different terminal + sessions from using the same time stamp record. It also helps reduce the + chance that a user will be able to run ssuuddoo without entering a password + when logging out and back in again on the same terminal. DDEEBBUUGGGGIINNGG Versions 1.8.4 and higher of the ssuuddooeerrss plugin support a flexible @@ -2234,6 +2289,8 @@ DDEEBBUUGGGGIINNGG _r_b_t_r_e_e redblack tree internals + _s_s_s_d SSSD-based sudoers + _u_t_i_l utility functions For example: 
@@ -2272,4 +2329,4 @@ DDIISSCCLLAAIIMMEERR file distributed with ssuuddoo or http://www.sudo.ws/sudo/license.html for complete details. -Sudo 1.8.8 August 31, 2013 Sudo 1.8.8 +Sudo 1.8.10 February 15, 2014 Sudo 1.8.10
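Review bot: the rewritten DESCRIPTION paragraph in the @@ -87 hunk lists the record contents as "the uid that was used to authenticate, the terminal session ID, and a time stamp", but the SECURITY NOTES hunk later in this patch says the record also carries "the device number of the terminal the user authenticated with" when tty_tickets is enabled. The overview and the security section should agree on what distinguishes one session's record from another; suggest adding the tty device number here (qualified by "when tty_tickets is enabled") so a reader of the DESCRIPTION does not assume the session ID alone is the discriminator.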
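Review bot: the use_netgroups entry in the @@ -815 hunk describes the option only as an LDAP load reduction and never says what happens to existing entries prefixed with `+' in sudoers or LDAP when the flag is off. A policy author needs to know whether such entries simply stop matching or are interpreted some other way, since a silently non-matching rule changes who is permitted to run what. Suggest one sentence after "This flag is on by default.", for example "When disabled, entries prefixed with `+' will not match any user or host.", if that is the actual behaviour.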
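Review bot: in the @@ -1120 hunk, narrowing rootpw and runaspw to "when running a command or editing a file" implies the flags do not govern the other sudo operations (listing privileges, validating the time stamp), but the entries do not say whose password is prompted for in those cases. An administrator who enables rootpw specifically so the invoking user's own password is never sufficient needs that stated. The same qualifier was added to targetpw in the @@ -1185 hunk, so a single shared sentence or cross-reference would cover all three options.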
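Review bot: the @@ -1185 hunk drops the sentence "the time stamp file name will include the target user's name" from targetpw without replacing it, so the entry no longer explains how a targetpw authentication is kept separate from an ordinary one. The DESCRIPTION hunk states that the record now contains "the uid that was used to authenticate"; suggest restating that here (for example "The time stamp record includes the uid of the target user.") so readers do not conclude that a password entered for one target user now unlocks sudo for every target user within the timeout.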
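Review bot: the lecture_status_dir entry in the @@ -1357 hunk gives the path and the reboot semantics but not the expected ownership or mode, while the timestampowner entry in the @@ -1472 hunk now makes timestampowner the owner of "the lecture status directory, time stamp directory and all files stored therein". Suggest a cross-reference to timestampowner from lecture_status_dir, and a statement of whether sudoers applies the ownership and mode checks documented for the time stamp directory in the LOG FORMAT hunk to this directory as well; a lecture flag carries less risk than a time stamp record, but the manual should say which checks apply.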
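Review bot: the timestampdir entry in the @@ -1472 hunk changes the default to /var/run/sudo/ts and says the directory "should be cleared when the system reboots", but the ownership and mode that sudoers enforces on it appear only in the LOG FORMAT hunk (the parent /var/run/sudo searchable, default mode 0711, when timestampowner is not root; the directory itself default mode 0700 and not group-writable). An administrator pointing timestampdir at another location needs those requirements in this entry; suggest a one-sentence summary or a pointer to the "Time stamp file checks" section.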
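Review bot: in the @@ -1810 hunk the "/var/run/sudo/ts is group writable" message is explained with "it should be writable only by timestampowner", yet no message is listed for a world-writable time stamp directory, while the SECURITY NOTES hunk says the contents are ignored whenever the directory "is writable by a user other than root". Either document the world-writable message alongside this one or state that both conditions are reported by the same message. Also, "The default mode for the time stamp directory is 0700" follows "The default mode for /var/run/sudo is 0711" two entries earlier; naming the path (/var/run/sudo/ts) in the 0700 sentence would stop the two defaults reading as a contradiction.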
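Review bot: the sudoers example in the new "Secure editing" subsection of the @@ -2145 hunk, "operator sudoedit /etc/motd", lacks the Host_List and "=" that a sudoers user specification requires (User_List Host_List = Cmnd_Spec_List), so it will not parse if copied into a sudoers file; suggest "operator ALL = sudoedit /etc/motd". Separately, the rewritten "Time stamp file checks" text says stale records are ignored "on systems where the boot time is available" and that the directory "should be cleared at reboot time", but stops short of saying that on a system with neither a cleared /var/run nor a known boot time a record survives the reboot and stays valid until its timeout; stating that plainly would help administrators of such systems decide whether to clear the directory themselves.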