--- embedaddon/sudo/doc/sudoers.man.in 2013/10/14 07:56:34 1.1.1.5 +++ embedaddon/sudo/doc/sudoers.man.in 2014/06/15 16:12:54 1.1.1.6 @@ -1,7 +1,7 @@ .\" DO NOT EDIT THIS FILE, IT IS NOT THE MASTER! .\" IT IS GENERATED AUTOMATICALLY FROM sudoers.mdoc.in .\" -.\" Copyright (c) 1994-1996, 1998-2005, 2007-2013 +.\" Copyright (c) 1994-1996, 1998-2005, 2007-2014 .\" Todd C. Miller .\" .\" Permission to use, copy, modify, and distribute this software for any @@ -21,7 +21,7 @@ .\" Agency (DARPA) and Air Force Research Laboratory, Air Force .\" Materiel Command, USAF, under agreement number F39502-99-1-0512. .\" -.TH "SUDOERS" "@mansectsu@" "August 31, 2013" "Sudo @PACKAGE_VERSION@" "Programmer's Manual" +.TH "SUDOERS" "@mansectsu@" "February 15, 2014" "Sudo @PACKAGE_VERSION@" "Programmer's Manual" .nh .if n .ad l .SH "NAME" @@ -206,10 +206,14 @@ lookup is still done for root, not the user specified \fRSUDO_USER\fR. .PP \fIsudoers\fR -uses time stamp files for credential caching. -Once a -user has been authenticated, the time stamp is updated and the user -may then use sudo without a password for a short period of time +uses per-user time stamp files for credential caching. +Once a user has been authenticated, a record is written +containing the uid that was used to authenticate, the +terminal session ID, and a time stamp +(using a monotonic clock if one is available). +The user may then use +\fBsudo\fR +without a password for a short period of time (\fR@timeout@\fR minutes unless overridden by the \fItimeout\fR @@ -217,8 +221,8 @@ option) \&. By default, \fIsudoers\fR -uses a tty-based time stamp which means that -there is a separate time stamp for each of a user's login sessions. +uses a separate record for each tty, which means that +a user's login sessions are authenticated separately. The \fItty_tickets\fR option can be disabled to force the use of a 
@@ -330,7 +334,7 @@ The list of environment variables that \fBsudo\fR allows or denies is contained in the output of -``\fRsudo -V\fR'' +\(lq\fRsudo -V\fR\(rq when run as root. .PP Note that the dynamic linker on most operating systems will remove @@ -431,7 +435,7 @@ EBNF also contains the following operators, which many readers will recognize from regular expressions. Do not, however, confuse them with -``wildcard'' +\(lqwildcard\(rq characters, which have different meanings. .TP 6n \fR\&?\fR @@ -500,7 +504,7 @@ A \fRNAME\fR is a string of uppercase letters, numbers, and underscore characters -(`_'). +(\(oq_\(cq). A \fRNAME\fR \fBmust\fR @@ -508,7 +512,7 @@ start with an uppercase letter. It is possible to put several alias definitions of the same type on a single line, joined by a colon -(`:\&'). +(\(oq:\&\(cq). E.g., .nf .sp @@ -541,24 +545,24 @@ A \fRUser_List\fR is made up of one or more user names, user IDs (prefixed with -`#'), +\(oq#\(cq), system group names and IDs (prefixed with -`%' +\(oq%\(cq and -`%#' +\(oq%#\(cq respectively), netgroups (prefixed with -`+'), +\(oq+\(cq), non-Unix group names and IDs (prefixed with -`%:' +\(oq%:\(cq and -`%:#' +\(oq%:#\(cq respectively) and \fRUser_Alias\fRes. Each list item may be prefixed with zero or more -`\&!' +\(oq\&!\(cq operators. An odd number of -`\&!' +\(oq\&!\(cq operators negate the value of the item; an even number just cancel each other out. .PP @@ -602,7 +606,7 @@ for more information. .PP Note that quotes around group names are optional. Unquoted strings must use a backslash -(`\e') +(\(oq\e\(cq) to escape spaces and special characters. See \fIOther special characters and reserved words\fR 
@@ -658,10 +662,10 @@ A \fRHost_List\fR is made up of one or more host names, IP addresses, network numbers, netgroups (prefixed with -`+') +\(oq+\(cq) and other aliases. Again, the value of an item may be negated with the -`\&!' +\(oq\&!\(cq operator. If you do not specify a netmask along with the network number, \fBsudo\fR @@ -686,7 +690,7 @@ Note that only inspects actual network interfaces; this means that IP address 127.0.0.1 (localhost) will never match. Also, the host name -``localhost'' +\(lqlocalhost\(rq will only match if that is the actual host name, which is usually only the case for non-networked systems. .nf @@ -733,7 +737,7 @@ may only be run command line arguments. A directory is a fully qualified path name ending in a -`/'. +\(oq/\(cq. When you specify a directory in a \fRCmnd_List\fR, the user will be able to run any file within that directory @@ -747,14 +751,14 @@ in the must match exactly those given by the user on the command line (or match the wildcards if there are any). Note that the following characters must be escaped with a -`\e' +\(oq\e\(cq if they are used in command arguments: -`,\&', -`:\&', -`=\&', -`\e'. +\(oq,\&\(cq, +\(oq:\&\(cq, +\(oq=\&\(cq, +\(oq\e\(cq. The built-in command -``\fRsudoedit\fR'' +\(lq\fRsudoedit\fR\(rq is used to permit a user to run \fBsudo\fR with the @@ -763,7 +767,7 @@ option (or as \fBsudoedit\fR). It may take command line arguments just as a normal command does. Note that -``\fRsudoedit\fR'' +\(lq\fRsudoedit\fR\(rq is a command built into \fBsudo\fR itself and must be specified in @@ -845,7 +849,7 @@ values, or \fBlists\fR. Flags are implicitly boolean and can be turned off via the -`\&!' +\(oq\&!\(cq operator. Some integer, string and list parameters may also be used in a boolean context to disable them. 
@@ -854,7 +858,7 @@ in double quotes (\&"") when they contain multiple words. Special characters may be escaped with a backslash -(`\e'). +(\(oq\e\(cq). .PP Lists have two additional assignment operators, \fR+=\fR @@ -906,7 +910,7 @@ run as but this can be changed on a per-command basis. .PP The basic structure of a user specification is -``who where = (as_whom) what''. +\(lqwho where = (as_whom) what\(rq. Let's break that down into its constituent parts: .SS "Runas_Spec" A @@ -918,7 +922,7 @@ A fully-specified consists of two \fRRunas_List\fRs (as defined above) separated by a colon -(`:\&') +(\(oq:\&\(cq) and enclosed in a set of parentheses. The first \fRRunas_List\fR @@ -1118,7 +1122,7 @@ $ ppriv -l .fi .PP In addition, there are several -``special'' +\(lqspecial\(rq privilege strings: .TP 10n none @@ -1135,9 +1139,9 @@ the default set of privileges normal users are granted .PP Privileges can be excluded from a set by prefixing the privilege name with either an -`\&!' +\(oq\&!\(cq or -`\-' +\(oq\-\(cq character. .SS "Tag_Spec" A command may have zero or more tags associated with it. @@ -1189,13 +1193,13 @@ Conversely, the \fRPASSWD\fR tag can be used to reverse things. For example: -.RS .nf .sp -.RS 0n +.RS 2n ray rushmore = NOPASSWD: /bin/kill, /bin/ls, /usr/bin/lprm .RE .fi +.RS 2n .sp would allow the user \fBray\fR @@ -1215,7 +1219,7 @@ run without a password the entry would be: .nf .sp -.RS 0n +.RS 2n ray rushmore = NOPASSWD: /bin/kill, PASSWD: /bin/ls, /usr/bin/lprm .RE .fi @@ -1230,10 +1234,10 @@ By default, if the \fRNOPASSWD\fR tag is applied to any of the entries for a user on the current host, he or she will be able to run -``\fRsudo -l\fR'' +\(lq\fRsudo -l\fR\(rq without a password. Additionally, a user may only run -``\fRsudo -v\fR'' +\(lq\fRsudo -v\fR\(rq without a password if the \fRNOPASSWD\fR tag is present for all a user's entries that pertain to the current host. 
@@ -1242,9 +1246,7 @@ This behavior may be overridden via the and \fIlistpw\fR options. -.PP .RE -.PD 0 .TP 2n \fINOEXEC\fR and \fIEXEC\fR .sp @@ -1264,23 +1266,20 @@ may run and \fI/usr/bin/vi\fR but shell escapes will be disabled. -.RS .nf .sp -.RS 0n +.RS 2n aaron shanty = NOEXEC: /usr/bin/more, /usr/bin/vi .RE .fi +.RS 2n .sp See the \fIPreventing shell escapes\fR section below for more details on how \fRNOEXEC\fR works and whether or not it will work on your system. -.PD -.PP .RE -.PD 0 .TP 2n \fISETENV\fR and \fINOSETENV\fR .sp @@ -1308,7 +1307,6 @@ the tag is implied for that command; this default may be overridden by use of the \fRNOSETENV\fR tag. -.PD .TP 2n \fILOG_INPUT\fR and \fINOLOG_INPUT\fR .sp @@ -1365,15 +1363,15 @@ in the specified range. .TP 10n \fR\ex\fR For any character -`x', +\(oqx\(cq, evaluates to -`x'. +\(oqx\(cq. This is used to escape special characters such as: -`*', -`\&?', -`[\&', +\(oq*\(cq, +\(oq\&?\(cq, +\(oq[\&\(cq, and -`]\&'. +\(oq]\&\(cq. .PP Character classes may also be used if your system's glob(3) @@ -1381,7 +1379,7 @@ and fnmatch(3) functions support them. However, because the -`:\&' +\(oq:\&\(cq character has special meaning in \fIsudoers\fR, it must be @@ -1390,14 +1388,14 @@ For example: .nf .sp .RS 4n -/bin/ls [[\:alpha\:]]* +/bin/ls [[:\&alpha:\&]]* .RE .fi .PP Would match any file name beginning with a letter. .PP Note that a forward slash -(`/') +(\(oq/\(cq) will \fBnot\fR be matched by @@ -1423,9 +1421,9 @@ arbitrary strings and not just path names. Wildcards in command line arguments should be used with care. Because command line arguments are matched as a single, concatenated string, a wildcard such as -`\&?' +\(oq\&?\(cq or -`*' +\(oq*\(cq can match multiple words. For example, while a sudoers entry like: .nf 
@@ -1468,7 +1466,7 @@ sudoedit Command line arguments to the \fIsudoedit\fR built-in command should always be path names, so a forward slash -(`/') +(\(oq/\(cq) will not be matched by a wildcard. .SS "Including other files from within sudoers" It is possible to include other @@ -1521,7 +1519,7 @@ file loops. .PP If the path to the include file is not fully-qualified (does not begin with a -`/', +\(oq/\(cq, it must be located in the same directory as the sudoers file it was included from. For example, if @@ -1541,7 +1539,7 @@ The file name may also include the \fR%h\fR escape, signifying the short form of the host name. In other words, if the machine's host name is -``xerxes'', +\(lqxerxes\(rq, then .nf .sp @@ -1575,9 +1573,9 @@ For example, given: will read each file in \fI/etc/sudoers.d\fR, skipping file names that end in -`~' +\(oq~\(cq or contain a -`.\&' +\(oq.\&\(cq character to avoid causing problems with package manager or editor temporary/backup files. Files are parsed in sorted lexical order. @@ -1606,7 +1604,7 @@ with the flag to edit the files directly. .SS "Other special characters and reserved words" The pound sign -(`#') +(\(oq#\(cq) is used to indicate a comment (unless it is part of a #include directive or unless it occurs in the context of a user name and is followed by one or more digits, in which case it is treated as a @@ -1637,7 +1635,7 @@ can be dangerous since in a command context, it allows command on the system. .PP An exclamation point -(`\&!') +(\(oq\&!\(cq) can be used as a logical \fInot\fR operator in a list or @@ -1646,7 +1644,7 @@ as well as in front of a \fRCmnd\fR. This allows one to exclude certain values. For the -`\&!' +\(oq\&!\(cq operator to be effective, there must be something for it to exclude. For example, to match all users except for root one would use: .nf 
@@ -1668,42 +1666,42 @@ is omitted, as in: .PP it would explicitly deny root but not match any other users. This is different from a true -``negation'' +\(lqnegation\(rq operator. .PP Note, however, that using a -`\&!' +\(oq\&!\(cq in conjunction with the built-in \fBALL\fR alias to allow a user to run -``all but a few'' +\(lqall but a few\(rq commands rarely works as intended (see \fISECURITY NOTES\fR below). .PP Long lines can be continued with a backslash -(`\e') +(\(oq\e\(cq) as the last character on the line. .PP White space between elements in a list as well as special syntactic characters in a \fIUser Specification\fR -(`=\&', -`:\&', -`(\&', -`)\&') +(\(oq=\&\(cq, +\(oq:\&\(cq, +\(oq(\&\(cq, +\(oq)\&\(cq) is optional. .PP The following characters must be escaped with a backslash -(`\e') +(\(oq\e\(cq) when used as part of a word (e.g.\& a user name or host name): -`\&!', -`=\&', -`:\&', -`,\&', -`(\&', -`)\&', -`\e'. +\(oq\&!\(cq, +\(oq=\&\(cq, +\(oq:\&\(cq, +\(oq,\&\(cq, +\(oq(\&\(cq, +\(oq)\&\(cq, +\(oq\e\(cq. .SH "SUDOERS OPTIONS" \fBsudo\fR's behavior can be modified by @@ -1779,6 +1777,18 @@ is compiled with \fBzlib\fR support. .TP 18n +use_netgroups +If set, netgroups (prefixed with +\(oq+\(cq), +may be used in place of a user or host. +For LDAP-based sudoers, netgroup support requires an expensive +substring match on the server. +If netgroups are not needed, this option can be disabled to reduce the +load on the LDAP server. +This flag is +\fIon\fR +by default. +.TP 18n exec_background By default, \fBsudo\fR @@ -1860,8 +1870,7 @@ if they match a value specified in \fReditor\fR. This flag is \fI@env_editor@\fR -by -default. +by default. .TP 18n env_reset If set, @@ -1931,7 +1940,7 @@ or \fI../bin/ls\fR. This has security implications when path names that include globbing characters are used with the negation operator, -`!\&', +\(oq!\&\(cq, as such rules can be trivially bypassed. As such, this option should not be used when \fIsudoers\fR 
@@ -1950,7 +1959,7 @@ command) does not contain the domain name. In other words, instead of myhost you would use myhost.mydomain.edu. You may still use the short form if you wish (and even mix the two). This option is only effective when the -``canonical'' +\(lqcanonical\(rq host name, as returned by the \fBgetaddrinfo\fR() or @@ -1962,9 +1971,9 @@ for host name resolution. If the system is configured to use the \fI/etc/hosts\fR file in preference to DNS, the -``canonical'' +\(lqcanonical\(rq host name may not be fully-qualified. -The order that sources are queried for hosts name resolution +The order that sources are queried for host name resolution is usually specified in the \fI@nsswitch_conf@\fR, \fI@netsvc_conf@\fR, @@ -1975,18 +1984,19 @@ file. In the \fI/etc/hosts\fR file, the first host name of the entry is considered to be the -``canonical'' +\(lqcanonical\(rq name; subsequent names are aliases that are not used by \fBsudoers\fR. For example, the following hosts file line for the machine -``xyzzy'' +\(lqxyzzy\(rq has the fully-qualified domain name as the -``canonical'' +\(lqcanonical\(rq host name, and the short version as an alias. .sp -.RS 6n +.RS 24n 192.168.1.1 xyzzy.sudo.ws xyzzy .RE +.RS 18n .sp If the machine's hosts file entry is not formatted properly, the \fIfqdn\fR @@ -2001,7 +2011,7 @@ to make DNS lookups which renders unusable if DNS stops working (for example if the machine is disconnected from the network). Also note that just like with the hosts file, you must use the -``canonical'' +\(lqcanonical\(rq name as DNS knows it. That is, you may not use a host alias (\fRCNAME\fR @@ -2012,6 +2022,7 @@ aliases from DNS. This flag is \fI@fqdn@\fR by default. +.RE .TP 18n ignore_dot If set, @@ -2080,7 +2091,7 @@ by default) using a unique session ID that is included in the normal \fBsudo\fR log line, prefixed with -``\fRTSID=\fR''. +\(lq\fRTSID=\fR\(rq. The \fIiolog_file\fR option may be used to control the format of the session ID. 
@@ -2113,7 +2124,7 @@ by default) using a unique session ID that is included in the normal \fBsudo\fR log line, prefixed with -``\fRTSID=\fR''. +\(lq\fRTSID=\fR\(rq. The \fIiolog_file\fR option may be used to control the format of the session ID. @@ -2270,7 +2281,7 @@ The password prompt specified by \fIpassprompt\fR will normally only be used if the password prompt provided by systems such as PAM matches the string -``Password:''. +\(lqPassword:\(rq. If \fIpassprompt_override\fR is set, @@ -2348,10 +2359,10 @@ If set, root is allowed to run \fBsudo\fR too. Disabling this prevents users from -``chaining'' +\(lqchaining\(rq \fBsudo\fR commands to get a root shell by doing something like -``\fRsudo sudo /bin/sh\fR''. +\(lq\fRsudo sudo /bin/sh\fR\(rq. Note, however, that turning off \fIroot_sudo\fR will also prevent root from running @@ -2366,7 +2377,8 @@ by default. rootpw If set, \fBsudo\fR -will prompt for the root password instead of the password of the invoking user. +will prompt for the root password instead of the password of the invoking user +when running a command or editing a file. This flag is \fIoff\fR by default. @@ -2378,7 +2390,8 @@ will prompt for the password of the user defined by th \fIrunas_default\fR option (defaults to \fR@runas_default@\fR) -instead of the password of the invoking user. +instead of the password of the invoking user +when running a command or editing a file. This flag is \fIoff\fR by default. @@ -2521,8 +2534,8 @@ by the \fB\-u\fR option (defaults to \fRroot\fR) -instead of the password of the invoking user. -In addition, the time stamp file name will include the target user's name. +instead of the password of the invoking user +when running a command or editing a file. Note that this flag precludes the use of a uid not listed in the passwd database as an argument to the \fB\-u\fR 
@@ -2535,9 +2548,8 @@ tty_tickets If set, users must authenticate on a per-tty basis. With this flag enabled, \fBsudo\fR -will use a file named for the tty the user is -logged in on in the user's time stamp directory. -If disabled, the time stamp of the directory is used instead. +will use a separate record in the time stamp file for each tty. +If disabled, a single record is used for all login sessions. This flag is \fI@tty_tickets@\fR by default. @@ -2610,7 +2622,7 @@ flag is set, \fBsudo\fR will prompt for a password even when it would be visible on the screen. This makes it possible to run things like -``\fRssh somehost sudo ls\fR'' +\(lq\fRssh somehost sudo ls\fR\(rq since by default, ssh(1) does @@ -2680,9 +2692,9 @@ If set to a value less than \fR0\fR the user's time stamp will never expire. This can be used to allow users to create or delete their own time stamps via -``\fRsudo -v\fR'' +\(lq\fRsudo -v\fR\(rq and -``\fRsudo -k\fR'' +\(lq\fRsudo -k\fR\(rq respectively. .TP 18n umask @@ -2711,7 +2723,7 @@ unless insults are enabled. .TP 18n editor A colon -(`:\&') +(\(oq:\&\(cq) separated list of editors allowed to be used with \fBvisudo\fR. \fBvisudo\fR @@ -2739,14 +2751,17 @@ The default is \fI@iolog_dir@\fR. .sp The following percent -(`%') +(\(oq%\(cq) escape sequences are supported: -.RS +.PP +.RS 18n +.PD 0 .TP 6n \fR%{seq}\fR expanded to a monotonically increasing base-36 sequence number, such as 0100A5, where every two digits are used to form a new directory, e.g.\& \fI01/00/A5\fR +.PD .TP 6n \fR%{user}\fR expanded to the invoking user's login name @@ -2773,13 +2788,11 @@ strftime(3) function will be expanded. .sp To include a literal -`%' +\(oq%\(cq character, the string -`%%' +\(oq%%\(cq should be used. -.PP .RE -.PD 0 .TP 18n iolog_file The path name, relative to 
@@ -2797,12 +2810,12 @@ Note that \fIiolog_file\fR may contain directory components. The default is -``\fR%{seq}\fR''. +\(lq\fR%{seq}\fR\(rq. .sp See the \fIiolog_dir\fR option above for a list of supported percent -(`%') +(\(oq%\(cq) escape sequences. .sp In addition to the escape sequences, path names that end in six or @@ -2824,8 +2837,21 @@ overwritten unless ends in six or more \fRX\fRs. -.PD .TP 18n +lecture_status_dir +The directory in which +\fBsudo\fR +stores per-user lecture status files. +Once a user has received the lecture, a zero-length file is +created in this directory so that +\fBsudo\fR +will not lecture the user again. +This directory should +\fInot\fR +be cleared when the system reboots. +The default is +\fI@vardir@/lectured\fR. +.TP 18n limitprivs The default Solaris limit privileges to use when constructing a new privilege set for a command. @@ -2844,32 +2870,32 @@ The escape \fR%h\fR will expand to the host name of the machine. Default is -``\fR@mailsub@\fR''. +\(lq\fR@mailsub@\fR\(rq. .TP 18n maxseq The maximum sequence number that will be substituted for the -``\fR%{seq}\fR'' +\(lq\fR%{seq}\fR\(rq escape in the I/O log file (see the \fIiolog_dir\fR description above for more information). While the value substituted for -``\fR%{seq}\fR'' +\(lq\fR%{seq}\fR\(rq is in base 36, \fImaxseq\fR itself should be expressed in decimal. Values larger than 2176782336 (which corresponds to the base 36 sequence number -``ZZZZZZ'') +\(lqZZZZZZ\(rq) will be silently truncated to 2176782336. The default value is 2176782336. .sp Once the local sequence number reaches the value of \fImaxseq\fR, it will -``roll over'' +\(lqroll over\(rq to zero, after which \fBsudoers\fR -will truncate and re-use any existing I/O log pathnames. +will truncate and re-use any existing I/O log path names. .sp This setting is only supported by version 1.8.7 or higher. .TP 18n 
@@ -2888,7 +2914,7 @@ name used when the \fB\-i\fR option is specified. The default value is -``\fR@pam_login_service@\fR''. +\(lq\fR@pam_login_service@\fR\(rq. See the description of \fIpam_service\fR for more information. @@ -2904,7 +2930,7 @@ file or a file in the \fI/etc/pam.d\fR directory. The default value is -``\fRsudo\fR''. +\(lq\fRsudo\fR\(rq. .sp This setting is only supported by version 1.8.8 or higher. .TP 18n @@ -2915,15 +2941,18 @@ option or the \fRSUDO_PROMPT\fR environment variable. The following percent -(`%') +(\(oq%\(cq) escape sequences are supported: -.RS +.PP +.RS 18n +.PD 0 .TP 6n \fR%H\fR expanded to the local host name including the domain name (only if the machine's host name is fully qualified or the \fIfqdn\fR option is set) +.PD .TP 6n \fR%h\fR expanded to the local host name without the domain name @@ -2952,10 +2981,8 @@ characters are collapsed into a single character .PP The default value is -``\fR@passprompt@\fR''. -.PP +\(lq\fR@passprompt@\fR\(rq. .RE -.PD 0 .TP 18n privs The default Solaris privileges to use when constructing a new @@ -2973,7 +3000,6 @@ The default privileges may be overridden on a per-comm This option is only available if \fBsudoers\fR is built on Solaris 10 or higher. -.PD .TP 18n role The default SELinux role to use when constructing a new security @@ -3022,17 +3048,19 @@ Locale to use when parsing the sudoers file, logging c sending email. Note that changing the locale may affect how sudoers is interpreted. Defaults to -``\fRC\fR''. +\(lq\fRC\fR\(rq. .TP 18n timestampdir The directory in which \fBsudo\fR stores its time stamp files. +This directory should be cleared when the system reboots. The default is -\fI@timedir@\fR. +\fI@rundir@/ts\fR. .TP 18n timestampowner -The owner of the time stamp directory and the time stamps stored therein. +The owner of the lecture status directory, time stamp directory and all +files stored therein. The default is \fRroot\fR. .TP 18n 
@@ -3054,9 +3082,9 @@ The option specifies the fully qualified path to a file containing variables to be set in the environment of the program being run. Entries in this file should either be of the form -``\fRVARIABLE=value\fR'' +\(lq\fRVARIABLE=value\fR\(rq or -``\fRexport VARIABLE=value\fR''. +\(lq\fRexport VARIABLE=value\fR\(rq. The value may optionally be surrounded by single or double quotes. Variables in this file are subject to other \fBsudo\fR @@ -3091,10 +3119,13 @@ lecture This option controls when a short lecture will be printed along with the password prompt. It has the following possible values: -.RS +.PP +.RS 14n +.PD 0 .TP 8n always Always lecture the user. +.PD .TP 8n never Never lecture the user. @@ -3111,9 +3142,7 @@ Negating the option results in a value of being used. The default value is \fI@lecture@\fR. -.PP .RE -.PD 0 .TP 14n lecture_file Path to a file containing an alternate @@ -3123,7 +3152,6 @@ file exists. By default, \fBsudo\fR uses a built-in lecture. -.PD .TP 14n listpw This option controls when a password will be required when a user runs @@ -3132,7 +3160,9 @@ with the \fB\-l\fR option. It has the following possible values: -.RS +.PP +.RS 14n +.PD 0 .TP 10n all All the user's @@ -3141,6 +3171,7 @@ entries for the current host must have the \fRNOPASSWD\fR flag set to avoid entering a password. +.PD .TP 10n always The user must always enter a password to use the @@ -3168,9 +3199,7 @@ Negating the option results in a value of being used. The default value is \fIany\fR. -.PP .RE -.PD 0 .TP 14n logfile Path to the @@ -3181,7 +3210,6 @@ negating this option turns it off. By default, \fBsudo\fR logs via syslog. -.PD .TP 14n mailerflags Flags to use when invoking mailer. Defaults to @@ -3193,7 +3221,7 @@ Defaults to the path to sendmail found at configure ti .TP 14n mailfrom Address to use for the -``from'' +\(lqfrom\(rq address when sending warning and error mail. The address should be enclosed in double quotes (\&"") 
@@ -3227,9 +3255,9 @@ to have a sane \fRPATH\fR environment variable you may want to use this. Another use is if you want to have the -``root path'' +\(lqroot path\(rq be separate from the -``user path''. +\(lquser path\(rq. Users in the group specified by the \fIexempt_group\fR option are not affected by @@ -3266,7 +3294,9 @@ with the \fB\-v\fR option. It has the following possible values: -.RS +.PP +.RS 14n +.PD 0 .TP 8n all All the user's @@ -3274,6 +3304,7 @@ All the user's entries for the current host must have the \fRNOPASSWD\fR flag set to avoid entering a password. +.PD .TP 8n always The user must always enter a password to use the @@ -3307,9 +3338,9 @@ The default value is env_check Environment variables to be removed from the user's environment if the variable's value contains -`%' +\(oq%\(cq or -`/' +\(oq/\(cq characters. This can be used to guard against printf-style format vulnerabilities in poorly-written programs. @@ -3414,16 +3445,12 @@ The path to the group file should be specified as an o to the plugin. For example, if the group file to be used is \fI/etc/sudo-group\fR: -.RS .nf .sp -.RS 0n +.RS 10n Defaults group_plugin="group_file.so /etc/sudo-group" .RE .fi -.PP -.RE -.PD 0 .TP 10n system_group The @@ -3435,15 +3462,12 @@ and This plugin can be used in instances where the user belongs to groups not present in the user's supplemental group vector. This plugin takes no options: -.RS .nf .sp -.RS 0n +.RS 10n Defaults group_plugin=system_group.so .RE .fi -.RE -.PD .PP The group provider plugin API is described in detail in sudo_plugin(@mansectsu@). @@ -3470,7 +3494,7 @@ Where the fields are as follows: date The date the command was run. Typically, this is in the format -``MMM, DD, HH:MM:SS''. +\(lqMMM, DD, HH:MM:SS\(rq. If logging via syslog(3), the actual date format is controlled by the syslog daemon. 
@@ -3500,13 +3524,13 @@ The login name of the user who ran .TP 14n ttyname The short name of the terminal (e.g.\& -``console'', -``tty01'', +\(lqconsole\(rq, +\(lqtty01\(rq, or -``pts/0'') +\(lqpts/0\(rq) \fBsudo\fR was run on, or -``unknown'' +\(lqunknown\(rq if there was no terminal present. .TP 14n cwd @@ -3538,7 +3562,7 @@ The actual command that was executed. Messages are logged using the locale specified by \fIsudoers_locale\fR, which defaults to the -``\fRC\fR'' +\(lq\fRC\fR\(rq locale. .SS "Denied command log entries" If the user is not allowed to run the command, the reason for the denial @@ -3621,9 +3645,9 @@ using group permissions to avoid this problem. Consider either changing the ownership of \fI@sysconfdir@/sudoers\fR or adding an argument like -``sudoers_uid=N'' +\(lqsudoers_uid=N\(rq (where -`N' +\(oqN\(cq is the user ID that owns the \fIsudoers\fR file) to the end of the @@ -3650,9 +3674,9 @@ file has the wrong owner. If you wish to change the \fIsudoers\fR file owner, please add -``sudoers_uid=N'' +\(lqsudoers_uid=N\(rq (where -`N' +\(oqN\(cq is the user ID that owns the \fIsudoers\fR file) to the @@ -3671,7 +3695,7 @@ The file must not be world-writable, the default file mode is 0440 (readable by owner and group, writable by none). The default mode may be changed via the -``sudoers_mode'' +\(lqsudoers_mode\(rq option to the \fBsudoers\fR \fRPlugin\fR @@ -3686,9 +3710,9 @@ file has the wrong group ownership. If you wish to change the \fIsudoers\fR file group ownership, please add -``sudoers_gid=N'' +\(lqsudoers_gid=N\(rq (where -`N' +\(oqN\(cq is the group ID that owns the \fIsudoers\fR file) to the 
@@ -3698,17 +3722,37 @@ line in the sudo.conf(@mansectform@) file. .TP 3n -unable to open @timedir@/username/ttyname +unable to open @rundir@/ts/username \fIsudoers\fR was unable to read or create the user's time stamp file. +This can happen when +\fItimestampowner\fR +is set to a user other than root and the mode on +\fI@rundir@\fR +is not searchable by group or other. +The default mode for +\fI@rundir@\fR +is 0711. .TP 3n -unable to write to @timedir@/username/ttyname +unable to write to @rundir@/ts/username \fIsudoers\fR was unable to write to the user's time stamp file. .TP 3n -unable to mkdir to @timedir@/username +@rundir@/ts is owned by uid X, should be Y +The time stamp directory is owned by a user other than +\fItimestampowner\fR. +This can occur when the value of +\fItimestampowner\fR +has been changed. \fIsudoers\fR -was unable to create the user's time stamp directory. +will ignore the time stamp directory until the owner is corrected. +.TP 3n +@rundir@/ts is group writable +The time stamp directory is group-writable; it should be writable only by +\fItimestampowner\fR. +The default mode for the time stamp directory is 0700. +\fIsudoers\fR +will ignore the time stamp directory until the mode is corrected. .SS "Notes on logging via syslog" By default, \fIsudoers\fR @@ -3731,9 +3775,9 @@ To prevent the command line arguments from being trunc \fBsudoers\fR will split up log messages that are larger than 960 characters (not including the date, hostname, and the string -``sudo''). +\(lqsudo\(rq). When a message is split, additional parts will include the string -``(command continued)'' +\(lq(command continued)\(rq after the user name and before the continued command line arguments. .SS "Notes on logging to a file" If the @@ -3773,7 +3817,7 @@ on the log files. If the \fIloglinelen\fR option is set to 0 (or negated with a -`\&!'), +\(oq\&!\(cq), word wrap will be disabled. .SH "FILES" .TP 26n 
@@ -3792,11 +3836,16 @@ List of network groups \fI@iolog_dir@\fR I/O log files .TP 26n -\fI@timedir@\fR +\fI@rundir@/ts\fR Directory containing time stamps for the \fIsudoers\fR security policy .TP 26n +\fI@vardir@/lectured\fR +Directory containing lecture status files for the +\fIsudoers\fR +security policy +.TP 26n \fI/etc/environment\fR Initial environment for \fB\-i\fR @@ -4082,9 +4131,9 @@ may run any command on machines in the netgroup. \fBsudo\fR knows that -``biglab'' +\(lqbiglab\(rq is a netgroup due to the -`+' +\(oq+\(cq prefix. .nf .sp @@ -4218,13 +4267,13 @@ Any user may mount or unmount a CD-ROM on the machines This is a bit tedious for users to type, so it is a prime candidate for encapsulating in a shell script. .SH "SECURITY NOTES" -.SS "Limitations of the `!\&' operator" +.SS "Limitations of the \(oq!\&\(cq operator" It is generally not effective to -``subtract'' +\(lqsubtract\(rq commands from \fBALL\fR using the -`!\&' +\(oq!\&\(cq operator. A user can trivially circumvent this by copying the desired command to a different name and then executing that. @@ -4251,7 +4300,7 @@ In general, if a user has sudo \fBALL\fR there is nothing to prevent them from creating their own program that gives them a root shell (or making their own copy of a shell) regardless of any -`!\&' +\(oq!\&\(cq elements in the user specification. .SS "Security implications of \fIfast_glob\fR" If the @@ -4355,13 +4404,13 @@ for a command, use the tag as documented in the User Specification section above. Here is that example again: -.RS .nf .sp -.RS 0n +.RS 10n aaron shanty = NOEXEC: /usr/bin/more, /usr/bin/vi .RE .fi +.RS 10n .sp This allows user \fBaaron\fR 
@@ -4387,44 +4436,93 @@ operations (such as changing or overwriting files) tha to unintended privilege escalation. In the specific case of an editor, a safer approach is to give the user permission to run -\fBsudoedit\fR. +\fBsudoedit\fR +(see below). +.SS "Secure editing" +The +\fIsudoers\fR +plugin includes +\fBsudoedit\fR +support which allows users to securely edit files with the editor +of their choice. +As +\fBsudoedit\fR +is a built-in command, it must be specified in +\fIsudoers\fR +without a leading path. +However, it may take command line arguments just as a normal command does. +For example, to allow user operator to edit the +\(lqmessage of the day\(rq +file: +.nf +.sp +.RS 6n +operator sudoedit /etc/motd +.RE +.fi +.PP +The operator user then runs +\fBsudoedit\fR +as follows: +.nf +.sp +.RS 6n +$ sudoedit /etc/motd +.RE +.fi +.PP +The editor will run as the operator user, not root, on a temporary copy of +\fI/etc/motd\fR. +After the file has been edited, +\fI/etc/motd\fR +will be updated with the contents of the temporary copy. .SS "Time stamp file checks" \fIsudoers\fR will check the ownership of its time stamp directory -(\fI@timedir@\fR +(\fI@rundir@/ts\fR by default) and ignore the directory's contents if it is not owned by root or if it is writable by a user other than root. -On systems that allow non-root users to give away files via -chown(2), -if the time stamp directory is located in a world-writable -directory (e.g.\&, -\fI/tmp\fR), -it is possible for a user to create the time stamp directory before +Older versions of \fBsudo\fR -is run. -However, because +stored time stamp files in +\fI/tmp\fR; +this is no longer recommended as it may be possible for a user +to create the time stamp themselves on systems that allow +unprivileged users to change the ownership of files they create. +.PP +While the time stamp directory +\fIshould\fR +be cleared at reboot time, not all systems contain a +\fI/var/run\fR +directory. 
+To avoid potential problems, \fIsudoers\fR -checks the ownership and mode of the directory and its -contents, the only damage that can be done is to -``hide'' -files by putting them in the time stamp dir. -This is unlikely to happen since once the time stamp dir is owned by root -and inaccessible by any other user, the user placing files there would be -unable to get them back out. +will ignore time stamp files that date from before the machine booted +on systems where the boot time is available. .PP +Some systems with graphical desktop environments allow unprivileged +users to change the system clock. +Since \fIsudoers\fR +relies on the system clock for time stamp validation, it may be +possible on such systems for a user to run +\fBsudo\fR +for longer than +\fItimestamp_timeout\fR +by setting the clock back. +To combat this, +\fIsudoers\fR +uses a monotonic clock (which never moves backwards) for its time stamps +if the system supports it. +.PP +\fIsudoers\fR will not honor time stamps set far in the future. Time stamps with a date greater than current_time + 2 * \fRTIMEOUT\fR -will be ignored and sudo will log and complain. -This is done to keep a user from creating his/her own time stamp with a -bogus date on systems that allow users to give away files if the time -stamp directory is located in a world-writable directory. -.PP -On systems where the boot time is available, +will be ignored and \fIsudoers\fR -will ignore time stamps that date from before the machine booted. +will log and complain. .PP Since time stamp files live in the file system, they can outlive a user's login session. 
@@ -4432,24 +4530,24 @@ As a result, a user may be able to login, run a comman \fBsudo\fR after authenticating, logout, login again, and run \fBsudo\fR -without authenticating so long as the time stamp file's modification -time is within +without authenticating so long as the record's time stamp is within \fR@timeout@\fR -minutes (or whatever the timeout is set to in +minutes (or whatever value the timeout is set to in \fIsudoers\fR). When the \fItty_tickets\fR -option is enabled, the time stamp has per-tty granularity but still +option is enabled, the time stamp record includes the device +number of the terminal the user authenticated with. +This provides per-tty granularity but time stamp records still may outlive the user's session. -On Linux systems where the devpts filesystem is used, Solaris systems -with the devices filesystem, as well as other systems that utilize a -devfs filesystem that monotonically increase the inode number of devices -as they are created (such as Mac OS X), -\fIsudoers\fR -is able to determine when a tty-based time stamp file is stale and will -ignore it. -Administrators should not rely on this feature as it is not universally -available. +The time stamp record also includes the session ID of the process +that last authenticated. +This prevents processes in different terminal sessions from using +the same time stamp record. +It also helps reduce the chance that a user will be able to run +\fBsudo\fR +without entering a password when logging out and back in again +on the same terminal. .SH "DEBUGGING" Versions 1.8.4 and higher of the \fBsudoers\fR @@ -4545,11 +4643,13 @@ pseudo-tty related code \fIrbtree\fR redblack tree internals .TP 10n +\fIsssd\fR +SSSD-based sudoers +.TP 10n \fIutil\fR utility functions .PD 0 .PP -.PD For example: .nf .sp @@ -4557,6 +4657,7 @@ For example: Debug sudo /var/log/sudo_debug match@info,nss@info .RE .fi +.PD .PP For more information, see the sudo.conf(@mansectform@) 
@@ -4610,7 +4711,7 @@ search the archives. .SH "DISCLAIMER" \fBsudo\fR is provided -``AS IS'' +\(lqAS IS\(rq and any express or implied warranties, including, but not limited to, the implied warranties of merchantability and fitness for a particular purpose are disclaimed.
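Review bot: in the @@ -4355 hunk, the `.RS 10n` inserted after `.fi` has no matching `.RE` inside the hunk; it relies on the `.RE` that previously closed the removed outer `.RS` placed before `.nf`, so check that the text following "This allows user aaron" still ends with that `.RE`, otherwise the 10n indent leaks into the rest of the section.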
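Review bot: in the @@ -4387 hunk, the new "Secure editing" example `operator sudoedit /etc/motd` is not a valid user specification: every other example in this file gives a Host_List and `=` between the user and the command (compare `aaron shanty = NOEXEC: /usr/bin/more, /usr/bin/vi` in the hunk above), so it should read along the lines of `operator ALL = sudoedit /etc/motd`. Two smaller points in the same hunk: the rewritten "Time stamp file checks" text hard-codes `/var/run` while the directory is documented as `@rundir@/ts` a few lines earlier, and the paragraph on future time stamps still talks about a "date greater than current_time + 2 * TIMEOUT" (with `TIMEOUT` rather than the `timestamp_timeout` / `@timeout@` names used elsewhere) right after the new paragraph says a monotonic clock is used where available; the removed sentence about bogus time stamps was the only rationale for that check, so keep a one-line justification.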
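Review bot: in the @@ -4432 hunk, "The time stamp record also includes the session ID of the process that last authenticated" follows a sentence that is conditioned on `tty_tickets` being enabled, so it is ambiguous whether the session ID is compared when `tty_tickets` is disabled; state explicitly which fields of the record are checked in each mode. "It also helps reduce the chance that a user will be able to run sudo without entering a password when logging out and back in again" is vague next to the paragraph's opening claim that exactly this is possible; say what makes the old record fail (the new login session gets a different session ID) so the reader can judge the residual risk.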
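Review bot: in the @@ -4545 hunk, removing `.PD` after `.PP` leaves `.PD 0` in effect across the "For example:" paragraph and the example block until the `.PD` added after `.fi` in the @@ -4557 hunk; that drops the blank line between the subsystem list and the example, which looks intentional, but the two hunks must be applied together or paragraph spacing stays suppressed for the rest of the section. Also, the new `sssd` entry's description "SSSD-based sudoers" is a bare noun phrase where the neighbouring entries describe what gets logged ("redblack tree internals", "utility functions"); "SSSD-based sudoers lookups" would read consistently.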