|
version 1.1, 2012/02/21 16:23:02
|
version 1.1.1.2, 2012/05/29 12:26:49
|
|
Line 1
|
Line 1
|
| Copyright (c) 1994-1996, 1998-2005, 2007-2011 | Copyright (c) 1994-1996, 1998-2005, 2007-2012 |
| Todd C. Miller <Todd.Miller@courtesan.com> |
Todd C. Miller <Todd.Miller@courtesan.com> |
| |
|
| Permission to use, copy, modify, and distribute this software for any |
Permission to use, copy, modify, and distribute this software for any |
|
Line 89 environment are inherited by the command to be run. T
|
Line 89 environment are inherited by the command to be run. T
|
| distinct ways I<sudoers> can deal with environment variables. |
distinct ways I<sudoers> can deal with environment variables. |
| |
|
| By default, the I<env_reset> option is enabled. This causes commands |
By default, the I<env_reset> option is enabled. This causes commands |
| to be executed with a minimal environment containing C<TERM>, | to be executed with a new, minimal environment. On AIX (and Linux |
| C<PATH>, C<HOME>, C<MAIL>, C<SHELL>, C<LOGNAME>, C<USER> and C<USERNAME> in | systems without PAM), the environment is initialized with the |
| addition to variables from the invoking process permitted by the | contents of the F</etc/environment> file. On BSD systems, if the |
| | I<use_loginclass> option is enabled, the environment is initialized |
| | based on the I<path> and I<setenv> settings in F</etc/login.conf>. |
| | The new environment contains the C<TERM>, C<PATH>, C<HOME>, C<MAIL>, |
| | C<SHELL>, C<LOGNAME>, C<USER>, C<USERNAME> and C<SUDO_*> variables |
| | in addition to variables from the invoking process permitted by the |
| I<env_check> and I<env_keep> options. This is effectively a whitelist |
I<env_check> and I<env_keep> options. This is effectively a whitelist |
| for environment variables. |
for environment variables. |
| |
|
|
Line 119 As a special case, if B<sudo>'s B<-i> option (initial
|
Line 124 As a special case, if B<sudo>'s B<-i> option (initial
|
| specified, I<sudoers> will initialize the environment regardless |
specified, I<sudoers> will initialize the environment regardless |
| of the value of I<env_reset>. The I<DISPLAY>, I<PATH> and I<TERM> |
of the value of I<env_reset>. The I<DISPLAY>, I<PATH> and I<TERM> |
| variables remain unchanged; I<HOME>, I<MAIL>, I<SHELL>, I<USER>, |
variables remain unchanged; I<HOME>, I<MAIL>, I<SHELL>, I<USER>, |
| and I<LOGNAME> are set based on the target user. On Linux and AIX | and I<LOGNAME> are set based on the target user. On AIX (and Linux |
| systems the contents of F</etc/environment> are also included. All | systems without PAM), the contents of F</etc/environment> are also |
| other environment variables are removed. | included. On BSD systems, if the I<use_loginclass> option is |
| | enabled, the I<path> and I<setenv> variables in F</etc/login.conf> |
| | are also applied. All other environment variables are removed. |
| |
|
| |
Finally, if the I<env_file> option is defined, any variables present |
| |
in that file will be set to their specified values as long as they |
| |
would not conflict with an existing environment variable. |
| |
|
| =head1 SUDOERS FILE FORMAT |
=head1 SUDOERS FILE FORMAT |
| |
|
| The I<sudoers> file is composed of two types of entries: aliases |
The I<sudoers> file is composed of two types of entries: aliases |
|
Line 537 and F</usr/bin/vi> but shell escapes will be disabled.
|
Line 548 and F</usr/bin/vi> but shell escapes will be disabled.
|
| |
|
| aaron shanty = NOEXEC: /usr/bin/more, /usr/bin/vi |
aaron shanty = NOEXEC: /usr/bin/more, /usr/bin/vi |
| |
|
| See the L<PREVENTING SHELL ESCAPES> section below for more details | See the L<Preventing Shell Escapes> section below for more details |
| on how C<NOEXEC> works and whether or not it will work on your system. |
on how C<NOEXEC> works and whether or not it will work on your system. |
| |
|
| =head3 SETENV and NOSETENV |
=head3 SETENV and NOSETENV |
|
Line 655 F</etc/sudoers> will be processed. Files that are inc
|
Line 666 F</etc/sudoers> will be processed. Files that are inc
|
| themselves include other files. A hard limit of 128 nested include |
themselves include other files. A hard limit of 128 nested include |
| files is enforced to prevent include file loops. |
files is enforced to prevent include file loops. |
| |
|
| The file name may include the C<%h> escape, signifying the short form | If the path to the include file is not fully-qualified (does not |
| | begin with a F</>), it must be located in the same directory as the |
| | sudoers file it was included from. For example, if F</etc/sudoers> |
| | contains the line: |
| | |
| | =over 4 |
| | |
| | C<#include sudoers.local> |
| | |
| | =back |
| | |
| | the file that will be included is F</etc/sudoers.local>. |
| | |
| | The file name may also include the C<%h> escape, signifying the short form |
| of the host name. I.e., if the machine's host name is "xerxes", then |
of the host name. I.e., if the machine's host name is "xerxes", then |
| |
|
| C<#include /etc/sudoers.%h> |
C<#include /etc/sudoers.%h> |
|
Line 770 default.
|
Line 794 default.
|
| |
|
| =item env_reset |
=item env_reset |
| |
|
| If set, B<sudo> will reset the environment to only contain the | If set, B<sudo> will run the command in a minimal environment |
| LOGNAME, MAIL, SHELL, USER, USERNAME and the C<SUDO_*> variables. Any | containing the C<TERM>, C<PATH>, C<HOME>, C<MAIL>, C<SHELL>, |
| | C<LOGNAME>, C<USER>, C<USERNAME> and C<SUDO_*> variables. Any |
| variables in the caller's environment that match the C<env_keep> |
variables in the caller's environment that match the C<env_keep> |
| and C<env_check> lists are then added. The default contents of the | and C<env_check> lists are then added, followed by any variables |
| C<env_keep> and C<env_check> lists are displayed when B<sudo> is | present in the file specified by the I<env_file> option (if any). |
| run by root with the I<-V> option. If the I<secure_path> option | The default contents of the C<env_keep> and C<env_check> lists are |
| is set, its value will be used for the C<PATH> environment variable. | displayed when B<sudo> is run by root with the I<-V> option. If |
| This flag is I<@env_reset@> by default. | the I<secure_path> option is set, its value will be used for the |
| | C<PATH> environment variable. This flag is I<@env_reset@> by |
| | default. |
| |
|
| =item fast_glob |
=item fast_glob |
| |
|
|
Line 921 by default.
|
Line 948 by default.
|
| |
|
| If set, all commands run via B<sudo> will behave as if the C<NOEXEC> |
If set, all commands run via B<sudo> will behave as if the C<NOEXEC> |
| tag has been set, unless overridden by a C<EXEC> tag. See the |
tag has been set, unless overridden by a C<EXEC> tag. See the |
| description of I<NOEXEC and EXEC> below as well as the L<PREVENTING SHELL | description of I<NOEXEC and EXEC> below as well as the L<Preventing Shell |
| ESCAPES> section at the end of this manual. This flag is I<off> by default. | Escapes> section at the end of this manual. This flag is I<off> by default. |
| |
|
| =item path_info |
=item path_info |
| |
|
|
Line 1256 Default is C<@mailsub@>.
|
Line 1283 Default is C<@mailsub@>.
|
| |
|
| =item noexec_file |
=item noexec_file |
| |
|
| This option is deprecated and will be removed in a future release | This option is no longer supported. The path to the noexec file |
| of B<sudo>. The path to the noexec file should now be set in the | should now be set in the F<@sysconfdir@/sudo.conf> file. |
| F<@sysconfdir@/sudo.conf> file. | |
| |
|
| =item passprompt |
=item passprompt |
| |
|
|
Line 1358 B<Strings that can be used in a boolean context>:
|
Line 1384 B<Strings that can be used in a boolean context>:
|
| |
|
| =item env_file |
=item env_file |
| |
|
| The I<env_file> options specifies the fully qualified path to a | The I<env_file> option specifies the fully qualified path to a |
| file containing variables to be set in the environment of the program |
file containing variables to be set in the environment of the program |
| being run. Entries in this file should either be of the form |
being run. Entries in this file should either be of the form |
| C<VARIABLE=value> or C<export VARIABLE=value>. The value may |
C<VARIABLE=value> or C<export VARIABLE=value>. The value may |
|
Line 1576 is displayed when B<sudo> is run by root with the I<-V
|
Line 1602 is displayed when B<sudo> is run by root with the I<-V
|
| |
|
| =back |
=back |
| |
|
| |
=head1 SUDO.CONF |
| |
|
| |
The F<@sysconfdir@/sudo.conf> file determines which plugins the |
| |
B<sudo> front end will load. If no F<@sysconfdir@/sudo.conf> file |
| |
is present, or it contains no C<Plugin> lines, B<sudo> will use the |
| |
I<sudoers> security policy and I/O logging, which corresponds to |
| |
the following F<@sysconfdir@/sudo.conf> file. |
| |
|
| |
# |
| |
# Default @sysconfdir@/sudo.conf file |
| |
# |
| |
# Format: |
| |
# Plugin plugin_name plugin_path plugin_options ... |
| |
# Path askpass /path/to/askpass |
| |
# Path noexec /path/to/sudo_noexec.so |
| |
# Debug sudo /var/log/sudo_debug all@warn |
| |
# Set disable_coredump true |
| |
# |
| |
# The plugin_path is relative to @prefix@/libexec unless |
| |
# fully qualified. |
| |
# The plugin_name corresponds to a global symbol in the plugin |
| |
# that contains the plugin interface structure. |
| |
# The plugin_options are optional. |
| |
# |
| |
Plugin policy_plugin sudoers.so |
| |
Plugin io_plugin sudoers.so |
| |
|
| |
=head2 PLUGIN OPTIONS |
| |
|
| |
Starting with B<sudo> 1.8.5 it is possible to pass options to the |
| |
I<sudoers> plugin. Options may be listed after the path to the |
| |
plugin (i.e. after F<sudoers.so>); multiple options should be |
| |
space-separated. For example: |
| |
|
| |
Plugin sudoers_policy sudoers.so sudoers_file=/etc/sudoers sudoers_uid=0 sudoers_gid=0 sudoers_mode=0440 |
| |
|
| |
The following plugin options are supported: |
| |
|
| |
=over 10 |
| |
|
| |
=item sudoers_file=pathname |
| |
|
| |
The I<sudoers_file> option can be used to override the default path |
| |
to the I<sudoers> file. |
| |
|
| |
=item sudoers_uid=uid |
| |
|
| |
The I<sudoers_uid> option can be used to override the default owner |
| |
of the sudoers file. It should be specified as a numeric user ID. |
| |
|
| |
=item sudoers_gid=gid |
| |
|
| |
The I<sudoers_gid> option can be used to override the default group |
| |
of the sudoers file. It should be specified as a numeric group ID. |
| |
|
| |
=item sudoers_mode=mode |
| |
|
| |
The I<sudoers_mode> option can be used to override the default file |
| |
mode for the sudoers file. It should be specified as an octal value. |
| |
|
| |
=back |
| |
|
| |
=head2 DEBUG FLAGS |
| |
|
| |
Versions 1.8.4 and higher of the I<sudoers> plugin supports a |
| |
debugging framework that can help track down what the plugin is |
| |
doing internally if there is a problem. This can be configured in |
| |
the F<@sysconfdir@/sudo.conf> file as described in L<sudo(8)>. |
| |
|
| |
The I<sudoers> plugin uses the same debug flag format as B<sudo> |
| |
itself: I<subsystem>@I<priority>. |
| |
|
| |
The priorities used by I<sudoers>, in order of decreasing severity, |
| |
are: I<crit>, I<err>, I<warn>, I<notice>, I<diag>, I<info>, I<trace> |
| |
and I<debug>. Each priority, when specified, also includes all |
| |
priorities higher than it. For example, a priority of I<notice> |
| |
would include debug messages logged at I<notice> and higher. |
| |
|
| |
The following subsystems are used by I<sudoers>: |
| |
|
| |
=over 10 |
| |
|
| |
=item I<alias> |
| |
|
| |
C<User_Alias>, C<Runas_Alias>, C<Host_Alias> and C<Cmnd_Alias> processing |
| |
|
| |
=item I<all> |
| |
|
| |
matches every subsystem |
| |
|
| |
=item I<audit> |
| |
|
| |
BSM and Linux audit code |
| |
|
| |
=item I<auth> |
| |
|
| |
user authentication |
| |
|
| |
=item I<defaults> |
| |
|
| |
I<sudoers> I<Defaults> settings |
| |
|
| |
=item I<env> |
| |
|
| |
environment handling |
| |
|
| |
=item I<ldap> |
| |
|
| |
LDAP-based sudoers |
| |
|
| |
=item I<logging> |
| |
|
| |
logging support |
| |
|
| |
=item I<match> |
| |
|
| |
matching of users, groups, hosts and netgroups in I<sudoers> |
| |
|
| |
=item I<netif> |
| |
|
| |
network interface handling |
| |
|
| |
=item I<nss> |
| |
|
| |
network service switch handling in I<sudoers> |
| |
|
| |
=item I<parser> |
| |
|
| |
I<sudoers> file parsing |
| |
|
| |
=item I<perms> |
| |
|
| |
permission setting |
| |
|
| |
=item I<plugin> |
| |
|
| |
The equivalent of I<main> for the plugin. |
| |
|
| |
=item I<pty> |
| |
|
| |
pseudo-tty related code |
| |
|
| |
=item I<rbtree> |
| |
|
| |
redblack tree internals |
| |
|
| |
=item I<util> |
| |
|
| |
utility functions |
| |
|
| |
=back |
| |
|
| =head1 FILES |
=head1 FILES |
| |
|
| =over 24 |
=over 24 |
| |
|
| |
=item F<@sysconfdir@/sudo.conf> |
| |
|
| |
Sudo front end configuration |
| |
|
| =item F<@sysconfdir@/sudoers> |
=item F<@sysconfdir@/sudoers> |
| |
|
| List of who can run what |
List of who can run what |
|
Line 1602 Directory containing time stamps for the I<sudoers> se
|
Line 1784 Directory containing time stamps for the I<sudoers> se
|
| |
|
| =item F</etc/environment> |
=item F</etc/environment> |
| |
|
| Initial environment for B<-i> mode on Linux and AIX | Initial environment for B<-i> mode on AIX and Linux systems |
| |
|
| =back |
=back |
| |
|
|
Line 1792 for encapsulating in a shell script.
|
Line 1974 for encapsulating in a shell script.
|
| |
|
| =head1 SECURITY NOTES |
=head1 SECURITY NOTES |
| |
|
| |
=head2 Limitations of the '!' operator |
| |
|
| It is generally not effective to "subtract" commands from C<ALL> |
It is generally not effective to "subtract" commands from C<ALL> |
| using the '!' operator. A user can trivially circumvent this |
using the '!' operator. A user can trivially circumvent this |
| by copying the desired command to a different name and then |
by copying the desired command to a different name and then |
|
Line 1805 different name, or use a shell escape from an editor o
|
Line 1989 different name, or use a shell escape from an editor o
|
| program. Therefore, these kind of restrictions should be considered |
program. Therefore, these kind of restrictions should be considered |
| advisory at best (and reinforced by policy). |
advisory at best (and reinforced by policy). |
| |
|
| Furthermore, if the I<fast_glob> option is in use, it is not possible | In general, if a user has sudo C<ALL> there is nothing to prevent |
| | them from creating their own program that gives them a root shell |
| | (or making their own copy of a shell) regardless of any '!' elements |
| | in the user specification. |
| | |
| | =head2 Security implications of I<fast_glob> |
| | |
| | If the I<fast_glob> option is in use, it is not possible |
| to reliably negate commands where the path name includes globbing |
to reliably negate commands where the path name includes globbing |
| (aka wildcard) characters. This is because the C library's |
(aka wildcard) characters. This is because the C library's |
| L<fnmatch(3)> function cannot resolve relative paths. While this |
L<fnmatch(3)> function cannot resolve relative paths. While this |
|
Line 1821 For example, given the following I<sudoers> entry:
|
Line 2012 For example, given the following I<sudoers> entry:
|
| User B<john> can still run C</usr/bin/passwd root> if I<fast_glob> is |
User B<john> can still run C</usr/bin/passwd root> if I<fast_glob> is |
| enabled by changing to F</usr/bin> and running C<./passwd root> instead. |
enabled by changing to F</usr/bin> and running C<./passwd root> instead. |
| |
|
| =head1 PREVENTING SHELL ESCAPES | =head2 Preventing Shell Escapes |
| |
|
| Once B<sudo> executes a program, that program is free to do whatever |
Once B<sudo> executes a program, that program is free to do whatever |
| it pleases, including run other programs. This can be a security |
it pleases, including run other programs. This can be a security |
|
Line 1885 to unintended privilege escalation. In the specific c
|
Line 2076 to unintended privilege escalation. In the specific c
|
| editor, a safer approach is to give the user permission to run |
editor, a safer approach is to give the user permission to run |
| B<sudoedit>. |
B<sudoedit>. |
| |
|
| =head1 SECURITY NOTES | =head2 Time stamp file checks |
| |
|
| I<sudoers> will check the ownership of its time stamp directory |
I<sudoers> will check the ownership of its time stamp directory |
| (F<@timedir@> by default) and ignore the directory's contents if |
(F<@timedir@> by default) and ignore the directory's contents if |
|
Line 1925 monotonically increase the inode number of devices as
|
Line 2116 monotonically increase the inode number of devices as
|
| created (such as Mac OS X), I<sudoers> is able to determine when a |
created (such as Mac OS X), I<sudoers> is able to determine when a |
| tty-based time stamp file is stale and will ignore it. Administrators |
tty-based time stamp file is stale and will ignore it. Administrators |
| should not rely on this feature as it is not universally available. |
should not rely on this feature as it is not universally available. |
| |
|
| If users have sudo C<ALL> there is nothing to prevent them from |
|
| creating their own program that gives them a root shell (or making |
|
| their own copy of a shell) regardless of any '!' elements in the |
|
| user specification. |
|
| |
|
| =head1 SEE ALSO |
=head1 SEE ALSO |
| |
|
![[BACK]](/icons/cvsweb/back.gif){kind=icon}
Return to sudoers.pod CVS log ![[TXT]](/icons/cvsweb/text.gif){kind=icon}
![[DIR]](/icons/cvsweb/dir.gif){kind=icon}
Up to [ELWIX - Embedded LightWeight unIX -] / embedaddon / sudo / doc