Annotation of src/usr.bin/sudo/TODO, Revision 1.6
1.1 millert 1: TODO list (most will be addressed in sudo 2.0)
2:
3: 01) Redo parsing to be more like op(8) with true command aliases where
4: can specify uid, gid(s) and part/all of the environment.
5:
1.3 millert 6: 02) Add a SHELLS reserved word that checks against /etc/shells.
1.1 millert 7:
1.3 millert 8: 03) Make the sudoers file accessible via NIS, Hesiod, and maybe NetInfo.
1.1 millert 9:
1.3 millert 10: 04) Add a -h (?) flag to sudo for a history mechanism.
1.1 millert 11:
1.3 millert 12: 05) Add an option to set LD_LIBRARY_PATH?
1.1 millert 13:
1.3 millert 14: 06) Add Prog_Alias facility (Prog_Alias VI = /usr/secure/bin/vi +args).
1.1 millert 15:
1.3 millert 16: 07) check for <net/errno.h> in configure and include it in sudo.c if it exists.
1.1 millert 17:
1.3 millert 18: 08) Add generic STREAMS support for getting interfaces and netmasks.
1.1 millert 19:
1.3 millert 20: 09) Add support for "safe scripts" by checking for shell script
1.1 millert 21: cookie (first two bytes are "#!") and execing the shell outselves
22: after doing the stat to guard against spoofing. This should avoid
23: the race condition caused by going through namei() twice...
24:
1.3 millert 25: 10) Overhaul testsudoers to use things from parse.o so we don't reimplement
1.1 millert 26: things.
27:
1.3 millert 28: 11) Make runas_user a struct "runas" with user and group components.
1.1 millert 29: (maybe uid and gid too???)
30:
1.3 millert 31: 12) Add -g group/gid option.
1.1 millert 32:
1.3 millert 33: 13) Should be able to mix Cmnd_Alias's and command args. Ie:
1.1 millert 34: pete ALL=PASSWD [A-z]*,!PASSWD root
35: where PASSWD was defined to be /usr/bin/passwd.
36: This requires the arg parsing to happen in the yacc grammer.
37: At the very least, commands and args have to become separate
38: tokens in the lexer.
39:
1.3 millert 40: 14) Add a per-tty restriction? Ie: only can run foo from /dev/console.
1.1 millert 41:
1.3 millert 42: 15) Add test for how to read ether interfaces in configure script
1.1 millert 43:
1.3 millert 44: 16) Add configure check for $(CC) -R and use it in addition to -L
1.1 millert 45:
1.3 millert 46: 17) An option to make "sudo -s" use the target user's shell might be nice
47: (and more like su). Overlaps with the upcoming -i option.
1.1 millert 48:
1.3 millert 49: 18) Add configure option to enable old behavior of visudo (O_EXCL)?
1.1 millert 50: --without-sudoers-lock?
51:
1.3 millert 52: 19) Profile sudo again (is the yacc grammar optimal?)
1.1 millert 53:
1.3 millert 54: 20) Zero out encrypted passwords after use. Use an Exit function or
1.1 millert 55: some such (have to hook in to emalloc() and friends).
56: Hard (impossible?) to be thorough w/ atexit/on_exit.
57:
1.3 millert 58: 21) Make 'sudo -l user' if run as root do a "sudo -l" output for the specified
1.1 millert 59: user.
60:
1.3 millert 61: 22) Use strtol() and strtoul(), not atoi()
62:
63: 24) Look into %e, %p, %k in parse.lex
64:
1.6 ! millert 65: 24) Make syslog stuff work on vanilla ultrix
1.3 millert 66:
1.6 ! millert 67: 25) Implement date_format and log_format options.
1.3 millert 68:
1.6 ! millert 69: 26) Add support for: Default:user@host
1.3 millert 70:
1.6 ! millert 71: 27) Do login-style -sh hack for sudo -s? (new option or do it always?)
1.1 millert 72:
1.6 ! millert 73: 28) Make visudo rcs-aware
1.1 millert 74:
1.6 ! millert 75: 29) Add support for parsing multiple sudoers files. Basically make
1.3 millert 76: _PATH_SUDOERS be a colon-separated list of pathname like EDITOR.
77: Requires _PATH_SUDOERS_TMP chages (perhaps "%s.tmp").
1.1 millert 78:
1.6 ! millert 79: 30) Add -i (simulate initial login) option as per 946 +sudo
1.3 millert 80: (requires two-pass parser). Also add "default_path" Defaults option
81: to go with it. (See MINUS_I.patch)
1.1 millert 82:
1.6 ! millert 83: 31) Some people want to be able to specify a special password in sudoers
1.5 millert 84: in addition or instead of the normal one. The best argument for
85: this so far is to be able to use separate passwords for the
86: target users that are not the passwd file ones.
1.1 millert 87:
1.6 ! millert 88: 32) Add support for trusted users. E.g. allow user to run a certain
1.3 millert 89: command regardless of what dir it is in if it is owned by the
90: trusted user.
1.1 millert 91:
1.6 ! millert 92: 33) Add mechanism to choose logfile based on RunasUser
1.1 millert 93:
1.6 ! millert 94: 34) Split the parser into two stages. The first parse checks for
1.3 millert 95: syntax and sets the Defaults options and sets up the
96: data structures to check a user. The second stage does
97: the actual user check.
1.2 millert 98:
1.6 ! millert 99: 35) Add a flag similar to '-l' but that spits out sudo commands in
1.3 millert 100: a format suitable for cut & paste (requires parser overhaul first).
1.4 millert 101:
1.6 ! millert 102: 36) Someone wants a recursive version of the dir specifier. Ie:
1.4 millert 103: SOME_MODIFIER:/usr/local/ to allow anything under /usr/local to be run.
104:
1.6 ! millert 105: 37) An option to set the shell to the target user would make sense.
1.4 millert 106: See other target user-related issues above.
107:
1.6 ! millert 108: 38) Add an option (-D) to dump the defaults after the sudoers file
1.4 millert 109: has been parsed. Should only be available to root and should
110: allow a -u user modifier.
111:
1.6 ! millert 112: 39) For sudo 1.7 wipe out the environment by default.
! 113:
! 114: 40) Allow /etc/sudoers to be a symlink but require the parent dir to
! 115: be root-owned and not writable by anything else. Should really
! 116: traverse the tree to the root doing this.
! 117:
! 118: 41) Improve interfaces.c STREAMS code (see ntpd's ntp_io.c for hints)
! 119:
! 120: 42) Wildcard support for user and group names? (netgroup too?)
! 121:
! 122: 43) If root_sudo is off, still allow sudo -u to non-root users?
! 123:
! 124: 44) Add configure option to id user based on euid not ruid?
! 125:
! 126: 45) Split $EDITOR/$VISUAL in visudo into an argument vector based on whitespace
! 127:
! 128: 46) Make Kerberos paths and libs situation as sane as possible