=================================================================== RCS file: /cvsrepo/anoncvs/cvs/src/usr.bin/sudo/Attic/sudoers.5,v retrieving revision 1.16 retrieving revision 1.17 diff -u -r1.16 -r1.17 --- src/usr.bin/sudo/Attic/sudoers.5 2003/04/14 06:39:24 1.16 +++ src/usr.bin/sudo/Attic/sudoers.5 2004/09/28 15:10:51 1.17 
@@ -1,38 +1,24 @@ -.\" Copyright (c) 1994-1996,1998-2003 Todd C. Miller -.\" All rights reserved. +.\" Copyright (c) 1994-1996,1998-2004 Todd C. Miller .\" -.\" Redistribution and use in source and binary forms, with or without -.\" modification, are permitted provided that the following conditions -.\" are met: +.\" Permission to use, copy, modify, and distribute this software for any +.\" purpose with or without fee is hereby granted, provided that the above +.\" copyright notice and this permission notice appear in all copies. .\" -.\" 1. Redistributions of source code must retain the above copyright -.\" notice, this list of conditions and the following disclaimer. -.\" -.\" 2. Redistributions in binary form must reproduce the above copyright -.\" notice, this list of conditions and the following disclaimer in the -.\" documentation and/or other materials provided with the distribution. -.\" -.\" 3. The name of the author may not be used to endorse or promote products -.\" derived from this software without specific prior written permission -.\" from the author. -.\" -.\" 4. Products derived from this software may not be called "Sudo" nor -.\" may "Sudo" appear in their names without specific prior written -.\" permission from the author. -.\" -.\" THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, -.\" INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY -.\" AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. 
IN NO EVENT SHALL -.\" THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, -.\" EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, -.\" PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; -.\" OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, -.\" WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR -.\" OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF +.\" THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES +.\" WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF +.\" MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR +.\" ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES +.\" WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN +.\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF +.\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. .\" ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. .\" -.\" $Sudo: sudoers.man.in,v 1.24 2003/03/15 20:33:31 millert Exp $ -.\" Automatically generated by Pod::Man v1.34, Pod::Parser v1.13 +.\" Sponsored in part by the Defense Advanced Research Projects +.\" Agency (DARPA) and Air Force Research Laboratory, Air Force +.\" Materiel Command, USAF, under agreement number F39502-99-1-0512. +.\" +.\" $Sudo: sudoers.man.in,v 1.46 2004/09/06 20:46:28 millert Exp $ +.\" Automatically generated by Pod::Man v1.37, Pod::Parser v1.14 .\" .\" Standard preamble: .\" ======================================================================== 
@@ -163,17 +149,22 @@ .\" ======================================================================== .\" .IX Title "SUDOERS 5" -.TH SUDOERS 5 "March 13, 2003" "1.6.7" "MAINTENANCE COMMANDS" +.TH SUDOERS 5 "September 6, 2004" "1.6.8" "MAINTENANCE COMMANDS" .SH "NAME" sudoers \- list of which users may execute what .SH "DESCRIPTION" .IX Header "DESCRIPTION" -The \fIsudoers\fR file is composed of two types of entries: -aliases (basically variables) and user specifications -(which specify who may run what). The grammar of \fIsudoers\fR -will be described below in Extended Backus-Naur Form (\s-1EBNF\s0). -Don't despair if you don't know what \s-1EBNF\s0 is; it is fairly -simple, and the definitions below are annotated. +The \fIsudoers\fR file is composed of two types of entries: aliases +(basically variables) and user specifications (which specify who +may run what). +.PP +When multiple entries match for a user, they are applied in order. +Where there are conflicting values, the last match is used (which +is not necessarily the most specific match). +.PP +The \fIsudoers\fR grammar will be described below in Extended Backus-Naur +Form (\s-1EBNF\s0). Don't despair if you don't know what \s-1EBNF\s0 is; it is +fairly simple, and the definitions below are annotated. .Sh "Quick guide to \s-1EBNF\s0" .IX Subsection "Quick guide to EBNF" \&\s-1EBNF\s0 is a concise and exact way of describing the grammar of a language. 
@@ -269,12 +260,11 @@ \& '!'* User_Alias .Ve .PP -A \f(CW\*(C`User_List\*(C'\fR is made up of one or more usernames, uids -(prefixed with '#'), System groups (prefixed with '%'), -netgroups (prefixed with '+') and other aliases. Each list -item may be prefixed with one or more '!' operators. An odd number -of '!' operators negate the value of the item; an even number -just cancel each other out. +A \f(CW\*(C`User_List\*(C'\fR is made up of one or more usernames, system groups +(prefixed with '%'), netgroups (prefixed with '+') and other aliases. +Each list item may be prefixed with one or more '!' operators. +An odd number of '!' operators negate the value of the item; an even +number just cancel each other out. .PP .Vb 2 \& Runas_List ::= Runas_User | @@ -291,7 +281,11 @@ .PP A \f(CW\*(C`Runas_List\*(C'\fR is similar to a \f(CW\*(C`User_List\*(C'\fR except that it can also contain uids (prefixed with '#') and instead of \f(CW\*(C`User_Alias\*(C'\fRes -it can contain \f(CW\*(C`Runas_Alias\*(C'\fRes. +it can contain \f(CW\*(C`Runas_Alias\*(C'\fRes. Note that usernames and groups +are matched as strings. In other words, two users (groups) with +the same uid (gid) are considered to be distinct. If you wish to +match all usernames with the same uid (e.g. root and toor), you +can use a uid instead (#0 in the example given). .PP .Vb 2 \& Host_List ::= Host | @@ -313,7 +307,7 @@ of the host's ethernet interface(s) will be used when matching. The netmask may be specified either in dotted quad notation (e.g. 255.255.255.0) or \s-1CIDR\s0 notation (number of bits, e.g. 24). A hostname -may include shell-style wildcards (see `Wildcards' section below), +may include shell-style wildcards (see the Wildcards section below), but unless the \f(CW\*(C`hostname\*(C'\fR command on your machine returns the fully qualified hostname, you'll need to use the \fIfqdn\fR option for wildcards to be useful. 
@@ -329,15 +323,16 @@ \& filename '""' .Ve .PP -.Vb 3 +.Vb 4 \& Cmnd ::= '!'* commandname | \& '!'* directory | +\& '!'* "sudoedit" | \& '!'* Cmnd_Alias .Ve .PP A \f(CW\*(C`Cmnd_List\*(C'\fR is a list of one or more commandnames, directories, and other aliases. A commandname is a fully qualified filename which may include -shell-style wildcards (see `Wildcards' section below). A simple +shell-style wildcards (see the Wildcards section below). A simple filename allows the user to run the command with any arguments he/she wishes. However, you may also specify command line arguments (including wildcards). Alternately, you can specify \f(CW""\fR to indicate that the command @@ -350,20 +345,21 @@ in the \f(CW\*(C`Cmnd\*(C'\fR must match exactly those given by the user on the command line (or match the wildcards if there are any). Note that the following characters must be escaped with a '\e' if they are used in command -arguments: ',', ':', '=', '\e'. +arguments: ',', ':', '=', '\e'. The special command \f(CW"sudoedit"\fR +is used to permit a user to run \fBsudo\fR with the \fB\-e\fR flag (or +as \fBsudoedit\fR). It may take command line arguments just as +a normal command does. .Sh "Defaults" .IX Subsection "Defaults" Certain configuration options may be changed from their default values at runtime via one or more \f(CW\*(C`Default_Entry\*(C'\fR lines. These may affect all users on any host, all users on a specific host, a -specific user, or commands being run as a specific user. When -multiple entries match, they are applied in order. Where there are -conflicting values, the last value on a matching line takes effect. +specific user, or commands being run as a specific user. .PP .Vb 4 -\& Default_Type ::= 'Defaults' || -\& 'Defaults' '@' Host || -\& 'Defaults' ':' User || +\& Default_Type ::= 'Defaults' | +\& 'Defaults' '@' Host | +\& 'Defaults' ':' User | \& 'Defaults' '>' RunasUser .Ve .PP 
@@ -371,11 +367,16 @@ \& Default_Entry ::= Default_Type Parameter_List .Ve .PP +.Vb 2 +\& Parameter_List ::= Parameter | +\& Parameter ',' Parameter_List +.Ve +.PP .Vb 4 -\& Parameter ::= Parameter '=' Value || -\& Parameter '+=' Value || -\& Parameter '-=' Value || -\& '!'* Parameter || +\& Parameter ::= Parameter '=' Value | +\& Parameter '+=' Value | +\& Parameter '-=' Value | +\& '!'* Parameter .Ve .PP Parameters may be \fBflags\fR, \fBinteger\fR values, \fBstrings\fR, or \fBlists\fR. @@ -390,10 +391,6 @@ It is not an error to use the \f(CW\*(C`\-=\*(C'\fR operator to remove an element that does not exist in a list. .PP -Note that since the \fIsudoers\fR file is parsed in order the best place -to put the Defaults section is after the Host, User, and Cmnd aliases -but before the user specifications. -.PP \&\fBFlags\fR: .IP "long_otp_prompt" 12 .IX Item "long_otp_prompt" @@ -406,7 +403,10 @@ .IX Item "ignore_dot" If set, \fBsudo\fR will ignore '.' or '' (current dir) in the \f(CW\*(C`PATH\*(C'\fR environment variable; the \f(CW\*(C`PATH\*(C'\fR itself is not modified. This -flag is \fIon\fR by default. +flag is \fIoff\fR by default. Currently, while it is possible +to set \fIignore_dot\fR in \fIsudoers\fR, its value is not used. This option +should be considered read-only (it will be fixed in a future version +of \fBsudo\fR). .IP "mail_always" 12 .IX Item "mail_always" Send mail to the \fImailto\fR user every time a users runs \fBsudo\fR. @@ -429,8 +429,8 @@ .IX Item "mail_no_perms" If set, mail will be sent to the \fImailto\fR user if the invoking user is allowed to use \fBsudo\fR but the command they are trying is not -listed in their \fIsudoers\fR file entry. This flag is \fIoff\fR -by default. +listed in their \fIsudoers\fR file entry or is explicitly denied. +This flag is \fIoff\fR by default. .IP "tty_tickets" 12 .IX Item "tty_tickets" If set, users must authenticate on a per-tty basis. Normally, 
@@ -438,10 +438,6 @@ the user running it. With this flag enabled, \fBsudo\fR will use a file named for the tty the user is logged in on in that directory. This flag is \fIoff\fR by default. -.IP "lecture" 12 -.IX Item "lecture" -If set, a user will receive a short lecture the first time he/she -runs \fBsudo\fR. This flag is \fIon\fR by default. .IP "authenticate" 12 .IX Item "authenticate" If set, users must authenticate themselves via a password (or other @@ -452,7 +448,10 @@ .IX Item "root_sudo" If set, root is allowed to run \fBsudo\fR too. Disabling this prevents users from \*(L"chaining\*(R" \fBsudo\fR commands to get a root shell by doing something -like \f(CW"sudo sudo /bin/sh"\fR. +like \f(CW"sudo sudo /bin/sh"\fR. Note, however, that turning off \fIroot_sudo\fR +will also prevent root and from running \fBsudoedit\fR. +Disabling \fIroot_sudo\fR provides no real additional security; it +exists purely for historical reasons. This flag is \fIon\fR by default. .IP "log_host" 12 .IX Item "log_host" 
@@ -541,13 +540,15 @@ .IP "runaspw" 12 .IX Item "runaspw" If set, \fBsudo\fR will prompt for the password of the user defined by the -\&\fIrunas_default\fR option (defaults to \f(CW\*(C`root\*(C'\fR) instead of the password -of the invoking user. This flag is \fIoff\fR by default. +\&\fIrunas_default\fR option (defaults to \f(CW\*(C`root\*(C'\fR) instead of the +password of the invoking user. This flag is \fIoff\fR by default. .IP "targetpw" 12 .IX Item "targetpw" If set, \fBsudo\fR will prompt for the password of the user specified by the \fB\-u\fR flag (defaults to \f(CW\*(C`root\*(C'\fR) instead of the password of the -invoking user. This flag is \fIoff\fR by default. +invoking user. Note that this precludes the use of a uid not listed +in the passwd database as an argument to the \fB\-u\fR flag. +This flag is \fIoff\fR by default. .IP "set_logname" 12 .IX Item "set_logname" Normally, \fBsudo\fR will set the \f(CW\*(C`LOGNAME\*(C'\fR and \f(CW\*(C`USER\*(C'\fR environment variables 
@@ -583,6 +584,21 @@ If set, \fBsudo\fR will apply the defaults specified for the target user's login class if one exists. Only available if \fBsudo\fR is configured with the \-\-with\-logincap option. This flag is \fIoff\fR by default. +.IP "noexec" 12 +.IX Item "noexec" +If set, all commands run via sudo will behave as if the \f(CW\*(C`NOEXEC\*(C'\fR +tag has been set, unless overridden by a \f(CW\*(C`EXEC\*(C'\fR tag. See the +description of \fI\s-1NOEXEC\s0 and \s-1EXEC\s0\fR below as well as the \*(L"\s-1PREVENTING\s0 \s-1SHELL\s0 \s-1ESCAPES\s0\*(R" section at the end of this manual. This flag is \fIoff\fR by default. +.IP "ignore_local_sudoers" 12 +.IX Item "ignore_local_sudoers" +If set via \s-1LDAP\s0, parsing of \f(CW@sysconfdir\fR@/sudoers will be skipped. +This is intended for an Enterprises that wish to prevent the usage of local +sudoers files so that only \s-1LDAP\s0 is used. This thwarts the efforts of +rogue operators who would attempt to add roles to \f(CW@sysconfdir\fR@/sudoers. +When this option is present, \f(CW@sysconfdir\fR@/sudoers does not even need to exist. +Since this options tells sudo how to behave when no specific \s-1LDAP\s0 entries +have been matched, this sudoOption is only meaningful for the cn=defaults +section. This flag is \fIoff\fR by default. .PP \&\fBIntegers\fR: .IP "passwd_tries" 12 @@ -670,6 +686,8 @@ .IX Item "runas_default" The default user to run commands as if the \fB\-u\fR flag is not specified on the command line. This defaults to \f(CW\*(C`root\*(C'\fR. +Note that if \fIrunas_default\fR is set it \fBmust\fR occur before +any \f(CW\*(C`Runas_Alias\*(C'\fR specifications. .IP "syslog_goodpri" 12 .IX Item "syslog_goodpri" Syslog priority to use when user authenticates successfully. 
@@ -685,8 +703,37 @@ \&\s-1USER\s0 environment variable if possible, or the first editor in the list that exists and is executable. The default is the path to vi on your system. +.IP "noexec_file" 12 +.IX Item "noexec_file" +Path to a shared library containing dummy versions of the \fIexecv()\fR, +\&\fIexecve()\fR and \fIfexecve()\fR library functions that just return an error. +This is used to implement the \fInoexec\fR functionality on systems that +support \f(CW\*(C`LD_PRELOAD\*(C'\fR or its equivalent. Defaults to \fI/usr/libexec/sudo_noexec.so\fR. .PP \&\fBStrings that can be used in a boolean context\fR: +.IP "lecture" 12 +.IX Item "lecture" +This option controls when a short lecture will be printed along with +the password prompt. It has the following possible values: +.RS 12 +.IP "never" 8 +.IX Item "never" +Never lecture the user. +.IP "once" 8 +.IX Item "once" +Only lecture the user the first time they run \fBsudo\fR. +.IP "always" 8 +.IX Item "always" +Always lecture the user. +.RE +.RS 12 +.Sp +The default value is \fIonce\fR. +.RE +.IP "lecture_file" 12 +.IX Item "lecture_file" +Path to a file containing an alternate sudo lecture that will +be used in place of the standard lecture if the named file exists. .IP "logfile" 12 .IX Item "logfile" Path to the \fBsudo\fR log file (not the syslog log file). Setting a path @@ -694,7 +741,7 @@ .IP "syslog" 12 .IX Item "syslog" Syslog facility if syslog is being used for logging (negate to -disable syslog logging). Defaults to \f(CW\*(C`local2\*(C'\fR. +disable syslog logging). Defaults to \f(CW\*(C`authpriv\*(C'\fR. .IP "mailerpath" 12 .IX Item "mailerpath" Path to mail program used to send warning mail. 
@@ -793,17 +840,18 @@ to, deleted from, or disabled by using the \f(CW\*(C`=\*(C'\fR, \f(CW\*(C`+=\*(C'\fR, \f(CW\*(C`\-=\*(C'\fR, and \&\f(CW\*(C`!\*(C'\fR operators respectively. This list has no default members. .PP -When logging via \fIsyslog\fR\|(3), \fBsudo\fR accepts the following values for the syslog -facility (the value of the \fBsyslog\fR Parameter): \fBauthpriv\fR (if your \s-1OS\s0 -supports it), \fBauth\fR, \fBdaemon\fR, \fBuser\fR, \fBlocal0\fR, \fBlocal1\fR, \fBlocal2\fR, -\&\fBlocal3\fR, \fBlocal4\fR, \fBlocal5\fR, \fBlocal6\fR, and \fBlocal7\fR. The following -syslog priorities are supported: \fBalert\fR, \fBcrit\fR, \fBdebug\fR, \fBemerg\fR, -\&\fBerr\fR, \fBinfo\fR, \fBnotice\fR, and \fBwarning\fR. +When logging via \fIsyslog\fR\|(3), \fBsudo\fR accepts the following values +for the syslog facility (the value of the \fBsyslog\fR Parameter): +\&\fBauthpriv\fR (if your \s-1OS\s0 supports it), \fBauth\fR, \fBdaemon\fR, \fBuser\fR, +\&\fBlocal0\fR, \fBlocal1\fR, \fBlocal2\fR, \fBlocal3\fR, \fBlocal4\fR, \fBlocal5\fR, +\&\fBlocal6\fR, and \fBlocal7\fR. The following syslog priorities are +supported: \fBalert\fR, \fBcrit\fR, \fBdebug\fR, \fBemerg\fR, \fBerr\fR, \fBinfo\fR, +\&\fBnotice\fR, and \fBwarning\fR. .Sh "User Specification" .IX Subsection "User Specification" .Vb 2 -\& User_Spec ::= User_list Host_List '=' Cmnd_Spec_List \e -\& (':' User_Spec)* +\& User_Spec ::= User_List Host_List '=' Cmnd_Spec_List \e +\& (':' Host_List '=' Cmnd_Spec_List)* .Ve .PP .Vb 2 @@ -812,13 +860,17 @@ .Ve .PP .Vb 1 -\& Cmnd_Spec ::= Runas_Spec? ('NOPASSWD:' | 'PASSWD:')? Cmnd +\& Cmnd_Spec ::= Runas_Spec? Tag_Spec* Cmnd .Ve .PP .Vb 1 \& Runas_Spec ::= '(' Runas_List ')' .Ve .PP +.Vb 1 +\& Tag_Spec ::= ('NOPASSWD:' | 'PASSWD:' | 'NOEXEC:' | 'EXEC:') +.Ve +.PP A \fBuser specification\fR determines which commands a user may run (and as what user) on specified hosts. By default, commands are run as \fBroot\fR, but this can be changed on a per-command basis. 
@@ -840,7 +892,7 @@ \&\fI/usr/bin/lprm\fR \*(-- but only as \fBoperator\fR. E.g., .PP .Vb 1 -\& sudo -u operator /bin/ls. +\& $ sudo -u operator /bin/ls. .Ve .PP It is also possible to override a \f(CW\*(C`Runas_Spec\*(C'\fR later on in an @@ -852,8 +904,18 @@ .PP Then user \fBdgb\fR is now allowed to run \fI/bin/ls\fR as \fBoperator\fR, but \fI/bin/kill\fR and \fI/usr/bin/lprm\fR as \fBroot\fR. -.Sh "\s-1NOPASSWD\s0 and \s-1PASSWD\s0" +.Sh "Tag_Spec" +.IX Subsection "Tag_Spec" +A command may have zero or more tags associated with it. There are +four possible tag values, \f(CW\*(C`NOPASSWD\*(C'\fR, \f(CW\*(C`PASSWD\*(C'\fR, \f(CW\*(C`NOEXEC\*(C'\fR, \f(CW\*(C`EXEC\*(C'\fR. +Once a tag is set on a \f(CW\*(C`Cmnd\*(C'\fR, subsequent \f(CW\*(C`Cmnd\*(C'\fRs in the +\&\f(CW\*(C`Cmnd_Spec_List\*(C'\fR, inherit the tag unless it is overridden by the +opposite tag (ie: \f(CW\*(C`PASSWD\*(C'\fR overrides \f(CW\*(C`NOPASSWD\*(C'\fR and \f(CW\*(C`EXEC\*(C'\fR +overrides \f(CW\*(C`NOEXEC\*(C'\fR). +.PP +\fI\s-1NOPASSWD\s0 and \s-1PASSWD\s0\fR .IX Subsection "NOPASSWD and PASSWD" +.PP By default, \fBsudo\fR requires that a user authenticate him or herself before running a command. This behavior can be modified via the \&\f(CW\*(C`NOPASSWD\*(C'\fR tag. Like a \f(CW\*(C`Runas_Spec\*(C'\fR, the \f(CW\*(C`NOPASSWD\*(C'\fR tag sets 
@@ -883,12 +945,29 @@ \&\f(CW\*(C`sudo \-v\*(C'\fR without a password if the \f(CW\*(C`NOPASSWD\*(C'\fR tag is present for all a user's entries that pertain to the current host. This behavior may be overridden via the verifypw and listpw options. -.Sh "Wildcards (aka meta characters):" -.IX Subsection "Wildcards (aka meta characters):" -\&\fBsudo\fR allows shell-style \fIwildcards\fR to be used in pathnames -as well as command line arguments in the \fIsudoers\fR file. Wildcard -matching is done via the \fB\s-1POSIX\s0\fR \f(CWfnmatch(3)\fR routine. Note that -these are \fInot\fR regular expressions. +.PP +\fI\s-1NOEXEC\s0 and \s-1EXEC\s0\fR +.IX Subsection "NOEXEC and EXEC" +.PP +If sudo has been compiled with \fInoexec\fR support and the underlying +operating system support it, the \f(CW\*(C`NOEXEC\*(C'\fR tag can be used to prevent +a dynamically-linked executable from running further commands itself. +.PP +In the following example, user \fBaaron\fR may run \fI/usr/bin/more\fR +and \fI/usr/bin/vi\fR but shell escapes will be disabled. +.PP +.Vb 1 +\& aaron shanty = NOEXEC: /usr/bin/more, /usr/bin/vi +.Ve +.PP +See the \*(L"\s-1PREVENTING\s0 \s-1SHELL\s0 \s-1ESCAPES\s0\*(R" section below for more details +on how \fInoexec\fR works and whether or not it will work on your system. +.Sh "Wildcards" +.IX Subsection "Wildcards" +\&\fBsudo\fR allows shell-style \fIwildcards\fR (aka meta or glob characters) +to be used in pathnames as well as command line arguments in the +\&\fIsudoers\fR file. Wildcard matching is done via the \fB\s-1POSIX\s0\fR +\&\fIfnmatch\fR\|(3) routine. Note that these are \fInot\fR regular expressions. .ie n .IP "\*(C`*\*(C'" 8 .el .IP "\f(CW\*(C`*\*(C'\fR" 8 .IX Item "*" 
@@ -920,9 +999,37 @@ \& /usr/bin/* .Ve .PP -match \f(CW\*(C`/usr/bin/who\*(C'\fR but not \f(CW\*(C`/usr/bin/X11/xterm\*(C'\fR. -.Sh "Exceptions to wildcard rules:" -.IX Subsection "Exceptions to wildcard rules:" +match \fI/usr/bin/who\fR but not \fI/usr/bin/X11/xterm\fR. +.PP +\&\s-1WARNING:\s0 a pathname with wildcards will \fBnot\fR match a user command +that consists of a relative path. In other words, given the +following \fIsudoers\fR entry: +.PP +.Vb 1 +\& billy workstation = /usr/bin/* +.Ve +.PP +user billy will be able to run any command in /usr/bin as root, such +as \fI/usr/bin/w\fR. The following two command will be allowed (the first +assumes that \fI/usr/bin\fR is in the user's path): +.PP +.Vb 2 +\& $ sudo w +\& $ sudo /usr/bin/w +.Ve +.PP +However, this will not: +.PP +.Vb 2 +\& $ cd /usr/bin +\& $ sudo ./w +.Ve +.PP +For this reason you should only \fBgrant\fR access to commands using +wildcards and never \fBrestrict\fR access using them. This limitation +will be removed in a future version of \fBsudo\fR. +.Sh "Exceptions to wildcard rules" +.IX Subsection "Exceptions to wildcard rules" The following exceptions apply to the above rules: .ie n .IP """""" 8 .el .IP "\f(CW``''\fR" 8 @@ -930,8 +1037,8 @@ If the empty string \f(CW""\fR is the only command line argument in the \&\fIsudoers\fR entry it means that command is not allowed to be run with \fBany\fR arguments. -.Sh "Other special characters and reserved words:" -.IX Subsection "Other special characters and reserved words:" +.Sh "Other special characters and reserved words" +.IX Subsection "Other special characters and reserved words" The pound sign ('#') is used to indicate a comment (unless it occurs in the context of a user name and is followed by one or more digits, in which case it is treated as a uid). Both the 
@@ -962,8 +1069,22 @@ The following characters must be escaped with a backslash ('\e') when used as part of a word (e.g. a username or hostname): \&'@', '!', '=', ':', ',', '(', ')', '\e'. +.SH "FILES" +.IX Header "FILES" +.Vb 3 +\& /etc/sudoers List of who can run what +\& /etc/group Local groups file +\& /etc/netgroup List of network groups +.Ve .SH "EXAMPLES" .IX Header "EXAMPLES" +Since the \fIsudoers\fR file is parsed in a single pass, order is +important. In general, you should structure \fIsudoers\fR such that +the \f(CW\*(C`Host_Alias\*(C'\fR, \f(CW\*(C`User_Alias\*(C'\fR, and \f(CW\*(C`Cmnd_Alias\*(C'\fR specifications +come first, followed by any \f(CW\*(C`Default_Entry\*(C'\fR lines, and finally the +\&\f(CW\*(C`Runas_Alias\*(C'\fR and user specifications. The basic rule of thumb +is you cannot reference an Alias that has not already been defined. +.PP Below are example \fIsudoers\fR entries. Admittedly, some of these are a bit contrived. First, we define our \fIaliases\fR: .PP @@ -999,8 +1120,8 @@ \& Cmnd_Alias KILL = /usr/bin/kill \& Cmnd_Alias PRINTING = /usr/sbin/lpc, /usr/bin/lprm \& Cmnd_Alias SHUTDOWN = /usr/sbin/shutdown -\& Cmnd_Alias HALT = /usr/sbin/halt, /usr/sbin/fasthalt -\& Cmnd_Alias REBOOT = /usr/sbin/reboot, /usr/sbin/fastboot +\& Cmnd_Alias HALT = /usr/sbin/halt +\& Cmnd_Alias REBOOT = /usr/sbin/reboot \& Cmnd_Alias SHELLS = /usr/bin/sh, /usr/bin/csh, /usr/bin/ksh, \e \& /usr/local/bin/tcsh, /usr/bin/rsh, \e \& /usr/local/bin/zsh 
@@ -1011,7 +1132,7 @@ \&\fBsudo\fR to log via \fIsyslog\fR\|(3) using the \fIauth\fR facility in all cases. We don't want to subject the full time staff to the \fBsudo\fR lecture, user \fBmillert\fR need not give a password, and we don't -want to set the \f(CW\*(C`LOGNAME\*(C'\fR or \f(CW\*(C`USER\*(C'\fR environment variables when +want to reset the \f(CW\*(C`LOGNAME\*(C'\fR or \f(CW\*(C`USER\*(C'\fR environment variables when running commands as root. Additionally, on the machines in the \&\fI\s-1SERVERS\s0\fR \f(CW\*(C`Host_Alias\*(C'\fR, we keep an additional local log file and make sure we log the year in each log line since the log entries @@ -1071,8 +1192,8 @@ (the class B network \f(CW128.138.0.0\fR). .PP .Vb 2 -\& operator ALL = DUMPS, KILL, PRINTING, SHUTDOWN, HALT, REBOOT,\e -\& /usr/oper/bin/ +\& operator ALL = DUMPS, KILL, SHUTDOWN, HALT, REBOOT, PRINTING,\e +\& sudoedit /etc/printcap, /usr/oper/bin/ .Ve .PP The \fBoperator\fR user may run commands limited to simple maintenance. 
@@ -1192,6 +1313,69 @@ different name, or use a shell escape from an editor or other program. Therefore, these kind of restrictions should be considered advisory at best (and reinforced by policy). +.SH "PREVENTING SHELL ESCAPES" +.IX Header "PREVENTING SHELL ESCAPES" +Once \fBsudo\fR executes a program, that program is free to do whatever +it pleases, including run other programs. This can be a security +issue since it is not uncommon for a program to allow shell escapes, +which lets a user bypass \fBsudo\fR's restrictions. Common programs +that permit shell escapes include shells (obviously), editors, +paginators, mail and terminal programs. +.PP +Many systems that support shared libraries have the ability to +override default library functions by pointing an environment +variable (usually \f(CW\*(C`LD_PRELOAD\*(C'\fR) to an alternate shared library. +On such systems, \fBsudo\fR's \fInoexec\fR functionality can be used to +prevent a program run by sudo from executing any other programs. +Note, however, that this applies only to native dynamically-linked +executables. Statically-linked executables and foreign executables +running under binary emulation are not affected. +.PP +To tell whether or not \fBsudo\fR supports \fInoexec\fR, you can run +the following as root: +.PP +.Vb 1 +\& sudo -V | grep "dummy exec" +.Ve +.PP +If the resulting output contains a line that begins with: +.PP +.Vb 1 +\& File containing dummy exec functions: +.Ve +.PP +then \fBsudo\fR may be able to replace the exec family of functions +in the standard library with its own that simply return an error. +Unfortunately, there is no foolproof way to know whether or not +\&\fInoexec\fR will work at compile\-time. \fINoexec\fR should work on +SunOS, Solaris, *BSD, Linux, \s-1IRIX\s0, Tru64 \s-1UNIX\s0, MacOS X, and HP-UX +11.x. It is known \fBnot\fR to work on \s-1AIX\s0 and UnixWare. 
\fINoexec\fR +is expected to work on most operating systems that support the +\&\f(CW\*(C`LD_PRELOAD\*(C'\fR environment variable. Check your operating system's +manual pages for the dynamic linker (usually ld.so, ld.so.1, dyld, +dld.sl, rld, or loader) to see if \f(CW\*(C`LD_PRELOAD\*(C'\fR is supported. +.PP +To enable \fInoexec\fR for a command, use the \f(CW\*(C`NOEXEC\*(C'\fR tag as documented +in the User Specification section above. Here is that example again: +.PP +.Vb 1 +\& aaron shanty = NOEXEC: /usr/bin/more, /usr/bin/vi +.Ve +.PP +This allows user \fBaaron\fR to run \fI/usr/bin/more\fR and \fI/usr/bin/vi\fR +with \fInoexec\fR enabled. This will prevent those two commands from +executing other commands (such as a shell). If you are unsure +whether or not your system is capable of supporting \fInoexec\fR you +can always just try it out and see if it works. +.PP +Note that disabling shell escapes is not a panacea. Programs running +as root are still capable of many potentially hazardous operations +(such as changing or overwriting files) that could lead to unintended +privilege escalation. In the specific case of an editor, a safer +approach is to give the user permission to run \fBsudoedit\fR. +.SH "SEE ALSO" +.IX Header "SEE ALSO" +\&\fIrsh\fR\|(1), \fIsu\fR\|(1), \fIfnmatch\fR\|(3), sudo(8), visudo(8) .SH "CAVEATS" .IX Header "CAVEATS" The \fIsudoers\fR file should \fBalways\fR be edited by the \fBvisudo\fR 
@@ -1204,13 +1388,22 @@ case), you either need to have the machine's hostname be fully qualified as returned by the \f(CW\*(C`hostname\*(C'\fR command or use the \fIfqdn\fR option in \&\fIsudoers\fR. -.SH "FILES" -.IX Header "FILES" -.Vb 3 -\& /etc/sudoers List of who can run what -\& /etc/group Local groups file -\& /etc/netgroup List of network groups -.Ve -.SH "SEE ALSO" -.IX Header "SEE ALSO" -\&\fIrsh\fR\|(1), \fIsu\fR\|(1), \fIfnmatch\fR\|(3), \fIsudo\fR\|(8), \fIvisudo\fR\|(8) +.SH "BUGS" +.IX Header "BUGS" +If you feel you have found a bug in \fBsudo\fR, please submit a bug report +at http://www.sudo.ws/sudo/bugs/ +.SH "SUPPORT" +.IX Header "SUPPORT" +Commercial support is available for \fBsudo\fR, see +http://www.sudo.ws/sudo/support.html for details. +.PP +Limited free support is available via the sudo-users mailing list, +see http://www.sudo.ws/mailman/listinfo/sudo\-users to subscribe or +search the archives. +.SH "DISCLAIMER" +.IX Header "DISCLAIMER" +\&\fBSudo\fR is provided ``\s-1AS\s0 \s-1IS\s0'' and any express or implied warranties, +including, but not limited to, the implied warranties of merchantability +and fitness for a particular purpose are disclaimed. See the \s-1LICENSE\s0 +file distributed with \fBsudo\fR or http://www.sudo.ws/sudo/license.html +for complete details.
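Review bot: in the @@ -1,38 +1,24 @@ hunk the unchanged context line `.\" ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.` is a leftover fragment of the old BSD disclaimer and now dangles directly after the new ISC text ("... ARISING OUT OF OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE."); it should be deleted along with the rest of the removed disclaimer so the license header reads as a complete sentence.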
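Review bot: the new DESCRIPTION paragraph in the @@ -163,17 +149,22 @@ hunk ("Where there are conflicting values, the last match is used (which is not necessarily the most specific match)") is the rule that decides whether a narrow grant or a later broad entry wins, and the EXAMPLES ordering paragraph added in the @@ -962,8 +1069,22 @@ hunk only covers alias definition order. Suggest the EXAMPLES text also show one case of a specific entry being overridden by a later, broader one, since that is the ordering mistake an administrator is most likely to make.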
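Review bot: the @@ -269,12 +260,11 @@ hunk drops "uids (prefixed with '#')" from the User_List description, but the unchanged text in the @@ -930,8 +1037,8 @@ hunk still says a '#' "in the context of a user name" followed by digits "is treated as a uid". Either restore the uid form in the User_List prose or reword the reserved-words paragraph so that it refers only to the Runas_List, where the @@ -291,7 +281,11 @@ hunk still documents '#uid'.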
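Review bot: in the @@ -406,7 +403,10 @@ hunk the ignore_dot entry first describes what the flag does and only afterwards says "its value is not used" and that it "should be considered read-only", so a reader skimming the first sentence may rely on it to strip the current directory from PATH. Lead with the statement that the option currently has no effect, then give the intended behaviour and the "will be fixed in a future version" remark.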
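Review bot: typo in the @@ -452,7 +448,10 @@ hunk: "will also prevent root and from running sudoedit" has a stray "and". The two added sentences also pull in opposite directions: the retained text motivates root_sudo by the "sudo sudo /bin/sh" chaining case, while the addition says disabling it "provides no real additional security". Reword to say plainly that root already has full privileges, so the flag only affects convenience and history, and that turning it off also breaks sudoedit for root.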
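Review bot: the ignore_local_sudoers entry in the @@ -583,6 +584,21 @@ hunk renders the unsubstituted configure variable `\f(CW@sysconfdir\fR@/sudoers` three times, whereas the FILES section added in the @@ -962,8 +1069,22 @@ hunk writes the literal /etc/sudoers; substitute the variable or write the path out. Grammar in the same entry: "intended for an Enterprises that wish" should be "intended for enterprises that wish", and "Since this options tells" should be "Since this option tells". The "See the description of NOEXEC and EXEC below ..." sentence in the noexec entry is one over-long source line and should be wrapped like the rest of the page.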
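Review bot: the @@ -694,7 +741,7 @@ hunk changes the default syslog facility from local2 to authpriv, which silently moves sudo's log lines out of any existing syslog.conf rule keyed on local2. Add a sentence telling administrators who upgrade to check their syslog configuration, and say what facility is used when the OS lacks authpriv, since the facility list later in the @@ -793,17 +840,18 @@ hunk only says "authpriv (if your OS supports it)".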
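Review bot: the tag inheritance rule in the @@ -852,8 +904,18 @@ hunk ("subsequent Cmnds in the Cmnd_Spec_List, inherit the tag unless it is overridden by the opposite tag") deserves an example, because a NOPASSWD: written before the first command silently applies to every command that follows on that line; one two-command line with PASSWD: restoring the prompt for the second command would make the rule concrete. Style: "(ie:" should be "(i.e.", and there is a stray comma after "Cmnd_Spec_List".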
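Review bot: typo in the @@ -883,12 +945,29 @@ hunk: "the underlying operating system support it" should be "supports it". The NOEXEC and EXEC subsection introduces the tag but the limitation that it only covers native dynamically-linked executables (statically-linked and emulated binaries are unaffected) appears only in the PREVENTING SHELL ESCAPES section much later; repeat that one-sentence caveat here, next to the aaron/shanty example, since this is where an administrator decides whether the tag is sufficient.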
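Review bot: typo in the @@ -920,9 +999,37 @@ hunk: "The following two command will be allowed" should be "commands". The warning that a wildcard pathname does not match a relative-path invocation ("sudo ./w") is the most important addition in this hunk, and its conclusion ("only grant access to commands using wildcards and never restrict access using them") should also be stated beside the '!' negation description in the Cmnd_List section, because that is where a deny entry such as "!/usr/bin/*" would be written.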
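Review bot: in the @@ -1192,6 +1313,69 @@ hunk the `sudo -V | grep "dummy exec"` check is followed by "then sudo may be able to replace the exec family of functions", and the only confirmation offered is "you can always just try it out and see if it works"; spell out the verification, i.e. run a NOEXEC-tagged command such as the /usr/bin/vi example and confirm that its shell escape fails, so an administrator can test the control before relying on it. Spelling: "MacOS X" should be "Mac OS X"; "compile\-time" is hyphenated while "per-tty" and similar elsewhere are not.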
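Review bot: the relocated SEE ALSO line in the @@ -1192,6 +1313,69 @@ hunk reads `sudo(8), visudo(8)` without the italic markup, while the line removed in the @@ -1204,13 +1388,22 @@ hunk had `\fIsudo\fR\|(8), \fIvisudo\fR\|(8)`; restore the markup so the two sudo references render like rsh(1), su(1) and fnmatch(3) on the same line.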