| version 1.18, 2010/03/04 12:21:36 |
version 1.19, 2010/04/13 23:22:01 |
|
|
| Copyright (c) 1994-1996, 1998-2005, 2007-2009 |
Copyright (c) 1994-1996, 1998-2005, 2007-2010 |
| Todd C. Miller <Todd.Miller@courtesan.com> |
Todd C. Miller <Todd.Miller@courtesan.com> |
| |
|
| Permission to use, copy, modify, and distribute this software for any |
Permission to use, copy, modify, and distribute this software for any |
|
|
| =item passprompt_override |
=item passprompt_override |
| |
|
| The password prompt specified by I<passprompt> will normally only |
The password prompt specified by I<passprompt> will normally only |
| be used if the passwod prompt provided by systems such as PAM matches |
be used if the password prompt provided by systems such as PAM matches |
| the string "Password:". If I<passprompt_override> is set, I<passprompt> |
the string "Password:". If I<passprompt_override> is set, I<passprompt> |
| will always be used. This flag is I<off> by default. |
will always be used. This flag is I<off> by default. |
| |
|
|
|
| option causes B<sudo> to use the L<fnmatch(3)> function, which does |
option causes B<sudo> to use the L<fnmatch(3)> function, which does |
| not access the file system to do its matching. The disadvantage |
not access the file system to do its matching. The disadvantage |
| of I<fast_glob> is that it is unable to match relative pathnames |
of I<fast_glob> is that it is unable to match relative pathnames |
| such as F<./ls> or F<../bin/ls>. This flag is I<off> by default. |
such as F<./ls> or F<../bin/ls>. This has security implications |
| |
when path names that include globbing characters are used with the |
| |
negation operator, C<'!'>, as such rules can be trivially bypassed. |
| |
As such, this option should not be used when I<sudoers> contains rules |
| |
that contain negated path names which include globbing characters. |
| |
This flag is I<off> by default. |
| |
|
| =item stay_setuid |
=item stay_setuid |
| |
|
|
|
| different name, or use a shell escape from an editor or other |
different name, or use a shell escape from an editor or other |
| program. Therefore, these kind of restrictions should be considered |
program. Therefore, these kind of restrictions should be considered |
| advisory at best (and reinforced by policy). |
advisory at best (and reinforced by policy). |
| |
|
| |
Furthermore, if the I<fast_glob> option is in use, it is not possible |
| |
to reliably negate commands where the path name includes globbing |
| |
(aka wildcard) characters. This is because the C library's |
| |
L<fnmatch(3)> function cannot resolve relative paths. While this |
| |
is typically only an inconvenience for rules that grant privileges, |
| |
it can result in a security issue for rules that subtract or revoke |
| |
privileges. |
| |
|
| |
For example, given the following I<sudoers> entry: |
| |
|
| |
john ALL = /usr/bin/passwd [a-zA-Z0-9]*, /usr/bin/chsh [a-zA-Z0-9]*, |
| |
/usr/bin/chfn [a-zA-Z0-9]*, !/usr/bin/* root |
| |
|
| |
User B<john> can still run C</usr/bin/passwd root> if I<fast_glob> is |
| |
enabled by changing to F</usr/bin> and running C<./passwd root> instead. |
| |
|
| =head1 PREVENTING SHELL ESCAPES |
=head1 PREVENTING SHELL ESCAPES |
| |
|
![[BACK]](/icons/back.gif){kind=icon}
Return to sudoers.pod CVS log ![[TXT]](/icons/text.gif){kind=icon}
![[DIR]](/icons/dir.gif){kind=icon}
Up to [local] / src / usr.bin / sudo