distinct ways _\bs_\bu_\bd_\bo_\be_\br_\bs can deal with environment variables.
By default, the _\be_\bn_\bv_\b__\br_\be_\bs_\be_\bt option is enabled. This causes commands to
- be executed with a minimal environment containing the TERM, PATH, HOME,
- MAIL, SHELL, LOGNAME, USER, USERNAME and SUDO_* variables in addition
- to variables from the invoking process permitted by the _\be_\bn_\bv_\b__\bc_\bh_\be_\bc_\bk and
- _\be_\bn_\bv_\b__\bk_\be_\be_\bp options. This is effectively a whitelist for environment
- variables.
+ be executed with a new, minimal environment. On AIX (and Linux systems
+ without PAM), the environment is initialized with the contents of the
+ _\b/_\be_\bt_\bc_\b/_\be_\bn_\bv_\bi_\br_\bo_\bn_\bm_\be_\bn_\bt file. On BSD systems, if the _\bu_\bs_\be_\b__\bl_\bo_\bg_\bi_\bn_\bc_\bl_\ba_\bs_\bs option is
+ enabled, the environment is initialized based on the _\bp_\ba_\bt_\bh and _\bs_\be_\bt_\be_\bn_\bv
+ settings in _\b/_\be_\bt_\bc_\b/_\bl_\bo_\bg_\bi_\bn_\b._\bc_\bo_\bn_\bf. The new environment contains the TERM,
+ PATH, HOME, MAIL, SHELL, LOGNAME, USER, USERNAME and SUDO_* variables
+ in addition to variables from the invoking process permitted by the
+ _\be_\bn_\bv_\b__\bc_\bh_\be_\bc_\bk and _\be_\bn_\bv_\b__\bk_\be_\be_\bp options. This is effectively a whitelist for
+ environment variables.
If, however, the _\be_\bn_\bv_\b__\br_\be_\bs_\be_\bt option is disabled, any variables not
explicitly denied by the _\be_\bn_\bv_\b__\bc_\bh_\be_\bc_\bk and _\be_\bn_\bv_\b__\bd_\be_\bl_\be_\bt_\be options are inherited
_\bs_\bu_\bd_\bo_\be_\br_\bs will initialize the environment regardless of the value of
_\be_\bn_\bv_\b__\br_\be_\bs_\be_\bt. The _\bD_\bI_\bS_\bP_\bL_\bA_\bY, _\bP_\bA_\bT_\bH and _\bT_\bE_\bR_\bM variables remain unchanged;
_\bH_\bO_\bM_\bE, _\bM_\bA_\bI_\bL, _\bS_\bH_\bE_\bL_\bL, _\bU_\bS_\bE_\bR, and _\bL_\bO_\bG_\bN_\bA_\bM_\bE are set based on the target user.
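Review bot: the rewritten env_reset paragraph names AIX and "Linux systems without PAM" but is silent on the most common deployment, Linux with PAM, so a reader cannot tell whether /etc/environment is simply ignored there or whether the PAM session environment takes its place. Suggest one explicit sentence for that case, for example "On Linux systems with PAM, the environment is initialized from the PAM session instead", if that matches the implementation; the -i paragraph further down has the same gap.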
- On Linux and AIX systems the contents of _\b/_\be_\bt_\bc_\b/_\be_\bn_\bv_\bi_\br_\bo_\bn_\bm_\be_\bn_\bt are also
- included. All other environment variables are removed.
+ On AIX (and Linux systems without PAM), the contents of
+ _\b/_\be_\bt_\bc_\b/_\be_\bn_\bv_\bi_\br_\bo_\bn_\bm_\be_\bn_\bt are also included. On BSD systems, if the
+ _\bu_\bs_\be_\b__\bl_\bo_\bg_\bi_\bn_\bc_\bl_\ba_\bs_\bs option is enabled, the _\bp_\ba_\bt_\bh and _\bs_\be_\bt_\be_\bn_\bv variables in
+ _\b/_\be_\bt_\bc_\b/_\bl_\bo_\bg_\bi_\bn_\b._\bc_\bo_\bn_\bf are also applied. All other environment variables are
+ removed.
- Lastly, if the _\be_\bn_\bv_\b__\bf_\bi_\bl_\be option is defined, any variables present in
- that file will be set to their specified values.
+ Finally, if the _\be_\bn_\bv_\b__\bf_\bi_\bl_\be option is defined, any variables present in
+ that file will be set to their specified values as long as they would
+ not conflict with an existing environment variable.
S\bSU\bUD\bDO\bOE\bER\bRS\bS F\bFI\bIL\bLE\bE F\bFO\bOR\bRM\bMA\bAT\bT
The _\bs_\bu_\bd_\bo_\be_\br_\bs file is composed of two types of entries: aliases
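Review bot: the new env_file sentence, "as long as they would not conflict with an existing environment variable", does not say which side wins in a conflict. If the intent is that a variable already present in the new environment keeps its value and the env_file entry is skipped, state it directly, e.g. "Variables already present in the environment are not overridden by env_file", so that an administrator does not rely on env_file to force a value such as PATH that a kept variable already provides.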
below). For instance, the QAS AD plugin supports the following
formats:
- +\bo Group in the same domain: "Group Name"
+ o Group in the same domain: "Group Name"
- +\bo Group in any domain: "Group Name@FULLY.QUALIFIED.DOMAIN"
+ o Group in any domain: "Group Name@FULLY.QUALIFIED.DOMAIN"
- +\bo Group SID: "S-1-2-34-5678901234-5678901234-5678901234-567"
+ o Group SID: "S-1-2-34-5678901234-5678901234-5678901234-567"
Note that quotes around group names are optional. Unquoted strings
must use a backslash (\) to escape spaces and special characters. See
aaron shanty = NOEXEC: /usr/bin/more, /usr/bin/vi
- See the "PREVENTING SHELL ESCAPES" section below for more details on
+ See the "Preventing Shell Escapes" section below for more details on
how NOEXEC works and whether or not it will work on your system.
_\bS_\bE_\bT_\bE_\bN_\bV _\ba_\bn_\bd _\bN_\bO_\bS_\bE_\bT_\bE_\bN_\bV
noexec If set, all commands run via s\bsu\bud\bdo\bo will behave as if the
NOEXEC tag has been set, unless overridden by a EXEC
tag. See the description of _\bN_\bO_\bE_\bX_\bE_\bC _\ba_\bn_\bd _\bE_\bX_\bE_\bC below as
- well as the "PREVENTING SHELL ESCAPES" section at the
+ well as the "Preventing Shell Escapes" section at the
end of this manual. This flag is _\bo_\bf_\bf by default.
path_info Normally, s\bsu\bud\bdo\bo will tell the user when a command could
variables to keep is displayed when s\bsu\bud\bdo\bo is run by root
with the _\b-_\bV option.
+S\bSU\bUD\bDO\bO.\b.C\bCO\bON\bNF\bF
+ The _\b/_\be_\bt_\bc_\b/_\bs_\bu_\bd_\bo_\b._\bc_\bo_\bn_\bf file determines which plugins the s\bsu\bud\bdo\bo front end
+ will load. If no _\b/_\be_\bt_\bc_\b/_\bs_\bu_\bd_\bo_\b._\bc_\bo_\bn_\bf file is present, or it contains no
+ Plugin lines, s\bsu\bud\bdo\bo will use the _\bs_\bu_\bd_\bo_\be_\br_\bs security policy and I/O
+ logging, which corresponds to the following _\b/_\be_\bt_\bc_\b/_\bs_\bu_\bd_\bo_\b._\bc_\bo_\bn_\bf file.
+
+ #
+ # Default /etc/sudo.conf file
+ #
+ # Format:
+ # Plugin plugin_name plugin_path plugin_options ...
+ # Path askpass /path/to/askpass
+ # Path noexec /path/to/sudo_noexec.so
+ # Debug sudo /var/log/sudo_debug all@warn
+ # Set disable_coredump true
+ #
+ # The plugin_path is relative to /usr/local/libexec unless
+ # fully qualified.
+ # The plugin_name corresponds to a global symbol in the plugin
+ # that contains the plugin interface structure.
+ # The plugin_options are optional.
+ #
+ Plugin policy_plugin sudoers.so
+ Plugin io_plugin sudoers.so
+
+ P\bPL\bLU\bUG\bGI\bIN\bN O\bOP\bPT\bTI\bIO\bON\bNS\bS
+ Starting with s\bsu\bud\bdo\bo 1.8.5 it is possible to pass options to the _\bs_\bu_\bd_\bo_\be_\br_\bs
+ plugin. Options may be listed after the path to the plugin (i.e. after
+ _\bs_\bu_\bd_\bo_\be_\br_\bs_\b._\bs_\bo); multiple options should be space-separated. For example:
+
+ Plugin sudoers_policy sudoers.so sudoers_file=/etc/sudoers sudoers_uid=0 sudoers_gid=0 sudoers_mode=0440
+
+ The following plugin options are supported:
+
+ sudoers_file=pathname
+ The _\bs_\bu_\bd_\bo_\be_\br_\bs_\b__\bf_\bi_\bl_\be option can be used to override the default
+ path to the _\bs_\bu_\bd_\bo_\be_\br_\bs file.
+
+ sudoers_uid=uid
+ The _\bs_\bu_\bd_\bo_\be_\br_\bs_\b__\bu_\bi_\bd option can be used to override the default
+ owner of the sudoers file. It should be specified as a
+ numeric user ID.
+
+ sudoers_gid=gid
+ The _\bs_\bu_\bd_\bo_\be_\br_\bs_\b__\bg_\bi_\bd option can be used to override the default
+ group of the sudoers file. It should be specified as a
+ numeric group ID.
+
+ sudoers_mode=mode
+ The _\bs_\bu_\bd_\bo_\be_\br_\bs_\b__\bm_\bo_\bd_\be option can be used to override the default
+ file mode for the sudoers file. It should be specified as an
+ octal value.
+
+ D\bDE\bEB\bBU\bUG\bG F\bFL\bLA\bAG\bGS\bS
+ Versions 1.8.4 and higher of the _\bs_\bu_\bd_\bo_\be_\br_\bs plugin supports a debugging
+ framework that can help track down what the plugin is doing internally
+ if there is a problem. This can be configured in the _\b/_\be_\bt_\bc_\b/_\bs_\bu_\bd_\bo_\b._\bc_\bo_\bn_\bf
+ file as described in _\bs_\bu_\bd_\bo(1m).
+
+ The _\bs_\bu_\bd_\bo_\be_\br_\bs plugin uses the same debug flag format as s\bsu\bud\bdo\bo itself:
+ _\bs_\bu_\bb_\bs_\by_\bs_\bt_\be_\bm@_\bp_\br_\bi_\bo_\br_\bi_\bt_\by.
+
+ The priorities used by _\bs_\bu_\bd_\bo_\be_\br_\bs, in order of decreasing severity, are:
+ _\bc_\br_\bi_\bt, _\be_\br_\br, _\bw_\ba_\br_\bn, _\bn_\bo_\bt_\bi_\bc_\be, _\bd_\bi_\ba_\bg, _\bi_\bn_\bf_\bo, _\bt_\br_\ba_\bc_\be and _\bd_\be_\bb_\bu_\bg. Each priority,
+ when specified, also includes all priorities higher than it. For
+ example, a priority of _\bn_\bo_\bt_\bi_\bc_\be would include debug messages logged at
+ _\bn_\bo_\bt_\bi_\bc_\be and higher.
+
+ The following subsystems are used by _\bs_\bu_\bd_\bo_\be_\br_\bs:
+
+ _\ba_\bl_\bi_\ba_\bs User_Alias, Runas_Alias, Host_Alias and Cmnd_Alias processing
+
+ _\ba_\bl_\bl matches every subsystem
+
+ _\ba_\bu_\bd_\bi_\bt BSM and Linux audit code
+
+ _\ba_\bu_\bt_\bh user authentication
+
+ _\bd_\be_\bf_\ba_\bu_\bl_\bt_\bs _\bs_\bu_\bd_\bo_\be_\br_\bs _\bD_\be_\bf_\ba_\bu_\bl_\bt_\bs settings
+
+ _\be_\bn_\bv environment handling
+
+ _\bl_\bd_\ba_\bp LDAP-based sudoers
+
+ _\bl_\bo_\bg_\bg_\bi_\bn_\bg logging support
+
+ _\bm_\ba_\bt_\bc_\bh matching of users, groups, hosts and netgroups in _\bs_\bu_\bd_\bo_\be_\br_\bs
+
+ _\bn_\be_\bt_\bi_\bf network interface handling
+
+ _\bn_\bs_\bs network service switch handling in _\bs_\bu_\bd_\bo_\be_\br_\bs
+
+ _\bp_\ba_\br_\bs_\be_\br _\bs_\bu_\bd_\bo_\be_\br_\bs file parsing
+
+ _\bp_\be_\br_\bm_\bs permission setting
+
+ _\bp_\bl_\bu_\bg_\bi_\bn The equivalent of _\bm_\ba_\bi_\bn for the plugin.
+
+ _\bp_\bt_\by pseudo-tty related code
+
+ _\br_\bb_\bt_\br_\be_\be redblack tree internals
+
+ _\bu_\bt_\bi_\bl utility functions
+
F\bFI\bIL\bLE\bES\bS
+ _\b/_\be_\bt_\bc_\b/_\bs_\bu_\bd_\bo_\b._\bc_\bo_\bn_\bf Sudo front end configuration
+
_\b/_\be_\bt_\bc_\b/_\bs_\bu_\bd_\bo_\be_\br_\bs List of who can run what
_\b/_\be_\bt_\bc_\b/_\bg_\br_\bo_\bu_\bp Local groups file
_\b/_\bv_\ba_\br_\b/_\ba_\bd_\bm_\b/_\bs_\bu_\bd_\bo Directory containing time stamps for the
_\bs_\bu_\bd_\bo_\be_\br_\bs security policy
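Review bot: the default /etc/sudo.conf shown under SUDO.CONF uses "Plugin policy_plugin sudoers.so" and "Plugin io_plugin sudoers.so", while the PLUGIN OPTIONS example uses "Plugin sudoers_policy sudoers.so" for the same plugin; since the comment block says plugin_name must correspond to a global symbol in the plugin, only one of these names can be correct, and the two examples should be made consistent. The sudoers_uid, sudoers_gid and sudoers_mode entries say the options "override the default" owner, group and mode but not whether the sudoers file is still checked against those values; a sentence saying these are the expected values that the file must match would stop admins reading them as a way to relax the check. Minor: "Versions 1.8.4 and higher of the sudoers plugin supports" should be "support", and "redblack tree" should be "red-black tree".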
- _\b/_\be_\bt_\bc_\b/_\be_\bn_\bv_\bi_\br_\bo_\bn_\bm_\be_\bn_\bt Initial environment for -\b-i\bi mode on Linux and
- AIX
+ _\b/_\be_\bt_\bc_\b/_\be_\bn_\bv_\bi_\br_\bo_\bn_\bm_\be_\bn_\bt Initial environment for -\b-i\bi mode on AIX and
+ Linux systems
E\bEX\bXA\bAM\bMP\bPL\bLE\bES\bS
Below are example _\bs_\bu_\bd_\bo_\be_\br_\bs entries. Admittedly, some of these are a bit
encapsulating in a shell script.
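Review bot: the updated FILES entry describes /etc/environment as the "Initial environment for -i mode on AIX and Linux systems", but the body text above now restricts it to AIX and Linux systems without PAM; the FILES entry should carry the same qualification, e.g. "on AIX and Linux systems without PAM", so the two do not contradict each other.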
S\bSE\bEC\bCU\bUR\bRI\bIT\bTY\bY N\bNO\bOT\bTE\bES\bS
+ L\bLi\bim\bmi\bit\bta\bat\bti\bio\bon\bns\bs o\bof\bf t\bth\bhe\be '\b'!\b!'\b' o\bop\bpe\ber\bra\bat\bto\bor\br
It is generally not effective to "subtract" commands from ALL using the
'!' operator. A user can trivially circumvent this by copying the
desired command to a different name and then executing that. For
kind of restrictions should be considered advisory at best (and
reinforced by policy).
- Furthermore, if the _\bf_\ba_\bs_\bt_\b__\bg_\bl_\bo_\bb option is in use, it is not possible to
- reliably negate commands where the path name includes globbing (aka
- wildcard) characters. This is because the C library's _\bf_\bn_\bm_\ba_\bt_\bc_\bh(3)
- function cannot resolve relative paths. While this is typically only
- an inconvenience for rules that grant privileges, it can result in a
- security issue for rules that subtract or revoke privileges.
+ In general, if a user has sudo ALL there is nothing to prevent them
+ from creating their own program that gives them a root shell (or making
+ their own copy of a shell) regardless of any '!' elements in the user
+ specification.
+
+ S\bSe\bec\bcu\bur\bri\bit\bty\by i\bim\bmp\bpl\bli\bic\bca\bat\bti\bio\bon\bns\bs o\bof\bf _\bf_\ba_\bs_\bt_\b__\bg_\bl_\bo_\bb
+ If the _\bf_\ba_\bs_\bt_\b__\bg_\bl_\bo_\bb option is in use, it is not possible to reliably
+ negate commands where the path name includes globbing (aka wildcard)
+ characters. This is because the C library's _\bf_\bn_\bm_\ba_\bt_\bc_\bh(3) function cannot
+ resolve relative paths. While this is typically only an inconvenience
+ for rules that grant privileges, it can result in a security issue for
+ rules that subtract or revoke privileges.
For example, given the following _\bs_\bu_\bd_\bo_\be_\br_\bs entry:
User j\bjo\boh\bhn\bn can still run /usr/bin/passwd root if _\bf_\ba_\bs_\bt_\b__\bg_\bl_\bo_\bb is enabled by
changing to _\b/_\bu_\bs_\br_\b/_\bb_\bi_\bn and running ./passwd root instead.
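Review bot: in the new "Limitations of the '!' operator" subsection the moved paragraph ("In general, if a user has sudo ALL there is nothing to prevent them from creating their own program ...") restates the point already made two paragraphs earlier ("A user can trivially circumvent this by copying the desired command to a different name"). Suggest merging them into one paragraph that ends with the existing advice that such restrictions are advisory at best, so the subsection makes the point once and clearly.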
-P\bPR\bRE\bEV\bVE\bEN\bNT\bTI\bIN\bNG\bG S\bSH\bHE\bEL\bLL\bL E\bES\bSC\bCA\bAP\bPE\bES\bS
+ P\bPr\bre\bev\bve\ben\bnt\bti\bin\bng\bg S\bSh\bhe\bel\bll\bl E\bEs\bsc\bca\bap\bpe\bes\bs
Once s\bsu\bud\bdo\bo executes a program, that program is free to do whatever it
pleases, including run other programs. This can be a security issue
since it is not uncommon for a program to allow shell escapes, which
privilege escalation. In the specific case of an editor, a safer
approach is to give the user permission to run s\bsu\bud\bdo\boe\bed\bdi\bit\bt.
-D\bDE\bEB\bBU\bUG\bG F\bFL\bLA\bAG\bGS\bS
- Versions 1.8.4 and higher of the _\bs_\bu_\bd_\bo_\be_\br_\bs plugin supports a debugging
- framework that can help track down what the plugin is doing internally
- if there is a problem. This can be configured in the _\b/_\be_\bt_\bc_\b/_\bs_\bu_\bd_\bo_\b._\bc_\bo_\bn_\bf
- file as described in _\bs_\bu_\bd_\bo(1m).
-
- The _\bs_\bu_\bd_\bo_\be_\br_\bs plugin uses the same debug flag format as s\bsu\bud\bdo\bo itself:
- _\bs_\bu_\bb_\bs_\by_\bs_\bt_\be_\bm@_\bp_\br_\bi_\bo_\br_\bi_\bt_\by.
-
- The priorities used by _\bs_\bu_\bd_\bo_\be_\br_\bs, in order of decreasing severity, are:
- _\bc_\br_\bi_\bt, _\be_\br_\br, _\bw_\ba_\br_\bn, _\bn_\bo_\bt_\bi_\bc_\be, _\bd_\bi_\ba_\bg, _\bi_\bn_\bf_\bo, _\bt_\br_\ba_\bc_\be and _\bd_\be_\bb_\bu_\bg. Each priority,
- when specified, also includes all priorities higher than it. For
- example, a priority of _\bn_\bo_\bt_\bi_\bc_\be would include debug messages logged at
- _\bn_\bo_\bt_\bi_\bc_\be and higher.
-
- The following subsystems are used by _\bs_\bu_\bd_\bo_\be_\br_\bs:
-
- _\ba_\bl_\bi_\ba_\bs User_Alias, Runas_Alias, Host_Alias and Cmnd_Alias processing
-
- _\ba_\bl_\bl matches every subsystem
-
- _\ba_\bu_\bd_\bi_\bt BSM and Linux audit code
-
- _\ba_\bu_\bt_\bh user authentication
-
- _\bd_\be_\bf_\ba_\bu_\bl_\bt_\bs _\bs_\bu_\bd_\bo_\be_\br_\bs _\bD_\be_\bf_\ba_\bu_\bl_\bt_\bs settings
-
- _\be_\bn_\bv environment handling
-
- _\bl_\bd_\ba_\bp LDAP-based sudoers
-
- _\bl_\bo_\bg_\bg_\bi_\bn_\bg logging support
-
- _\bm_\ba_\bt_\bc_\bh matching of users, groups, hosts and netgroups in _\bs_\bu_\bd_\bo_\be_\br_\bs
-
- _\bn_\be_\bt_\bi_\bf network interface handling
-
- _\bn_\bs_\bs network service switch handling in _\bs_\bu_\bd_\bo_\be_\br_\bs
-
- _\bp_\ba_\br_\bs_\be_\br _\bs_\bu_\bd_\bo_\be_\br_\bs file parsing
-
- _\bp_\be_\br_\bm_\bs permission setting
-
- _\bp_\bl_\bu_\bg_\bi_\bn The equivalent of _\bm_\ba_\bi_\bn for the plugin.
-
- _\bp_\bt_\by pseudo-tty related code
-
- _\br_\bb_\bt_\br_\be_\be redblack tree internals
-
- _\bu_\bt_\bi_\bl utility functions
-
-S\bSE\bEC\bCU\bUR\bRI\bIT\bTY\bY N\bNO\bOT\bTE\bES\bS
+ T\bTi\bim\bme\be s\bst\bta\bam\bmp\bp f\bfi\bil\ble\be c\bch\bhe\bec\bck\bks\bs
_\bs_\bu_\bd_\bo_\be_\br_\bs will check the ownership of its time stamp directory
(_\b/_\bv_\ba_\br_\b/_\ba_\bd_\bm_\b/_\bs_\bu_\bd_\bo by default) and ignore the directory's contents if it is
not owned by root or if it is writable by a user other than root. On
Administrators should not rely on this feature as it is not universally
available.
- If users have sudo ALL there is nothing to prevent them from creating
- their own program that gives them a root shell (or making their own
- copy of a shell) regardless of any '!' elements in the user
- specification.
-
S\bSE\bEE\bE A\bAL\bLS\bSO\bO
_\br_\bs_\bh(1), _\bs_\bu(1), _\bf_\bn_\bm_\ba_\bt_\bc_\bh(3), _\bg_\bl_\bo_\bb(3), _\bm_\bk_\bt_\be_\bm_\bp(3), _\bs_\bt_\br_\bf_\bt_\bi_\bm_\be(3),
_\bs_\bu_\bd_\bo_\be_\br_\bs_\b._\bl_\bd_\ba_\bp(4), _\bs_\bu_\bd_\bo_\b__\bp_\bl_\bu_\bg_\bi_\bn(1m), _\bs_\bu_\bd_\bo(1m), _\bv_\bi_\bs_\bu_\bd_\bo(1m)
-1.8.4 February 5, 2012 SUDOERS(4)
+1.8.5 March 28, 2012 SUDOERS(4)