-Copyright (c) 1994-1996, 1998-2005, 2007-2009
+Copyright (c) 1994-1996, 1998-2005, 2007-2010
Todd C. Miller <Todd.Miller@courtesan.com>
Permission to use, copy, modify, and distribute this software for any
Agency (DARPA) and Air Force Research Laboratory, Air Force
Materiel Command, USAF, under agreement number F39502-99-1-0512.
-$Sudo: sudoers.pod,v 1.173 2009/06/30 12:41:09 millert Exp $
=pod
=head1 NAME
Cmnd_Alias ::= NAME '=' Cmnd_List
- NAME ::= [A-Z]([a-z][A-Z][0-9]_)*
+ NAME ::= [A-Z]([A-Z][0-9]_)*
Each I<alias> definition is of the form
=over 16
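Review bot: the corrected production on the `+ NAME ::=` line still has no alternation inside the group: `([A-Z][0-9]_)*` reads as zero or more repetitions of the three-character sequence letter, digit, underscore, so a name such as `FULLTIMERS` could not be derived from it. Dropping `[a-z]` is the right fix (alias names are upper case), but write the tail as `([A-Z]|[0-9]|_)*` or, simpler, `NAME ::= [A-Z][A-Z0-9_]*`.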
-=item mail_badpass
+=item always_set_home
If set, B<sudo> will set the C<HOME> environment variable to the home
directory of the target user (which is root unless the B<-u> option is used).
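Review bot: `-=item mail_badpass` is removed and only `+=item always_set_home` takes its place in this hunk, so unless mail_badpass is re-added elsewhere in the patch its entry silently disappears from the man page; if this is a reordering, the moved item should be visible in the same change. The new always_set_home text also ends without the "This flag is I<off> by default." sentence the other boolean entries on this page close with, and it should say whether the option has any effect when env_reset is already resetting the environment, since that is the first question a reader of this entry will have.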
option causes B<sudo> to use the L<fnmatch(3)> function, which does
not access the file system to do its matching. The disadvantage
of I<fast_glob> is that it is unable to match relative pathnames
-such as F<./ls> or F<../bin/ls>. This flag is I<off> by default.
+such as F<./ls> or F<../bin/ls>. This has security implications
+when path names that include globbing characters are used with the
+negation operator, C<'!'>, as such rules can be trivially bypassed.
+As such, this option should not be used when I<sudoers> contains rules
+that contain negated path names which include globbing characters.
+This flag is I<off> by default.
=item stay_setuid
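Review bot: the added sentences from `+such as F<./ls> or F<../bin/ls>. This has security implications` through `+that contain negated path names which include globbing characters.` say that such rules "can be trivially bypassed" but not how, which is what an administrator needs in order to audit an existing sudoers file; add a one-line pointer to the worked example in the SECURITY NOTES section (the user changes into the directory and runs the command by its relative name). The two sentences "This has security implications ..." and "As such, this option should not be used ..." also overlap; they read better merged into a single sentence stating the condition and the consequence.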
want to use this. Another use is if you want to have the "root path"
be separate from the "user path." Users in the group specified by the
I<exempt_group> option are not affected by I<secure_path>.
-This is not set by default.
+This option is @secure_path@ by default.
=item syslog
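Review bot: `@secure_path@` in `+This option is @secure_path@ by default.` is a configure-time substitution, so this only reads correctly if the man page is generated from the template and configure always supplies a value; when no secure path is compiled in, the substituted text needs to be the words "not set" (preserving the removed sentence "This is not set by default.") rather than an empty string, which would render as "This option is  by default."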
=item env_delete
-Not effective due to security issues: only variables listed in
-I<env_keep> or I<env_check> can be passed through B<sudo>!
-
Environment variables to be removed from the user's environment
when the I<env_reset> option is not in effect. The argument may
be a double-quoted, space-separated list or a single value without
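Review bot: removing the warning `-Not effective due to security issues: only variables listed in` / `-I<env_keep> or I<env_check> can be passed through B<sudo>!` is justified by the sentence that follows, which now scopes env_delete to the case where env_reset is not in effect, but the reader loses the explicit statement that the list is ignored otherwise; keep one short clause such as "This option has no effect when env_reset is enabled." so the consequence is stated rather than implied.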
=item env_keep
-Environment variables to be preserved in the user's environment.
-This allows fine-grained
+Environment variables to be preserved in the user's environment
+when the I<env_reset> option is in effect. This allows fine-grained
control over the environment B<sudo>-spawned processes will receive.
The argument may be a double-quoted, space-separated list or a
single value without double-quotes. The list can be replaced, added
Below are example I<sudoers> entries. Admittedly, some of
these are a bit contrived. First, we define our I<aliases>:
-Below are example I<sudoers> entries. Admittedly, some of
-these are a bit contrived. First, we allow a few environment
-variables to pass and then define our I<aliases>:
-
- # Run X applications through sudo; HOME is used to find .Xauthority file
- # Note that some programs may use HOME for other purposes too and
- # this may lead to privilege escalation!
- Defaults env_keep = "DISPLAY HOME"
-
# User alias specification
User_Alias FULLTIMERS = millert, mikef, dowdy
User_Alias PARTTIMERS = bostley, jwfox, crawl
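Review bot: dropping the block from `- # Run X applications through sudo; HOME is used to find .Xauthority file` to `- Defaults env_keep = "DISPLAY HOME"` removes the page's only example of env_keep along with the warning that programs may use HOME for other purposes and that this can lead to privilege escalation; since the env_keep entry above was just rewritten, keep one env_keep example (it can omit HOME if that is the concern) so the option remains illustrated. Also, the new introductory paragraph ("Below are example I<sudoers> entries ... First, we define our I<aliases>:") appears at the top of the hunk without `+` markers while the old paragraph is shown with `-`; verify the hunk applies as intended and does not leave both versions in place.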
program. Therefore, these kind of restrictions should be considered
advisory at best (and reinforced by policy).
+Furthermore, if the I<fast_glob> option is in use, it is not possible
+to reliably negate commands where the path name includes globbing
+(aka wildcard) characters. This is because the C library's
+L<fnmatch(3)> function cannot resolve relative paths. While this
+is typically only an inconvenience for rules that grant privileges,
+it can result in a security issue for rules that subtract or revoke
+privileges.
+
+For example, given the following I<sudoers> entry:
+
+ john ALL = /usr/bin/passwd [a-zA-Z0-9]*, /usr/bin/chsh [a-zA-Z0-9]*,
+ /usr/bin/chfn [a-zA-Z0-9]*, !/usr/bin/* root
+
+User B<john> can still run C</usr/bin/passwd root> if I<fast_glob> is
+enabled by changing to F</usr/bin> and running C<./passwd root> instead.
+
=head1 PREVENTING SHELL ESCAPES
Once B<sudo> executes a program, that program is free to do whatever
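Review bot: the worked example from `+ john ALL = /usr/bin/passwd [a-zA-Z0-9]*, ...` through `+enabled by changing to F</usr/bin> and running C<./passwd root> instead.` needs one sentence on why only the negated rule is bypassed: `/usr/bin/passwd` contains no wildcard, so it is still compared against the command the user actually runs via the file system, whereas `/usr/bin/*` is handed to fnmatch(3) as a pattern against the name the user typed, and `./passwd` does not begin with `/usr/bin/`. Without that explanation a reader may conclude the positive rules would fail in the same way. Two smaller points: the rule is wrapped across two lines without the trailing backslash that sudoers uses for line continuation, so either end the first line with `\` or state that it is a single logical line; and spell out "also known as" rather than "aka" in a man page.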