X-Git-Url: https://git.gag.com/?a=blobdiff_plain;f=sudo.cat;h=9f85ccdec747b050ea6f43d6fc900b9f3156a573;hb=4caa124853fc7152ada5797144498078861086c2;hp=fdca4d8aaa074c69969a06cca77fbc17384ab007;hpb=aa246b463dd1185e95c151b6f081e12033f577eb;p=debian%2Fsudo diff --git a/sudo.cat b/sudo.cat index fdca4d8..9f85ccd 100644 --- a/sudo.cat +++ b/sudo.cat 
@@ -8,60 +8,60 @@ NNAAMMEE sudo, sudoedit - execute a command as another user SSYYNNOOPPSSIISS - ssuuddoo --KK | --LL | --VV | --hh | --kk | --ll | --vv + ssuuddoo --hh | --KK | --kk | --LL | --VV - ssuuddoo [--HHPPSSbb] [--aa _a_u_t_h___t_y_p_e] [--cc _c_l_a_s_s|_-] [--pp _p_r_o_m_p_t] - [--uu _u_s_e_r_n_a_m_e|_#_u_i_d] {--ee file [...] | --ii | --ss | _c_o_m_m_a_n_d} + ssuuddoo --vv [--AAkknnSS] [--aa _a_u_t_h___t_y_p_e] [--gg _g_r_o_u_p _n_a_m_e|_#_g_i_d] [--pp _p_r_o_m_p_t] + [--uu _u_s_e_r_n_a_m_e|_#_u_i_d] - ssuuddooeeddiitt [--SS] [--aa _a_u_t_h___t_y_p_e] [--pp _p_r_o_m_p_t] [--uu _u_s_e_r_­ - _n_a_m_e|_#_u_i_d] file [...] + ssuuddoo --ll[[ll]] [--AAkknnSS] [--aa _a_u_t_h___t_y_p_e] [--gg _g_r_o_u_p _n_a_m_e|_#_g_i_d] [--pp _p_r_o_m_p_t] + [--UU _u_s_e_r _n_a_m_e] [--uu _u_s_e_r _n_a_m_e|_#_u_i_d] [_c_o_m_m_a_n_d] + + ssuuddoo [--AAbbEEHHnnPPSS] [--aa _a_u_t_h___t_y_p_e] [--CC _f_d] [--cc _c_l_a_s_s|_-] + [--gg _g_r_o_u_p _n_a_m_e|_#_g_i_d] [--pp _p_r_o_m_p_t] [--rr _r_o_l_e] [--tt _t_y_p_e] + [--uu _u_s_e_r _n_a_m_e|_#_u_i_d] [VVAARR=_v_a_l_u_e] [--ii | --ss] [_c_o_m_m_a_n_d] + + ssuuddooeeddiitt [--AAnnSS] [--aa _a_u_t_h___t_y_p_e] [--CC _f_d] [--cc _c_l_a_s_s|_-] + [--gg _g_r_o_u_p _n_a_m_e|_#_g_i_d] [--pp _p_r_o_m_p_t] [--uu _u_s_e_r _n_a_m_e|_#_u_i_d] file ... DDEESSCCRRIIPPTTIIOONN - ssuuddoo allows a permitted user to execute a _c_o_m_m_a_n_d as the - superuser or another user, as specified in the _s_u_d_o_e_r_s - file. The real and effective uid and gid are set to match - those of the target user as specified in the passwd file - and the group vector is initialized based on the group - file (unless the --PP option was specified). If the invok­ - ing user is root or if the target user is the same as the - invoking user, no password is required. Otherwise, ssuuddoo - requires that users authenticate themselves with a pass­ - word by default (NOTE: in the default configuration this - is the user's password, not the root password). 
Once a - user has been authenticated, a timestamp is updated and - the user may then use sudo without a password for a short - period of time (5 minutes unless overridden in _s_u_d_o_e_r_s). + ssuuddoo allows a permitted user to execute a _c_o_m_m_a_n_d as the superuser or + another user, as specified in the _s_u_d_o_e_r_s file. The real and effective + uid and gid are set to match those of the target user as specified in + the passwd file and the group vector is initialized based on the group + file (unless the --PP option was specified). If the invoking user is + root or if the target user is the same as the invoking user, no + password is required. Otherwise, ssuuddoo requires that users authenticate + themselves with a password by default (NOTE: in the default + configuration this is the user's password, not the root password). + Once a user has been authenticated, a time stamp is updated and the + user may then use sudo without a password for a short period of time (5 + minutes unless overridden in _s_u_d_o_e_r_s). - When invoked as ssuuddooeeddiitt, the --ee option (described below), - is implied. + When invoked as ssuuddooeeddiitt, the --ee option (described below), is implied. - ssuuddoo determines who is an authorized user by consulting - the file _/_e_t_c_/_s_u_d_o_e_r_s. By giving ssuuddoo the --vv flag a user - can update the time stamp without running a _c_o_m_m_a_n_d_. The - password prompt itself will also time out if the user's - password is not entered within 5 minutes (unless overrid­ - den via _s_u_d_o_e_r_s). + ssuuddoo determines who is an authorized user by consulting the file + _/_e_t_c_/_s_u_d_o_e_r_s. By running ssuuddoo with the --vv option, a user can update + the time stamp without running a _c_o_m_m_a_n_d. If a password is required, + ssuuddoo will exit if the user's password is not entered within a + configurable time limit. The default password prompt timeout is 5 + minutes. 
- If a user who is not listed in the _s_u_d_o_e_r_s file tries to - run a command via ssuuddoo, mail is sent to the proper author­ - ities, as defined at configure time or in the _s_u_d_o_e_r_s file - (defaults to root). Note that the mail will not be sent - if an unauthorized user tries to run sudo with the --ll or - --vv flags. This allows users to determine for themselves - whether or not they are allowed to use ssuuddoo. + If a user who is not listed in the _s_u_d_o_e_r_s file tries to run a command + via ssuuddoo, mail is sent to the proper authorities, as defined at + configure time or in the _s_u_d_o_e_r_s file (defaults to root). Note that + the mail will not be sent if an unauthorized user tries to run sudo + with the --ll or --vv option. This allows users to determine for + themselves whether or not they are allowed to use ssuuddoo. - If ssuuddoo is run by root and the SUDO_USER environment vari­ - able is set, ssuuddoo will use this value to determine who the - actual user is. This can be used by a user to log com­ - mands through sudo even when a root shell has been - invoked. It also allows the --ee flag to remain useful even - when being run via a sudo-run script or program. Note - however, that the sudoers lookup is still done for root, - not the user specified by SUDO_USER. + If ssuuddoo is run by root and the SUDO_USER environment variable is set, + ssuuddoo will use this value to determine who the actual user is. This can + be used by a user to log commands through sudo even when a root shell + has been invoked. It also allows the --ee option to remain useful even + when being run via a sudo-run script or program. Note however, that -1.6.8p9 June, 20 2005 1 +1.7.4 July 19, 2010 1 
@@ -70,64 +70,64 @@ DDEESSCCRRIIPPTTIIOONN SUDO(1m) MAINTENANCE COMMANDS SUDO(1m) - ssuuddoo can log both successful and unsuccessful attempts (as - well as errors) to _s_y_s_l_o_g(3), a log file, or both. By - default ssuuddoo will log via _s_y_s_l_o_g(3) but this is changeable - at configure time or via the _s_u_d_o_e_r_s file. + the sudoers lookup is still done for root, not the user specified by + SUDO_USER. + + ssuuddoo can log both successful and unsuccessful attempts (as well as + errors) to _s_y_s_l_o_g(3), a log file, or both. By default ssuuddoo will log + via _s_y_s_l_o_g(3) but this is changeable at configure time or via the + _s_u_d_o_e_r_s file. OOPPTTIIOONNSS ssuuddoo accepts the following command line options: - -H The --HH (_H_O_M_E) option sets the HOME environment vari­ - able to the homedir of the target user (root by - default) as specified in passwd(4). By default, ssuuddoo - does not modify HOME (see _s_e_t___h_o_m_e and _a_l_w_a_y_s___s_e_t___h_o_m_e - in sudoers(4)). - - -K The --KK (sure _k_i_l_l) option is like --kk except that it - removes the user's timestamp entirely. Like --kk, this - option does not require a password. - - -L The --LL (_l_i_s_t defaults) option will list out the param­ - eters that may be set in a _D_e_f_a_u_l_t_s line along with a - short description for each. This option is useful in - conjunction with _g_r_e_p(1). - - -P The --PP (_p_r_e_s_e_r_v_e _g_r_o_u_p _v_e_c_t_o_r) option causes ssuuddoo to - preserve the invoking user's group vector unaltered. - By default, ssuuddoo will initialize the group vector to - the list of groups the target user is in. The real - and effective group IDs, however, are still set to - match the target user. + -A Normally, if ssuuddoo requires a password, it will read it from + the current terminal. If the --AA (_a_s_k_p_a_s_s) option is + specified, a (possibly graphical) helper program is + executed to read the user's password and output the + password to the standard output. 
If the SUDO_ASKPASS + environment variable is set, it specifies the path to the + helper program. Otherwise, the value specified by the + _a_s_k_p_a_s_s option in _s_u_d_o_e_r_s(4) is used. - -S The --SS (_s_t_d_i_n) option causes ssuuddoo to read the password - from the standard input instead of the terminal - device. + -a _t_y_p_e The --aa (_a_u_t_h_e_n_t_i_c_a_t_i_o_n _t_y_p_e) option causes ssuuddoo to use the + specified authentication type when validating the user, as + allowed by _/_e_t_c_/_l_o_g_i_n_._c_o_n_f. The system administrator may + specify a list of sudo-specific authentication methods by + adding an "auth-sudo" entry in _/_e_t_c_/_l_o_g_i_n_._c_o_n_f. This + option is only available on systems that support BSD + authentication. - -V The --VV (_v_e_r_s_i_o_n) option causes ssuuddoo to print the ver­ - sion number and exit. If the invoking user is already - root the --VV option will print out a list of the - defaults ssuuddoo was compiled with as well as the - machine's local network addresses. + -b The --bb (_b_a_c_k_g_r_o_u_n_d) option tells ssuuddoo to run the given + command in the background. Note that if you use the --bb + option you cannot use shell job control to manipulate the + process. - -a The --aa (_a_u_t_h_e_n_t_i_c_a_t_i_o_n _t_y_p_e) option causes ssuuddoo to use - the specified authentication type when validating the - user, as allowed by /etc/login.conf. The system - administrator may specify a list of sudo-specific - authentication methods by adding an "auth-sudo" entry - in /etc/login.conf. This option is only available on - systems that support BSD authentication where ssuuddoo has - been configured with the --with-bsdauth option. + -C _f_d Normally, ssuuddoo will close all open file descriptors other + than standard input, standard output and standard error. + The --CC (_c_l_o_s_e _f_r_o_m) option allows the user to specify a + starting point above the standard error (file descriptor + three). 
Values less than three are not permitted. This + option is only available if the administrator has enabled + the _c_l_o_s_e_f_r_o_m___o_v_e_r_r_i_d_e option in _s_u_d_o_e_r_s(4). - -b The --bb (_b_a_c_k_g_r_o_u_n_d) option tells ssuuddoo to run the given - command in the background. Note that if you use the - --bb option you cannot use shell job control to manipu­ - late the process. + -c _c_l_a_s_s The --cc (_c_l_a_s_s) option causes ssuuddoo to run the specified + command with resources limited by the specified login + class. The _c_l_a_s_s argument can be either a class name as + defined in _/_e_t_c_/_l_o_g_i_n_._c_o_n_f, or a single '-' character. + Specifying a _c_l_a_s_s of - indicates that the command should + be run restricted by the default login capabilities for the + user the command is run as. If the _c_l_a_s_s argument + specifies an existing user class, the command must be run + as root, or the ssuuddoo command must be run from a shell that + is already root. This option is only available on systems + with BSD login classes. + -E The --EE (_p_r_e_s_e_r_v_e _e_n_v_i_r_o_n_m_e_n_t) option will override the -1.6.8p9 June, 20 2005 2 +1.7.4 July 19, 2010 2 
@@ -136,130 +136,130 @@ OOPPTTIIOONNSS SUDO(1m) MAINTENANCE COMMANDS SUDO(1m) - -c The --cc (_c_l_a_s_s) option causes ssuuddoo to run the specified - command with resources limited by the specified login - class. The _c_l_a_s_s argument can be either a class name - as defined in /etc/login.conf, or a single '-' charac­ - ter. Specifying a _c_l_a_s_s of - indicates that the com­ - mand should be run restricted by the default login - capabilities for the user the command is run as. If - the _c_l_a_s_s argument specifies an existing user class, - the command must be run as root, or the ssuuddoo command - must be run from a shell that is already root. This - option is only available on systems with BSD login - classes where ssuuddoo has been configured with the - --with-logincap option. + _e_n_v___r_e_s_e_t option in _s_u_d_o_e_r_s(4)). It is only available when + either the matching command has the SETENV tag or the + _s_e_t_e_n_v option is set in _s_u_d_o_e_r_s(4). - -e The --ee (_e_d_i_t) option indicates that, instead of run­ - ning a command, the user wishes to edit one or more - files. In lieu of a command, the string "sudoedit" is - used when consulting the _s_u_d_o_e_r_s file. If the user is - authorized by _s_u_d_o_e_r_s the following steps are taken: + -e The --ee (_e_d_i_t) option indicates that, instead of running a + command, the user wishes to edit one or more files. In + lieu of a command, the string "sudoedit" is used when + consulting the _s_u_d_o_e_r_s file. If the user is authorized by + _s_u_d_o_e_r_s the following steps are taken: - 1. Temporary copies are made of the files to be - edited with the owner set to the invoking - user. + 1. Temporary copies are made of the files to be edited + with the owner set to the invoking user. - 2. The editor specified by the VISUAL or EDITOR - environment variables is run to edit the tem­ - porary files. 
If neither VISUAL nor EDITOR - are set, the program listed in the _e_d_i_t_o_r - _s_u_d_o_e_r_s variable is used. + 2. The editor specified by the SUDO_EDITOR, VISUAL or + EDITOR environment variables is run to edit the + temporary files. If none of SUDO_EDITOR, VISUAL or + EDITOR are set, the first program listed in the _e_d_i_t_o_r + _s_u_d_o_e_r_s variable is used. - 3. If they have been modified, the temporary - files are copied back to their original loca­ - tion and the temporary versions are removed. + 3. If they have been modified, the temporary files are + copied back to their original location and the + temporary versions are removed. - If the specified file does not exist, it will be cre­ - ated. Note that unlike most commands run by ssuuddoo, the - editor is run with the invoking user's environment - unmodified. If, for some reason, ssuuddoo is unable to - update a file with its edited version, the user will - receive a warning and the edited copy will remain in a - temporary file. + If the specified file does not exist, it will be created. + Note that unlike most commands run by ssuuddoo, the editor is + run with the invoking user's environment unmodified. If, + for some reason, ssuuddoo is unable to update a file with its + edited version, the user will receive a warning and the + edited copy will remain in a temporary file. - -h The --hh (_h_e_l_p) option causes ssuuddoo to print a usage mes­ - sage and exit. + -g _g_r_o_u_p Normally, ssuuddoo sets the primary group to the one specified + by the passwd database for the user the command is being + run as (by default, root). The --gg (_g_r_o_u_p) option causes + ssuuddoo to run the specified command with the primary group + set to _g_r_o_u_p. To specify a _g_i_d instead of a _g_r_o_u_p _n_a_m_e, + use _#_g_i_d. When running commands as a _g_i_d, many shells + require that the '#' be escaped with a backslash ('\'). 
If + no --uu option is specified, the command will be run as the + invoking user (not root). In either case, the primary + group will be set to _g_r_o_u_p. - -i The --ii (_s_i_m_u_l_a_t_e _i_n_i_t_i_a_l _l_o_g_i_n) option runs the shell - specified in the passwd(4) entry of the user that the - command is being run as. The command name argument - given to the shell begins with a - to tell the shell - to run as a login shell. ssuuddoo attempts to change to - that user's home directory before running the shell. - It also initializes the environment, leaving _T_E_R_M - unchanged, setting _H_O_M_E, _S_H_E_L_L, _U_S_E_R, _L_O_G_N_A_M_E, and - _P_A_T_H, and unsetting all other environment variables. + -H The --HH (_H_O_M_E) option sets the HOME environment variable to + the homedir of the target user (root by default) as + specified in _p_a_s_s_w_d(4). The default handling of the HOME + environment variable depends on _s_u_d_o_e_r_s(4) settings. By + default, ssuuddoo will set HOME if _e_n_v___r_e_s_e_t or _a_l_w_a_y_s___s_e_t___h_o_m_e + are set, or if _s_e_t___h_o_m_e is set and the --ss option is + specified on the command line. + -h The --hh (_h_e_l_p) option causes ssuuddoo to print a usage message + and exit. + -i [command] + The --ii (_s_i_m_u_l_a_t_e _i_n_i_t_i_a_l _l_o_g_i_n) option runs the shell -1.6.8p9 June, 20 2005 3 +1.7.4 July 19, 2010 3 -SUDO(1m) MAINTENANCE COMMANDS SUDO(1m) - - - Note that because the shell to use is determined - before the _s_u_d_o_e_r_s file is parsed, a _r_u_n_a_s___d_e_f_a_u_l_t - setting in _s_u_d_o_e_r_s will specify the user to run the - shell as but will not affect which shell is actually - run. - -k The --kk (_k_i_l_l) option to ssuuddoo invalidates the user's - timestamp by setting the time on it to the epoch. The - next time ssuuddoo is run a password will be required. - This option does not require a password and was added - to allow a user to revoke ssuuddoo permissions from a - .logout file. 
- -l The --ll (_l_i_s_t) option will list out the allowed (and - forbidden) commands for the user on the current host. - - -p The --pp (_p_r_o_m_p_t) option allows you to override the - default password prompt and use a custom one. The - following percent (`%') escapes are supported: +SUDO(1m) MAINTENANCE COMMANDS SUDO(1m) - %u expanded to the invoking user's login name - %U expanded to the login name of the user the - command will be run as (defaults to root) + specified in the _p_a_s_s_w_d(4) entry of the target user as a + login shell. This means that login-specific resource files + such as .profile or .login will be read by the shell. If a + command is specified, it is passed to the shell for + execution. Otherwise, an interactive shell is executed. + ssuuddoo attempts to change to that user's home directory + before running the shell. It also initializes the + environment, leaving _D_I_S_P_L_A_Y and _T_E_R_M unchanged, setting + _H_O_M_E, _M_A_I_L, _S_H_E_L_L, _U_S_E_R, _L_O_G_N_A_M_E, and _P_A_T_H, as well as the + contents of _/_e_t_c_/_e_n_v_i_r_o_n_m_e_n_t on Linux and AIX systems. All + other environment variables are removed. - %h expanded to the local hostname without the - domain name + -K The --KK (sure _k_i_l_l) option is like --kk except that it removes + the user's time stamp entirely and may not be used in + conjunction with a command or other option. This option + does not require a password. - %H expanded to the local hostname including the - domain name (on if the machine's hostname is - fully qualified or the _f_q_d_n sudoers option is - set) + -k When used by itself, the --kk (_k_i_l_l) option to ssuuddoo + invalidates the user's time stamp by setting the time on it + to the Epoch. The next time ssuuddoo is run a password will be + required. This option does not require a password and was + added to allow a user to revoke ssuuddoo permissions from a + .logout file. 
- %% two consecutive % characters are collapsed - into a single % character + When used in conjunction with a command or an option that + may require a password, the --kk option will cause ssuuddoo to + ignore the user's time stamp file. As a result, ssuuddoo will + prompt for a password (if one is required by _s_u_d_o_e_r_s) and + will not update the user's time stamp file. - -s The --ss (_s_h_e_l_l) option runs the shell specified by the - _S_H_E_L_L environment variable if it is set or the shell - as specified in passwd(4). + -L The --LL (_l_i_s_t defaults) option will list the parameters that + may be set in a _D_e_f_a_u_l_t_s line along with a short + description for each. This option will be removed from a + future version of ssuuddoo. - -u The --uu (_u_s_e_r) option causes ssuuddoo to run the specified - command as a user other than _r_o_o_t. To specify a _u_i_d - instead of a _u_s_e_r_n_a_m_e, use _#_u_i_d. Note that if the - _t_a_r_g_e_t_p_w Defaults option is set (see sudoers(4)) it is - not possible to run commands with a uid not listed in - the password database. + -l[l] [_c_o_m_m_a_n_d] + If no _c_o_m_m_a_n_d is specified, the --ll (_l_i_s_t) option will list + the allowed (and forbidden) commands for the invoking user + (or the user specified by the --UU option) on the current + host. If a _c_o_m_m_a_n_d is specified and is permitted by + _s_u_d_o_e_r_s, the fully-qualified path to the command is + displayed along with any command line arguments. If + _c_o_m_m_a_n_d is specified but not allowed, ssuuddoo will exit with a + status value of 1. If the --ll option is specified with an ll + argument (i.e. --llll), or if --ll is specified multiple times, + a longer list format is used. - -v If given the --vv (_v_a_l_i_d_a_t_e) option, ssuuddoo will update - the user's timestamp, prompting for the user's pass­ - word if necessary. 
This extends the ssuuddoo timeout for - another 5 minutes (or whatever the timeout is set to - in _s_u_d_o_e_r_s) but does not run a command. + -n The --nn (_n_o_n_-_i_n_t_e_r_a_c_t_i_v_e) option prevents ssuuddoo from + prompting the user for a password. If a password is + required for the command to run, ssuuddoo will display an error + messages and exit. - -- The ---- flag indicates that ssuuddoo should stop processing + -P The --PP (_p_r_e_s_e_r_v_e _g_r_o_u_p _v_e_c_t_o_r) option causes ssuuddoo to + preserve the invoking user's group vector unaltered. By -1.6.8p9 June, 20 2005 4 +1.7.4 July 19, 2010 4 
@@ -268,130 +268,64 @@ SUDO(1m) MAINTENANCE COMMANDS SUDO(1m) SUDO(1m) MAINTENANCE COMMANDS SUDO(1m) - command line arguments. It is most useful in conjunc­ - tion with the --ss flag. + default, ssuuddoo will initialize the group vector to the list + of groups the target user is in. The real and effective + group IDs, however, are still set to match the target user. -RREETTUURRNN VVAALLUUEESS - Upon successful execution of a program, the return value - from ssuuddoo will simply be the return value of the program - that was executed. - - Otherwise, ssuuddoo quits with an exit value of 1 if there is - a configuration/permission problem or if ssuuddoo cannot exe­ - cute the given command. In the latter case the error - string is printed to stderr. If ssuuddoo cannot _s_t_a_t(2) one - or more entries in the user's PATH an error is printed on - stderr. (If the directory does not exist or if it is not - really a directory, the entry is ignored and no error is - printed.) This should not happen under normal circum­ - stances. The most common reason for _s_t_a_t(2) to return - "permission denied" is if you are running an automounter - and one of the directories in your PATH is on a machine - that is currently unreachable. - -SSEECCUURRIITTYY NNOOTTEESS - ssuuddoo tries to be safe when executing external commands. - Variables that control how dynamic loading and binding is - done can be used to subvert the program that ssuuddoo runs. - To combat this the LD_*, _RLD_*, SHLIB_PATH (HP-UX only), - and LIBPATH (AIX only) environment variables are removed - from the environment passed on to all commands executed. - ssuuddoo will also remove the IFS, CDPATH, ENV, BASH_ENV, - KRB_CONF, KRBCONFDIR, KRBTKFILE, KRB5_CONFIG, LOCALDOMAIN, - RES_OPTIONS, HOSTALIASES, NLSPATH, PATH_LOCALE, TERMINFO, - TERMINFO_DIRS and TERMPATH variables as they too can pose - a threat. If the TERMCAP variable is set and is a path­ - name, it too is ignored. 
Additionally, if the LC_* or - LANGUAGE variables contain the / or % characters, they are - ignored. Environment variables with a value beginning - with () are also removed as they could be interpreted as - bbaasshh functions. If ssuuddoo has been compiled with SecurID - support, the VAR_ACE, USR_ACE and DLC_ACE variables are - cleared as well. The list of environment variables that - ssuuddoo clears is contained in the output of sudo -V when run - as root. + -p _p_r_o_m_p_t The --pp (_p_r_o_m_p_t) option allows you to override the default + password prompt and use a custom one. The following + percent (`%') escapes are supported: - To prevent command spoofing, ssuuddoo checks "." and "" (both - denoting current directory) last when searching for a com­ - mand in the user's PATH (if one or both are in the PATH). - Note, however, that the actual PATH environment variable - is _n_o_t modified and is passed unchanged to the program - that ssuuddoo executes. + %H expanded to the local host name including the domain + name (on if the machine's host name is fully qualified + or the _f_q_d_n _s_u_d_o_e_r_s option is set) - For security reasons, if your OS supports shared libraries - and does not disable user-defined library search paths for - setuid programs (most do), you should either use a linker - option that disables this behavior or link ssuuddoo + %h expanded to the local host name without the domain name + %p expanded to the user whose password is being asked for + (respects the _r_o_o_t_p_w, _t_a_r_g_e_t_p_w and _r_u_n_a_s_p_w flags in + _s_u_d_o_e_r_s) + %U expanded to the login name of the user the command will + be run as (defaults to root) -1.6.8p9 June, 20 2005 5 + %u expanded to the invoking user's login name + %% two consecutive % characters are collapsed into a + single % character + The prompt specified by the --pp option will override the + system password prompt on systems that support PAM unless + the _p_a_s_s_p_r_o_m_p_t___o_v_e_r_r_i_d_e flag is 
disabled in _s_u_d_o_e_r_s. + -r _r_o_l_e The --rr (_r_o_l_e) option causes the new (SELinux) security + context to have the role specified by _r_o_l_e. + -S The --SS (_s_t_d_i_n) option causes ssuuddoo to read the password from + the standard input instead of the terminal device. The + password must be followed by a newline character. -SUDO(1m) MAINTENANCE COMMANDS SUDO(1m) - + -s [command] + The --ss (_s_h_e_l_l) option runs the shell specified by the _S_H_E_L_L + environment variable if it is set or the shell as specified + in _p_a_s_s_w_d(4). If a command is specified, it is passed to + the shell for execution. Otherwise, an interactive shell + is executed. - statically. - - ssuuddoo will check the ownership of its timestamp directory - (_/_v_a_r_/_r_u_n_/_s_u_d_o by default) and ignore the directory's con­ - tents if it is not owned by root and only writable by - root. On systems that allow non-root users to give away - files via _c_h_o_w_n(2), if the timestamp directory is located - in a directory writable by anyone (e.g.: _/_t_m_p), it is pos­ - sible for a user to create the timestamp directory before - ssuuddoo is run. However, because ssuuddoo checks the ownership - and mode of the directory and its contents, the only dam­ - age that can be done is to "hide" files by putting them in - the timestamp dir. This is unlikely to happen since once - the timestamp dir is owned by root and inaccessible by any - other user the user placing files there would be unable to - get them back out. To get around this issue you can use a - directory that is not world-writable for the timestamps - (_/_v_a_r_/_a_d_m_/_s_u_d_o for instance) or create _/_v_a_r_/_r_u_n_/_s_u_d_o with - the appropriate owner (root) and permissions (0700) in the - system startup files. - - ssuuddoo will not honor timestamps set far in the future. - Timestamps with a date greater than current_time + 2 * - TIMEOUT will be ignored and sudo will log and complain. 
- This is done to keep a user from creating his/her own - timestamp with a bogus date on systems that allow users to - give away files. + -t _t_y_p_e The --tt (_t_y_p_e) option causes the new (SELinux) security + context to have the type specified by _t_y_p_e. If no type is + specified, the default type is derived from the specified + role. - Please note that ssuuddoo will only log the command it explic­ - itly runs. If a user runs a command such as sudo su or - sudo sh, subsequent commands run from that shell will _n_o_t - be logged, nor will ssuuddoo's access control affect them. - The same is true for commands that offer shell escapes - (including most editors). Because of this, care must be - taken when giving users access to commands via ssuuddoo to - verify that the command does not inadvertently give the - user an effective root shell. + -U _u_s_e_r The --UU (_o_t_h_e_r _u_s_e_r) option is used in conjunction with the + --ll option to specify the user whose privileges should be + listed. Only root or a user with ssuuddoo ALL on the current + host may use this option. -EENNVVIIRROONNMMEENNTT - ssuuddoo utilizes the following environment variables: - EDITOR Default editor to use in -e (sudoedit) mode if - VISUAL is not set - HOME In -s or -H mode (or if sudo was configured with - the --enable-shell-sets-home option), set to - homedir of the target user - PATH Set to a sane value if sudo was configured with - the --with-secure-path option - - SHELL Used to determine shell to run with -s option - - SUDO_PROMPT Used as the default password prompt - - - -1.6.8p9 June, 20 2005 6 +1.7.4 July 19, 2010 5 
@@ -400,64 +334,130 @@ EENNVVIIRROONNMMEENNTT SUDO(1m) MAINTENANCE COMMANDS SUDO(1m) - SUDO_COMMAND Set to the command run by sudo - - SUDO_USER Set to the login of the user who invoked sudo - - SUDO_UID Set to the uid of the user who invoked sudo - - SUDO_GID Set to the gid of the user who invoked sudo - - SUDO_PS1 If set, PS1 will be set to its value - - USER Set to the target user (root unless the -u option - is specified) + -u _u_s_e_r The --uu (_u_s_e_r) option causes ssuuddoo to run the specified + command as a user other than _r_o_o_t. To specify a _u_i_d + instead of a _u_s_e_r _n_a_m_e, use _#_u_i_d. When running commands as + a _u_i_d, many shells require that the '#' be escaped with a + backslash ('\'). Note that if the _t_a_r_g_e_t_p_w Defaults option + is set (see _s_u_d_o_e_r_s(4)) it is not possible to run commands + with a uid not listed in the password database. + + -V The --VV (_v_e_r_s_i_o_n) option causes ssuuddoo to print the version + number and exit. If the invoking user is already root the + --VV option will print out a list of the defaults ssuuddoo was + compiled with as well as the machine's local network + addresses. + + -v If given the --vv (_v_a_l_i_d_a_t_e) option, ssuuddoo will update the + user's time stamp, prompting for the user's password if + necessary. This extends the ssuuddoo timeout for another 5 + minutes (or whatever the timeout is set to in _s_u_d_o_e_r_s) but + does not run a command. + + -- The ---- option indicates that ssuuddoo should stop processing + command line arguments. + + Environment variables to be set for the command may also be passed on + the command line in the form of VVAARR=_v_a_l_u_e, e.g. + LLDD__LLIIBBRRAARRYY__PPAATTHH=_/_u_s_r_/_l_o_c_a_l_/_p_k_g_/_l_i_b. Variables passed on the command + line are subject to the same restrictions as normal environment + variables with one important exception. 
If the _s_e_t_e_n_v option is set in + _s_u_d_o_e_r_s, the command to be run has the SETENV tag set or the command + matched is ALL, the user may set variables that would overwise be + forbidden. See _s_u_d_o_e_r_s(4) for more information. - VISUAL Default editor to use in -e (sudoedit) mode - -FFIILLEESS - /etc/sudoers List of who can run what - /var/run/sudo Directory containing timestamps +RREETTUURRNN VVAALLUUEESS + Upon successful execution of a program, the exit status from ssuuddoo will + simply be the exit status of the program that was executed. + + Otherwise, ssuuddoo quits with an exit value of 1 if there is a + configuration/permission problem or if ssuuddoo cannot execute the given + command. In the latter case the error string is printed to stderr. If + ssuuddoo cannot _s_t_a_t(2) one or more entries in the user's PATH an error is + printed on stderr. (If the directory does not exist or if it is not + really a directory, the entry is ignored and no error is printed.) + This should not happen under normal circumstances. The most common + reason for _s_t_a_t(2) to return "permission denied" is if you are running + an automounter and one of the directories in your PATH is on a machine + that is currently unreachable. -EEXXAAMMPPLLEESS - Note: the following examples assume suitable sudoers(4) - entries. +SSEECCUURRIITTYY NNOOTTEESS + ssuuddoo tries to be safe when executing external commands. - To get a file listing of an unreadable directory: + There are two distinct ways to deal with environment variables. By + default, the _e_n_v___r_e_s_e_t _s_u_d_o_e_r_s option is enabled. 
This causes commands + to be executed with a minimal environment containing TERM, PATH, HOME, + SHELL, LOGNAME, USER and USERNAME in addition to variables from the - $ sudo ls /usr/local/protected - To list the home directory of user yazza on a machine - where the file system holding ~yazza is not exported as - root: - $ sudo -u yazza ls ~yazza +1.7.4 July 19, 2010 6 - To edit the _i_n_d_e_x_._h_t_m_l file as user www: - $ sudo -u www vi ~www/htdocs/index.html - To shutdown a machine: - $ sudo shutdown -r +15 "quick reboot" - To make a usage listing of the directories in the /home - partition. Note that this runs the commands in a sub- - shell to make the cd and file redirection work. +SUDO(1m) MAINTENANCE COMMANDS SUDO(1m) - $ sudo sh -c "cd /home ; du -s * | sort -rn > USAGE" -SSEEEE AALLSSOO - _g_r_e_p(1), _s_u(1), _s_t_a_t(2), _l_o_g_i_n___c_a_p(3), sudoers(4), - passwd(4), visudo(1m) + invoking process permitted by the _e_n_v___c_h_e_c_k and _e_n_v___k_e_e_p _s_u_d_o_e_r_s + options. There is effectively a whitelist for environment variables. + + If, however, the _e_n_v___r_e_s_e_t option is disabled in _s_u_d_o_e_r_s, any variables + not explicitly denied by the _e_n_v___c_h_e_c_k and _e_n_v___d_e_l_e_t_e options are + inherited from the invoking process. In this case, _e_n_v___c_h_e_c_k and + _e_n_v___d_e_l_e_t_e behave like a blacklist. Since it is not possible to + blacklist all potentially dangerous environment variables, use of the + default _e_n_v___r_e_s_e_t behavior is encouraged. + + In all cases, environment variables with a value beginning with () are + removed as they could be interpreted as bbaasshh functions. The list of + environment variables that ssuuddoo allows or denies is contained in the + output of sudo -V when run as root. + + Note that the dynamic linker on most operating systems will remove + variables that can control dynamic linking from the environment of + setuid executables, including ssuuddoo. 
Depending on the operating system + this may include _RLD*, DYLD_*, LD_*, LDR_*, LIBPATH, SHLIB_PATH, and + others. These type of variables are removed from the environment + before ssuuddoo even begins execution and, as such, it is not possible for + ssuuddoo to preserve them. + + To prevent command spoofing, ssuuddoo checks "." and "" (both denoting + current directory) last when searching for a command in the user's PATH + (if one or both are in the PATH). Note, however, that the actual PATH + environment variable is _n_o_t modified and is passed unchanged to the + program that ssuuddoo executes. + + ssuuddoo will check the ownership of its time stamp directory + (_/_v_a_r_/_a_d_m_/_s_u_d_o by default) and ignore the directory's contents if it is + not owned by root or if it is writable by a user other than root. On + systems that allow non-root users to give away files via _c_h_o_w_n(2), if + the time stamp directory is located in a directory writable by anyone + (e.g., _/_t_m_p), it is possible for a user to create the time stamp + directory before ssuuddoo is run. However, because ssuuddoo checks the + ownership and mode of the directory and its contents, the only damage + that can be done is to "hide" files by putting them in the time stamp + dir. This is unlikely to happen since once the time stamp dir is owned + by root and inaccessible by any other user, the user placing files + there would be unable to get them back out. To get around this issue + you can use a directory that is not world-writable for the time stamps + (_/_v_a_r_/_a_d_m_/_s_u_d_o for instance) or create _/_v_a_r_/_a_d_m_/_s_u_d_o with the + appropriate owner (root) and permissions (0700) in the system startup + files. + + ssuuddoo will not honor time stamps set far in the future. Timestamps with + a date greater than current_time + 2 * TIMEOUT will be ignored and sudo + will log and complain. 
This is done to keep a user from creating + his/her own time stamp with a bogus date on systems that allow users to + give away files. -AAUUTTHHOORRSS - Many people have worked on ssuuddoo over the years; this ver­ - sion consists of code written primarily by: + On systems where the boot time is available, ssuuddoo will also not honor + time stamps from before the machine booted. -1.6.8p9 June, 20 2005 7 +1.7.4 July 19, 2010 7 
@@ -466,64 +466,64 @@ AAUUTTHHOORRSS SUDO(1m) MAINTENANCE COMMANDS SUDO(1m) - Todd Miller - Chris Jepeway + Since time stamp files live in the file system, they can outlive a + user's login session. As a result, a user may be able to login, run a + command with ssuuddoo after authenticating, logout, login again, and run + ssuuddoo without authenticating so long as the time stamp file's + modification time is within 5 minutes (or whatever the timeout is set + to in _s_u_d_o_e_r_s). When the _t_t_y___t_i_c_k_e_t_s option is enabled in _s_u_d_o_e_r_s, the + time stamp has per-tty granularity but still may outlive the user's + session. On Linux systems where the devpts filesystem is used, Solaris + systems with the devices filesystem, as well as other systems that + utilize a devfs filesystem that monotonically increase the inode number + of devices as they are created (such as Mac OS X), ssuuddoo is able to + determine when a tty-based time stamp file is stale and will ignore it. + Administrators should not rely on this feature as it is not universally + available. + + Please note that ssuuddoo will normally only log the command it explicitly + runs. If a user runs a command such as sudo su or sudo sh, subsequent + commands run from that shell will _n_o_t be logged, nor will ssuuddoo's access + control affect them. The same is true for commands that offer shell + escapes (including most editors). Because of this, care must be taken + when giving users access to commands via ssuuddoo to verify that the + command does not inadvertently give the user an effective root shell. + For more information, please see the PREVENTING SHELL ESCAPES section + in _s_u_d_o_e_r_s(4). - See the HISTORY file in the ssuuddoo distribution or visit - http://www.sudo.ws/sudo/history.html for a short history - of ssuuddoo. 
+EENNVVIIRROONNMMEENNTT + ssuuddoo utilizes the following environment variables: -CCAAVVEEAATTSS - There is no easy way to prevent a user from gaining a root - shell if that user is allowed to run arbitrary commands - via ssuuddoo. Also, many programs (such as editors) allow the - user to run commands via shell escapes, thus avoiding - ssuuddoo's checks. However, on most systems it is possible to - prevent shell escapes with ssuuddoo's _n_o_e_x_e_c functionality. - See the sudoers(4) manual for details. + EDITOR Default editor to use in --ee (sudoedit) mode if neither + SUDO_EDITOR nor VISUAL is set - It is not meaningful to run the cd command directly via - sudo, e.g. + MAIL In --ii mode or when _e_n_v___r_e_s_e_t is enabled in _s_u_d_o_e_r_s, set + to the mail spool of the target user - $ sudo cd /usr/local/protected + HOME Set to the home directory of the target user if --ii or + --HH are specified, _e_n_v___r_e_s_e_t or _a_l_w_a_y_s___s_e_t___h_o_m_e are set + in _s_u_d_o_e_r_s, or when the --ss option is specified and + _s_e_t___h_o_m_e is set in _s_u_d_o_e_r_s - since when whe command exits the parent process (your - shell) will still be the same. Please see the EXAMPLES - section for more information. + PATH Set to a sane value if the _s_e_c_u_r_e___p_a_t_h sudoers option + is set. - If users have sudo ALL there is nothing to prevent them - from creating their own program that gives them a root - shell regardless of any '!' elements in the user specifi­ - cation. + SHELL Used to determine shell to run with -s option - Running shell scripts via ssuuddoo can expose the same kernel - bugs that make setuid shell scripts unsafe on some operat­ - ing systems (if your OS has a /dev/fd/ directory, setuid - shell scripts are generally safe). + SUDO_ASKPASS Specifies the path to a helper program used to read the + password if no terminal is available or if the -A + option is specified. 
-BBUUGGSS - If you feel you have found a bug in ssuuddoo, please submit a - bug report at http://www.sudo.ws/sudo/bugs/ + SUDO_COMMAND Set to the command run by sudo -SSUUPPPPOORRTT - Commercial support is available for ssuuddoo, see - http://www.sudo.ws/sudo/support.html for details. + SUDO_EDITOR Default editor to use in --ee (sudoedit) mode - Limited free support is available via the sudo-users mail­ - ing list, see http://www.sudo.ws/mail­ - man/listinfo/sudo-users to subscribe or search the - archives. + SUDO_GID Set to the group ID of the user who invoked sudo -DDIISSCCLLAAIIMMEERR - SSuuddoo is provided ``AS IS'' and any express or implied war­ - ranties, including, but not limited to, the implied war­ - ranties of merchantability and fitness for a particular - purpose are disclaimed. See the LICENSE file distributed - with ssuuddoo or http://www.sudo.ws/sudo/license.html for -1.6.8p9 June, 20 2005 8 +1.7.4 July 19, 2010 8 
@@ -532,63 +532,129 @@ DDIISSCCLLAAIIMMEERR SUDO(1m) MAINTENANCE COMMANDS SUDO(1m) - complete details. - - - - - - - + SUDO_PROMPT Used as the default password prompt + SUDO_PS1 If set, PS1 will be set to its value for the program + being run + SUDO_UID Set to the user ID of the user who invoked sudo + SUDO_USER Set to the login of the user who invoked sudo + USER Set to the target user (root unless the --uu option is + specified) + VISUAL Default editor to use in --ee (sudoedit) mode if + SUDO_EDITOR is not set +FFIILLEESS + _/_e_t_c_/_s_u_d_o_e_r_s List of who can run what + _/_v_a_r_/_a_d_m_/_s_u_d_o Directory containing time stamps + _/_e_t_c_/_e_n_v_i_r_o_n_m_e_n_t Initial environment for --ii mode on Linux and + AIX +EEXXAAMMPPLLEESS + Note: the following examples assume suitable _s_u_d_o_e_r_s(4) entries. + To get a file listing of an unreadable directory: + $ sudo ls /usr/local/protected + To list the home directory of user yaz on a machine where the file + system holding ~yaz is not exported as root: + $ sudo -u yaz ls ~yaz + To edit the _i_n_d_e_x_._h_t_m_l file as user www: + $ sudo -u www vi ~www/htdocs/index.html + To view system logs only accessible to root and users in the adm group: + $ sudo -g adm view /var/log/syslog + To run an editor as jim with a different primary group: + $ sudo -u jim -g audio vi ~jim/sound.txt + To shutdown a machine: + $ sudo shutdown -r +15 "quick reboot" + To make a usage listing of the directories in the /home partition. + Note that this runs the commands in a sub-shell to make the cd and file + redirection work. +1.7.4 July 19, 2010 9 +SUDO(1m) MAINTENANCE COMMANDS SUDO(1m) + $ sudo sh -c "cd /home ; du -s * | sort -rn > USAGE" +SSEEEE AALLSSOO + _g_r_e_p(1), _s_u(1), _s_t_a_t(2), _l_o_g_i_n___c_a_p(3), _p_a_s_s_w_d(4), _s_u_d_o_e_r_s(5), + _v_i_s_u_d_o(1m) +AAUUTTHHOORRSS + Many people have worked on ssuuddoo over the years; this version consists + of code written primarily by: + Todd C. 
Miller + See the HISTORY file in the ssuuddoo distribution or visit + http://www.sudo.ws/sudo/history.html for a short history of ssuuddoo. +CCAAVVEEAATTSS + There is no easy way to prevent a user from gaining a root shell if + that user is allowed to run arbitrary commands via ssuuddoo. Also, many + programs (such as editors) allow the user to run commands via shell + escapes, thus avoiding ssuuddoo's checks. However, on most systems it is + possible to prevent shell escapes with ssuuddoo's _n_o_e_x_e_c functionality. + See the _s_u_d_o_e_r_s(4) manual for details. + It is not meaningful to run the cd command directly via sudo, e.g., + $ sudo cd /usr/local/protected + since when the command exits the parent process (your shell) will still + be the same. Please see the EXAMPLES section for more information. + If users have sudo ALL there is nothing to prevent them from creating + their own program that gives them a root shell regardless of any '!' + elements in the user specification. + Running shell scripts via ssuuddoo can expose the same kernel bugs that + make setuid shell scripts unsafe on some operating systems (if your OS + has a /dev/fd/ directory, setuid shell scripts are generally safe). +BBUUGGSS + If you feel you have found a bug in ssuuddoo, please submit a bug report at + http://www.sudo.ws/sudo/bugs/ +SSUUPPPPOORRTT + Limited free support is available via the sudo-users mailing list, see + http://www.sudo.ws/mailman/listinfo/sudo-users to subscribe or search + the archives. +DDIISSCCLLAAIIMMEERR + ssuuddoo is provided ``AS IS'' and any express or implied warranties, + including, but not limited to, the implied warranties of + merchantability and fitness for a particular purpose are disclaimed. + See the LICENSE file distributed with ssuuddoo or + http://www.sudo.ws/sudo/license.html for complete details. -1.6.8p9 June, 20 2005 9 +1.7.4 July 19, 2010 10
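Review bot: In the first hunk (@@ -400,64 +334,130 @@), the VAR=value paragraph has a typo, "would overwise be forbidden" should read "would otherwise be forbidden", and the sentence that carries the security-relevant exception is hard to parse as written: "If the setenv option is set in sudoers, the command to be run has the SETENV tag set or the command matched is ALL, the user may set variables..." reads as one run-on condition. Suggest rewriting it as three explicit alternatives, e.g. "If the setenv option is set in sudoers, if the command to be run has the SETENV tag set, or if the command matched is ALL, the user may set variables that would otherwise be forbidden.", so that a reader scanning the page sees that a plain ALL rule also lifts the environment restrictions. Minor: the SECURITY NOTES text in the same hunk switches between "time stamp" and "Timestamps" within two sentences; pick one spelling.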
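Review bot: In the second hunk (@@ -466,64 +466,64 @@), the new ENVIRONMENT entry "PATH Set to a sane value if the secure_path sudoers option is set." should be reconciled with the SECURITY NOTES sentence added in the preceding hunk, "the actual PATH environment variable is not modified and is passed unchanged to the program that sudo executes", which as written is unconditional. Suggest qualifying that sentence, e.g. "is not modified (unless the secure_path sudoers option is set) and is passed unchanged...", so the two sections do not contradict each other. Also in this hunk: "a devfs filesystem that monotonically increase the inode number" should be "increases"; "login, run a command ... logout, login again" uses the nouns as verbs (log in, log out); and the option names in the SHELL and SUDO_ASKPASS entries ("-s option", "the -A option") are not bolded while the neighbouring entries use --ee, --ii, --HH, --ss, so the roff source is marking options inconsistently.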
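Review bot: In the third hunk (@@ -532,63 +532,129 @@), the SEE ALSO line "_g_r_e_p(1), _s_u(1), _s_t_a_t(2), _l_o_g_i_n___c_a_p(3), _p_a_s_s_w_d(4), _s_u_d_o_e_r_s(5), _v_i_s_u_d_o(1m)" gives sudoers section 5, but every other cross-reference in this patch (the EXAMPLES note, CAVEATS, the -u option text and SECURITY NOTES) says sudoers(4), and the page itself uses the 4/1m numbering (passwd(4), visudo(1m), SUDO(1m)). The (5) looks like a leftover from the other section-numbering scheme and should be (4) here, or the generated catfile should take the section from one place so the two cannot drift apart. Separately, the SUPPORT section loses the "Commercial support is available for sudo, see http://www.sudo.ws/sudo/support.html for details." paragraph entirely rather than updating it; worth confirming in the changelog that the removal is intended.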