X-Git-Url: https://git.gag.com/?a=blobdiff_plain;f=sudoers.pod;h=798295ce60ae55845828c67ecbeae4d84dd2e18b;hb=d2bea82818b233f7b68ae4263c3c0c5f8abd7ac9;hp=5dda7050d08a04539e9b1a875098c4411226eb50;hpb=a4d16b7546088ef5bdeadb3a6877bcc1d1530a63;p=debian%2Fsudo diff --git a/sudoers.pod b/sudoers.pod index 5dda705..798295c 100644 --- a/sudoers.pod +++ b/sudoers.pod @@ -111,20 +111,20 @@ The definitions of what constitutes a valid I member follow. User_List ::= User | User ',' User_List - User ::= '!'* username | + User ::= '!'* user name | '!'* '#'uid | '!'* '%'group | '!'* '+'netgroup | '!'* '%:'nonunix_group | '!'* User_Alias -A C is made up of one or more usernames, uids (prefixed +A C is made up of one or more user names, uids (prefixed with '#'), system groups (prefixed with '%'), netgroups (prefixed with '+') and Ces. Each list item may be prefixed with zero or more '!' operators. An odd number of '!' operators negate the value of the item; an even number just cancel each other out. -A C, C, C and C may +A C, C, C or C may be enclosed in double quotes to avoid the need for escaping special characters. Alternately, special characters may be specified in escaped hex mode, e.g. \x20 for space. @@ -154,7 +154,7 @@ use a backslash (\) to escape spaces and the '@' symbol. Runas_List ::= Runas_Member | Runas_Member ',' Runas_List - Runas_Member ::= '!'* username | + Runas_Member ::= '!'* user name | '!'* '#'uid | '!'* '%'group | '!'* +netgroup | @@ -162,21 +162,21 @@ use a backslash (\) to escape spaces and the '@' symbol. A C is similar to a C except that instead of Ces it can contain Ces. Note that -usernames and groups are matched as strings. In other words, two +user names and groups are matched as strings. In other words, two users (groups) with the same uid (gid) are considered to be distinct. -If you wish to match all usernames with the same uid (e.g.Eroot +If you wish to match all user names with the same uid (e.g.Eroot and toor), you can use a uid instead (#0 in the example given). Host_List ::= Host | Host ',' Host_List - Host ::= '!'* hostname | + Host ::= '!'* host name | '!'* ip_addr | '!'* network(/netmask)? | '!'* '+'netgroup | '!'* Host_Alias -A C is made up of one or more hostnames, IP addresses, +A C is made up of one or more host names, IP addresses, network numbers, netgroups (prefixed with '+') and other aliases. Again, the value of an item may be negated with the '!' operator. If you do not specify a netmask along with the network number, @@ -185,18 +185,22 @@ if the network number corresponds to one of the hosts's network interfaces, the corresponding netmask will be used. The netmask may be specified either in standard IP address notation (e.g.E255.255.255.0 or ffff:ffff:ffff:ffff::), -or CIDR notation (number of bits, e.g.E24 or 64). A hostname may +or CIDR notation (number of bits, e.g.E24 or 64). A host name may include shell-style wildcards (see the L section below), -but unless the C command on your machine returns the fully -qualified hostname, you'll need to use the I option for -wildcards to be useful. +but unless the C command on your machine returns the fully +qualified host name, you'll need to use the I option for +wildcards to be useful. Note B only inspects actual network +interfaces; this means that IP address 127.0.0.1 (localhost) will +never match. Also, the host name "localhost" will only match if +that is the actual host name, which is usually only the case for +non-networked systems. Cmnd_List ::= Cmnd | Cmnd ',' Cmnd_List - commandname ::= filename | - filename args | - filename '""' + commandname ::= file name | + file name args | + file name '""' Cmnd ::= '!'* commandname | '!'* directory | @@ -204,13 +208,13 @@ wildcards to be useful. '!'* Cmnd_Alias A C is a list of one or more commandnames, directories, and other -aliases. A commandname is a fully qualified filename which may include +aliases. A commandname is a fully qualified file name which may include shell-style wildcards (see the L section below). A simple -filename allows the user to run the command with any arguments he/she +file name allows the user to run the command with any arguments he/she wishes. However, you may also specify command line arguments (including wildcards). Alternately, you can specify C<""> to indicate that the command may only be run B command line arguments. A directory is a -fully qualified pathname ending in a '/'. When you specify a directory +fully qualified path name ending in a '/'. When you specify a directory in a C, the user will be able to run any file within that directory (but not in any subdirectories therein). @@ -275,12 +279,15 @@ See L<"SUDOERS OPTIONS"> for a list of supported Defaults parameters. Cmnd_Spec_List ::= Cmnd_Spec | Cmnd_Spec ',' Cmnd_Spec_List - Cmnd_Spec ::= Runas_Spec? Tag_Spec* Cmnd + Cmnd_Spec ::= Runas_Spec? SELinux_Spec? Tag_Spec* Cmnd Runas_Spec ::= '(' Runas_List? (':' Runas_List)? ')' + SELinux_Spec ::= ('ROLE=role' | 'TYPE=type') + Tag_Spec ::= ('NOPASSWD:' | 'PASSWD:' | 'NOEXEC:' | 'EXEC:' | - 'SETENV:' | 'NOSETENV:' ) + 'SETENV:' | 'NOSETENV:' | 'LOG_INPUT:' | 'NOLOG_INPUT:' | + 'LOG_OUTPUT:' | 'NOLOG_OUTPUT:') A B determines which commands a user may run (and as what user) on specified hosts. By default, commands are @@ -338,15 +345,23 @@ only the group will be set, the command still runs as user B. tcm boulder = (:dialer) /usr/bin/tip, /usr/bin/cu, \ /usr/local/bin/minicom +=head2 SELinux_Spec + +On systems with SELinux support, I entries may optionally have +an SELinux role and/or type associated with a command. If a role or +type is specified with the command it will override any default values +specified in I. A role or type specified on the command line, +however, will supercede the values in I. + =head2 Tag_Spec A command may have zero or more tags associated with it. There are -eight possible tag values, C, C, C, C, -C and C. -Once a tag is set on a C, subsequent Cs in the -C, inherit the tag unless it is overridden by the -opposite tag (i.e.: C overrides C and C -overrides C). +eight possible tag values, C, C, C, +C, C, C, C, C, +C and C. Once a tag is set on a C, +subsequent Cs in the C, inherit the tag unless +it is overridden by the opposite tag (i.e.: C overrides +C and C overrides C). =head3 NOPASSWD and PASSWD @@ -399,12 +414,24 @@ to the restrictions imposed by I, I, or I. As such, only trusted users should be allowed to set variables in this manner. If the command matched is B, the C tag is implied for that command; this default may -be overridden by use of the C tag. +be overridden by use of the C tag. + +=head3 LOG_INPUT and NOLOG_INPUT + +These tags override the value of the I option on a +per-command basis. For more information, see the description of +I in the L<"SUDOERS OPTIONS"> section below. + +=head3 LOG_OUTPUT and NOLOG_OUTPUT + +These tags override the value of the I option on a +per-command basis. For more information, see the description of +I in the L<"SUDOERS OPTIONS"> section below. =head2 Wildcards B allows shell-style I (aka meta or glob characters) -to be used in hostnames, pathnames and command line arguments in +to be used in host names, path names and command line arguments in the I file. Wildcard matching is done via the B L and L routines. Note that these are I regular expressions. @@ -441,10 +468,10 @@ escaped. For example: /bin/ls [[\:alpha\:]]* -Would match any filename beginning with a letter. +Would match any file name beginning with a letter. Note that a forward slash ('/') will B be matched by -wildcards used in the pathname. When matching the command +wildcards used in the path name. When matching the command line arguments, however, a slash B get matched by wildcards. This is to make a path like: @@ -492,8 +519,8 @@ F will be processed. Files that are included may themselves include other files. A hard limit of 128 nested include files is enforced to prevent include file loops. -The filename may include the C<%h> escape, signifying the short form -of the hostname. I.e., if the machine's hostname is "xerxes", then +The file name may include the C<%h> escape, signifying the short form +of the host name. I.e., if the machine's host name is "xerxes", then C<#include /etc/sudoers.%h> @@ -551,7 +578,7 @@ Whitespace between elements in a list as well as special syntactic characters in a I ('=', ':', '(', ')') is optional. The following characters must be escaped with a backslash ('\') when -used as part of a word (e.g.Ea username or hostname): +used as part of a word (e.g.Ea user name or host name): '@', '!', '=', ':', ',', '(', ')', '\'. =head1 SUDOERS OPTIONS @@ -560,15 +587,18 @@ B's behavior can be modified by C lines, as explained earlier. A list of all supported Defaults parameters, grouped by type, are listed below. -B: +B: =over 16 =item always_set_home -If set, B will set the C environment variable to the home -directory of the target user (which is root unless the B<-u> option is used). -This effectively means that the B<-H> option is always implied. +If enabled, B will set the C environment variable to the +home directory of the target user (which is root unless the B<-u> +option is used). This effectively means that the B<-H> option is +always implied. Note that C is already set when the the +I option is enabled, so I is only +effective for configurations where I is disabled. This flag is I by default. =item authenticate @@ -584,6 +614,12 @@ If set, the user may use B's B<-C> option which overrides the default starting point at which B begins closing open file descriptors. This flag is I by default. +=item compress_io + +If set, and B is configured to log a command's input or output, +the I/O logs will be compressed using B. This flag is I +by default when B is compiled with B support. + =item env_editor If set, B will use the value of the EDITOR or VISUAL @@ -598,7 +634,7 @@ default. =item env_reset If set, B will reset the environment to only contain the -LOGNAME, SHELL, USER, USERNAME and the C variables. Any +LOGNAME, MAIL, SHELL, USER, USERNAME and the C variables. Any variables in the caller's environment that match the C and C lists are then added. The default contents of the C and C lists are displayed when B is @@ -606,9 +642,26 @@ run by root with the I<-V> option. If the I option is set, its value will be used for the C environment variable. This flag is I by default. +=item fast_glob + +Normally, B uses the L function to do shell-style +globbing when matching path names. However, since it accesses the +file system, L can take a long time to complete for some +patterns, especially when the pattern references a network file +system that is mounted on demand (automounted). The I +option causes B to use the L function, which does +not access the file system to do its matching. The disadvantage +of I is that it is unable to match relative path names +such as F<./ls> or F<../bin/ls>. This has security implications +when path names that include globbing characters are used with the +negation operator, C<'!'>, as such rules can be trivially bypassed. +As such, this option should not be used when I contains rules +that contain negated path names which include globbing characters. +This flag is I by default. + =item fqdn -Set this flag if you want to put fully qualified hostnames in the +Set this flag if you want to put fully qualified host names in the I file. I.e., instead of myhost you would use myhost.mydomain.edu. You may still use the short form if you wish (and even mix the two). Beware that turning on I requires B to make DNS lookups @@ -617,7 +670,7 @@ if the machine is not plugged into the network). Also note that you must use the host's official name as DNS knows it. That is, you may not use a host alias (C entry) due to performance issues and the fact that there is no way to get all aliases from -DNS. If your machine's hostname (as returned by the C +DNS. If your machine's host name (as returned by the C command) is already fully qualified you shouldn't need to set I. This flag is I<@fqdn@> by default. @@ -645,7 +698,7 @@ password. This flag is I<@insults@> by default. =item log_host -If set, the hostname will be logged in the (non-syslog) B log file. +If set, the host name will be logged in the (non-syslog) B log file. This flag is I by default. =item log_year @@ -711,7 +764,7 @@ by default. =item passprompt_override The password prompt specified by I will normally only -be used if the passwod prompt provided by systems such as PAM matches +be used if the password prompt provided by systems such as PAM matches the string "Password:". If I is set, I will always be used. This flag is I by default. @@ -746,7 +799,7 @@ This flag is I by default. If set, root is allowed to run B too. Disabling this prevents users from "chaining" B commands to get a root shell by doing something like C<"sudo sudo /bin/sh">. Note, however, that turning off I -will also prevent root and from running B. +will also prevent root from running B. Disabling I provides no real additional security; it exists purely for historical reasons. This flag is I<@root_sudo@> by default. @@ -764,10 +817,13 @@ password of the invoking user. This flag is I by default. =item set_home -If set and B is invoked with the B<-s> option the C +If enabled and B is invoked with the B<-s> option the C environment variable will be set to the home directory of the target user (which is root unless the B<-u> option is used). This effectively -makes the B<-s> option imply B<-H>. This flag is I by default. +makes the B<-s> option imply B<-H>. Note that C is already +set when the the I option is enabled, so I is +only effective for configurations where I is disabled. +This flag is I by default. =item set_logname @@ -779,7 +835,7 @@ determine the real identity of the user, it may be desirable to change this behavior. This can be done by negating the set_logname option. Note that if the I option has not been disabled, entries in the I list will override the value of -I. This flag is I by default. +I. This flag is I by default. =item setenv @@ -798,23 +854,6 @@ shell is determined by the C environment variable if it is set, falling back on the shell listed in the invoking user's /etc/passwd entry if not). This flag is I by default. -=item fast_glob - -Normally, B uses the L function to do shell-style -globbing when matching pathnames. However, since it accesses the -file system, L can take a long time to complete for some -patterns, especially when the pattern references a network file -system that is mounted on demand (automounted). The I -option causes B to use the L function, which does -not access the file system to do its matching. The disadvantage -of I is that it is unable to match relative pathnames -such as F<./ls> or F<../bin/ls>. This has security implications -when path names that include globbing characters are used with the -negation operator, C<'!'>, as such rules can be trivially bypassed. -As such, this option should not be used when I contains rules -that contain negated path names which include globbing characters. -This flag is I by default. - =item stay_setuid Normally, when B executes a command the real and effective @@ -828,19 +867,48 @@ function. This flag is I by default. =item targetpw -If set, B will prompt for the password of the user specified by -the B<-u> option (defaults to C) instead of the password of the -invoking user. Note that this precludes the use of a uid not listed -in the passwd database as an argument to the B<-u> option. -This flag is I by default. +If set, B will prompt for the password of the user specified +by the B<-u> option (defaults to C) instead of the password +of the invoking user. In addition, the timestamp file name will +include the target user's name. Note that this flag precludes the +use of a uid not listed in the passwd database as an argument to +the B<-u> option. This flag is I by default. + +=item log_input + +If set, B will run the command in a I and log all +user input. +If the standard input is not connected to the user's tty, due to +I/O redirection or because the command is part of a pipeline, that +input is also captured and stored in a separate log file. + +Input is logged to the F directory using a unique +session ID that is included in the normal B log line, prefixed +with I. + +=item log_output + +If set, B will run the command in a I and log all +output that is sent to the screen, similar to the script(1) command. +If the standard output or standard error is not connected to the +user's tty, due to I/O redirection or because the command is part +of a pipeline, that output is also captured and stored in separate +log files. + +Output is logged to the +F directory using a unique session ID that is +included in the normal B log line, prefixed with I. + +Output logs may be viewed with the L utility, which +can also be used to list or search the available logs. =item tty_tickets -If set, users must authenticate on a per-tty basis. Normally, -B uses a directory in the ticket dir with the same name as -the user running it. With this flag enabled, B will use a -file named for the tty the user is logged in on in that directory. -This flag is I<@tty_tickets@> by default. +If set, users must authenticate on a per-tty basis. With this flag +enabled, B will use a file named for the tty the user is +logged in on in the user's time stamp directory. If disabled, the +time stamp of the directory is used instead. This flag is +I<@tty_tickets@> by default. =item umask_override @@ -857,6 +925,14 @@ If set, B will apply the defaults specified for the target user's login class if one exists. Only available if B is configured with the --with-logincap option. This flag is I by default. +=item use_pty + +If set, B will run the command in a pseudo-pty even if no I/O +logging is being gone. A malicious program run under B could +conceivably fork a background process that retains to the user's +terminal device after the main program has finished executing. Use +of this option will make that impossible. + =item visiblepw By default, B will refuse to run if the user must enter a @@ -900,14 +976,17 @@ C<@loglen@> (use 0 or negate the option to disable word wrap). =item passwd_timeout -Number of minutes before the B password prompt times out. -The default is C<@password_timeout@>; set this to C<0> for no password timeout. +Number of minutes before the B password prompt times out, or +C<0> for no timeout. The timeout may include a fractional component +if minute granularity is insufficient, for example C<2.5>. The +default is C<@password_timeout@>. =item timestamp_timeout Number of minutes that can elapse before B will ask for a -passwd again. The default is C<@timeout@>. Set this to C<0> to always -prompt for a password. +passwd again. The timeout may include a fractional component if +minute granularity is insufficient, for example C<2.5>. The default +is C<@timeout@>. Set this to C<0> to always prompt for a password. If set to a value less than C<0> the user's timestamp will never expire. This can be used to allow users to create or delete their own timestamps via C and C respectively. @@ -938,13 +1017,12 @@ The default is C<@badpass_message@> unless insults are enabled. A colon (':') separated list of editors allowed to be used with B. B will choose the editor that matches the user's EDITOR environment variable if possible, or the first editor in the -list that exists and is executable. The default is the path to vi -on your system. +list that exists and is executable. The default is C<"@editor@">. =item mailsub Subject of the mail sent to the I user. The escape C<%h> -will expand to the hostname of the machine. +will expand to the host name of the machine. Default is C<@mailsub@>. =item noexec_file @@ -964,13 +1042,13 @@ The following percent (`C<%>') escapes are supported: =item C<%H> -expanded to the local hostname including the domain name -(on if the machine's hostname is fully qualified or the I +expanded to the local host name including the domain name +(on if the machine's host name is fully qualified or the I option is set) =item C<%h> -expanded to the local hostname without the domain name +expanded to the local host name without the domain name =item C<%p> @@ -1279,12 +1357,22 @@ Local groups file List of network groups +=item F + +I/O log files + =back =head1 EXAMPLES Below are example I entries. Admittedly, some of -these are a bit contrived. First, we define our I: +these are a bit contrived. First, we allow a few environment +variables to pass and then define our I: + + # Run X applications through sudo; HOME is used to find the + # .Xauthority file. Note that other programs use HOME to find + # configuration files and this may lead to privilege escalation! + Defaults env_keep += "DISPLAY HOME" # User alias specification User_Alias FULLTIMERS = millert, mikef, dowdy @@ -1396,7 +1484,7 @@ groups). The user B is allowed to change anyone's password except for root on the I machines. Note that this assumes L -does not take multiple usernames on the command line. +does not take multiple user names on the command line. bob SPARC = (OP) ALL : SGI = (OP) ALL @@ -1575,8 +1663,8 @@ imperative that I be free of syntax errors since B will not run with a syntactically incorrect I file. When using netgroups of machines (as opposed to users), if you -store fully qualified hostnames in the netgroup (as is usually the -case), you either need to have the machine's hostname be fully qualified +store fully qualified host name in the netgroup (as is usually the +case), you either need to have the machine's host name be fully qualified as returned by the C command or use the I option in I.