+2010-04-09 Todd C. Miller <Todd.Miller@courtesan.com>
+
+ * configure, configure.in: Fix installation of sudoers.ldap
+ in "make install" when --with-ldap was specified without a
+ directory. From Prof. Dr. Andreas Mueller
+
+2010-04-09 Todd C. Miller <Todd.Miller@courtesan.com>
+
+ * find_path.c: Qualify the command even if it is in the
+ current working directory, e.g. "./foo" instead of just
+ returning "foo". This removes an ambiguity between real
+ commands and possible pseudo-commands in command matching.
+
+2010-04-07 Todd C. Miller <Todd.Miller@courtesan.com>
+
+ * sudoers.cat, sudoers.man.in, sudoers.pod: Add a note about
+ the security implications of the fast_glob option.
+
+ * memrchr.c: Remove duplicate includes
+
+2010-03-10 Todd C. Miller <Todd.Miller@courtesan.com>
+
+ * sudo.c: Fix a bug introduced with def_closefrom. The value
+ of def_closefrom already includes the +1.
+
+2010-03-09 Todd C. Miller <Todd.Miller@courtesan.com>
+
+ * match.c: When doing a glob match, short circuit if
+ gl.gl_pathc is 0. From Mark Kettenis.
+
2010-02-22 Todd C. Miller <Todd.Miller@courtesan.com>
* match.c: Check for pseudo-command by looking at the first
#
# @configure_input@
#
-# $Sudo: Makefile.in,v 1.340 2009/06/15 21:18:53 millert Exp $
-#
#### Start of system configuration section. ####
@DEV@LICENSE: license.pod
@DEV@ pod2text -l -i0 $> | sed '1,2d' > $@
-ChangeLog:
- cvs2cl --follow-only trunk
-
install: install-dirs install-binaries @INSTALL_NOEXEC@ install-sudoers install-man
install-dirs:
cleandir: realclean
dist:
- rm -f ../sudo-$(VERSION).tar.gz
- ( cd .. ; TF="/tmp/sudo.dist$$$$" ; rm -f $$TF ; for i in $(DISTFILES) ; \
- do echo sudo-$(VERSION)/$$i >> $$TF ; done ; \
- tar Ocf sudo-$(VERSION).tar \
- `cat $$TF` && gzip --best sudo-$(VERSION).tar && rm -f $$TF)
+ pax -w -x ustar -s '/^/sudo-$(VERSION)\//' -f ../sudo-$(VERSION).tar \
+ $(DISTFILES)
+ gzip -9f ../sudo-$(VERSION).tar
ls -l ../sudo-$(VERSION).tar.gz
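Review bot: The rewritten dist recipe (L53-55) makes building the release tarball depend on pax(1), which nothing else in this build needs and which is not installed by default on a number of minimal Linux systems; if that is intended, a comment above the recipe would save the next release engineer a surprise, e.g. `# dist needs pax(1); -x ustar keeps the archive portable across tar implementations`. Because the archive is written in ustar format, every member name becomes `sudo-$(VERSION)/` plus the DISTFILES path and must fit ustar's name/prefix length limits, so it is worth confirming that pax fails the recipe (non-zero exit, which make will honour since the line is not `-` prefixed) rather than silently skipping an over-long member when entries are added to DISTFILES. No `@@` headers survive on this page, so the hunk boundaries are inferred from context.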
bindist:
gzip -f --best sudo-$(VERSION).depot; \
rm -rf tmp.depot ; \
)
-
-.PHONY: ChangeLog
#include <compat.h>
-#ifndef lint
-__unused static const char rcsid[] = "$Sudo: aix.c,v 1.7 2008/11/06 00:42:37 millert Exp $";
-#endif /* lint */
-
#ifdef HAVE_GETUSERATTR
#ifndef HAVE_SETRLIMIT64
#include "redblack.h"
#include <gram.h>
-#ifndef lint
-__unused static const char rcsid[] = "$Sudo: alias.c,v 1.18 2009/05/25 12:02:41 millert Exp $";
-#endif /* lint */
-
/*
* Globals
*/
#include "sudo.h"
-#ifndef lint
-__unused static const char rcsid[] = "$Sudo: alloc.c,v 1.33 2008/11/09 14:13:12 millert Exp $";
-#endif /* lint */
-
/*
* If there is no SIZE_MAX or SIZE_T_MAX we have to assume that size_t
* could be signed (as it is on SunOS 4.x). This just means that
#include <afs/stds.h>
#include <afs/kautils.h>
-#ifndef lint
-__unused static const char rcsid[] = "$Sudo: afs.c,v 1.15 2008/11/09 14:13:13 millert Exp $";
-#endif /* lint */
-
int
afs_verify(pw, pass, auth)
struct passwd *pw;
#include "sudo.h"
#include "sudo_auth.h"
-#ifndef lint
-__unused static const char rcsid[] = "$Sudo: aix_auth.c,v 1.27 2009/05/25 12:02:42 millert Exp $";
-#endif /* lint */
-
/*
* For a description of the AIX authentication API, see
* http://publib16.boulder.ibm.com/doc_link/en_US/a_doc_lib/libs/basetrf1/authenticate.htm
#include "sudo.h"
#include "sudo_auth.h"
-#ifndef lint
-__unused static const char rcsid[] = "$Sudo: bsdauth.c,v 1.23 2008/11/09 14:13:13 millert Exp $";
-#endif /* lint */
-
extern char *login_style; /* from sudo.c */
int
#include "sudo.h"
#include "sudo_auth.h"
-#ifndef lint
-__unused static const char rcsid[] = "$Sudo: dce.c,v 1.14 2005/02/12 22:56:07 millert Exp $";
-#endif /* lint */
-
static int check_dce_status __P((error_status_t, char *));
int
#include "sudo.h"
#include "sudo_auth.h"
-#ifndef lint
-__unused static const char rcsid[] = "$Sudo: fwtk.c,v 1.29 2008/11/09 14:13:13 millert Exp $";
-#endif /* lint */
-
int
fwtk_init(pw, promptp, auth)
struct passwd *pw;
#include "sudo.h"
#include "sudo_auth.h"
-#ifndef lint
-__unused static const char rcsid[] = "$Sudo: kerb4.c,v 1.16 2008/11/09 14:13:13 millert Exp $";
-#endif /* lint */
-
int
kerb4_init(pw, promptp, auth)
struct passwd *pw;
#include "sudo.h"
#include "sudo_auth.h"
-#ifndef lint
-__unused static const char rcsid[] = "$Sudo: kerb5.c,v 1.37 2009/11/03 14:51:20 millert Exp $";
-#endif /* lint */
-
#ifdef HAVE_HEIMDAL
# define extract_name(c, p) krb5_principal_get_comp_string(c, p, 1)
# define krb5_free_data_contents(c, d) krb5_data_free(d)
# define PAM_CONST
#endif
-#ifndef lint
-__unused static const char rcsid[] = "$Sudo: pam.c,v 1.69 2009/08/07 14:21:51 millert Exp $";
-#endif /* lint */
-
static int sudo_conv __P((int, PAM_CONST struct pam_message **,
struct pam_response **, void *));
static char *def_prompt = "Password:";
#include "sudo.h"
#include "sudo_auth.h"
-#ifndef lint
-__unused static const char rcsid[] = "$Sudo: passwd.c,v 1.17 2005/02/12 22:56:07 millert Exp $";
-#endif /* lint */
-
#define DESLEN 13
#define HAS_AGEINFO(p, l) (l == 18 && p[DESLEN] == ',')
#include "sudo.h"
#include "sudo_auth.h"
-#ifndef lint
-__unused static const char rcsid[] = "$Sudo: rfc1938.c,v 1.20 2005/02/12 22:56:07 millert Exp $";
-#endif /* lint */
-
int
rfc1938_setup(pw, promptp, auth)
struct passwd *pw;
#include "sudo.h"
#include "sudo_auth.h"
-#ifndef lint
-__unused static const char rcsid[] = "$Sudo: secureware.c,v 1.13 2005/02/12 22:56:07 millert Exp $";
-#endif /* lint */
-
int
secureware_init(pw, promptp, auth)
struct passwd *pw;
#include "sudo.h"
#include "sudo_auth.h"
-#ifndef lint
-__unused static const char rcsid[] = "$Sudo: securid.c,v 1.18 2008/11/09 14:13:13 millert Exp $";
-#endif /* lint */
-
union config_record configure;
int
#include "sudo.h"
#include "sudo_auth.h"
-#ifndef lint
-__unused static const char rcsid[] = "$Sudo: securid5.c,v 1.13 2008/11/09 14:13:13 millert Exp $";
-#endif /* lint */
-
/*
* securid_init - Initialises communications with ACE server
* Arguments in:
#include "sudo.h"
#include "sudo_auth.h"
-#ifndef lint
-__unused static const char rcsid[] = "$Sudo: sia.c,v 1.19 2008/11/09 14:13:13 millert Exp $";
-#endif /* lint */
-
static int sudo_collect __P((int, int, uchar_t *, int, prompt_t *));
static char *def_prompt;
#include "sudo_auth.h"
#include "insults.h"
-#ifndef lint
-__unused static const char rcsid[] = "$Sudo: sudo_auth.c,v 1.40 2009/05/25 12:02:42 millert Exp $";
-#endif /* lint */
-
sudo_auth auth_switch[] = {
#ifdef AUTH_STANDALONE
AUTH_STANDALONE
* WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
* ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
* OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
- *
- * $Sudo: sudo_auth.h,v 1.29 2009/05/25 12:02:42 millert Exp $
*/
#ifndef SUDO_AUTH_H
#include "sudo.h"
-#ifndef lint
-__unused static const char rcsid[] = "$Sudo: check.c,v 1.247 2009/05/25 12:02:41 millert Exp $";
-#endif /* lint */
-
/* Status codes for timestamp_status() */
#define TS_CURRENT 0
#define TS_OLD 1
#include "sudo.h"
-#ifndef lint
-__unused static const char rcsid[] = "$Sudo: closefrom.c,v 1.14 2008/11/09 14:13:12 millert Exp $";
-#endif /* lint */
-
#ifndef HAVE_FCNTL_CLOSEM
# ifndef HAVE_DIRFD
# define closefrom_fallback closefrom
* Sponsored in part by the Defense Advanced Research Projects
* Agency (DARPA) and Air Force Research Laboratory, Air Force
* Materiel Command, USAF, under agreement number F39502-99-1-0512.
- *
- * $Sudo: compat.h,v 1.90 2008/11/09 14:13:12 millert Exp $
*/
#ifndef _SUDO_COMPAT_H
#! /bin/sh
# Guess values for system-dependent variables and create Makefiles.
-# Generated by GNU Autoconf 2.61 for sudo 1.7.2p5.
+# Generated by GNU Autoconf 2.61 for sudo 1.7.2p6.
#
# Report bugs to <http://www.sudo.ws/bugs/>.
#
# Identity of this package.
PACKAGE_NAME='sudo'
PACKAGE_TARNAME='sudo'
-PACKAGE_VERSION='1.7.2p5'
-PACKAGE_STRING='sudo 1.7.2p5'
+PACKAGE_VERSION='1.7.2p6'
+PACKAGE_STRING='sudo 1.7.2p6'
PACKAGE_BUGREPORT='http://www.sudo.ws/bugs/'
# Factoring default headers for most tests.
# Omit some internal or obsolete options to make the list less imposing.
# This message is too long to be a string in the A/UX 3.1 sh.
cat <<_ACEOF
-\`configure' configures sudo 1.7.2p5 to adapt to many kinds of systems.
+\`configure' configures sudo 1.7.2p6 to adapt to many kinds of systems.
Usage: $0 [OPTION]... [VAR=VALUE]...
if test -n "$ac_init_help"; then
case $ac_init_help in
- short | recursive ) echo "Configuration of sudo 1.7.2p5:";;
+ short | recursive ) echo "Configuration of sudo 1.7.2p6:";;
esac
cat <<\_ACEOF
test -n "$ac_init_help" && exit $ac_status
if $ac_init_version; then
cat <<\_ACEOF
-sudo configure 1.7.2p5
+sudo configure 1.7.2p6
generated by GNU Autoconf 2.61
Copyright (C) 1992, 1993, 1994, 1995, 1996, 1998, 1999, 2000, 2001,
This file contains any messages produced by compilers while
running configure, to aid debugging if configure makes a mistake.
-It was created by sudo $as_me 1.7.2p5, which was
+It was created by sudo $as_me 1.7.2p6, which was
generated by GNU Autoconf 2.61. Invocation command line was
$ $0 $@
+
for ac_func in strchr strrchr memchr memcpy memset sysconf tzset \
strftime setrlimit initgroups getgroups fstat gettimeofday \
setlocale getaddrinfo setsid setenv setrlimit64
CPPFLAGS="${CPPFLAGS} -I${with_ldap}/include"
with_ldap=yes
- LDAP=""
fi
SUDO_OBJS="${SUDO_OBJS} ldap.o"
+ LDAP=""
{ echo "$as_me:$LINENO: checking for LDAP libraries" >&5
echo $ECHO_N "checking for LDAP libraries... $ECHO_C" >&6; }
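Review bot: The moved `LDAP=""` (L297) now runs for both the `--with-ldap` and `--with-ldap=DIR` cases, but nothing near the assignment says what an empty LDAP does, so its placement after the `fi` looks accidental; from the `@DEV@`-style prefix idiom used in Makefile.in (L39-40) it is presumably a line-prefix substitution that enables the sudoers.ldap install rules when empty, though the page does not show the `@LDAP@` use itself. The same move appears in configure.in (L325-333); since configure is generated, the explanation belongs there, e.g. `dnl LDAP must be empty whenever ldap.o is built: it gates the sudoers.ldap install rules in Makefile.in` (adjust the wording to the actual mechanism). The enclosing `AC_ARG_WITH`/`if` body starts outside both hunks.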
# report actual input values of CONFIG_FILES etc. instead of their
# values after options handling.
ac_log="
-This file was extended by sudo $as_me 1.7.2p5, which was
+This file was extended by sudo $as_me 1.7.2p6, which was
generated by GNU Autoconf 2.61. Invocation command line was
CONFIG_FILES = $CONFIG_FILES
_ACEOF
cat >>$CONFIG_STATUS <<_ACEOF
ac_cs_version="\\
-sudo config.status 1.7.2p5
+sudo config.status 1.7.2p6
configured by $0, generated by GNU Autoconf 2.61,
with options \\"`echo "$ac_configure_args" | sed 's/^ //; s/[\\""\`\$]/\\\\&/g'`\\"
dnl
dnl Process this file with GNU autoconf to produce a configure script.
-dnl $Sudo: configure.in,v 1.549 2009/06/13 20:52:50 millert Exp $
dnl
dnl Copyright (c) 1994-1996,1998-2010 Todd C. Miller <Todd.Miller@courtesan.com>
dnl
-AC_INIT([sudo], [1.7.2p5], [http://www.sudo.ws/bugs/], [sudo])
+AC_INIT([sudo], [1.7.2p6], [http://www.sudo.ws/bugs/], [sudo])
AC_CONFIG_HEADER(config.h pathnames.h)
dnl
dnl This won't work before AC_INIT
SUDO_APPEND_LIBPATH(LDFLAGS, [${with_ldap}/lib])
CPPFLAGS="${CPPFLAGS} -I${with_ldap}/include"
with_ldap=yes
- LDAP=""
fi
SUDO_OBJS="${SUDO_OBJS} ldap.o"
+ LDAP=""
AC_MSG_CHECKING([for LDAP libraries])
LDAP_LIBS=""
#include "parse.h"
#include <gram.h>
-#ifndef lint
-__unused static const char rcsid[] = "$Sudo: defaults.c,v 1.73 2008/11/09 14:13:12 millert Exp $";
-#endif /* lint */
-
/*
* For converting between syslog numbers and strings.
*/
* Sponsored in part by the Defense Advanced Research Projects
* Agency (DARPA) and Air Force Research Laboratory, Air Force
* Materiel Command, USAF, under agreement number F39502-99-1-0512.
- *
- * $Sudo: defaults.h,v 1.33 2008/11/09 14:13:12 millert Exp $
*/
#ifndef _SUDO_DEFAULTS_H
* WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
* ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
* OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
- *
- * $Sudo: charclass.h,v 1.3 2008/12/09 20:55:50 millert Exp $
*/
/*
* WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
* ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
* OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
- *
- * $Sudo: timespec.h,v 1.1 2005/06/23 03:04:35 millert Exp $
*/
#ifndef _SUDO_TIMESPEC_H
#include "sudo.h"
-#ifndef lint
-__unused static const char rcsid[] = "$Sudo: env.c,v 1.106 2009/06/23 18:24:42 millert Exp $";
-#endif /* lint */
-
/*
* Flags used in rebuild_env()
*/
#include <compat.h>
#include "error.h"
-#ifndef lint
-__unused static const char rcsid[] = "$Sudo: error.c,v 1.7 2005/11/18 01:39:58 millert Exp $";
-#endif /* lint */
-
static void _warning __P((int, const char *, va_list));
void cleanup __P((int));
* WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
* ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
* OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
- *
- * $Sudo: error.h,v 1.2 2004/11/19 17:32:25 millert Exp $
*/
#ifndef _SUDO_ERROR_H_
# define LINE_MAX 2048
#endif
-#ifndef lint
-__unused static const char rcsid[] = "$Sudo: fileops.c,v 1.19 2009/05/25 12:02:41 millert Exp $";
-#endif /* lint */
-
/*
* Update the access and modify times on an fd or file.
*/
#include "sudo.h"
-#ifndef lint
-__unused static const char rcsid[] = "$Sudo: find_path.c,v 1.115 2005/03/29 14:29:46 millert Exp $";
-#endif /* lint */
-
/*
* This function finds the full pathname for a command and
* stores it in a statically allocated array, filling in a pointer
* Check current dir if dot was in the PATH
*/
if (!result && checkdot) {
- result = sudo_goodpath(infile, sbp);
+ len = snprintf(command, sizeof(command), "./%s", infile);
+ if (len <= 0 || len >= sizeof(command))
+ errorx(1, "%s: File name too long", infile);
+ result = sudo_goodpath(command, sbp);
if (result && def_ignore_dot)
return(NOT_FOUND_DOT);
}
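Review bot: The `./` prefix added at L408 is the substance of the change (ChangeLog, L9-12: disambiguating a command in the current directory from pseudo-commands during matching), yet nothing at the call site records that intent, so a later cleanup could easily pass `infile` straight to `sudo_goodpath()` again; suggest `/* Qualify with "./" so a command found via "." in PATH cannot be confused with a pseudo-command by the matcher. */` above the snprintf. The `len >= sizeof(command)` bound at L409 is only meaningful if `command` is the statically allocated array the file's header comment describes (L402-403) rather than a pointer, which is worth confirming, and if `len` is an `int` the `len <= 0` test must stay first so the signed/unsigned comparison only ever sees positive values. `find_path`'s body starts and ends outside this hunk.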
(dp->d_name[0] == '.' && (dp->d_name[1] == '\0' || \
(dp->d_name[1] == '.' && dp->d_name[2] == '\0')))
-#ifndef lint
-__unused static const char rcsid[] = "$Sudo: getcwd.c,v 1.28 2005/02/08 03:55:42 millert Exp $";
-#endif /* lint */
-
char *
getcwd(pt, size)
char *pt;
#include <config.h>
#include <compat.h>
-#ifndef lint
-__unused static const char rcsid[] = "$Sudo: getprogname.c,v 1.7 2005/02/12 22:56:06 millert Exp $";
-#endif /* lint */
-
const char *
getprogname()
{
#include "sudo.h"
-#ifndef lint
-__unused static const char rcsid[] = "$Sudo: getspwuid.c,v 1.78 2005/02/12 22:56:06 millert Exp $";
-#endif /* lint */
-
/*
* Exported for auth/secureware.c
*/
#include <compat.h>
-#ifndef lint
-__unused static const char rcsid[] = "$Sudo: gettime.c,v 1.8 2008/11/09 14:13:12 millert Exp $";
-#endif /* lint */
-
/*
* Get the current time via gettimeofday() for systems with
* timespecs in struct stat or, otherwise, using time().
#include "sudo.h"
-#ifndef lint
-__unused static const char rcsid[] = "$Sudo: goodpath.c,v 1.44 2005/02/12 22:56:06 millert Exp $";
-#endif /* lint */
-
/*
* Verify that path is a normal file and executable by root.
*/
#include "sudo.h"
#include "parse.h"
-#ifndef lint
-__unused static const char rcsid[] = "$Sudo: gram.c,v 1.35 2009/04/18 23:25:08 millert Exp $";
-#endif /* lint */
-
/*
* We must define SIZE_MAX for yacc's skeleton.c.
* If there is no SIZE_MAX or SIZE_T_MAX we have to assume that size_t
#include "sudo.h"
#include "parse.h"
-#ifndef lint
-__unused static const char rcsid[] = "$Sudo: gram.y,v 1.36 2009/05/25 12:02:41 millert Exp $";
-#endif /* lint */
-
/*
* We must define SIZE_MAX for yacc's skeleton.c.
* If there is no SIZE_MAX or SIZE_T_MAX we have to assume that size_t
* WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
* ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
* OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
- *
- * $Sudo: ins_2001.h,v 1.29 2004/02/13 21:36:43 millert Exp $
*/
#ifndef _SUDO_INS_2001_H
* WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
* ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
* OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
- *
- * $Sudo: ins_classic.h,v 1.30 2004/02/13 21:36:43 millert Exp $
*/
#ifndef _SUDO_INS_CLASSIC_H
* WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
* ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
* OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
- *
- * $Sudo: ins_csops.h,v 1.30 2008/11/09 14:13:12 millert Exp $
*/
#ifndef _SUDO_INS_CSOPS_H
* WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
* ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
* OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
- *
- * $Sudo: ins_goons.h,v 1.29 2004/02/13 21:36:43 millert Exp $
*/
#ifndef _SUDO_INS_GOONS_H
#! /bin/sh
## (From INN-1.4, written by Rich Salz)
-## $Revision: 1.10 $
+## $Revision$
## A script to install files and directories.
PROGNAME=`basename $0`
* WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
* ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
* OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
- *
- * $Sudo: insults.h,v 1.47 2008/11/09 14:13:12 millert Exp $
*/
#ifndef _SUDO_INSULTS_H
#include "sudo.h"
#include "interfaces.h"
-#ifndef lint
-__unused static const char rcsid[] = "$Sudo: interfaces.c,v 1.87 2009/05/25 12:02:41 millert Exp $";
-#endif /* lint */
-
/* Minix apparently lacks IFF_LOOPBACK */
#ifndef IFF_LOOPBACK
# define IFF_LOOPBACK 0
* Sponsored in part by the Defense Advanced Research Projects
* Agency (DARPA) and Air Force Research Laboratory, Air Force
* Materiel Command, USAF, under agreement number F39502-99-1-0512.
- *
- * $Sudo: interfaces.h,v 1.12 2008/11/09 14:13:12 millert Exp $
*/
#ifndef _SUDO_INTERFACES_H
#include <config.h>
#include <compat.h>
-#ifndef lint
-__unused static const char rcsid[] = "$Sudo: isblank.c,v 1.1 2008/11/06 00:05:24 millert Exp $";
-#endif /* lint */
-
#undef isblank
int
isblank(ch)
#include "sudo.h"
#include "lbuf.h"
-#ifndef lint
-__unused static const char rcsid[] = "$Sudo: lbuf.c,v 1.9 2009/05/25 12:02:41 millert Exp $";
-#endif /* lint */
-
#if !defined(TIOCGSIZE) && defined(TIOCGWINSZ)
# define TIOCGSIZE TIOCGWINSZ
# define ttysize winsize
* OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
* OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF
* ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
- *
- * $Sudo: lbuf.h,v 1.2 2007/08/22 22:31:07 millert Exp $"
*/
#ifndef _SUDO_LBUF_H
#include "parse.h"
#include "lbuf.h"
-#ifndef lint
-__unused static const char rcsid[] = "$Sudo: ldap.c,v 1.108 2009/05/29 13:43:12 millert Exp $";
-#endif /* lint */
-
#ifndef LDAP_OPT_SUCCESS
# define LDAP_OPT_SUCCESS LDAP_SUCCESS
#endif
#include "sudo.h"
-#ifndef lint
-__unused static const char rcsid[] = "$Sudo: list.c,v 1.6 2008/11/09 14:13:12 millert Exp $";
-#endif /* lint */
-
struct list_proto {
struct list_proto *prev;
struct list_proto *next;
* WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
* ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
* OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
- *
- * $Sudo: list.h,v 1.3 2007/09/11 19:42:48 millert Exp $
*/
#ifndef _SUDO_LIST_H
#include "sudo.h"
-#ifndef lint
-__unused static const char rcsid[] = "$Sudo: logging.c,v 1.205 2009/05/25 12:02:41 millert Exp $";
-#endif /* lint */
-
static void do_syslog __P((int, char *));
static void do_logfile __P((char *));
static void send_mail __P((char *));
* WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
* ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
* OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
- *
- * $Sudo: logging.h,v 1.15 2009/05/25 12:02:41 millert Exp $
*/
#ifndef _LOGGING_H
# include "nonunix.h"
#endif /* USING_NONUNIX_GROUPS */
-#ifndef lint
-__unused static const char rcsid[] = "$Sudo: match.c,v 1.48 2009/11/23 15:56:14 millert Exp $";
-#endif /* lint */
-
static struct member_list empty;
static int command_matches_dir __P((char *, size_t));
* else return false.
*/
#define GLOB_FLAGS (GLOB_NOSORT | GLOB_MARK | GLOB_BRACE | GLOB_TILDE)
- if (glob(sudoers_cmnd, GLOB_FLAGS, NULL, &gl) != 0) {
+ if (glob(sudoers_cmnd, GLOB_FLAGS, NULL, &gl) != 0 || gl.gl_pathc == 0) {
globfree(&gl);
return(FALSE);
}
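Review bot: Folding `gl.gl_pathc == 0` into the same branch as `glob(...) != 0` (L608) means a glob(3) failure such as GLOB_NOSPACE or GLOB_ABORTED is handled exactly like "no match" and the function returns FALSE; if, as sudoers negation semantics suggest, FALSE for a `!`-prefixed entry simply means the deny does not apply, a transient resource error would make a deny rule fail open, so consider returning FALSE only for GLOB_NOMATCH and zero matches and reporting any other return value as an error. The reason the extra `gl_pathc == 0` test is needed at all is also not stated; a comment such as `/* Some glob(3) implementations return 0 with no matches (e.g. with GLOB_BRACE); treat that as no match. */` would keep it from being removed as redundant. The enclosing function starts and ends outside this hunk.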
#include <config.h>
#include <compat.h>
-#ifndef lint
-__unused static const char rcsid[] = "$Sudo: memrchr.c,v 1.4 2007/11/27 17:13:03 millert Exp $";
-#endif /* lint */
-
-#include <sys/types.h>
-#include <config.h>
-
/*
* Reverse memchr()
* Find the last occurrence of 'c' in the buffer 's' of size 'n'.
# Created: 1993-05-16
# Public domain
-# $Sudo: mkinstalldirs,v 1.5 2003/04/03 15:16:22 millert Exp $
-
umask 022
errstatus=0
dirmode=""
#include "sudo.h"
-#ifndef lint
-static const char rcsid[] = "$Sudo: mkstemp.c,v 1.2 2008/08/20 11:40:15 millert Exp $";
-#endif /* not lint */
-
static unsigned int get_random __P((void));
static void seed_random __P((void));
#include "lbuf.h"
#include <gram.h>
-#ifndef lint
-__unused static const char rcsid[] = "$Sudo: parse.c,v 1.242 2009/05/25 12:02:41 millert Exp $";
-#endif /* lint */
-
/* Characters that must be quoted in sudoers */
#define SUDOERS_QUOTED ":\\,=#\""
* WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
* ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
* OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
- *
- * $Sudo: parse.h,v 1.49 2009/05/25 12:02:41 millert Exp $
*/
#ifndef _SUDO_PARSE_H
* Sponsored in part by the Defense Advanced Research Projects
* Agency (DARPA) and Air Force Research Laboratory, Air Force
* Materiel Command, USAF, under agreement number F39502-99-1-0512.
- *
- * $Sudo: pathnames.h.in,v 1.65 2009/05/25 12:02:41 millert Exp $
*/
/*
#include "sudo.h"
#include "redblack.h"
-#ifndef lint
-__unused static const char rcsid[] = "$Sudo: pwutil.c,v 1.23 2009/05/25 12:02:41 millert Exp $";
-#endif /* lint */
-
#ifdef MYPW
extern void (*my_setgrent) __P((void));
extern void (*my_endgrent) __P((void));
#include "sudo.h"
#include "redblack.h"
-#ifndef lint
-__unused static const char rcsid[] = "$Sudo: redblack.c,v 1.12 2009/06/29 13:36:20 millert Exp $";
-#endif /* lint */
-
static void rbrepair __P((struct rbtree *, struct rbnode *));
static void rotate_left __P((struct rbtree *, struct rbnode *));
static void rotate_right __P((struct rbtree *, struct rbnode *));
* WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
* ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
* OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
- *
- * $Sudo: redblack.h,v 1.4 2008/11/09 14:13:12 millert Exp $
*/
#ifndef _SUDO_REDBLACK_H
# There are two basic ways to configure PAM, either via pam_stack
# or by explicitly specifying the various methods to use.
#
-# $Sudo: sample.pam,v 1.3 2004/10/01 14:58:15 millert Exp $
-#
# Here we use pam_stack
auth required pam_stack.so service=system-auth
account required pam_stack.so service=system-auth
# This file MUST be edited with the 'visudo' command as root.
#
# See the sudoers man page for the details on how to write a sudoers file.
-#
-# $Sudo: sample.sudoers,v 1.29 2008/10/03 19:55:57 millert Exp $
##
# Override built-in defaults
# Syslogd will not create new log files for you, you must first
# create the file before syslogd will log to it. Eg.
# 'touch /var/log/sudo'
-#
-# $Sudo: sample.syslog.conf,v 1.3 2004/10/01 14:58:15 millert Exp $
# This logs successful and failed sudo attempts to the file /var/log/sudo
local2.debug /var/log/sudo
#include "sudo.h"
#include "pathnames.h"
-#ifndef lint
-__unused static const char rcsid[] = "$Sudo: selinux.c,v 1.5 2008/02/22 20:33:00 millert Exp $";
-#endif /* lint */
-
/*
* This function attempts to revert the relabeling done to the tty.
* fd - referencing the opened ttyn
#include "compat.h"
-#ifndef lint
-__unused static const char rcsid[] = "$Sudo: sesh.c,v 1.1 2008/02/09 14:30:06 millert Exp $";
-#endif /* lint */
-
int
main (int argc, char **argv)
{
#include "sudo.h"
-#ifndef lint
-__unused static const char rcsid[] = "$Sudo: set_perms.c,v 1.49 2009/06/25 12:44:33 millert Exp $";
-#endif /* lint */
-
#ifdef __TANDEM
# define ROOT_UID 65535
#else
#include <compat.h>
-#ifndef lint
-__unused static const char rcsid[] = "$Sudo: sigaction.c,v 1.7 2005/02/12 22:56:06 millert Exp $";
-#endif /* lint */
-
int
sigaction(signo, sa, osa)
int signo;
#include <compat.h>
-#ifndef lint
-__unused static const char rcsid[] = "$Sudo: snprintf.c,v 1.22 2008/11/09 14:13:12 millert Exp $";
-#endif /* lint */
-
static int xxxprintf __P((char **, size_t, int, const char *, va_list));
/*
#include <config.h>
#include <compat.h>
-#ifndef lint
-__unused static const char rcsid[] = "$Sudo: strcasecmp.c,v 1.7 2005/02/12 22:56:06 millert Exp $";
-#endif /* lint */
-
/*
* Case insensitive string compare routines, same semantics as str[n]cmp()
* (assumes ASCII..).
#include <config.h>
#include <compat.h>
-#ifndef lint
-__unused static const char rcsid[] = "$Sudo: strerror.c,v 1.11 2005/02/12 22:56:06 millert Exp $";
-#endif /* lint */
-
/*
* Map errno -> error string.
*/
#include <config.h>
#include <compat.h>
-#ifndef lint
-__unused static const char rcsid[] = "$Sudo: strlcat.c,v 1.7 2005/02/12 22:56:06 millert Exp $";
-#endif /* lint */
-
/*
* Appends src to string dst of size siz (unlike strncat, siz is the
#include <config.h>
#include <compat.h>
-#ifndef lint
-__unused static const char rcsid[] = "$Sudo: strlcpy.c,v 1.7 2005/02/12 22:56:06 millert Exp $";
-#endif /* lint */
-
/*
* Copy src to string dst of size siz. At most siz-1 characters
* will be copied. Always NUL terminates (unless siz == 0).
# include "nonunix.h"
#endif
-#ifndef lint
-__unused static const char rcsid[] = "$Sudo: sudo.c,v 1.517 2009/05/27 00:49:07 millert Exp $";
-#endif /* lint */
-
/*
* Prototypes
*/
sudo_endpwent();
sudo_endgrent();
- closefrom(def_closefrom + 1);
+ closefrom(def_closefrom);
#ifndef PROFILING
if (ISSET(sudo_mode, MODE_BACKGROUND) && fork() > 0) {
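Review bot: The corrected call at L794 relies on an invariant that lives elsewhere (per the 2010-03-10 ChangeLog entry at L23-24, `def_closefrom` already includes the +1), and nothing at the call site records it, so a reader going by closefrom(3)'s "lowest fd to close" semantics is likely to reintroduce the `+ 1`. Suggest `closefrom(def_closefrom);	/* def_closefrom already includes the +1 */`. The enclosing function starts and ends outside this hunk.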
-1.7.2p5 February 22, 2010 1
+1.7.2p6 March 3, 2010 1
-1.7.2p5 February 22, 2010 2
+1.7.2p6 March 3, 2010 2
-1.7.2p5 February 22, 2010 3
+1.7.2p6 March 3, 2010 3
-1.7.2p5 February 22, 2010 4
+1.7.2p6 March 3, 2010 4
-1.7.2p5 February 22, 2010 5
+1.7.2p6 March 3, 2010 5
-1.7.2p5 February 22, 2010 6
+1.7.2p6 March 3, 2010 6
-1.7.2p5 February 22, 2010 7
+1.7.2p6 March 3, 2010 7
-1.7.2p5 February 22, 2010 8
+1.7.2p6 March 3, 2010 8
-1.7.2p5 February 22, 2010 9
+1.7.2p6 March 3, 2010 9
-1.7.2p5 February 22, 2010 10
+1.7.2p6 March 3, 2010 10
* Sponsored in part by the Defense Advanced Research Projects
* Agency (DARPA) and Air Force Research Laboratory, Air Force
* Materiel Command, USAF, under agreement number F39502-99-1-0512.
- *
- * $Sudo: sudo.h,v 1.273 2009/05/25 12:02:41 millert Exp $
*/
#ifndef _SUDO_SUDO_H
.\" Agency (DARPA) and Air Force Research Laboratory, Air Force
.\" Materiel Command, USAF, under agreement number F39502-99-1-0512.
.\"
-.\" $Sudo: sudo.pod,v 1.125 2009/09/25 00:31:35 millert Exp $
.\" Automatically generated by Pod::Man 2.22 (Pod::Simple 3.07)
.\"
.\" Standard preamble:
.\" ========================================================================
.\"
.IX Title "SUDO @mansectsu@"
-.TH SUDO @mansectsu@ "February 22, 2010" "1.7.2p5" "MAINTENANCE COMMANDS"
+.TH SUDO @mansectsu@ "March 3, 2010" "1.7.2p6" "MAINTENANCE COMMANDS"
.\" For nroff, turn off justification. Always turn off hyphenation; it makes
.\" way too many mistakes in technical documents.
.if n .ad l
Agency (DARPA) and Air Force Research Laboratory, Air Force
Materiel Command, USAF, under agreement number F39502-99-1-0512.
-$Sudo: sudo.pod,v 1.125 2009/09/25 00:31:35 millert Exp $
=pod
=head1 NAME
#include "sudo.h"
-#ifndef lint
-__unused static const char rcsid[] = "$Sudo: sudo_edit.c,v 1.39 2009/09/30 13:50:58 millert Exp $";
-#endif /* lint */
-
extern sigaction_t saved_sa_int, saved_sa_quit, saved_sa_tstp;
extern char **environ;
#include <compat.h>
-#ifndef lint
-__unused static const char rcsid[] = "$Sudo: sudo_noexec.c,v 1.12 2005/03/12 23:43:40 millert Exp $";
-#endif /* lint */
-
/*
* Dummy versions of the execve() family of syscalls. We don't need
* to stub out all of them, just the ones that correspond to actual
#include "sudo.h"
#include "lbuf.h"
-#ifndef lint
-__unused static const char rcsid[] = "$Sudo: sudo_nss.c,v 1.8 2009/05/25 12:02:41 millert Exp $";
-#endif /* lint */
-
extern struct sudo_nss sudo_nss_file;
#ifdef HAVE_LDAP
extern struct sudo_nss sudo_nss_ldap;
* WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
* ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
* OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
- *
- * $Sudo: sudo_nss.h,v 1.7 2009/05/25 12:02:42 millert Exp $
*/
struct lbuf;
* OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
* OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF
* ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
- *
- * $Sudo: sudo_usage.h.in,v 1.10 2009/05/25 12:02:42 millert Exp $
*/
#ifndef _SUDO_USAGE_H
-1.7.2p5 February 22, 2010 1
+1.7.2p6 April 7, 2010 1
-1.7.2p5 February 22, 2010 2
+1.7.2p6 April 7, 2010 2
-1.7.2p5 February 22, 2010 3
+1.7.2p6 April 7, 2010 3
-1.7.2p5 February 22, 2010 4
+1.7.2p6 April 7, 2010 4
-1.7.2p5 February 22, 2010 5
+1.7.2p6 April 7, 2010 5
-1.7.2p5 February 22, 2010 6
+1.7.2p6 April 7, 2010 6
-1.7.2p5 February 22, 2010 7
+1.7.2p6 April 7, 2010 7
-1.7.2p5 February 22, 2010 8
+1.7.2p6 April 7, 2010 8
-1.7.2p5 February 22, 2010 9
+1.7.2p6 April 7, 2010 9
-1.7.2p5 February 22, 2010 10
+1.7.2p6 April 7, 2010 10
-1.7.2p5 February 22, 2010 11
+1.7.2p6 April 7, 2010 11
-1.7.2p5 February 22, 2010 12
+1.7.2p6 April 7, 2010 12
causes s\bsu\bud\bdo\bo to use the _\bf_\bn_\bm_\ba_\bt_\bc_\bh(3) function, which does
not access the file system to do its matching. The
disadvantage of _\bf_\ba_\bs_\bt_\b__\bg_\bl_\bo_\bb is that it is unable to match
- relative pathnames such as _\b._\b/_\bl_\bs or _\b._\b._\b/_\bb_\bi_\bn_\b/_\bl_\bs. This
- flag is _\bo_\bf_\bf by default.
+ relative pathnames such as _\b._\b/_\bl_\bs or _\b._\b._\b/_\bb_\bi_\bn_\b/_\bl_\bs. This has
+ security implications when path names that include
+ globbing characters are used with the negation
+ operator, '!', as such rules can be trivially bypassed.
+ As such, this option should not be used when _\bs_\bu_\bd_\bo_\be_\br_\bs
+ contains rules that contain negated path names which
+ include globbing characters. This flag is _\bo_\bf_\bf by
+ default.
stay_setuid Normally, when s\bsu\bud\bdo\bo executes a command the real and
effective UIDs are set to the target user (root by
targetpw If set, s\bsu\bud\bdo\bo will prompt for the password of the user
specified by the -\b-u\bu option (defaults to root) instead
- of the password of the invoking user. Note that this
- precludes the use of a uid not listed in the passwd
- database as an argument to the -\b-u\bu option. This flag is
- _\bo_\bf_\bf by default.
-
- tty_tickets If set, users must authenticate on a per-tty basis.
-1.7.2p5 February 22, 2010 13
+1.7.2p6 April 7, 2010 13
SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4)
+ of the password of the invoking user. Note that this
+ precludes the use of a uid not listed in the passwd
+ database as an argument to the -\b-u\bu option. This flag is
+ _\bo_\bf_\bf by default.
+
+ tty_tickets If set, users must authenticate on a per-tty basis.
Normally, s\bsu\bud\bdo\bo uses a directory in the ticket dir with
the same name as the user running it. With this flag
enabled, s\bsu\bud\bdo\bo will use a file named for the tty the
only the file log. The default is 80 (use 0 or negate
the option to disable word wrap).
- passwd_timeout Number of minutes before the s\bsu\bud\bdo\bo password prompt times
- out. The default is 5; set this to 0 for no password
- timeout.
- timestamp_timeout
- Number of minutes that can elapse before s\bsu\bud\bdo\bo will ask
-
-1.7.2p5 February 22, 2010 14
+1.7.2p6 April 7, 2010 14
SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4)
+ passwd_timeout Number of minutes before the s\bsu\bud\bdo\bo password prompt times
+ out. The default is 5; set this to 0 for no password
+ timeout.
+
+ timestamp_timeout
+ Number of minutes that can elapse before s\bsu\bud\bdo\bo will ask
for a passwd again. The default is 5. Set this to 0
to always prompt for a password. If set to a value
less than 0 the user's timestamp will never expire.
name (on if the machine's hostname is fully
qualified or the _\bf_\bq_\bd_\bn option is set)
- %h expanded to the local hostname without the domain
- name
-
- %p expanded to the user whose password is being asked
- for (respects the _\br_\bo_\bo_\bt_\bp_\bw, _\bt_\ba_\br_\bg_\be_\bt_\bp_\bw and _\br_\bu_\bn_\ba_\bs_\bp_\bw
-
-1.7.2p5 February 22, 2010 15
+1.7.2p6 April 7, 2010 15
SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4)
+ %h expanded to the local hostname without the domain
+ name
+
+ %p expanded to the user whose password is being asked
+ for (respects the _\br_\bo_\bo_\bt_\bp_\bw, _\bt_\ba_\br_\bg_\be_\bt_\bp_\bw and _\br_\bu_\bn_\ba_\bs_\bp_\bw
flags in _\bs_\bu_\bd_\bo_\be_\br_\bs)
%U expanded to the login name of the user the command
a file containing variables to be set in the environment of
the program being run. Entries in this file should either
be of the form VARIABLE=value or export VARIABLE=value.
- The value may optionally be surrounded by single or double
- quotes. Variables in this file are subject to other s\bsu\bud\bdo\bo
- environment settings such as _\be_\bn_\bv_\b__\bk_\be_\be_\bp and _\be_\bn_\bv_\b__\bc_\bh_\be_\bc_\bk.
-
-
-1.7.2p5 February 22, 2010 16
+1.7.2p6 April 7, 2010 16
SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4)
+ The value may optionally be surrounded by single or double
+ quotes. Variables in this file are subject to other s\bsu\bud\bdo\bo
+ environment settings such as _\be_\bn_\bv_\b__\bk_\be_\be_\bp and _\be_\bn_\bv_\b__\bc_\bh_\be_\bc_\bk.
+
exempt_group
Users in this group are exempt from password and PATH
requirements. This is not set by default.
mailerflags Flags to use when invoking mailer. Defaults to -\b-t\bt.
- mailerpath Path to mail program used to send warning mail. Defaults
- to the path to sendmail found at configure time.
-
-
-1.7.2p5 February 22, 2010 17
+1.7.2p6 April 7, 2010 17
SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4)
+ mailerpath Path to mail program used to send warning mail. Defaults
+ to the path to sendmail found at configure time.
+
mailfrom Address to use for the "from" address when sending warning
and error mail. The address should be enclosed in double
quotes (") to protect against s\bsu\bud\bdo\bo interpreting the @ sign.
programs. The argument may be a double-quoted, space-
separated list or a single value without double-quotes.
The list can be replaced, added to, deleted from, or
- disabled by using the =, +=, -=, and ! operators
- respectively. Regardless of whether the env_reset
- option is enabled or disabled, variables specified by
-1.7.2p5 February 22, 2010 18
+1.7.2p6 April 7, 2010 18
SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4)
+ disabled by using the =, +=, -=, and ! operators
+ respectively. Regardless of whether the env_reset
+ option is enabled or disabled, variables specified by
env_check will be preserved in the environment if they
pass the aforementioned check. The default list of
environment variables to check is displayed when s\bsu\bud\bdo\bo
User_Alias PARTTIMERS = bostley, jwfox, crawl
User_Alias WEBMASTERS = will, wendy, wim
- # Runas alias specification
- Runas_Alias OP = root, operator
- Runas_Alias DB = oracle, sybase
-1.7.2p5 February 22, 2010 19
+1.7.2p6 April 7, 2010 19
SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4)
+ # Runas alias specification
+ Runas_Alias OP = root, operator
+ Runas_Alias DB = oracle, sybase
Runas_Alias ADMINGRP = adm, oper
# Host alias specification
root ALL = (ALL) ALL
%wheel ALL = (ALL) ALL
- We let r\bro\boo\bot\bt and any user in group w\bwh\bhe\bee\bel\bl run any command on any host as
- any user.
-
-1.7.2p5 February 22, 2010 20
+1.7.2p6 April 7, 2010 20
SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4)
+ We let r\bro\boo\bot\bt and any user in group w\bwh\bhe\bee\bel\bl run any command on any host as
+ any user.
+
FULLTIMERS ALL = NOPASSWD: ALL
Full time sysadmins (m\bmi\bil\bll\ble\ber\brt\bt, m\bmi\bik\bke\bef\bf, and d\bdo\bow\bwd\bdy\by) may run any command on
The user b\bbo\bob\bb may run anything on the _\bS_\bP_\bA_\bR_\bC and _\bS_\bG_\bI machines as any user
listed in the _\bO_\bP Runas_Alias (r\bro\boo\bot\bt and o\bop\bpe\ber\bra\bat\bto\bor\br).
- jim +biglab = ALL
-
-
-1.7.2p5 February 22, 2010 21
+1.7.2p6 April 7, 2010 21
SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4)
+ jim +biglab = ALL
+
The user j\bji\bim\bm may run any command on machines in the _\bb_\bi_\bg_\bl_\ba_\bb netgroup.
s\bsu\bud\bdo\bo knows that "biglab" is a netgroup due to the '+' prefix.
Any user may mount or unmount a CD-ROM on the machines in the CDROM
Host_Alias (orion, perseus, hercules) without entering a password.
This is a bit tedious for users to type, so it is a prime candidate for
- encapsulating in a shell script.
-
-1.7.2p5 February 22, 2010 22
+1.7.2p6 April 7, 2010 22
SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4)
+ encapsulating in a shell script.
+
S\bSE\bEC\bCU\bUR\bRI\bIT\bTY\bY N\bNO\bOT\bTE\bES\bS
It is generally not effective to "subtract" commands from ALL using the
'!' operator. A user can trivially circumvent this by copying the
kind of restrictions should be considered advisory at best (and
reinforced by policy).
+ Furthermore, if the _\bf_\ba_\bs_\bt_\b__\bg_\bl_\bo_\bb option is in use, it is not possible to
+ reliably negate commands where the path name includes globbing (aka
+ wildcard) characters. This is because the C library's _\bf_\bn_\bm_\ba_\bt_\bc_\bh(3)
+ function cannot resolve relative paths. While this is typically only
+ an inconvenience for rules that grant privileges, it can result in a
+ security issue for rules that subtract or revoke privileges.
+
+ For example, given the following _\bs_\bu_\bd_\bo_\be_\br_\bs entry:
+
+ john ALL = /usr/bin/passwd [a-zA-Z0-9]*, /usr/bin/chsh [a-zA-Z0-9]*,
+ /usr/bin/chfn [a-zA-Z0-9]*, !/usr/bin/* root
+
+ User j\bjo\boh\bhn\bn can still run /usr/bin/passwd root if _\bf_\ba_\bs_\bt_\b__\bg_\bl_\bo_\bb is enabled by
+ changing to _\b/_\bu_\bs_\br_\b/_\bb_\bi_\bn and running ./passwd root instead.
+
P\bPR\bRE\bEV\bVE\bEN\bNT\bTI\bIN\bNG\bG S\bSH\bHE\bEL\bLL\bL E\bES\bSC\bCA\bAP\bPE\bES\bS
Once s\bsu\bud\bdo\bo executes a program, that program is free to do whatever it
pleases, including run other programs. This can be a security issue
shared library. On such systems, s\bsu\bud\bdo\bo's _\bn_\bo_\be_\bx_\be_\bc functionality
can be used to prevent a program run by s\bsu\bud\bdo\bo from executing
any other programs. Note, however, that this applies only to
+
+
+
+1.7.2p6 April 7, 2010 23
+
+
+
+
+
+SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4)
+
+
native dynamically-linked executables. Statically-linked
executables and foreign executables running under binary
emulation are not affected.
in the standard library with its own that simply return an
error. Unfortunately, there is no foolproof way to know
whether or not _\bn_\bo_\be_\bx_\be_\bc will work at compile-time. _\bn_\bo_\be_\bx_\be_\bc
-
-
-
-1.7.2p5 February 22, 2010 23
-
-
-
-
-
-SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4)
-
-
should work on SunOS, Solaris, *BSD, Linux, IRIX, Tru64 UNIX,
MacOS X, and HP-UX 11.x. It is known n\bno\bot\bt to work on AIX and
UnixWare. _\bn_\bo_\be_\bx_\be_\bc is expected to work on most operating
When using netgroups of machines (as opposed to users), if you store
fully qualified hostnames in the netgroup (as is usually the case), you
+
+
+
+1.7.2p6 April 7, 2010 24
+
+
+
+
+
+SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4)
+
+
either need to have the machine's hostname be fully qualified as
returned by the hostname command or use the _\bf_\bq_\bd_\bn option in _\bs_\bu_\bd_\bo_\be_\br_\bs.
including, but not limited to, the implied warranties of
merchantability and fitness for a particular purpose are disclaimed.
See the LICENSE file distributed with s\bsu\bud\bdo\bo or
-
-
-
-1.7.2p5 February 22, 2010 24
-
-
-
-
-
-SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4)
-
-
http://www.sudo.ws/sudo/license.html for complete details.
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-1.7.2p5 February 22, 2010 25
+1.7.2p6 April 7, 2010 25
Cmnd_Alias that is referenced by multiple users, one can create a
sudoRole that contains the commands and assign multiple users to it.
- S\bSU\bUD\bDO\bOe\ber\brs\bs L\bLD\bDA\bAP\bP c\bco\bon\bnt\bta\bai\bin\bne\ber\br
-
+ S\bSU\bUD\bDO\bOe\ber\brs\bs L\bLD\bDA\bAP\bP c\bco\bon\bnt\bta\bai\bin\bne\ber\br
The _\bs_\bu_\bd_\bo_\be_\br_\bs configuration is contained in the ou=SUDOers LDAP
container.
Sudo first looks for the cn=default entry in the SUDOers container. If
+ found, the multi-valued sudoOption attribute is parsed in the same
-1.7.2p5 February 22, 2010 1
+1.7.2p6 March 3, 2010 1
SUDOERS.LDAP(4) MAINTENANCE COMMANDS SUDOERS.LDAP(4)
- found, the multi-valued sudoOption attribute is parsed in the same
manner as a global Defaults line in _\b/_\be_\bt_\bc_\b/_\bs_\bu_\bd_\bo_\be_\br_\bs. In the following
example, the SSH_AUTH_SOCK variable will be preserved in the
environment for all users.
-1.7.2p5 February 22, 2010 2
+
+1.7.2p6 March 3, 2010 2
sudoHost: ALL
sudoCommand: ALL
- A\bAn\bna\bat\bto\bom\bmy\by o\bof\bf L\bLD\bDA\bAP\bP s\bsu\bud\bdo\boe\ber\brs\bs l\blo\boo\bok\bku\bup\bp
-
+ A\bAn\bna\bat\bto\bom\bmy\by o\bof\bf L\bLD\bDA\bAP\bP s\bsu\bud\bdo\boe\ber\brs\bs l\blo\boo\bok\bku\bup\bp
When looking up a sudoer using LDAP there are only two or three LDAP
queries per invocation. The first query is to parse the global
options. The second is to match against the user's name and the groups
third query returns all entries containing user netgroups and checks to
see if the user belongs to any of them.
- D\bDi\bif\bff\bfe\ber\bre\ben\bnc\bce\bes\bs b\bbe\bet\btw\bwe\bee\ben\bn L\bLD\bDA\bAP\bP a\ban\bnd\bd n\bno\bon\bn-\b-L\bLD\bDA\bAP\bP s\bsu\bud\bdo\boe\ber\brs\bs
-
+ D\bDi\bif\bff\bfe\ber\bre\ben\bnc\bce\bes\bs b\bbe\bet\btw\bwe\bee\ben\bn L\bLD\bDA\bAP\bP a\ban\bnd\bd n\bno\bon\bn-\b-L\bLD\bDA\bAP\bP s\bsu\bud\bdo\boe\ber\brs\bs
There are some subtle differences in the way sudoers is handled once in
LDAP. Probably the biggest is that according to the RFC, LDAP ordering
is arbitrary and you cannot expect that Attributes and Entries are
objectClass: top
cn: role2
sudoUser: puddles
+ sudoHost: ALL
+ sudoCommand: !/bin/sh
-1.7.2p5 February 22, 2010 3
+1.7.2p6 March 3, 2010 3
SUDOERS.LDAP(4) MAINTENANCE COMMANDS SUDOERS.LDAP(4)
- sudoHost: ALL
- sudoCommand: !/bin/sh
sudoCommand: ALL
Another difference is that negations on the Host, User or Runas are
sudoHost: ALL
sudoHost: !web01
- S\bSu\bud\bdo\boe\ber\brs\bs S\bSc\bch\bhe\bem\bma\ba
-
+ S\bSu\bud\bdo\boe\ber\brs\bs S\bSc\bch\bhe\bem\bma\ba
In order to use s\bsu\bud\bdo\bo's LDAP support, the s\bsu\bud\bdo\bo schema must be installed
on your LDAP server. In addition, be sure to index the 'sudoUser'
attribute.
The schema for s\bsu\bud\bdo\bo in OpenLDAP form is included in the EXAMPLES
section.
- C\bCo\bon\bnf\bfi\big\bgu\bur\bri\bin\bng\bg l\bld\bda\bap\bp.\b.c\bco\bon\bnf\bf
-
+ C\bCo\bon\bnf\bfi\big\bgu\bur\bri\bin\bng\bg l\bld\bda\bap\bp.\b.c\bco\bon\bnf\bf
Sudo reads the _\b/_\be_\bt_\bc_\b/_\bl_\bd_\ba_\bp_\b._\bc_\bo_\bn_\bf file for LDAP-specific configuration.
Typically, this file is shared amongst different LDAP-aware clients.
As such, most of the settings are not s\bsu\bud\bdo\bo-specific. Note that s\bsu\bud\bdo\bo
U\bUR\bRI\bI ldap[s]://[hostname[:port]] ...
Specifies a whitespace-delimited list of one or more URIs
+ describing the LDAP server(s) to connect to. The _\bp_\br_\bo_\bt_\bo_\bc_\bo_\bl may be
+ either l\bld\bda\bap\bp or l\bld\bda\bap\bps\bs, the latter being for servers that support TLS
+ (SSL) encryption. If no _\bp_\bo_\br_\bt is specified, the default is port 389
+ for ldap:// or port 636 for ldaps://. If no _\bh_\bo_\bs_\bt_\bn_\ba_\bm_\be is specified,
-1.7.2p5 February 22, 2010 4
+1.7.2p6 March 3, 2010 4
SUDOERS.LDAP(4) MAINTENANCE COMMANDS SUDOERS.LDAP(4)
- describing the LDAP server(s) to connect to. The _\bp_\br_\bo_\bt_\bo_\bc_\bo_\bl may be
- either l\bld\bda\bap\bp or l\bld\bda\bap\bps\bs, the latter being for servers that support TLS
- (SSL) encryption. If no _\bp_\bo_\br_\bt is specified, the default is port 389
- for ldap:// or port 636 for ldaps://. If no _\bh_\bo_\bs_\bt_\bn_\ba_\bm_\be is specified,
s\bsu\bud\bdo\bo will connect to l\blo\boc\bca\bal\blh\bho\bos\bst\bt. Only systems using the OpenSSL
libraries support the mixing of ldap:// and ldaps:// URIs. The
Netscape-derived libraries used on most commercial versions of Unix
identity. By default, most LDAP servers will allow anonymous
access.
+ B\bBI\bIN\bND\bDP\bPW\bW secret
+ The B\bBI\bIN\bND\bDP\bPW\bW parameter specifies the password to use when performing
+ LDAP operations. This is typically used in conjunction with the
+ B\bBI\bIN\bND\bDD\bDN\bN parameter.
-1.7.2p5 February 22, 2010 5
+1.7.2p6 March 3, 2010 5
SUDOERS.LDAP(4) MAINTENANCE COMMANDS SUDOERS.LDAP(4)
- B\bBI\bIN\bND\bDP\bPW\bW secret
- The B\bBI\bIN\bND\bDP\bPW\bW parameter specifies the password to use when performing
- LDAP operations. This is typically used in conjunction with the
- B\bBI\bIN\bND\bDD\bDN\bN parameter.
-
R\bRO\bOO\bOT\bTB\bBI\bIN\bND\bDD\bDN\bN DN
The R\bRO\bOO\bOT\bTB\bBI\bIN\bND\bDD\bDN\bN parameter specifies the identity, in the form of a
Distinguished Name (DN), to use when performing privileged LDAP
used to authenticate the client to the LDAP server. The
certificate type depends on the LDAP libraries used.
+ OpenLDAP:
+ tls_cert /etc/ssl/client_cert.pem
+ Netscape-derived:
-1.7.2p5 February 22, 2010 6
+1.7.2p6 March 3, 2010 6
-SUDOERS.LDAP(4) MAINTENANCE COMMANDS SUDOERS.LDAP(4)
- OpenLDAP:
- tls_cert /etc/ssl/client_cert.pem
+SUDOERS.LDAP(4) MAINTENANCE COMMANDS SUDOERS.LDAP(4)
+
- Netscape-derived:
tls_cert /var/ldap/cert7.db
When using Netscape-derived libraries, this file may also contain
The path to the Kerberos 5 credential cache to use when
authenticating with the remote server.
+ See the ldap.conf entry in the EXAMPLES section.
-1.7.2p5 February 22, 2010 7
+1.7.2p6 March 3, 2010 7
-SUDOERS.LDAP(4) MAINTENANCE COMMANDS SUDOERS.LDAP(4)
- See the ldap.conf entry in the EXAMPLES section.
- C\bCo\bon\bnf\bfi\big\bgu\bur\bri\bin\bng\bg n\bns\bss\bsw\bwi\bit\btc\bch\bh.\b.c\bco\bon\bnf\bf
+SUDOERS.LDAP(4) MAINTENANCE COMMANDS SUDOERS.LDAP(4)
+
+ C\bCo\bon\bnf\bfi\big\bgu\bur\bri\bin\bng\bg n\bns\bss\bsw\bwi\bit\btc\bch\bh.\b.c\bco\bon\bnf\bf
Unless it is disabled at build time, s\bsu\bud\bdo\bo consults the Name Service
Switch file, _\b/_\be_\bt_\bc_\b/_\bn_\bs_\bs_\bw_\bi_\bt_\bc_\bh_\b._\bc_\bo_\bn_\bf, to specify the _\bs_\bu_\bd_\bo_\be_\br_\bs search order.
Sudo looks for a line beginning with sudoers: and uses this to
Note that _\b/_\be_\bt_\bc_\b/_\bn_\bs_\bs_\bw_\bi_\bt_\bc_\bh_\b._\bc_\bo_\bn_\bf is supported even when the underlying
operating system does not use an nsswitch.conf file.
- C\bCo\bon\bnf\bfi\big\bgu\bur\bri\bin\bng\bg n\bne\bet\bts\bsv\bvc\bc.\b.c\bco\bon\bnf\bf
-
+ C\bCo\bon\bnf\bfi\big\bgu\bur\bri\bin\bng\bg n\bne\bet\bts\bsv\bvc\bc.\b.c\bco\bon\bnf\bf
On AIX systems, the _\b/_\be_\bt_\bc_\b/_\bn_\be_\bt_\bs_\bv_\bc_\b._\bc_\bo_\bn_\bf file is consulted instead of
_\b/_\be_\bt_\bc_\b/_\bn_\bs_\bs_\bw_\bi_\bt_\bc_\bh_\b._\bc_\bo_\bn_\bf. s\bsu\bud\bdo\bo simply treats _\bn_\be_\bt_\bs_\bv_\bc_\b._\bc_\bo_\bn_\bf as a variant of
_\bn_\bs_\bs_\bw_\bi_\bt_\bc_\bh_\b._\bc_\bo_\bn_\bf; information in the previous section unrelated to the
To treat LDAP as authoratative and only use the local sudoers file if
the user is not present in LDAP, use:
+ sudoers = ldap = auth, files
+ Note that in the above example, the auth qualfier only affects user
-1.7.2p5 February 22, 2010 8
+1.7.2p6 March 3, 2010 8
-SUDOERS.LDAP(4) MAINTENANCE COMMANDS SUDOERS.LDAP(4)
- sudoers = ldap = auth, files
+SUDOERS.LDAP(4) MAINTENANCE COMMANDS SUDOERS.LDAP(4)
+
- Note that in the above example, the auth qualfier only affects user
lookups; both LDAP and _\bs_\bu_\bd_\bo_\be_\br_\bs will be queried for Defaults entries.
If the _\b/_\be_\bt_\bc_\b/_\bn_\be_\bt_\bs_\bv_\bc_\b._\bc_\bo_\bn_\bf file is not present or there is no sudoers
_\b/_\be_\bt_\bc_\b/_\bn_\be_\bt_\bs_\bv_\bc_\b._\bc_\bo_\bn_\bf determines sudoers source order on AIX
E\bEX\bXA\bAM\bMP\bPL\bLE\bES\bS
- E\bEx\bxa\bam\bmp\bpl\ble\be l\bld\bda\bap\bp.\b.c\bco\bon\bnf\bf
-
+ E\bEx\bxa\bam\bmp\bpl\ble\be l\bld\bda\bap\bp.\b.c\bco\bon\bnf\bf
# Either specify one or more URIs or one or more host:port pairs.
# If neither is specified sudo will default to localhost, port 389.
#
#
# LDAP protocol version, defaults to 3
#ldap_version 3
+ #
+ # Define if you want to use an encrypted LDAP connection.
+ # Typically, you must also set the port to 636 (ldaps).
+ #ssl on
-1.7.2p5 February 22, 2010 9
+1.7.2p6 March 3, 2010 9
SUDOERS.LDAP(4) MAINTENANCE COMMANDS SUDOERS.LDAP(4)
- #
- # Define if you want to use an encrypted LDAP connection.
- # Typically, you must also set the port to 636 (ldaps).
- #ssl on
#
# Define if you want to use port 389 and switch to
# encryption before the bind credentials are sent.
# SDK will prevent specific file names from working. For this reason
# it is suggested that tls_cert and tls_key be set to a directory,
# not a file name.
+ #
+ # The certificate database specified by tls_cert may contain CA certs
+ # and/or the client's cert. If the client's cert is included, tls_key
+ # should be specified as well.
-1.7.2p5 February 22, 2010 10
+1.7.2p6 March 3, 2010 10
SUDOERS.LDAP(4) MAINTENANCE COMMANDS SUDOERS.LDAP(4)
- #
- # The certificate database specified by tls_cert may contain CA certs
- # and/or the client's cert. If the client's cert is included, tls_key
- # should be specified as well.
# For backward compatibility, "sslpath" may be used in place of tls_cert.
#tls_cert /var/ldap
#tls_key /var/ldap
# sasl_secprops none
# krb5_ccname /etc/.ldapcache
- S\bSu\bud\bdo\bo s\bsc\bch\bhe\bem\bma\ba f\bfo\bor\br O\bOp\bpe\ben\bnL\bLD\bDA\bAP\bP
-
+ S\bSu\bud\bdo\bo s\bsc\bch\bhe\bem\bma\ba f\bfo\bor\br O\bOp\bpe\ben\bnL\bLD\bDA\bAP\bP
The following schema is in OpenLDAP format. Simply copy it to the
schema directory (e.g. _\b/_\be_\bt_\bc_\b/_\bo_\bp_\be_\bn_\bl_\bd_\ba_\bp_\b/_\bs_\bc_\bh_\be_\bm_\ba), add the proper include
line in slapd.conf and restart s\bsl\bla\bap\bpd\bd.
EQUALITY caseExactIA5Match
SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
+ attributetype ( 1.3.6.1.4.1.15953.9.1.6
+ NAME 'sudoRunAsUser'
+ DESC 'User(s) impersonated by sudo'
+ EQUALITY caseExactIA5Match
+ SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
-1.7.2p5 February 22, 2010 11
+1.7.2p6 March 3, 2010 11
SUDOERS.LDAP(4) MAINTENANCE COMMANDS SUDOERS.LDAP(4)
- attributetype ( 1.3.6.1.4.1.15953.9.1.6
- NAME 'sudoRunAsUser'
- DESC 'User(s) impersonated by sudo'
- EQUALITY caseExactIA5Match
- SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
attributetype ( 1.3.6.1.4.1.15953.9.1.7
NAME 'sudoRunAsGroup'
-1.7.2p5 February 22, 2010 12
+
+
+
+
+
+1.7.2p6 March 3, 2010 12
.\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
.\" ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
.\"
-.\" $Sudo: sudoers.ldap.man.in,v 1.13 2009/06/11 20:29:12 millert Exp $
-.\" Automatically generated by Pod::Man 2.16 (Pod::Simple 3.05)
+.\" Automatically generated by Pod::Man 2.22 (Pod::Simple 3.07)
.\"
.\" Standard preamble:
.\" ========================================================================
-.de Sh \" Subsection heading
-.br
-.if t .Sp
-.ne 5
-.PP
-\fB\\$1\fR
-.PP
-..
.de Sp \" Vertical space (when we can't use .PP)
.if t .sp .5v
.if n .sp
.el .ds Aq '
.\"
.\" If the F register is turned on, we'll generate index entries on stderr for
-.\" titles (.TH), headers (.SH), subsections (.Sh), items (.Ip), and index
+.\" titles (.TH), headers (.SH), subsections (.SS), items (.Ip), and index
.\" entries marked with X<> in POD. Of course, you'll have to process the
.\" output yourself in some meaningful fashion.
.ie \nF \{\
.\" ========================================================================
.\"
.IX Title "SUDOERS.LDAP @mansectform@"
-.TH SUDOERS.LDAP @mansectform@ "February 22, 2010" "1.7.2p5" "MAINTENANCE COMMANDS"
+.TH SUDOERS.LDAP @mansectform@ "March 3, 2010" "1.7.2p6" "MAINTENANCE COMMANDS"
.\" For nroff, turn off justification. Always turn off hyphenation; it makes
.\" way too many mistakes in technical documents.
.if n .ad l
a Cmnd_Alias that is referenced by multiple users, one can create
a sudoRole that contains the commands and assign multiple users
to it.
-.Sh "SUDOers \s-1LDAP\s0 container"
+.SS "SUDOers \s-1LDAP\s0 container"
.IX Subsection "SUDOers LDAP container"
The \fIsudoers\fR configuration is contained in the \f(CW\*(C`ou=SUDOers\*(C'\fR \s-1LDAP\s0
container.
\& sudoHost: ALL
\& sudoCommand: ALL
.Ve
-.Sh "Anatomy of \s-1LDAP\s0 sudoers lookup"
+.SS "Anatomy of \s-1LDAP\s0 sudoers lookup"
.IX Subsection "Anatomy of LDAP sudoers lookup"
When looking up a sudoer using \s-1LDAP\s0 there are only two or three
\&\s-1LDAP\s0 queries per invocation. The first query is to parse the global
in this query too.) If no match is returned for the user's name
and groups, a third query returns all entries containing user
netgroups and checks to see if the user belongs to any of them.
-.Sh "Differences between \s-1LDAP\s0 and non-LDAP sudoers"
+.SS "Differences between \s-1LDAP\s0 and non-LDAP sudoers"
.IX Subsection "Differences between LDAP and non-LDAP sudoers"
There are some subtle differences in the way sudoers is handled
once in \s-1LDAP\s0. Probably the biggest is that according to the \s-1RFC\s0,
\& sudoHost: ALL
\& sudoHost: !web01
.Ve
-.Sh "Sudoers Schema"
+.SS "Sudoers Schema"
.IX Subsection "Sudoers Schema"
In order to use \fBsudo\fR's \s-1LDAP\s0 support, the \fBsudo\fR schema must be
installed on your \s-1LDAP\s0 server. In addition, be sure to index the
.PP
The schema for \fBsudo\fR in OpenLDAP form is included in the \s-1EXAMPLES\s0
section.
-.Sh "Configuring ldap.conf"
+.SS "Configuring ldap.conf"
.IX Subsection "Configuring ldap.conf"
Sudo reads the \fI@ldap_conf@\fR file for LDAP-specific configuration.
Typically, this file is shared amongst different LDAP-aware clients.
with the remote server.
.PP
See the \f(CW\*(C`ldap.conf\*(C'\fR entry in the \s-1EXAMPLES\s0 section.
-.Sh "Configuring nsswitch.conf"
+.SS "Configuring nsswitch.conf"
.IX Subsection "Configuring nsswitch.conf"
Unless it is disabled at build time, \fBsudo\fR consults the Name
Service Switch file, \fI@nsswitch_conf@\fR, to specify the \fIsudoers\fR
.PP
Note that \fI@nsswitch_conf@\fR is supported even when the underlying
operating system does not use an nsswitch.conf file.
-.Sh "Configuring netsvc.conf"
+.SS "Configuring netsvc.conf"
.IX Subsection "Configuring netsvc.conf"
On \s-1AIX\s0 systems, the \fI@netsvc_conf@\fR file is consulted instead of
\&\fI@nsswitch_conf@\fR. \fBsudo\fR simply treats \fInetsvc.conf\fR as a
determines sudoers source order on \s-1AIX\s0
.SH "EXAMPLES"
.IX Header "EXAMPLES"
-.Sh "Example ldap.conf"
+.SS "Example ldap.conf"
.IX Subsection "Example ldap.conf"
.Vb 10
\& # Either specify one or more URIs or one or more host:port pairs.
\& # sasl_secprops none
\& # krb5_ccname /etc/.ldapcache
.Ve
-.Sh "Sudo schema for OpenLDAP"
+.SS "Sudo schema for OpenLDAP"
.IX Subsection "Sudo schema for OpenLDAP"
The following schema is in OpenLDAP format. Simply copy it to the
schema directory (e.g. \fI/etc/openldap/schema\fR), add the proper
OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
-$Sudo: sudoers.ldap.pod,v 1.14 2009/05/29 13:43:12 millert Exp $
=pod
=head1 NAME
-.\" Copyright (c) 1994-1996, 1998-2005, 2007-2009
+.\" Copyright (c) 1994-1996, 1998-2005, 2007-2010
.\" Todd C. Miller <Todd.Miller@courtesan.com>
.\"
.\" Permission to use, copy, modify, and distribute this software for any
.\" Agency (DARPA) and Air Force Research Laboratory, Air Force
.\" Materiel Command, USAF, under agreement number F39502-99-1-0512.
.\"
-.\" $Sudo: sudoers.pod,v 1.173 2009/06/30 12:41:09 millert Exp $
.\" Automatically generated by Pod::Man 2.22 (Pod::Simple 3.07)
.\"
.\" Standard preamble:
.\" ========================================================================
.\"
.IX Title "SUDOERS @mansectform@"
-.TH SUDOERS @mansectform@ "February 22, 2010" "1.7.2p5" "MAINTENANCE COMMANDS"
+.TH SUDOERS @mansectform@ "April 7, 2010" "1.7.2p6" "MAINTENANCE COMMANDS"
.\" For nroff, turn off justification. Always turn off hyphenation; it makes
.\" way too many mistakes in technical documents.
.if n .ad l
option causes \fBsudo\fR to use the \fIfnmatch\fR\|(3) function, which does
not access the file system to do its matching. The disadvantage
of \fIfast_glob\fR is that it is unable to match relative pathnames
-such as \fI./ls\fR or \fI../bin/ls\fR. This flag is \fIoff\fR by default.
+such as \fI./ls\fR or \fI../bin/ls\fR. This has security implications
+when path names that include globbing characters are used with the
+negation operator, \f(CW\*(Aq!\*(Aq\fR, as such rules can be trivially bypassed.
+As such, this option should not be used when \fIsudoers\fR contains rules
+that contain negated path names which include globbing characters.
+This flag is \fIoff\fR by default.
.IP "stay_setuid" 16
.IX Item "stay_setuid"
Normally, when \fBsudo\fR executes a command the real and effective
different name, or use a shell escape from an editor or other
program. Therefore, these kind of restrictions should be considered
advisory at best (and reinforced by policy).
+.PP
+Furthermore, if the \fIfast_glob\fR option is in use, it is not possible
+to reliably negate commands where the path name includes globbing
+(aka wildcard) characters. This is because the C library's
+\&\fIfnmatch\fR\|(3) function cannot resolve relative paths. While this
+is typically only an inconvenience for rules that grant privileges,
+it can result in a security issue for rules that subtract or revoke
+privileges.
+.PP
+For example, given the following \fIsudoers\fR entry:
+.PP
+.Vb 2
+\& john ALL = /usr/bin/passwd [a\-zA\-Z0\-9]*, /usr/bin/chsh [a\-zA\-Z0\-9]*,
+\& /usr/bin/chfn [a\-zA\-Z0\-9]*, !/usr/bin/* root
+.Ve
+.PP
+User \fBjohn\fR can still run \f(CW\*(C`/usr/bin/passwd root\*(C'\fR if \fIfast_glob\fR is
+enabled by changing to \fI/usr/bin\fR and running \f(CW\*(C`./passwd root\*(C'\fR instead.
.SH "PREVENTING SHELL ESCAPES"
.IX Header "PREVENTING SHELL ESCAPES"
Once \fBsudo\fR executes a program, that program is free to do whatever
-Copyright (c) 1994-1996, 1998-2005, 2007-2009
+Copyright (c) 1994-1996, 1998-2005, 2007-2010
Todd C. Miller <Todd.Miller@courtesan.com>
Permission to use, copy, modify, and distribute this software for any
Agency (DARPA) and Air Force Research Laboratory, Air Force
Materiel Command, USAF, under agreement number F39502-99-1-0512.
-$Sudo: sudoers.pod,v 1.173 2009/06/30 12:41:09 millert Exp $
=pod
=head1 NAME
option causes B<sudo> to use the L<fnmatch(3)> function, which does
not access the file system to do its matching. The disadvantage
of I<fast_glob> is that it is unable to match relative pathnames
-such as F<./ls> or F<../bin/ls>. This flag is I<off> by default.
+such as F<./ls> or F<../bin/ls>. This has security implications
+when path names that include globbing characters are used with the
+negation operator, C<'!'>, as such rules can be trivially bypassed.
+As such, this option should not be used when I<sudoers> contains rules
+that contain negated path names which include globbing characters.
+This flag is I<off> by default.
=item stay_setuid
program. Therefore, these kind of restrictions should be considered
advisory at best (and reinforced by policy).
+Furthermore, if the I<fast_glob> option is in use, it is not possible
+to reliably negate commands where the path name includes globbing
+(aka wildcard) characters. This is because the C library's
+L<fnmatch(3)> function cannot resolve relative paths. While this
+is typically only an inconvenience for rules that grant privileges,
+it can result in a security issue for rules that subtract or revoke
+privileges.
+
+For example, given the following I<sudoers> entry:
+
+ john ALL = /usr/bin/passwd [a-zA-Z0-9]*, /usr/bin/chsh [a-zA-Z0-9]*,
+ /usr/bin/chfn [a-zA-Z0-9]*, !/usr/bin/* root
+
+User B<john> can still run C</usr/bin/passwd root> if I<fast_glob> is
+enabled by changing to F</usr/bin> and running C<./passwd root> instead.
+
=head1 PREVENTING SHELL ESCAPES
Once B<sudo> executes a program, that program is free to do whatever
# Converts a sudoers file to LDIF format in prepration for loading into
# the LDAP server.
#
-# $Sudo: sudoers2ldif,v 1.5 2007/12/08 00:09:28 millert Exp $
-#
# BUGS:
# Does not yet handle multiple lines with : in them
#include "sudo.h"
-#ifndef lint
-__unused static const char rcsid[] = "$Sudo: term.c,v 1.4 2009/02/25 10:47:12 millert Exp $";
-#endif /* lint */
-
#ifndef TCSASOFT
# define TCSASOFT 0
#endif
# include "emul/fnmatch.h"
#endif /* HAVE_FNMATCH */
-#ifndef lint
-__unused static const char rcsid[] = "$Sudo: testsudoers.c,v 1.131 2009/05/25 12:02:42 millert Exp $";
-#endif /* lint */
-
-
/*
* Globals
*/
#include "sudo.h"
-#ifndef lint
-__unused static const char rcsid[] = "$Sudo: tgetpass.c,v 1.131 2009/05/25 12:02:42 millert Exp $";
-#endif /* lint */
-
static volatile sig_atomic_t signo;
static void handler __P((int));
#include <compat.h>
-#ifndef lint
-__unused static const char rcsid[] = "$Sudo: utimes.c,v 1.10 2008/11/09 14:13:12 millert Exp $";
-#endif /* lint */
-
#ifndef HAVE_UTIMES
/*
* Emulate utimes() via utime()
#include "redblack.h"
#include <gram.h>
-#ifndef lint
-__unused static const char rcsid[] = "$Sudo: visudo.c,v 1.234 2009/05/25 12:02:42 millert Exp $";
-#endif /* lint */
-
struct sudoersfile {
char *path;
char *tpath;
-1.7.2p5 February 22, 2010 1
+1.7.2p6 March 3, 2010 1
-1.7.2p5 February 22, 2010 2
+1.7.2p6 March 3, 2010 2
-1.7.2p5 February 22, 2010 3
+1.7.2p6 March 3, 2010 3
.\" Agency (DARPA) and Air Force Research Laboratory, Air Force
.\" Materiel Command, USAF, under agreement number F39502-99-1-0512.
.\"
-.\" $Sudo: visudo.man.in,v 1.34 2009/06/11 20:29:12 millert Exp $
-.\" Automatically generated by Pod::Man 2.16 (Pod::Simple 3.05)
+.\" Automatically generated by Pod::Man 2.22 (Pod::Simple 3.07)
.\"
.\" Standard preamble:
.\" ========================================================================
-.de Sh \" Subsection heading
-.br
-.if t .Sp
-.ne 5
-.PP
-\fB\\$1\fR
-.PP
-..
.de Sp \" Vertical space (when we can't use .PP)
.if t .sp .5v
.if n .sp
.el .ds Aq '
.\"
.\" If the F register is turned on, we'll generate index entries on stderr for
-.\" titles (.TH), headers (.SH), subsections (.Sh), items (.Ip), and index
+.\" titles (.TH), headers (.SH), subsections (.SS), items (.Ip), and index
.\" entries marked with X<> in POD. Of course, you'll have to process the
.\" output yourself in some meaningful fashion.
.ie \nF \{\
.\" ========================================================================
.\"
.IX Title "VISUDO @mansectsu@"
-.TH VISUDO @mansectsu@ "February 22, 2010" "1.7.2p5" "MAINTENANCE COMMANDS"
+.TH VISUDO @mansectsu@ "March 3, 2010" "1.7.2p6" "MAINTENANCE COMMANDS"
.\" For nroff, turn off justification. Always turn off hyphenation; it makes
.\" way too many mistakes in technical documents.
.if n .ad l
Agency (DARPA) and Air Force Research Laboratory, Air Force
Materiel Command, USAF, under agreement number F39502-99-1-0512.
-$Sudo: visudo.pod,v 1.55 2008/11/15 18:34:01 millert Exp $
=pod
=head1 NAME
#include <config.h>
#include <compat.h>
-#ifndef lint
-__unused static const char rcsid[] = "$Sudo: zero_bytes.c,v 1.7 2008/11/09 14:13:12 millert Exp $";
-#endif /* lint */
-
/*
* Like bzero(3) but with a volatile pointer. The hope is that
* the compiler will not be able to optimize away this function.