This patch will upgrade Sudo version 1.6.9 to version 1.6.9 patchlevel 1.
To apply:

    $ cd sudo-1.6.9
    $ patch -p1 < sudo-1.6.9p1.patch

diff -ur sudo-1.6.9/CHANGES sudo-1.6.9p1/CHANGES
--- sudo-1.6.9/CHANGES	Mon Jul 16 22:50:08 2007
+++ sudo-1.6.9p1/CHANGES	Thu Jul 26 09:58:48 2007
@@ -1924,3 +1924,12 @@
 608) Better explanation of environment handling in the sudo man page.
 
 Sudo 1.6.9 released.
+
+609) Worked around a bug ins some PAM implementations that caused a crash
+     when no tty was present.
+
+610) Fixed a crash on some platforms in the error logging function.
+
+611) Documentation improvements.
+
+Sudo 1.6.9p1 released.
diff -ur sudo-1.6.9/Makefile.in sudo-1.6.9p1/Makefile.in
--- sudo-1.6.9/Makefile.in	Mon Jul 16 22:53:18 2007
+++ sudo-1.6.9p1/Makefile.in	Thu Jul 26 10:05:55 2007
@@ -20,7 +20,7 @@
 #
 # @configure_input@
 #
-# $Sudo: Makefile.in,v 1.246.2.9 2007/06/24 00:08:14 millert Exp $
+# $Sudo: Makefile.in,v 1.246.2.10 2007/07/26 14:05:55 millert Exp $
 #
 
 #### Start of system configuration section. ####
@@ -130,7 +130,7 @@
 
 LIBOBJS = @LIBOBJS@ @ALLOCA@
 
-VERSION = 1.6.9
+VERSION = 1.6.9p1
 
 DISTFILES = $(SRCS) $(HDRS) BUGS CHANGES HISTORY INSTALL INSTALL.configure \
             LICENSE Makefile.in PORTING README README.LDAP TODO \
diff -ur sudo-1.6.9/auth/pam.c sudo-1.6.9p1/auth/pam.c
--- sudo-1.6.9/auth/pam.c	Mon Jun 11 21:41:12 2007
+++ sudo-1.6.9p1/auth/pam.c	Sun Jul 22 08:14:53 2007
@@ -63,7 +63,7 @@
 #endif
 
 #ifndef lint
-__unused static const char rcsid[] = "$Sudo: pam.c,v 1.43.2.3 2007/06/12 00:56:43 millert Exp $";
+__unused static const char rcsid[] = "$Sudo: pam.c,v 1.43.2.4 2007/07/22 12:14:53 millert Exp $";
 #endif /* lint */
 
 static int sudo_conv __P((int, PAM_CONST struct pam_message **,
@@ -94,7 +94,14 @@
 	log_error(USE_ERRNO|NO_EXIT|NO_MAIL, "unable to initialize PAM");
 	return(AUTH_FATAL);
     }
-    if (strcmp(user_tty, "unknown"))
+    /*
+     * Some versions of pam_lastlog have a bug that
+     * will cause a crash if PAM_TTY is not set so if
+     * there is no tty, set PAM_TTY to the empty string.
+     */
+    if (strcmp(user_tty, "unknown") == 0)
+	(void) pam_set_item(pamh, PAM_TTY, "");
+    else
 	(void) pam_set_item(pamh, PAM_TTY, user_tty);
 
     return(AUTH_SUCCESS);
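Review bot: Both `pam_set_item()` calls in the new if/else discard their result with `(void)`, so if setting PAM_TTY fails the item stays unset and the pam_lastlog crash described in the comment can still happen, with nothing logged. Consider checking the result on the no-tty branch, e.g. `if (pam_set_item(pamh, PAM_TTY, "") != PAM_SUCCESS) log_error(NO_EXIT|NO_MAIL, "unable to set PAM_TTY");`. The comment could also say that PAM modules which consult PAM_TTY will now see an empty string rather than an unset item when sudo has no tty. The enclosing function starts outside the hunk.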
@@ -252,7 +259,7 @@
 		if (pass == NULL) {
 		    /* We got ^C instead of a password; abort quickly. */
 		    nil_pw = 1;
-		    return(PAM_CONV_ERR);
+		    goto err;
 		}
 		pr->resp = estrdup(pass);
 		if (*pr->resp == '\0')
@@ -271,20 +278,23 @@
 		}
 		break;
 	    default:
-		/* Zero and free allocated memory and return an error. */
-		for (pr = *response, n = num_msg; n--; pr++) {
-		    if (pr->resp != NULL) {
-			zero_bytes(pr->resp, strlen(pr->resp));
-			free(pr->resp);
-			pr->resp = NULL;
-		    }
-		}
-		zero_bytes(*response, num_msg * sizeof(struct pam_response));
-		free(*response);
-		*response = NULL;
-		return(PAM_CONV_ERR);
+		goto err;
 	}
     }
 
     return(PAM_SUCCESS);
+
+err:
+    /* Zero and free allocated memory and return an error. */
+    for (pr = *response, n = num_msg; n--; pr++) {
+	if (pr->resp != NULL) {
+	    zero_bytes(pr->resp, strlen(pr->resp));
+	    free(pr->resp);
+	    pr->resp = NULL;
+	}
+    }
+    zero_bytes(*response, num_msg * sizeof(struct pam_response));
+    free(*response);
+    *response = NULL;
+    return(PAM_CONV_ERR);
 }
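Review bot: The shared `err:` cleanup walks all `num_msg` entries and tests `pr->resp != NULL`, which is only safe if `*response` was zero-filled when it was allocated; that allocation is outside the hunk, so it cannot be confirmed from here. The ^C path in the hunk at -252 now also jumps here with only some entries filled, so the invariant matters more than before. State it at the label, e.g. `/* Unfilled entries must have resp == NULL; relies on *response being zeroed at allocation. */`. The function body begins outside this hunk.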
diff -ur sudo-1.6.9/configure sudo-1.6.9p1/configure
--- sudo-1.6.9/configure	Mon Jul 16 22:47:55 2007
+++ sudo-1.6.9p1/configure	Sun Jul 22 18:42:50 2007
@@ -458,7 +458,7 @@
 # include <unistd.h>
 #endif"
 
-ac_subst_vars='SHELL PATH_SEPARATOR PACKAGE_NAME PACKAGE_TARNAME PACKAGE_VERSION PACKAGE_STRING PACKAGE_BUGREPORT exec_prefix prefix program_transform_name bindir sbindir libexecdir datadir sysconfdir sharedstatedir localstatedir libdir includedir oldincludedir infodir mandir build_alias host_alias target_alias DEFS ECHO_C ECHO_N ECHO_T LIBS LIBTOOL CFLAGS PROGS CPPFLAGS LDFLAGS SUDO_LDFLAGS SUDO_OBJS SUDO_LIBS NET_LIBS AFS_LIBS OSDEFS AUTH_OBJS MANTYPE MAN_POSTINSTALL SUDOERS_MODE SUDOERS_UID SUDOERS_GID DEV mansectsu mansectform mansrcdir NOEXECDIR noexec_file INSTALL_NOEXEC timedir timeout password_timeout sudo_umask passprompt long_otp_prompt lecture logfac goodpri badpri loglen ignore_dot mail_no_user mail_no_host mail_no_perms mailto mailsub badpass_message fqdn runas_default env_editor passwd_tries tty_tickets insults root_sudo EGREPPROG CC ac_ct_CC EXEEXT OBJEXT CPP build build_cpu build_vendor build_os host host_cpu host_vendor host_os target target_cpu target_vendor target_os SED EGREP FGREP GREP LD NM LN_S AR ac_ct_AR STRIP ac_ct_STRIP RANLIB ac_ct_RANLIB lt_ECHO UNAMEPROG TRPROG NROFFPROG YACC LIBOBJS ALLOCA KRB5CONFIG LTLIBOBJS'
+ac_subst_vars='SHELL PATH_SEPARATOR PACKAGE_NAME PACKAGE_TARNAME PACKAGE_VERSION PACKAGE_STRING PACKAGE_BUGREPORT exec_prefix prefix program_transform_name bindir sbindir libexecdir datadir sysconfdir sharedstatedir localstatedir libdir includedir oldincludedir infodir mandir build_alias host_alias target_alias DEFS ECHO_C ECHO_N ECHO_T LIBS LIBTOOL CFLAGS PROGS CPPFLAGS LDFLAGS SUDO_LDFLAGS SUDO_OBJS SUDO_LIBS NET_LIBS AFS_LIBS OSDEFS AUTH_OBJS MANTYPE MAN_POSTINSTALL SUDOERS_MODE SUDOERS_UID SUDOERS_GID DEV mansectsu mansectform mansrcdir NOEXECDIR noexec_file INSTALL_NOEXEC DONT_LEAK_PATH_INFO timedir timeout password_timeout sudo_umask passprompt long_otp_prompt lecture logfac goodpri badpri loglen ignore_dot mail_no_user mail_no_host mail_no_perms mailto mailsub badpass_message fqdn runas_default env_editor passwd_tries tty_tickets insults root_sudo path_info EGREPPROG CC ac_ct_CC EXEEXT OBJEXT CPP build build_cpu build_vendor build_os host host_cpu host_vendor host_os target target_cpu target_vendor target_os SED EGREP FGREP GREP LD NM LN_S AR ac_ct_AR STRIP ac_ct_STRIP RANLIB ac_ct_RANLIB lt_ECHO UNAMEPROG TRPROG NROFFPROG YACC LIBOBJS ALLOCA KRB5CONFIG LTLIBOBJS'
 ac_subst_files=''
 
 # Initialize some variables set by options.
@@ -1590,6 +1590,25 @@
 
 
 
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
 timeout=5
 password_timeout=5
 sudo_umask=0022
@@ -1614,6 +1633,7 @@
 tty_tickets=off
 insults=off
 root_sudo=on
+path_info=on
 INSTALL_NOEXEC=
 PROGS="sudo visudo"
 : ${MANTYPE='man'}
@@ -3521,6 +3541,7 @@
 #define DONT_LEAK_PATH_INFO 1
 _ACEOF
 
+		path_info=off
 		;;
     *)		echo "$as_me:$LINENO: result: no" >&5
 echo "${ECHO_T}no" >&6
@@ -7066,7 +7087,7 @@
   lt_dlunknown=0; lt_dlno_uscore=1; lt_dlneed_uscore=2
   lt_status=$lt_dlunknown
   cat > conftest.$ac_ext <<_LT_EOF
-#line 7069 "configure"
+#line 7090 "configure"
 #include "confdefs.h"
 
 #if HAVE_DLFCN_H
@@ -7164,7 +7185,7 @@
   lt_dlunknown=0; lt_dlno_uscore=1; lt_dlneed_uscore=2
   lt_status=$lt_dlunknown
   cat > conftest.$ac_ext <<_LT_EOF
-#line 7167 "configure"
+#line 7188 "configure"
 #include "confdefs.h"
 
 #if HAVE_DLFCN_H
@@ -7313,7 +7334,7 @@
   ;;
 *-*-irix6*)
   # Find out which ABI we are using.
-  $ECHO '#line 7316 "configure"' > conftest.$ac_ext
+  $ECHO '#line 7337 "configure"' > conftest.$ac_ext
   if { (eval echo "$as_me:$LINENO: \"$ac_compile\"") >&5
   (eval $ac_compile) 2>&5
   ac_status=$?
@@ -7964,11 +7985,11 @@
    -e 's:.*FLAGS}? :&$lt_compiler_flag :; t' \
    -e 's: [^ ]*conftest\.: $lt_compiler_flag&:; t' \
    -e 's:$: $lt_compiler_flag:'`
-   (eval echo "\"\$as_me:7967: $lt_compile\"" >&5)
+   (eval echo "\"\$as_me:7988: $lt_compile\"" >&5)
    (eval "$lt_compile" 2>conftest.err)
    ac_status=$?
    cat conftest.err >&5
-   echo "$as_me:7971: \$? = $ac_status" >&5
+   echo "$as_me:7992: \$? = $ac_status" >&5
    if (exit $ac_status) && test -s "$ac_outfile"; then
      # The compiler can only warn and ignore the option if not recognized
      # So say no if there are warnings
@@ -8239,11 +8260,11 @@
    -e 's:.*FLAGS}? :&$lt_compiler_flag :; t' \
    -e 's: [^ ]*conftest\.: $lt_compiler_flag&:; t' \
    -e 's:$: $lt_compiler_flag:'`
-   (eval echo "\"\$as_me:8242: $lt_compile\"" >&5)
+   (eval echo "\"\$as_me:8263: $lt_compile\"" >&5)
    (eval "$lt_compile" 2>conftest.err)
    ac_status=$?
    cat conftest.err >&5
-   echo "$as_me:8246: \$? = $ac_status" >&5
+   echo "$as_me:8267: \$? = $ac_status" >&5
    if (exit $ac_status) && test -s "$ac_outfile"; then
      # The compiler can only warn and ignore the option if not recognized
      # So say no if there are warnings
@@ -8336,11 +8357,11 @@
    -e 's:.*FLAGS}? :&$lt_compiler_flag :; t' \
    -e 's: [^ ]*conftest\.: $lt_compiler_flag&:; t' \
    -e 's:$: $lt_compiler_flag:'`
-   (eval echo "\"\$as_me:8339: $lt_compile\"" >&5)
+   (eval echo "\"\$as_me:8360: $lt_compile\"" >&5)
    (eval "$lt_compile" 2>out/conftest.err)
    ac_status=$?
    cat out/conftest.err >&5
-   echo "$as_me:8343: \$? = $ac_status" >&5
+   echo "$as_me:8364: \$? = $ac_status" >&5
    if (exit $ac_status) && test -s out/conftest2.$ac_objext
    then
      # The compiler can only warn and ignore the option if not recognized
@@ -8390,11 +8411,11 @@
    -e 's:.*FLAGS}? :&$lt_compiler_flag :; t' \
    -e 's: [^ ]*conftest\.: $lt_compiler_flag&:; t' \
    -e 's:$: $lt_compiler_flag:'`
-   (eval echo "\"\$as_me:8393: $lt_compile\"" >&5)
+   (eval echo "\"\$as_me:8414: $lt_compile\"" >&5)
    (eval "$lt_compile" 2>out/conftest.err)
    ac_status=$?
    cat out/conftest.err >&5
-   echo "$as_me:8397: \$? = $ac_status" >&5
+   echo "$as_me:8418: \$? = $ac_status" >&5
    if (exit $ac_status) && test -s out/conftest2.$ac_objext
    then
      # The compiler can only warn and ignore the option if not recognized
@@ -23268,6 +23289,7 @@
 s,@NOEXECDIR@,$NOEXECDIR,;t t
 s,@noexec_file@,$noexec_file,;t t
 s,@INSTALL_NOEXEC@,$INSTALL_NOEXEC,;t t
+s,@DONT_LEAK_PATH_INFO@,$DONT_LEAK_PATH_INFO,;t t
 s,@timedir@,$timedir,;t t
 s,@timeout@,$timeout,;t t
 s,@password_timeout@,$password_timeout,;t t
@@ -23293,6 +23315,7 @@
 s,@tty_tickets@,$tty_tickets,;t t
 s,@insults@,$insults,;t t
 s,@root_sudo@,$root_sudo,;t t
+s,@path_info@,$path_info,;t t
 s,@EGREPPROG@,$EGREPPROG,;t t
 s,@CC@,$CC,;t t
 s,@ac_ct_CC@,$ac_ct_CC,;t t
diff -ur sudo-1.6.9/configure.in sudo-1.6.9p1/configure.in
--- sudo-1.6.9/configure.in	Mon Jul 16 22:51:21 2007
+++ sudo-1.6.9p1/configure.in	Sun Jul 22 18:43:50 2007
@@ -1,6 +1,6 @@
 dnl
 dnl Process this file with GNU autoconf to produce a configure script.
-dnl $Sudo: configure.in,v 1.413.2.14 2007/07/17 02:51:21 millert Exp $
+dnl $Sudo: configure.in,v 1.413.2.15 2007/07/22 22:43:50 millert Exp $
 dnl
 dnl Copyright (c) 1994-1996,1998-2007 Todd C. Miller <Todd.Miller@courtesan.com>
 dnl
@@ -14,23 +14,23 @@
 dnl Variables that get substituted in the Makefile and man pages
 dnl
 AC_SUBST(LIBTOOL)
-AC_SUBST(CFLAGS)dnl
-AC_SUBST(PROGS)dnl
-AC_SUBST(CPPFLAGS)dnl
-AC_SUBST(LDFLAGS)dnl
-AC_SUBST(SUDO_LDFLAGS)dnl
-AC_SUBST(SUDO_OBJS)dnl
-AC_SUBST(LIBS)dnl
-AC_SUBST(SUDO_LIBS)dnl
-AC_SUBST(NET_LIBS)dnl
-AC_SUBST(AFS_LIBS)dnl
-AC_SUBST(OSDEFS)dnl
-AC_SUBST(AUTH_OBJS)dnl
-AC_SUBST(MANTYPE)dnl
-AC_SUBST(MAN_POSTINSTALL)dnl
-AC_SUBST(SUDOERS_MODE)dnl
-AC_SUBST(SUDOERS_UID)dnl
-AC_SUBST(SUDOERS_GID)dnl
+AC_SUBST(CFLAGS)
+AC_SUBST(PROGS)
+AC_SUBST(CPPFLAGS)
+AC_SUBST(LDFLAGS)
+AC_SUBST(SUDO_LDFLAGS)
+AC_SUBST(SUDO_OBJS)
+AC_SUBST(LIBS)
+AC_SUBST(SUDO_LIBS)
+AC_SUBST(NET_LIBS)
+AC_SUBST(AFS_LIBS)
+AC_SUBST(OSDEFS)
+AC_SUBST(AUTH_OBJS)
+AC_SUBST(MANTYPE)
+AC_SUBST(MAN_POSTINSTALL)
+AC_SUBST(SUDOERS_MODE)
+AC_SUBST(SUDOERS_UID)
+AC_SUBST(SUDOERS_GID)
 AC_SUBST(DEV)
 AC_SUBST(mansectsu)
 AC_SUBST(mansectform)
@@ -38,6 +38,7 @@
 AC_SUBST(NOEXECDIR)
 AC_SUBST(noexec_file)
 AC_SUBST(INSTALL_NOEXEC)
+AC_SUBST(DONT_LEAK_PATH_INFO)
 dnl
 dnl Variables that get substituted in docs (not overridden by environment)
 dnl
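Review bot: `AC_SUBST(DONT_LEAK_PATH_INFO)` exports a shell variable that none of the visible hunks assigns. The `no)` branch in the hunk at -1100 only calls `AC_DEFINE(DONT_LEAK_PATH_INFO)` and sets `path_info=off`. Unless the variable is set elsewhere in configure.in, `@DONT_LEAK_PATH_INFO@` will expand to an empty string, and `path_info` already carries the on/off value for the docs. Either drop this AC_SUBST or assign the variable next to `path_info=off`.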
@@ -66,6 +67,7 @@
 AC_SUBST(tty_tickets)
 AC_SUBST(insults)
 AC_SUBST(root_sudo)
+AC_SUBST(path_info)
 dnl
 dnl Initial values for above
 dnl
@@ -93,6 +95,7 @@
 tty_tickets=off
 insults=off
 root_sudo=on
+path_info=on
 INSTALL_NOEXEC=
 dnl
 dnl Initial values for Makefile variables listed above
@@ -1100,6 +1103,7 @@
 		;;
     no)		AC_MSG_RESULT(yes)
 		AC_DEFINE(DONT_LEAK_PATH_INFO)
+		path_info=off
 		;;
     *)		AC_MSG_RESULT(no)
 		AC_MSG_WARN([Ignoring unknown argument to --enable-path-info: $enableval])
diff -ur sudo-1.6.9/logging.c sudo-1.6.9p1/logging.c
--- sudo-1.6.9/logging.c	Fri Jul  6 10:14:34 2007
+++ sudo-1.6.9p1/logging.c	Tue Jul 24 11:52:37 2007
@@ -60,7 +60,7 @@
 #include "sudo.h"
 
 #ifndef lint
-__unused static const char rcsid[] = "$Sudo: logging.c,v 1.168.2.10 2007/07/06 14:14:34 millert Exp $";
+__unused static const char rcsid[] = "$Sudo: logging.c,v 1.168.2.11 2007/07/24 15:52:37 millert Exp $";
 #endif /* lint */
 
 static void do_syslog		__P((int, char *));
@@ -441,7 +441,8 @@
 	do_logfile(logline);
 
     efree(message);
-    efree(logline);
+    if (logline != message)
+	efree(logline);
 
     if (!ISSET(flags, NO_EXIT))
 	exit(1);
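Review bot: The new `logline != message` test runs after `efree(message)`, so it reads the value of a pointer that has already been freed, which C treats as indeterminate even without a dereference. Do the comparison before releasing `message`: `if (logline != message)` / `efree(logline);` followed by `efree(message);`. The function starts outside the hunk, so the place where `logline` is made to alias `message` is not visible here.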
diff -ur sudo-1.6.9/sudo.c sudo-1.6.9p1/sudo.c
--- sudo-1.6.9/sudo.c	Mon Jul  9 17:48:48 2007
+++ sudo-1.6.9p1/sudo.c	Sun Jul 22 15:21:01 2007
@@ -102,7 +102,7 @@
 #include "version.h"
 
 #ifndef lint
-__unused __unused static const char rcsid[] = "$Sudo: sudo.c,v 1.369.2.25 2007/07/09 19:15:43 millert Exp $";
+__unused __unused static const char rcsid[] = "$Sudo: sudo.c,v 1.369.2.26 2007/07/22 19:21:01 millert Exp $";
 #endif /* lint */
 
 /*
@@ -1236,11 +1236,11 @@
     char **p, **uvec[4];
     int i, linelen, linemax, ulen;
     static char *uvec1[] = {
-	" -K | -L | -V | -h | -k | -l | -v",
+	" -h | -K | -k | -L | -l | -V | -v",
 	NULL
     };
     static char *uvec2[] = {
-	" [-EHPSb]",
+	" [-bEHPS]",
 #ifdef HAVE_BSD_AUTH_H
 	" [-a auth_type]",
 #endif
@@ -1250,10 +1250,11 @@
 	" [-p prompt]",
 	" [-u username|#uid]",
 	" [VAR=value]",
-	" { -e file [...] | -i | -s | <command> }",
+	" {-i | -s | <command>}",
 	NULL
     };
     static char *uvec3[] = {
+	" -e",
 	" [-S]",
 #ifdef HAVE_BSD_AUTH_H
 	" [-a auth_type]",
@@ -1263,7 +1264,7 @@
 #endif
 	" [-p prompt]",
 	" [-u username|#uid]",
-	" file [...]",
+	" file ...",
 	NULL
     };
 
@@ -1271,7 +1272,7 @@
      * Use usage vectors appropriate to the progname.
      */
     if (strcmp(getprogname(), "sudoedit") == 0) {
-	uvec[0] = uvec3;
+	uvec[0] = uvec3 + 1;
 	uvec[1] = NULL;
     } else {
 	uvec[0] = uvec1;
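Review bot: `uvec3 + 1` depends on `" -e"` being the first element of `uvec3` (added in the hunk at -1250), and nothing at the use site says so. A later reorder of that array would silently produce a wrong sudoedit usage line. Add a comment above the assignment, e.g. `/* skip the leading " -e", which is implied when invoked as sudoedit */`. The enclosing function begins and ends outside the hunk.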
Binary files sudo-1.6.9/sudo.cat and sudo-1.6.9p1/sudo.cat differ
diff -ur sudo-1.6.9/sudo.man.in sudo-1.6.9p1/sudo.man.in
--- sudo-1.6.9/sudo.man.in	Mon Jul 16 22:55:46 2007
+++ sudo-1.6.9p1/sudo.man.in	Thu Jul 26 10:05:55 2007
@@ -17,7 +17,7 @@
 .\" Agency (DARPA) and Air Force Research Laboratory, Air Force
 .\" Materiel Command, USAF, under agreement number F39502-99-1-0512.
 .\" 
-.\" $Sudo: sudo.man.in,v 1.29.2.5 2007/07/17 02:55:46 millert Exp $
+.\" $Sudo: sudo.man.in,v 1.29.2.6 2007/07/26 14:05:55 millert Exp $
 .\" Automatically generated by Pod::Man v1.37, Pod::Parser v1.32
 .\"
 .\" Standard preamble:
@@ -149,20 +149,20 @@
 .\" ========================================================================
 .\"
 .IX Title "SUDO @mansectsu@"
-.TH SUDO @mansectsu@ "July 16, 2007" "1.6.9" "MAINTENANCE COMMANDS"
+.TH SUDO @mansectsu@ "July 26, 2007" "1.6.9p1" "MAINTENANCE COMMANDS"
 .SH "NAME"
 sudo, sudoedit \- execute a command as another user
 .SH "SYNOPSIS"
 .IX Header "SYNOPSIS"
-\&\fBsudo\fR \fB\-K\fR | \fB\-k\fR | \fB\-h\fR | \fB\-L\fR | \fB\-l\fR | \fB\-V\fR | \fB\-v\fR
+\&\fBsudo\fR \fB\-h\fR | \fB\-K\fR | \fB\-k\fR | \fB\-L\fR | \fB\-l\fR | \fB\-V\fR | \fB\-v\fR
 .PP
 \&\fBsudo\fR [\fB\-bEHPS\fR] [\fB\-a\fR\ \fIauth_type\fR]
 [\fB\-c\fR\ \fIclass\fR|\fI\-\fR] [\fB\-p\fR\ \fIprompt\fR] [\fB\-u\fR\ \fIusername\fR|\fI#uid\fR]
-[\fB\s-1VAR\s0\fR=\fIvalue\fR] {\fB\-e\fR\ file\ [...]\ |\ \fB\-i\fR\ |\ \fB\-s\fR\ |\ \fIcommand\fR}
+[\fB\s-1VAR\s0\fR=\fIvalue\fR] {\fB\-i\fR\ |\ \fB\-s\fR\ |\ \fIcommand\fR}
 .PP
-\&\fBsudoedit\fR [\fB\-a\fR\ \fIauth_type\fR] [\fB\-c\fR\ \fIclass\fR|\fI\-\fR]
-[\fB\-p\fR\ \fIprompt\fR] [\fB\-S\fR] [\fB\-u\fR\ \fIusername\fR|\fI#uid\fR]
-file [...]
+\&\fBsudoedit\fR [\fB\-S\fR] [\fB\-a\fR\ \fIauth_type\fR] [\fB\-c\fR\ \fIclass\fR|\fI\-\fR]
+[\fB\-p\fR\ \fIprompt\fR] [\fB\-u\fR\ \fIusername\fR|\fI#uid\fR]
+file ...
 .SH "DESCRIPTION"
 .IX Header "DESCRIPTION"
 \&\fBsudo\fR allows a permitted user to execute a \fIcommand\fR as the
@@ -239,9 +239,9 @@
 .IP "\-E" 4
 .IX Item "-E"
 The \fB\-E\fR (\fIpreserve\fR environment) option will override the
-\&\fIenv_reset\fR option in sudoers(@mansectform@)).  It is only
+\&\fIenv_reset\fR option in \fIsudoers\fR\|(@mansectform@)).  It is only
 available when either the matching command has the \f(CW\*(C`SETENV\*(C'\fR tag
-or the \fIsetenv\fR option is set in sudoers(@mansectform@).
+or the \fIsetenv\fR option is set in \fIsudoers\fR\|(@mansectform@).
 .IP "\-e" 4
 .IX Item "-e"
 The \fB\-e\fR (\fIedit\fR) option indicates that, instead of running
@@ -275,15 +275,15 @@
 .IX Item "-H"
 The \fB\-H\fR (\fI\s-1HOME\s0\fR) option sets the \f(CW\*(C`HOME\*(C'\fR environment variable
 to the homedir of the target user (root by default) as specified
-in passwd(@mansectform@).  By default, \fBsudo\fR does not modify \f(CW\*(C`HOME\*(C'\fR
-(see \fIset_home\fR and \fIalways_set_home\fR in sudoers(@mansectform@)).
+in \fIpasswd\fR\|(@mansectform@).  By default, \fBsudo\fR does not modify \f(CW\*(C`HOME\*(C'\fR
+(see \fIset_home\fR and \fIalways_set_home\fR in \fIsudoers\fR\|(@mansectform@)).
 .IP "\-h" 4
 .IX Item "-h"
 The \fB\-h\fR (\fIhelp\fR) option causes \fBsudo\fR to print a usage message and exit.
 .IP "\-i" 4
 .IX Item "-i"
 The \fB\-i\fR (\fIsimulate initial login\fR) option runs the shell specified
-in the passwd(@mansectform@) entry of the user that the command is
+in the \fIpasswd\fR\|(@mansectform@) entry of the user that the command is
 being run as.  The command name argument given to the shell begins
 with a `\f(CW\*(C`\-\*(C'\fR' to tell the shell to run as a login shell.  \fBsudo\fR
 attempts to change to that user's home directory before running the
@@ -328,25 +328,25 @@
 password prompt and use a custom one.  The following percent (`\f(CW\*(C`%\*(C'\fR')
 escapes are supported:
 .RS 4
-.ie n .IP "%u" 8
-.el .IP "\f(CW%u\fR" 8
-.IX Item "%u"
-expanded to the invoking user's login name
-.ie n .IP "%U" 8
-.el .IP "\f(CW%U\fR" 8
-.IX Item "%U"
-expanded to the login name of the user the command will
-be run as (defaults to root)
-.ie n .IP "%h" 8
-.el .IP "\f(CW%h\fR" 8
-.IX Item "%h"
-expanded to the local hostname without the domain name
 .ie n .IP "%H" 8
 .el .IP "\f(CW%H\fR" 8
 .IX Item "%H"
 expanded to the local hostname including the domain name
 (on if the machine's hostname is fully qualified or the \fIfqdn\fR
 \&\fIsudoers\fR option is set)
+.ie n .IP "%h" 8
+.el .IP "\f(CW%h\fR" 8
+.IX Item "%h"
+expanded to the local hostname without the domain name
+.ie n .IP "%U" 8
+.el .IP "\f(CW%U\fR" 8
+.IX Item "%U"
+expanded to the login name of the user the command will
+be run as (defaults to root)
+.ie n .IP "%u" 8
+.el .IP "\f(CW%u\fR" 8
+.IX Item "%u"
+expanded to the invoking user's login name
 .ie n .IP "\*(C`%%\*(C'" 8
 .el .IP "\f(CW\*(C`%%\*(C'\fR" 8
 .IX Item "%%"
@@ -362,13 +362,13 @@
 .IX Item "-s"
 The \fB\-s\fR (\fIshell\fR) option runs the shell specified by the \fI\s-1SHELL\s0\fR
 environment variable if it is set or the shell as specified
-in passwd(@mansectform@).
+in \fIpasswd\fR\|(@mansectform@).
 .IP "\-u" 4
 .IX Item "-u"
 The \fB\-u\fR (\fIuser\fR) option causes \fBsudo\fR to run the specified command
 as a user other than \fIroot\fR.  To specify a \fIuid\fR instead of a
 \&\fIusername\fR, use \fI#uid\fR.  Note that if the \fItargetpw\fR Defaults
-option is set (see sudoers(@mansectform@)) it is not possible
+option is set (see \fIsudoers\fR\|(@mansectform@)) it is not possible
 to run commands with a uid not listed in the password database.
 .IP "\-V" 4
 .IX Item "-V"
@@ -394,7 +394,7 @@
 variables with one important exception.  If the \fIsetenv\fR option
 is set in \fIsudoers\fR or the command to be run has the \f(CW\*(C`SETENV\*(C'\fR tag
 set the user may set variables that would overwise be forbidden.
-See sudoers(@mansectform@) for more information.
+See \fIsudoers\fR\|(@mansectform@) for more information.
 .SH "RETURN VALUES"
 .IX Header "RETURN VALUES"
 Upon successful execution of a program, the return value from \fBsudo\fR
@@ -481,7 +481,7 @@
 access to commands via \fBsudo\fR to verify that the command does not
 inadvertently give the user an effective root shell.  For more
 information, please see the \f(CW\*(C`PREVENTING SHELL ESCAPES\*(C'\fR section in
-sudoers(@mansectform@).
+\&\fIsudoers\fR\|(@mansectform@).
 .SH "ENVIRONMENT"
 .IX Header "ENVIRONMENT"
 \&\fBsudo\fR utilizes the following environment variables:
@@ -546,7 +546,7 @@
 .Ve
 .SH "EXAMPLES"
 .IX Header "EXAMPLES"
-Note: the following examples assume suitable sudoers(@mansectform@) entries.
+Note: the following examples assume suitable \fIsudoers\fR\|(@mansectform@) entries.
 .PP
 To get a file listing of an unreadable directory:
 .PP
@@ -582,8 +582,8 @@
 .Ve
 .SH "SEE ALSO"
 .IX Header "SEE ALSO"
-\&\fIgrep\fR\|(1), \fIsu\fR\|(1), \fIstat\fR\|(2), \fIlogin_cap\fR\|(3), sudoers(@mansectform@),
-passwd(@mansectform@), visudo(@mansectsu@)
+\&\fIgrep\fR\|(1), \fIsu\fR\|(1), \fIstat\fR\|(2), \fIlogin_cap\fR\|(3), \fIpasswd\fR\|(@mansectform@),
+\&\fIsudoers\fR\|(@mansectform@), \fIvisudo\fR\|(@mansectsu@)
 .SH "AUTHORS"
 .IX Header "AUTHORS"
 Many people have worked on \fBsudo\fR over the years; this
@@ -604,7 +604,7 @@
 Also, many programs (such as editors) allow the user to run commands
 via shell escapes, thus avoiding \fBsudo\fR's checks.  However, on
 most systems it is possible to prevent shell escapes with \fBsudo\fR's
-\&\fInoexec\fR functionality.  See the sudoers(@mansectform@) manual
+\&\fInoexec\fR functionality.  See the \fIsudoers\fR\|(@mansectform@) manual
 for details.
 .PP
 It is not meaningful to run the \f(CW\*(C`cd\*(C'\fR command directly via sudo, e.g.,
@@ -634,7 +634,7 @@
 search the archives.
 .SH "DISCLAIMER"
 .IX Header "DISCLAIMER"
-\&\fBSudo\fR is provided ``\s-1AS\s0 \s-1IS\s0'' and any express or implied warranties,
+\&\fBsudo\fR is provided ``\s-1AS\s0 \s-1IS\s0'' and any express or implied warranties,
 including, but not limited to, the implied warranties of merchantability
 and fitness for a particular purpose are disclaimed.  See the \s-1LICENSE\s0
 file distributed with \fBsudo\fR or http://www.sudo.ws/sudo/license.html
diff -ur sudo-1.6.9/sudo.pod sudo-1.6.9p1/sudo.pod
--- sudo-1.6.9/sudo.pod	Mon Jul 16 22:53:55 2007
+++ sudo-1.6.9p1/sudo.pod	Thu Jul 26 10:04:54 2007
@@ -18,7 +18,7 @@
 Agency (DARPA) and Air Force Research Laboratory, Air Force
 Materiel Command, USAF, under agreement number F39502-99-1-0512.
 
-$Sudo: sudo.pod,v 1.70.2.9 2007/07/09 23:25:51 millert Exp $
+$Sudo: sudo.pod,v 1.70.2.12 2007/07/26 14:04:54 millert Exp $
 =pod
 
 =head1 NAME
@@ -27,15 +27,15 @@
 
 =head1 SYNOPSIS
 
-B<sudo> B<-K> | B<-k> | B<-h> | B<-L> | B<-l> | B<-V> | B<-v>
+B<sudo> B<-h> | B<-K> | B<-k> | B<-L> | B<-l> | B<-V> | B<-v>
 
 B<sudo> [B<-bEHPS>] S<[B<-a> I<auth_type>]>
 S<[B<-c> I<class>|I<->]> S<[B<-p> I<prompt>]> S<[B<-u> I<username>|I<#uid>]>
-S<[B<VAR>=I<value>]> S<{B<-e> file [...] | B<-i> | B<-s> | I<command>}>
+S<[B<VAR>=I<value>]> S<{B<-i> | B<-s> | I<command>}>
 
-B<sudoedit> S<[B<-a> I<auth_type>]> S<[B<-c> I<class>|I<->]>
-S<[B<-p> I<prompt>]> [B<-S>] S<[B<-u> I<username>|I<#uid>]>
-file [...]
+B<sudoedit> [B<-S>] S<[B<-a> I<auth_type>]> S<[B<-c> I<class>|I<->]>
+S<[B<-p> I<prompt>]> S<[B<-u> I<username>|I<#uid>]>
+file ...
 
 =head1 DESCRIPTION
 
@@ -120,9 +120,9 @@
 =item -E
 
 The B<-E> (I<preserve> environment) option will override the
-I<env_reset> option in L<sudoers(@mansectform@)>).  It is only
+I<env_reset> option in L<sudoers(5)>).  It is only
 available when either the matching command has the C<SETENV> tag
-or the I<setenv> option is set in L<sudoers(@mansectform@)>.
+or the I<setenv> option is set in L<sudoers(5)>.
 
 =item -e
 
@@ -164,8 +164,8 @@
 
 The B<-H> (I<HOME>) option sets the C<HOME> environment variable
 to the homedir of the target user (root by default) as specified
-in passwd(@mansectform@).  By default, B<sudo> does not modify C<HOME>
-(see I<set_home> and I<always_set_home> in L<sudoers(@mansectform@)>).
+in passwd(5).  By default, B<sudo> does not modify C<HOME>
+(see I<set_home> and I<always_set_home> in L<sudoers(5)>).
 
 =item -h
 
@@ -174,7 +174,7 @@
 =item -i
 
 The B<-i> (I<simulate initial login>) option runs the shell specified
-in the L<passwd(@mansectform@)> entry of the user that the command is
+in the L<passwd(5)> entry of the user that the command is
 being run as.  The command name argument given to the shell begins
 with a `C<->' to tell the shell to run as a login shell.  B<sudo>
 attempts to change to that user's home directory before running the
@@ -227,25 +227,25 @@
 
 =over 8
 
-=item C<%u>
+=item C<%H>
 
-expanded to the invoking user's login name
+expanded to the local hostname including the domain name
+(on if the machine's hostname is fully qualified or the I<fqdn>
+I<sudoers> option is set)
 
+=item C<%h>
+
+expanded to the local hostname without the domain name
+
 =item C<%U>
 
 expanded to the login name of the user the command will
 be run as (defaults to root)
 
-=item C<%h>
+=item C<%u>
 
-expanded to the local hostname without the domain name
+expanded to the invoking user's login name
 
-=item C<%H>
-
-expanded to the local hostname including the domain name
-(on if the machine's hostname is fully qualified or the I<fqdn>
-I<sudoers> option is set)
-
 =item C<%%>
 
 two consecutive C<%> characters are collapsed into a single C<%> character
@@ -261,14 +261,14 @@
 
 The B<-s> (I<shell>) option runs the shell specified by the I<SHELL>
 environment variable if it is set or the shell as specified
-in L<passwd(@mansectform@)>.
+in L<passwd(5)>.
 
 =item -u
 
 The B<-u> (I<user>) option causes B<sudo> to run the specified command
 as a user other than I<root>.  To specify a I<uid> instead of a
 I<username>, use I<#uid>.  Note that if the I<targetpw> Defaults
-option is set (see L<sudoers(@mansectform@)>) it is not possible
+option is set (see L<sudoers(5)>) it is not possible
 to run commands with a uid not listed in the password database.
 
 =item -V
@@ -300,7 +300,7 @@
 variables with one important exception.  If the I<setenv> option
 is set in I<sudoers> or the command to be run has the C<SETENV> tag
 set the user may set variables that would overwise be forbidden.
-See L<sudoers(@mansectform@)> for more information.
+See L<sudoers(5)> for more information.
 
 =head1 RETURN VALUES
 
@@ -389,7 +389,7 @@
 access to commands via B<sudo> to verify that the command does not
 inadvertently give the user an effective root shell.  For more
 information, please see the C<PREVENTING SHELL ESCAPES> section in
-L<sudoers(@mansectform@)>.
+L<sudoers(5)>.
 
 =head1 ENVIRONMENT
 
@@ -431,7 +431,7 @@
 
 =head1 EXAMPLES
 
-Note: the following examples assume suitable L<sudoers(@mansectform@)> entries.
+Note: the following examples assume suitable L<sudoers(5)> entries.
 
 To get a file listing of an unreadable directory:
 
@@ -458,8 +458,8 @@
 
 =head1 SEE ALSO
 
-L<grep(1)>, L<su(1)>, L<stat(2)>, L<login_cap(3)>, L<sudoers(@mansectform@)>,
-L<passwd(@mansectform@)>, L<visudo(@mansectsu@)>
+L<grep(1)>, L<su(1)>, L<stat(2)>, L<login_cap(3)>, L<passwd(5)>,
+L<sudoers(5)>, L<visudo(8)>
 
 =head1 AUTHORS
 
@@ -480,7 +480,7 @@
 Also, many programs (such as editors) allow the user to run commands
 via shell escapes, thus avoiding B<sudo>'s checks.  However, on
 most systems it is possible to prevent shell escapes with B<sudo>'s
-I<noexec> functionality.  See the L<sudoers(@mansectform@)> manual
+I<noexec> functionality.  See the L<sudoers(5)> manual
 for details.
 
 It is not meaningful to run the C<cd> command directly via sudo, e.g.,
@@ -511,7 +511,7 @@
 
 =head1 DISCLAIMER
 
-B<Sudo> is provided ``AS IS'' and any express or implied warranties,
+B<sudo> is provided ``AS IS'' and any express or implied warranties,
 including, but not limited to, the implied warranties of merchantability
 and fitness for a particular purpose are disclaimed.  See the LICENSE
 file distributed with B<sudo> or http://www.sudo.ws/sudo/license.html
Binary files sudo-1.6.9/sudoers.cat and sudo-1.6.9p1/sudoers.cat differ
diff -ur sudo-1.6.9/sudoers.man.in sudo-1.6.9p1/sudoers.man.in
--- sudo-1.6.9/sudoers.man.in	Mon Jul 16 22:55:46 2007
+++ sudo-1.6.9p1/sudoers.man.in	Thu Jul 26 10:05:55 2007
@@ -17,7 +17,7 @@
 .\" Agency (DARPA) and Air Force Research Laboratory, Air Force
 .\" Materiel Command, USAF, under agreement number F39502-99-1-0512.
 .\" 
-.\" $Sudo: sudoers.man.in,v 1.45.2.7 2007/07/17 02:55:46 millert Exp $
+.\" $Sudo: sudoers.man.in,v 1.45.2.8 2007/07/26 14:05:55 millert Exp $
 .\" Automatically generated by Pod::Man v1.37, Pod::Parser v1.32
 .\"
 .\" Standard preamble:
@@ -149,7 +149,7 @@
 .\" ========================================================================
 .\"
 .IX Title "SUDOERS @mansectform@"
-.TH SUDOERS @mansectform@ "July 16, 2007" "1.6.9" "MAINTENANCE COMMANDS"
+.TH SUDOERS @mansectform@ "July 26, 2007" "1.6.9p1" "MAINTENANCE COMMANDS"
 .SH "NAME"
 sudoers \- list of which users may execute what
 .SH "DESCRIPTION"
@@ -602,18 +602,57 @@
 \&'@', '!', '=', ':', ',', '(', ')', '\e'.
 .SH "SUDOERS OPTIONS"
 .IX Header "SUDOERS OPTIONS"
-Sudo's behavior can be modified by \f(CW\*(C`Default_Entry\*(C'\fR lines, as
+\&\fBsudo\fR's behavior can be modified by \f(CW\*(C`Default_Entry\*(C'\fR lines, as
 explained earlier.  A list of all supported Defaults parameters,
 grouped by type, are listed below.
 .PP
 \&\fBFlags\fR:
-.IP "long_otp_prompt" 12
-.IX Item "long_otp_prompt"
-When validating with a One Time Password scheme (\fBS/Key\fR or \fB\s-1OPIE\s0\fR),
-a two-line prompt is used to make it easier to cut and paste the
-challenge to a local window.  It's not as pretty as the default but
-some people find it more convenient.  This flag is \fI@long_otp_prompt@\fR
-by default.
+.IP "always_set_home" 12
+.IX Item "always_set_home"
+If set, \fBsudo\fR will set the \f(CW\*(C`HOME\*(C'\fR environment variable to the home
+directory of the target user (which is root unless the \fB\-u\fR option is used).
+This effectively means that the \fB\-H\fR flag is always implied.
+This flag is \fIoff\fR by default.
+.IP "authenticate" 12
+.IX Item "authenticate"
+If set, users must authenticate themselves via a password (or other
+means of authentication) before they may run commands.  This default
+may be overridden via the \f(CW\*(C`PASSWD\*(C'\fR and \f(CW\*(C`NOPASSWD\*(C'\fR tags.
+This flag is \fIon\fR by default.
+.IP "env_editor" 12
+.IX Item "env_editor"
+If set, \fBvisudo\fR will use the value of the \s-1EDITOR\s0 or \s-1VISUAL\s0
+environment variables before falling back on the default editor list.
+Note that this may create a security hole as it allows the user to
+run any arbitrary command as root without logging.  A safer alternative
+is to place a colon-separated list of editors in the \f(CW\*(C`editor\*(C'\fR
+variable.  \fBvisudo\fR will then only use the \s-1EDITOR\s0 or \s-1VISUAL\s0 if
+they match a value specified in \f(CW\*(C`editor\*(C'\fR.  This flag is \fI@env_editor@\fR by
+default.
+.IP "env_reset" 12
+.IX Item "env_reset"
+If set, \fBsudo\fR will reset the environment to only contain the
+\&\s-1LOGNAME\s0, \s-1SHELL\s0, \s-1USER\s0, \s-1USERNAME\s0 and the \f(CW\*(C`SUDO_*\*(C'\fR variables.  Any
+variables in the caller's environment that match the \f(CW\*(C`env_keep\*(C'\fR
+and \f(CW\*(C`env_check\*(C'\fR lists are then added.  The default contents of the
+\&\f(CW\*(C`env_keep\*(C'\fR and \f(CW\*(C`env_check\*(C'\fR lists are displayed when \fBsudo\fR is
+run by root with the \fI\-V\fR option.  If \fBsudo\fR was compiled with
+the \f(CW\*(C`SECURE_PATH\*(C'\fR option, its value will be used for the \f(CW\*(C`PATH\*(C'\fR
+environment variable.  This flag is \fIon\fR by default.
+.IP "fqdn" 12
+.IX Item "fqdn"
+Set this flag if you want to put fully qualified hostnames in the
+\&\fIsudoers\fR file.  I.e., instead of myhost you would use myhost.mydomain.edu.
+You may still use the short form if you wish (and even mix the two).
+Beware that turning on \fIfqdn\fR requires \fBsudo\fR to make \s-1DNS\s0 lookups
+which may make \fBsudo\fR unusable if \s-1DNS\s0 stops working (for example
+if the machine is not plugged into the network).  Also note that
+you must use the host's official name as \s-1DNS\s0 knows it.  That is,
+you may not use a host alias (\f(CW\*(C`CNAME\*(C'\fR entry) due to performance
+issues and the fact that there is no way to get all aliases from
+\&\s-1DNS\s0.  If your machine's hostname (as returned by the \f(CW\*(C`hostname\*(C'\fR
+command) is already fully qualified you shouldn't need to set
+\&\fIfqdn\fR.  This flag is \fI@fqdn@\fR by default.
 .IP "ignore_dot" 12
 .IX Item "ignore_dot"
 If set, \fBsudo\fR will ignore '.' or '' (current dir) in the \f(CW\*(C`PATH\*(C'\fR
@@ -622,6 +661,35 @@
 to set \fIignore_dot\fR in \fIsudoers\fR, its value is not used.  This option
 should be considered read-only (it will be fixed in a future version
 of \fBsudo\fR).
+.IP "ignore_local_sudoers" 12
+.IX Item "ignore_local_sudoers"
+If set via \s-1LDAP\s0, parsing of \f(CW@sysconfdir\fR@/sudoers will be skipped.
+This is intended for Enterprises that wish to prevent the usage of local
+sudoers files so that only \s-1LDAP\s0 is used.  This thwarts the efforts of
+rogue operators who would attempt to add roles to \f(CW@sysconfdir\fR@/sudoers.
+When this option is present, \f(CW@sysconfdir\fR@/sudoers does not even need to exist. 
+Since this option tells \fBsudo\fR how to behave when no specific \s-1LDAP\s0 entries
+have been matched, this sudoOption is only meaningful for the cn=defaults
+section.  This flag is \fIoff\fR by default.
+.IP "insults" 12
+.IX Item "insults"
+If set, \fBsudo\fR will insult users when they enter an incorrect
+password.  This flag is \fI@insults@\fR by default.
+.IP "log_host" 12
+.IX Item "log_host"
+If set, the hostname will be logged in the (non\-syslog) \fBsudo\fR log file.
+This flag is \fIoff\fR by default.
+.IP "log_year" 12
+.IX Item "log_year"
+If set, the four-digit year will be logged in the (non\-syslog) \fBsudo\fR log file.
+This flag is \fIoff\fR by default.
+.IP "long_otp_prompt" 12
+.IX Item "long_otp_prompt"
+When validating with a One Time Password (\s-1OPT\s0) scheme such as
+\&\fBS/Key\fR or \fB\s-1OPIE\s0\fR, a two-line prompt is used to make it easier
+to cut and paste the challenge to a local window.  It's not as
+pretty as the default but some people find it more convenient.  This
+flag is \fI@long_otp_prompt@\fR by default.
 .IP "mail_always" 12
 .IX Item "mail_always"
 Send mail to the \fImailto\fR user every time a users runs \fBsudo\fR.
@@ -630,11 +698,6 @@
 .IX Item "mail_badpass"
 Send mail to the \fImailto\fR user if the user running \fBsudo\fR does not
 enter the correct password.  This flag is \fIoff\fR by default.
-.IP "mail_no_user" 12
-.IX Item "mail_no_user"
-If set, mail will be sent to the \fImailto\fR user if the invoking
-user is not in the \fIsudoers\fR file.  This flag is \fI@mail_no_user@\fR
-by default.
 .IP "mail_no_host" 12
 .IX Item "mail_no_host"
 If set, mail will be sent to the \fImailto\fR user if the invoking
@@ -646,55 +709,16 @@
 user is allowed to use \fBsudo\fR but the command they are trying is not
 listed in their \fIsudoers\fR file entry or is explicitly denied.
 This flag is \fI@mail_no_perms@\fR by default.
-.IP "tty_tickets" 12
-.IX Item "tty_tickets"
-If set, users must authenticate on a per-tty basis.  Normally,
-\&\fBsudo\fR uses a directory in the ticket dir with the same name as
-the user running it.  With this flag enabled, \fBsudo\fR will use a
-file named for the tty the user is logged in on in that directory.
-This flag is \fI@tty_tickets@\fR by default.
-.IP "authenticate" 12
-.IX Item "authenticate"
-If set, users must authenticate themselves via a password (or other
-means of authentication) before they may run commands.  This default
-may be overridden via the \f(CW\*(C`PASSWD\*(C'\fR and \f(CW\*(C`NOPASSWD\*(C'\fR tags.
-This flag is \fIon\fR by default.
-.IP "root_sudo" 12
-.IX Item "root_sudo"
-If set, root is allowed to run \fBsudo\fR too.  Disabling this prevents users
-from \*(L"chaining\*(R" \fBsudo\fR commands to get a root shell by doing something
-like \f(CW"sudo sudo /bin/sh"\fR.  Note, however, that turning off \fIroot_sudo\fR
-will also prevent root and from running \fBsudoedit\fR.
-Disabling \fIroot_sudo\fR provides no real additional security; it
-exists purely for historical reasons.
-This flag is \fI@root_sudo@\fR by default.
-.IP "log_host" 12
-.IX Item "log_host"
-If set, the hostname will be logged in the (non\-syslog) \fBsudo\fR log file.
-This flag is \fIoff\fR by default.
-.IP "log_year" 12
-.IX Item "log_year"
-If set, the four-digit year will be logged in the (non\-syslog) \fBsudo\fR log file.
-This flag is \fIoff\fR by default.
-.IP "shell_noargs" 12
-.IX Item "shell_noargs"
-If set and \fBsudo\fR is invoked with no arguments it acts as if the
-\&\fB\-s\fR flag had been given.  That is, it runs a shell as root (the
-shell is determined by the \f(CW\*(C`SHELL\*(C'\fR environment variable if it is
-set, falling back on the shell listed in the invoking user's
-/etc/passwd entry if not).  This flag is \fIoff\fR by default.
-.IP "set_home" 12
-.IX Item "set_home"
-If set and \fBsudo\fR is invoked with the \fB\-s\fR flag the \f(CW\*(C`HOME\*(C'\fR
-environment variable will be set to the home directory of the target
-user (which is root unless the \fB\-u\fR option is used).  This effectively
-makes the \fB\-s\fR flag imply \fB\-H\fR.  This flag is \fIoff\fR by default.
-.IP "always_set_home" 12
-.IX Item "always_set_home"
-If set, \fBsudo\fR will set the \f(CW\*(C`HOME\*(C'\fR environment variable to the home
-directory of the target user (which is root unless the \fB\-u\fR option is used).
-This effectively means that the \fB\-H\fR flag is always implied.
-This flag is \fIoff\fR by default.
+.IP "mail_no_user" 12
+.IX Item "mail_no_user"
+If set, mail will be sent to the \fImailto\fR user if the invoking
+user is not in the \fIsudoers\fR file.  This flag is \fI@mail_no_user@\fR
+by default.
+.IP "noexec" 12
+.IX Item "noexec"
+If set, all commands run via \fBsudo\fR will behave as if the \f(CW\*(C`NOEXEC\*(C'\fR
+tag has been set, unless overridden by a \f(CW\*(C`EXEC\*(C'\fR tag.  See the
+description of \fI\s-1NOEXEC\s0 and \s-1EXEC\s0\fR below as well as the \*(L"\s-1PREVENTING\s0 \s-1SHELL\s0 \s-1ESCAPES\s0\*(R" section at the end of this manual.  This flag is \fIoff\fR by default.
 .IP "path_info" 12
 .IX Item "path_info"
 Normally, \fBsudo\fR will tell the user when a command could not be
@@ -703,8 +727,8 @@
 location of executables that the normal user does not have access
 to.  The disadvantage is that if the executable is simply not in
 the user's \f(CW\*(C`PATH\*(C'\fR, \fBsudo\fR will tell the user that they are not
-allowed to run it, which can be confusing.  This flag is \fIoff\fR by
-default.
+allowed to run it, which can be confusing.  This flag is \fI@path_info@\fR
+by default.
 .IP "preserve_groups" 12
 .IX Item "preserve_groups"
 By default \fBsudo\fR will initialize the group vector to the list of
@@ -712,24 +736,6 @@
 user's existing group vector is left unaltered.  The real and
 effective group IDs, however, are still set to match the target
 user.  This flag is \fIoff\fR by default.
-.IP "fqdn" 12
-.IX Item "fqdn"
-Set this flag if you want to put fully qualified hostnames in the
-\&\fIsudoers\fR file.  I.e., instead of myhost you would use myhost.mydomain.edu.
-You may still use the short form if you wish (and even mix the two).
-Beware that turning on \fIfqdn\fR requires \fBsudo\fR to make \s-1DNS\s0 lookups
-which may make \fBsudo\fR unusable if \s-1DNS\s0 stops working (for example
-if the machine is not plugged into the network).  Also note that
-you must use the host's official name as \s-1DNS\s0 knows it.  That is,
-you may not use a host alias (\f(CW\*(C`CNAME\*(C'\fR entry) due to performance
-issues and the fact that there is no way to get all aliases from
-\&\s-1DNS\s0.  If your machine's hostname (as returned by the \f(CW\*(C`hostname\*(C'\fR
-command) is already fully qualified you shouldn't need to set
-\&\fIfqdn\fR.  This flag is \fI@fqdn@\fR by default.
-.IP "insults" 12
-.IX Item "insults"
-If set, \fBsudo\fR will insult users when they enter an incorrect
-password.  This flag is \fI@insults@\fR by default.
 .IP "requiretty" 12
 .IX Item "requiretty"
 If set, \fBsudo\fR will only run when the user is logged in to a real
@@ -738,16 +744,15 @@
 off echo when there is no tty present, some sites may wish to set
 this flag to prevent a user from entering a visible password.  This
 flag is \fIoff\fR by default.
-.IP "env_editor" 12
-.IX Item "env_editor"
-If set, \fBvisudo\fR will use the value of the \s-1EDITOR\s0 or \s-1VISUAL\s0
-environment variables before falling back on the default editor list.
-Note that this may create a security hole as it allows the user to
-run any arbitrary command as root without logging.  A safer alternative
-is to place a colon-separated list of editors in the \f(CW\*(C`editor\*(C'\fR
-variable.  \fBvisudo\fR will then only use the \s-1EDITOR\s0 or \s-1VISUAL\s0 if
-they match a value specified in \f(CW\*(C`editor\*(C'\fR.  This flag is \f(CW\*(C`@env_editor@\*(C'\fR by
-default.
+.IP "root_sudo" 12
+.IX Item "root_sudo"
+If set, root is allowed to run \fBsudo\fR too.  Disabling this prevents users
+from \*(L"chaining\*(R" \fBsudo\fR commands to get a root shell by doing something
+like \f(CW"sudo sudo /bin/sh"\fR.  Note, however, that turning off \fIroot_sudo\fR
+will also prevent root and from running \fBsudoedit\fR.
+Disabling \fIroot_sudo\fR provides no real additional security; it
+exists purely for historical reasons.
+This flag is \fI@root_sudo@\fR by default.
 .IP "rootpw" 12
 .IX Item "rootpw"
 If set, \fBsudo\fR will prompt for the root password instead of the password
@@ -757,13 +762,12 @@
 If set, \fBsudo\fR will prompt for the password of the user defined by the
 \&\fIrunas_default\fR option (defaults to \f(CW\*(C`@runas_default@\*(C'\fR) instead of the
 password of the invoking user.  This flag is \fIoff\fR by default.
-.IP "targetpw" 12
-.IX Item "targetpw"
-If set, \fBsudo\fR will prompt for the password of the user specified by
-the \fB\-u\fR flag (defaults to \f(CW\*(C`root\*(C'\fR) instead of the password of the
-invoking user.  Note that this precludes the use of a uid not listed
-in the passwd database as an argument to the \fB\-u\fR flag.
-This flag is \fIoff\fR by default.
+.IP "set_home" 12
+.IX Item "set_home"
+If set and \fBsudo\fR is invoked with the \fB\-s\fR flag the \f(CW\*(C`HOME\*(C'\fR
+environment variable will be set to the home directory of the target
+user (which is root unless the \fB\-u\fR option is used).  This effectively
+makes the \fB\-s\fR flag imply \fB\-H\fR.  This flag is \fIoff\fR by default.
 .IP "set_logname" 12
 .IX Item "set_logname"
 Normally, \fBsudo\fR will set the \f(CW\*(C`LOGNAME\*(C'\fR, \f(CW\*(C`USER\*(C'\fR and \f(CW\*(C`USERNAME\*(C'\fR
@@ -774,7 +778,22 @@
 change this behavior.  This can be done by negating the set_logname
 option.  Note that if the \fIenv_reset\fR option has not been disabled,
 entries in the \fIenv_keep\fR list will override the value of
-\&\fIset_logname\fR.
+\&\fIset_logname\fR.  This flag is \fIoff\fR by default.
+.IP "setenv" 12
+.IX Item "setenv"
+Allow the user to disable the \fIenv_reset\fR option from the command
+line.  Additionally, environment variables set via the command line
+are not subject to the restrictions imposed by \fIenv_check\fR,
+\&\fIenv_delete\fR, or \fIenv_keep\fR.  As such, only trusted users should
+be allowed to set variables in this manner.  This flag is \fIoff\fR
+by default.
+.IP "shell_noargs" 12
+.IX Item "shell_noargs"
+If set and \fBsudo\fR is invoked with no arguments it acts as if the
+\&\fB\-s\fR flag had been given.  That is, it runs a shell as root (the
+shell is determined by the \f(CW\*(C`SHELL\*(C'\fR environment variable if it is
+set, falling back on the shell listed in the invoking user's
+/etc/passwd entry if not).  This flag is \fIoff\fR by default.
 .IP "stay_setuid" 12
 .IX Item "stay_setuid"
 Normally, when \fBsudo\fR executes a command the real and effective
@@ -784,37 +803,26 @@
 wrapper.  This can be useful on systems that disable some potentially
 dangerous functionality when a program is run setuid.  This option
 is only effective on systems with either the \fIsetreuid()\fR or \fIsetresuid()\fR
-function.
-.IP "env_reset" 12
-.IX Item "env_reset"
-If set, \fBsudo\fR will reset the environment to only contain the
-\&\s-1LOGNAME\s0, \s-1SHELL\s0, \s-1USER\s0, \s-1USERNAME\s0 and the \f(CW\*(C`SUDO_*\*(C'\fR variables.  Any
-variables in the caller's environment that match the \f(CW\*(C`env_keep\*(C'\fR
-and \f(CW\*(C`env_check\*(C'\fR lists are then added.  The default contents of the
-\&\f(CW\*(C`env_keep\*(C'\fR and \f(CW\*(C`env_check\*(C'\fR lists are displayed when \fBsudo\fR is
-run by root with the \fI\-V\fR option.  If \fBsudo\fR was compiled with
-the \f(CW\*(C`SECURE_PATH\*(C'\fR option, its value will be used for the \f(CW\*(C`PATH\*(C'\fR
-environment variable.  This flag is \fIon\fR by default.
+function.  This flag is \fIoff\fR by default.
+.IP "targetpw" 12
+.IX Item "targetpw"
+If set, \fBsudo\fR will prompt for the password of the user specified by
+the \fB\-u\fR flag (defaults to \f(CW\*(C`root\*(C'\fR) instead of the password of the
+invoking user.  Note that this precludes the use of a uid not listed
+in the passwd database as an argument to the \fB\-u\fR flag.
+This flag is \fIoff\fR by default.
+.IP "tty_tickets" 12
+.IX Item "tty_tickets"
+If set, users must authenticate on a per-tty basis.  Normally,
+\&\fBsudo\fR uses a directory in the ticket dir with the same name as
+the user running it.  With this flag enabled, \fBsudo\fR will use a
+file named for the tty the user is logged in on in that directory.
+This flag is \fI@tty_tickets@\fR by default.
 .IP "use_loginclass" 12
 .IX Item "use_loginclass"
 If set, \fBsudo\fR will apply the defaults specified for the target user's
 login class if one exists.  Only available if \fBsudo\fR is configured with
 the \-\-with\-logincap option.  This flag is \fIoff\fR by default.
-.IP "noexec" 12
-.IX Item "noexec"
-If set, all commands run via \fBsudo\fR will behave as if the \f(CW\*(C`NOEXEC\*(C'\fR
-tag has been set, unless overridden by a \f(CW\*(C`EXEC\*(C'\fR tag.  See the
-description of \fI\s-1NOEXEC\s0 and \s-1EXEC\s0\fR below as well as the \*(L"\s-1PREVENTING\s0 \s-1SHELL\s0 \s-1ESCAPES\s0\*(R" section at the end of this manual.  This flag is \fIoff\fR by default.
-.IP "ignore_local_sudoers" 12
-.IX Item "ignore_local_sudoers"
-If set via \s-1LDAP\s0, parsing of \f(CW@sysconfdir\fR@/sudoers will be skipped.
-This is intended for Enterprises that wish to prevent the usage of local
-sudoers files so that only \s-1LDAP\s0 is used.  This thwarts the efforts of
-rogue operators who would attempt to add roles to \f(CW@sysconfdir\fR@/sudoers.
-When this option is present, \f(CW@sysconfdir\fR@/sudoers does not even need to exist. 
-Since this option tells \fBsudo\fR how to behave when no specific \s-1LDAP\s0 entries
-have been matched, this sudoOption is only meaningful for the cn=defaults
-section.  This flag is \fIoff\fR by default.
 .PP
 \&\fBIntegers\fR:
 .IP "passwd_tries" 12
@@ -829,6 +837,10 @@
 to decide when to wrap lines for nicer log files.  This has no
 effect on the syslog log file, only the file log.  The default is
 \&\f(CW\*(C`@loglen@\*(C'\fR (use 0 or negate the option to disable word wrap).
+.IP "passwd_timeout" 12
+.IX Item "passwd_timeout"
+Number of minutes before the \fBsudo\fR password prompt times out.
+The default is \f(CW\*(C`@password_timeout@\*(C'\fR; set this to \f(CW0\fR for no password timeout.
 .IP "timestamp_timeout" 12
 .IX Item "timestamp_timeout"
 Number of minutes that can elapse before \fBsudo\fR will ask for a
@@ -837,65 +849,59 @@
 If set to a value less than \f(CW0\fR the user's timestamp will never
 expire.  This can be used to allow users to create or delete their
 own timestamps via \f(CW\*(C`sudo \-v\*(C'\fR and \f(CW\*(C`sudo \-k\*(C'\fR respectively.
-.IP "passwd_timeout" 12
-.IX Item "passwd_timeout"
-Number of minutes before the \fBsudo\fR password prompt times out.
-The default is \f(CW\*(C`@password_timeout@\*(C'\fR, set this to \f(CW0\fR for no password timeout.
 .IP "umask" 12
 .IX Item "umask"
 Umask to use when running the command.  Negate this option or set
 it to 0777 to preserve the user's umask.  The default is \f(CW\*(C`@sudo_umask@\*(C'\fR.
-.IP "setenv" 12
-.IX Item "setenv"
-Allow the user to disable the \fIenv_reset\fR option from the command
-line.  Additionally, environment variables set via the command line
-are not subject to the restrictions imposed by \fIenv_check\fR,
-\&\fIenv_delete\fR, or \fIenv_keep\fR.  As such, only trusted users should
-be allowed to set variables in this manner.
 .PP
 \&\fBStrings\fR:
+.IP "badpass_message" 12
+.IX Item "badpass_message"
+Message that is displayed if a user enters an incorrect password.
+The default is \f(CW\*(C`@badpass_message@\*(C'\fR unless insults are enabled.
+.IP "editor" 12
+.IX Item "editor"
+A colon (':') separated list of editors allowed to be used with
+\&\fBvisudo\fR.  \fBvisudo\fR will choose the editor that matches the user's
+\&\s-1EDITOR\s0 environment variable if possible, or the first editor in the
+list that exists and is executable.  The default is the path to vi
+on your system.
 .IP "mailsub" 12
 .IX Item "mailsub"
 Subject of the mail sent to the \fImailto\fR user. The escape \f(CW%h\fR
 will expand to the hostname of the machine.
 Default is \f(CW\*(C`@mailsub@\*(C'\fR.
-.IP "badpass_message" 12
-.IX Item "badpass_message"
-Message that is displayed if a user enters an incorrect password.
-The default is \f(CW\*(C`@badpass_message@\*(C'\fR unless insults are enabled.
-.IP "timestampdir" 12
-.IX Item "timestampdir"
-The directory in which \fBsudo\fR stores its timestamp files.
-The default is \fI@timedir@\fR.
-.IP "timestampowner" 12
-.IX Item "timestampowner"
-The owner of the timestamp directory and the timestamps stored therein.
-The default is \f(CW\*(C`root\*(C'\fR.
+.IP "noexec_file" 12
+.IX Item "noexec_file"
+Path to a shared library containing dummy versions of the \fIexecv()\fR,
+\&\fIexecve()\fR and \fIfexecve()\fR library functions that just return an error.
+This is used to implement the \fInoexec\fR functionality on systems that
+support \f(CW\*(C`LD_PRELOAD\*(C'\fR or its equivalent.  Defaults to \fI@noexec_file@\fR.
 .IP "passprompt" 12
 .IX Item "passprompt"
 The default prompt to use when asking for a password; can be overridden
 via the \fB\-p\fR option or the \f(CW\*(C`SUDO_PROMPT\*(C'\fR environment variable.
 The following percent (`\f(CW\*(C`%\*(C'\fR') escapes are supported:
 .RS 12
-.ie n .IP "%u" 8
-.el .IP "\f(CW%u\fR" 8
-.IX Item "%u"
-expanded to the invoking user's login name
-.ie n .IP "%U" 8
-.el .IP "\f(CW%U\fR" 8
-.IX Item "%U"
-expanded to the login name of the user the command will
-be run as (defaults to root)
-.ie n .IP "%h" 8
-.el .IP "\f(CW%h\fR" 8
-.IX Item "%h"
-expanded to the local hostname without the domain name
 .ie n .IP "%H" 8
 .el .IP "\f(CW%H\fR" 8
 .IX Item "%H"
 expanded to the local hostname including the domain name
 (on if the machine's hostname is fully qualified or the \fIfqdn\fR
 option is set)
+.ie n .IP "%h" 8
+.el .IP "\f(CW%h\fR" 8
+.IX Item "%h"
+expanded to the local hostname without the domain name
+.ie n .IP "%U" 8
+.el .IP "\f(CW%U\fR" 8
+.IX Item "%U"
+expanded to the login name of the user the command will
+be run as (defaults to root)
+.ie n .IP "%u" 8
+.el .IP "\f(CW%u\fR" 8
+.IX Item "%u"
+expanded to the invoking user's login name
 .ie n .IP "\*(C`%%\*(C'" 8
 .el .IP "\f(CW\*(C`%%\*(C'\fR" 8
 .IX Item "%%"
@@ -911,43 +917,42 @@
 on the command line.  This defaults to \f(CW\*(C`@runas_default@\*(C'\fR.
 Note that if \fIrunas_default\fR is set it \fBmust\fR occur before
 any \f(CW\*(C`Runas_Alias\*(C'\fR specifications.
-.IP "syslog_goodpri" 12
-.IX Item "syslog_goodpri"
-Syslog priority to use when user authenticates successfully.
-Defaults to \f(CW\*(C`@goodpri@\*(C'\fR.
 .IP "syslog_badpri" 12
 .IX Item "syslog_badpri"
 Syslog priority to use when user authenticates unsuccessfully.
 Defaults to \f(CW\*(C`@badpri@\*(C'\fR.
-.IP "editor" 12
-.IX Item "editor"
-A colon (':') separated list of editors allowed to be used with
-\&\fBvisudo\fR.  \fBvisudo\fR will choose the editor that matches the user's
-\&\s-1EDITOR\s0 environment variable if possible, or the first editor in the
-list that exists and is executable.  The default is the path to vi
-on your system.
-.IP "noexec_file" 12
-.IX Item "noexec_file"
-Path to a shared library containing dummy versions of the \fIexecv()\fR,
-\&\fIexecve()\fR and \fIfexecve()\fR library functions that just return an error.
-This is used to implement the \fInoexec\fR functionality on systems that
-support \f(CW\*(C`LD_PRELOAD\*(C'\fR or its equivalent.  Defaults to \fI@noexec_file@\fR.
+.IP "syslog_goodpri" 12
+.IX Item "syslog_goodpri"
+Syslog priority to use when user authenticates successfully.
+Defaults to \f(CW\*(C`@goodpri@\*(C'\fR.
+.IP "timestampdir" 12
+.IX Item "timestampdir"
+The directory in which \fBsudo\fR stores its timestamp files.
+The default is \fI@timedir@\fR.
+.IP "timestampowner" 12
+.IX Item "timestampowner"
+The owner of the timestamp directory and the timestamps stored therein.
+The default is \f(CW\*(C`root\*(C'\fR.
 .PP
 \&\fBStrings that can be used in a boolean context\fR:
+.IP "exempt_group" 12
+.IX Item "exempt_group"
+Users in this group are exempt from password and \s-1PATH\s0 requirements.
+This is not set by default.
 .IP "lecture" 12
 .IX Item "lecture"
 This option controls when a short lecture will be printed along with
 the password prompt.  It has the following possible values:
 .RS 12
+.IP "always" 8
+.IX Item "always"
+Always lecture the user.
 .IP "never" 8
 .IX Item "never"
 Never lecture the user.
 .IP "once" 8
 .IX Item "once"
 Only lecture the user the first time they run \fBsudo\fR.
-.IP "always" 8
-.IX Item "always"
-Always lecture the user.
 .RE
 .RS 12
 .Sp
@@ -959,30 +964,54 @@
 .IX Item "lecture_file"
 Path to a file containing an alternate \fBsudo\fR lecture that will
 be used in place of the standard lecture if the named file exists.
+By default, \fBsudo\fR uses a built-in lecture.
+.IP "listpw" 12
+.IX Item "listpw"
+This option controls when a password will be required when a
+user runs \fBsudo\fR with the \fB\-l\fR flag.  It has the following possible values:
+.RS 12
+.IP "all" 8
+.IX Item "all"
+All the user's \fIsudoers\fR entries for the current host must have
+the \f(CW\*(C`NOPASSWD\*(C'\fR flag set to avoid entering a password.
+.IP "always" 8
+.IX Item "always"
+The user must always enter a password to use the \fB\-l\fR flag.
+.IP "any" 8
+.IX Item "any"
+At least one of the user's \fIsudoers\fR entries for the current host
+must have the \f(CW\*(C`NOPASSWD\*(C'\fR flag set to avoid entering a password.
+.IP "never" 8
+.IX Item "never"
+The user need never enter a password to use the \fB\-l\fR flag.
+.RE
+.RS 12
+.Sp
+If no value is specified, a value of \fIany\fR is implied.
+Negating the option results in a value of \fInever\fR being used.
+The default value is \fIany\fR.
+.RE
 .IP "logfile" 12
 .IX Item "logfile"
 Path to the \fBsudo\fR log file (not the syslog log file).  Setting a path
 turns on logging to a file; negating this option turns it off.
-.IP "syslog" 12
-.IX Item "syslog"
-Syslog facility if syslog is being used for logging (negate to
-disable syslog logging).  Defaults to \f(CW\*(C`@logfac@\*(C'\fR.
+By default, \fBsudo\fR logs via syslog.
+.IP "mailerflags" 12
+.IX Item "mailerflags"
+Flags to use when invoking mailer. Defaults to \fB\-t\fR.
 .IP "mailerpath" 12
 .IX Item "mailerpath"
 Path to mail program used to send warning mail.
 Defaults to the path to sendmail found at configure time.
-.IP "mailerflags" 12
-.IX Item "mailerflags"
-Flags to use when invoking mailer. Defaults to \fB\-t\fR.
 .IP "mailto" 12
 .IX Item "mailto"
 Address to send warning and error mail to.  The address should
 be enclosed in double quotes (\f(CW\*(C`"\*(C'\fR) to protect against \fBsudo\fR
 interpreting the \f(CW\*(C`@\*(C'\fR sign.  Defaults to \f(CW\*(C`@mailto@\*(C'\fR.
-.IP "exempt_group" 12
-.IX Item "exempt_group"
-Users in this group are exempt from password and \s-1PATH\s0 requirements.
-This is not set by default.
+.IP "syslog" 12
+.IX Item "syslog"
+Syslog facility if syslog is being used for logging (negate to
+disable syslog logging).  Defaults to \f(CW\*(C`@logfac@\*(C'\fR.
 .IP "verifypw" 12
 .IX Item "verifypw"
 This option controls when a password will be required when a user runs
@@ -992,6 +1021,9 @@
 .IX Item "all"
 All the user's \fIsudoers\fR entries for the current host must have
 the \f(CW\*(C`NOPASSWD\*(C'\fR flag set to avoid entering a password.
+.IP "always" 8
+.IX Item "always"
+The user must always enter a password to use the \fB\-v\fR flag.
 .IP "any" 8
 .IX Item "any"
 At least one of the user's \fIsudoers\fR entries for the current host
@@ -999,9 +1031,6 @@
 .IP "never" 8
 .IX Item "never"
 The user need never enter a password to use the \fB\-v\fR flag.
-.IP "always" 8
-.IX Item "always"
-The user must always enter a password to use the \fB\-v\fR flag.
 .RE
 .RS 12
 .Sp
@@ -1009,32 +1038,6 @@
 Negating the option results in a value of \fInever\fR being used.
 The default value is \fIall\fR.
 .RE
-.IP "listpw" 12
-.IX Item "listpw"
-This option controls when a password will be required when a
-user runs \fBsudo\fR with the \fB\-l\fR flag.  It has the following possible values:
-.RS 12
-.IP "all" 8
-.IX Item "all"
-All the user's \fIsudoers\fR entries for the current host must have
-the \f(CW\*(C`NOPASSWD\*(C'\fR flag set to avoid entering a password.
-.IP "any" 8
-.IX Item "any"
-At least one of the user's \fIsudoers\fR entries for the current host
-must have the \f(CW\*(C`NOPASSWD\*(C'\fR flag set to avoid entering a password.
-.IP "never" 8
-.IX Item "never"
-The user need never enter a password to use the \fB\-l\fR flag.
-.IP "always" 8
-.IX Item "always"
-The user must always enter a password to use the \fB\-l\fR flag.
-.RE
-.RS 12
-.Sp
-If no value is specified, a value of \fIany\fR is implied.
-Negating the option results in a value of \fInever\fR being used.
-The default value is \fIany\fR.
-.RE
 .PP
 \&\fBLists that can be used in a boolean context\fR:
 .IP "env_check" 12
@@ -1239,7 +1242,7 @@
 .Ve
 .PP
 The user \fBjim\fR may run any command on machines in the \fIbiglab\fR netgroup.
-\&\fBSudo\fR knows that \*(L"biglab\*(R" is a netgroup due to the '+' prefix.
+\&\fBsudo\fR knows that \*(L"biglab\*(R" is a netgroup due to the '+' prefix.
 .PP
 .Vb 1
 \& +secretaries   ALL = PRINTING, /usr/bin/adduser, /usr/bin/rmuser
@@ -1334,7 +1337,7 @@
 Common programs that permit shell escapes include shells (obviously),
 editors, paginators, mail and terminal programs.
 .PP
-There are three basic approaches to this problem:
+There are two basic approaches to this problem:
 .IP "restrict" 10
 .IX Item "restrict"
 Avoid giving users access to commands that allow the user to run
@@ -1370,9 +1373,9 @@
 then \fBsudo\fR may be able to replace the exec family of functions
 in the standard library with its own that simply return an error.
 Unfortunately, there is no foolproof way to know whether or not
-\&\fInoexec\fR will work at compile\-time.  \fINoexec\fR should work on
+\&\fInoexec\fR will work at compile\-time.  \fInoexec\fR should work on
 SunOS, Solaris, *BSD, Linux, \s-1IRIX\s0, Tru64 \s-1UNIX\s0, MacOS X, and HP-UX
-11.x.  It is known \fBnot\fR to work on \s-1AIX\s0 and UnixWare.  \fINoexec\fR
+11.x.  It is known \fBnot\fR to work on \s-1AIX\s0 and UnixWare.  \fInoexec\fR
 is expected to work on most operating systems that support the
 \&\f(CW\*(C`LD_PRELOAD\*(C'\fR environment variable.  Check your operating system's
 manual pages for the dynamic linker (usually ld.so, ld.so.1, dyld,
@@ -1399,7 +1402,7 @@
 \&\fBsudoedit\fR.
 .SH "SEE ALSO"
 .IX Header "SEE ALSO"
-\&\fIrsh\fR\|(1), \fIsu\fR\|(1), \fIfnmatch\fR\|(3), sudo(@mansectsu@), visudo(@mansectsu@)
+\&\fIrsh\fR\|(1), \fIsu\fR\|(1), \fIfnmatch\fR\|(3), \fIsudo\fR\|(@mansectsu@), \fIvisudo\fR\|(8)
 .SH "CAVEATS"
 .IX Header "CAVEATS"
 The \fIsudoers\fR file should \fBalways\fR be edited by the \fBvisudo\fR
@@ -1423,7 +1426,7 @@
 search the archives.
 .SH "DISCLAIMER"
 .IX Header "DISCLAIMER"
-\&\fBSudo\fR is provided ``\s-1AS\s0 \s-1IS\s0'' and any express or implied warranties,
+\&\fBsudo\fR is provided ``\s-1AS\s0 \s-1IS\s0'' and any express or implied warranties,
 including, but not limited to, the implied warranties of merchantability
 and fitness for a particular purpose are disclaimed.  See the \s-1LICENSE\s0
 file distributed with \fBsudo\fR or http://www.sudo.ws/sudo/license.html
diff -ur sudo-1.6.9/sudoers.pod sudo-1.6.9p1/sudoers.pod
--- sudo-1.6.9/sudoers.pod	Mon Jul 16 22:53:55 2007
+++ sudo-1.6.9p1/sudoers.pod	Thu Jul 26 10:04:54 2007
@@ -18,7 +18,7 @@
 Agency (DARPA) and Air Force Research Laboratory, Air Force
 Materiel Command, USAF, under agreement number F39502-99-1-0512.
 
-$Sudo: sudoers.pod,v 1.95.2.9 2007/07/09 19:15:43 millert Exp $
+$Sudo: sudoers.pod,v 1.95.2.14 2007/07/26 14:04:54 millert Exp $
 =pod
 
 =head1 NAME
@@ -426,7 +426,7 @@
 
 =head1 SUDOERS OPTIONS
 
-Sudo's behavior can be modified by C<Default_Entry> lines, as
+B<sudo>'s behavior can be modified by C<Default_Entry> lines, as
 explained earlier.  A list of all supported Defaults parameters,
 grouped by type, are listed below.
 
@@ -434,14 +434,57 @@
 
 =over 12
 
-=item long_otp_prompt
+=item always_set_home
 
-When validating with a One Time Password scheme (B<S/Key> or B<OPIE>),
-a two-line prompt is used to make it easier to cut and paste the
-challenge to a local window.  It's not as pretty as the default but
-some people find it more convenient.  This flag is I<@long_otp_prompt@>
-by default.
+If set, B<sudo> will set the C<HOME> environment variable to the home
+directory of the target user (which is root unless the B<-u> option is used).
+This effectively means that the B<-H> flag is always implied.
+This flag is I<off> by default.
 
+=item authenticate
+
+If set, users must authenticate themselves via a password (or other
+means of authentication) before they may run commands.  This default
+may be overridden via the C<PASSWD> and C<NOPASSWD> tags.
+This flag is I<on> by default.
+
+=item env_editor
+
+If set, B<visudo> will use the value of the EDITOR or VISUAL
+environment variables before falling back on the default editor list.
+Note that this may create a security hole as it allows the user to
+run any arbitrary command as root without logging.  A safer alternative
+is to place a colon-separated list of editors in the C<editor>
+variable.  B<visudo> will then only use the EDITOR or VISUAL if
+they match a value specified in C<editor>.  This flag is I<@env_editor@> by
+default.
+
+=item env_reset
+
+If set, B<sudo> will reset the environment to only contain the
+LOGNAME, SHELL, USER, USERNAME and the C<SUDO_*> variables.  Any
+variables in the caller's environment that match the C<env_keep>
+and C<env_check> lists are then added.  The default contents of the
+C<env_keep> and C<env_check> lists are displayed when B<sudo> is
+run by root with the I<-V> option.  If B<sudo> was compiled with
+the C<SECURE_PATH> option, its value will be used for the C<PATH>
+environment variable.  This flag is I<on> by default.
+
+=item fqdn
+
+Set this flag if you want to put fully qualified hostnames in the
+I<sudoers> file.  I.e., instead of myhost you would use myhost.mydomain.edu.
+You may still use the short form if you wish (and even mix the two).
+Beware that turning on I<fqdn> requires B<sudo> to make DNS lookups
+which may make B<sudo> unusable if DNS stops working (for example
+if the machine is not plugged into the network).  Also note that
+you must use the host's official name as DNS knows it.  That is,
+you may not use a host alias (C<CNAME> entry) due to performance
+issues and the fact that there is no way to get all aliases from
+DNS.  If your machine's hostname (as returned by the C<hostname>
+command) is already fully qualified you shouldn't need to set
+I<fqdn>.  This flag is I<@fqdn@> by default.
+
 =item ignore_dot
 
 If set, B<sudo> will ignore '.' or '' (current dir) in the C<PATH>
@@ -451,6 +494,40 @@
 should be considered read-only (it will be fixed in a future version
 of B<sudo>).
 
+=item ignore_local_sudoers
+
+If set via LDAP, parsing of @sysconfdir@/sudoers will be skipped.
+This is intended for Enterprises that wish to prevent the usage of local
+sudoers files so that only LDAP is used.  This thwarts the efforts of
+rogue operators who would attempt to add roles to @sysconfdir@/sudoers.
+When this option is present, @sysconfdir@/sudoers does not even need to exist. 
+Since this option tells B<sudo> how to behave when no specific LDAP entries
+have been matched, this sudoOption is only meaningful for the cn=defaults
+section.  This flag is I<off> by default.
+
+=item insults
+
+If set, B<sudo> will insult users when they enter an incorrect
+password.  This flag is I<@insults@> by default.
+
+=item log_host
+
+If set, the hostname will be logged in the (non-syslog) B<sudo> log file.
+This flag is I<off> by default.
+
+=item log_year
+
+If set, the four-digit year will be logged in the (non-syslog) B<sudo> log file.
+This flag is I<off> by default.
+
+=item long_otp_prompt
+
+When validating with a One Time Password (OPT) scheme such as
+B<S/Key> or B<OPIE>, a two-line prompt is used to make it easier
+to cut and paste the challenge to a local window.  It's not as
+pretty as the default but some people find it more convenient.  This
+flag is I<@long_otp_prompt@> by default.
+
 =item mail_always
 
 Send mail to the I<mailto> user every time a users runs B<sudo>.
@@ -461,12 +538,6 @@
 Send mail to the I<mailto> user if the user running B<sudo> does not
 enter the correct password.  This flag is I<off> by default.
 
-=item mail_no_user
-
-If set, mail will be sent to the I<mailto> user if the invoking
-user is not in the I<sudoers> file.  This flag is I<@mail_no_user@>
-by default.
-
 =item mail_no_host
 
 If set, mail will be sent to the I<mailto> user if the invoking
@@ -480,63 +551,19 @@
 listed in their I<sudoers> file entry or is explicitly denied.
 This flag is I<@mail_no_perms@> by default.
 
-=item tty_tickets
+=item mail_no_user
 
-If set, users must authenticate on a per-tty basis.  Normally,
-B<sudo> uses a directory in the ticket dir with the same name as
-the user running it.  With this flag enabled, B<sudo> will use a
-file named for the tty the user is logged in on in that directory.
-This flag is I<@tty_tickets@> by default.
+If set, mail will be sent to the I<mailto> user if the invoking
+user is not in the I<sudoers> file.  This flag is I<@mail_no_user@>
+by default.
 
-=item authenticate
+=item noexec
 
-If set, users must authenticate themselves via a password (or other
-means of authentication) before they may run commands.  This default
-may be overridden via the C<PASSWD> and C<NOPASSWD> tags.
-This flag is I<on> by default.
+If set, all commands run via B<sudo> will behave as if the C<NOEXEC>
+tag has been set, unless overridden by a C<EXEC> tag.  See the
+description of I<NOEXEC and EXEC> below as well as the L<PREVENTING SHELL
+ESCAPES> section at the end of this manual.  This flag is I<off> by default.
 
-=item root_sudo
-
-If set, root is allowed to run B<sudo> too.  Disabling this prevents users
-from "chaining" B<sudo> commands to get a root shell by doing something
-like C<"sudo sudo /bin/sh">.  Note, however, that turning off I<root_sudo>
-will also prevent root and from running B<sudoedit>.
-Disabling I<root_sudo> provides no real additional security; it
-exists purely for historical reasons.
-This flag is I<@root_sudo@> by default.
-
-=item log_host
-
-If set, the hostname will be logged in the (non-syslog) B<sudo> log file.
-This flag is I<off> by default.
-
-=item log_year
-
-If set, the four-digit year will be logged in the (non-syslog) B<sudo> log file.
-This flag is I<off> by default.
-
-=item shell_noargs
-
-If set and B<sudo> is invoked with no arguments it acts as if the
-B<-s> flag had been given.  That is, it runs a shell as root (the
-shell is determined by the C<SHELL> environment variable if it is
-set, falling back on the shell listed in the invoking user's
-/etc/passwd entry if not).  This flag is I<off> by default.
-
-=item set_home
-
-If set and B<sudo> is invoked with the B<-s> flag the C<HOME>
-environment variable will be set to the home directory of the target
-user (which is root unless the B<-u> option is used).  This effectively
-makes the B<-s> flag imply B<-H>.  This flag is I<off> by default.
-
-=item always_set_home
-
-If set, B<sudo> will set the C<HOME> environment variable to the home
-directory of the target user (which is root unless the B<-u> option is used).
-This effectively means that the B<-H> flag is always implied.
-This flag is I<off> by default.
-
 =item path_info
 
 Normally, B<sudo> will tell the user when a command could not be
@@ -545,8 +572,8 @@
 location of executables that the normal user does not have access
 to.  The disadvantage is that if the executable is simply not in
 the user's C<PATH>, B<sudo> will tell the user that they are not
-allowed to run it, which can be confusing.  This flag is I<off> by
-default.
+allowed to run it, which can be confusing.  This flag is I<@path_info@>
+by default.
 
 =item preserve_groups
 
@@ -556,26 +583,6 @@
 effective group IDs, however, are still set to match the target
 user.  This flag is I<off> by default.
 
-=item fqdn
-
-Set this flag if you want to put fully qualified hostnames in the
-I<sudoers> file.  I.e., instead of myhost you would use myhost.mydomain.edu.
-You may still use the short form if you wish (and even mix the two).
-Beware that turning on I<fqdn> requires B<sudo> to make DNS lookups
-which may make B<sudo> unusable if DNS stops working (for example
-if the machine is not plugged into the network).  Also note that
-you must use the host's official name as DNS knows it.  That is,
-you may not use a host alias (C<CNAME> entry) due to performance
-issues and the fact that there is no way to get all aliases from
-DNS.  If your machine's hostname (as returned by the C<hostname>
-command) is already fully qualified you shouldn't need to set
-I<fqdn>.  This flag is I<@fqdn@> by default.
-
-=item insults
-
-If set, B<sudo> will insult users when they enter an incorrect
-password.  This flag is I<@insults@> by default.
-
 =item requiretty
 
 If set, B<sudo> will only run when the user is logged in to a real
@@ -585,16 +592,15 @@
 this flag to prevent a user from entering a visible password.  This
 flag is I<off> by default.
 
-=item env_editor
+=item root_sudo
 
-If set, B<visudo> will use the value of the EDITOR or VISUAL
-environment variables before falling back on the default editor list.
-Note that this may create a security hole as it allows the user to
-run any arbitrary command as root without logging.  A safer alternative
-is to place a colon-separated list of editors in the C<editor>
-variable.  B<visudo> will then only use the EDITOR or VISUAL if
-they match a value specified in C<editor>.  This flag is C<@env_editor@> by
-default.
+If set, root is allowed to run B<sudo> too.  Disabling this prevents users
+from "chaining" B<sudo> commands to get a root shell by doing something
+like C<"sudo sudo /bin/sh">.  Note, however, that turning off I<root_sudo>
+will also prevent root and from running B<sudoedit>.
+Disabling I<root_sudo> provides no real additional security; it
+exists purely for historical reasons.
+This flag is I<@root_sudo@> by default.
 
 =item rootpw
 
@@ -607,13 +613,12 @@
 I<runas_default> option (defaults to C<@runas_default@>) instead of the
 password of the invoking user.  This flag is I<off> by default.
 
-=item targetpw
+=item set_home
 
-If set, B<sudo> will prompt for the password of the user specified by
-the B<-u> flag (defaults to C<root>) instead of the password of the
-invoking user.  Note that this precludes the use of a uid not listed
-in the passwd database as an argument to the B<-u> flag.
-This flag is I<off> by default.
+If set and B<sudo> is invoked with the B<-s> flag the C<HOME>
+environment variable will be set to the home directory of the target
+user (which is root unless the B<-u> option is used).  This effectively
+makes the B<-s> flag imply B<-H>.  This flag is I<off> by default.
 
 =item set_logname
 
@@ -625,8 +630,25 @@
 change this behavior.  This can be done by negating the set_logname
 option.  Note that if the I<env_reset> option has not been disabled,
 entries in the I<env_keep> list will override the value of
-I<set_logname>.
+I<set_logname>.  This flag is I<off> by default.
 
+=item setenv
+
+Allow the user to disable the I<env_reset> option from the command
+line.  Additionally, environment variables set via the command line
+are not subject to the restrictions imposed by I<env_check>,
+I<env_delete>, or I<env_keep>.  As such, only trusted users should
+be allowed to set variables in this manner.  This flag is I<off>
+by default.
+
+=item shell_noargs
+
+If set and B<sudo> is invoked with no arguments it acts as if the
+B<-s> flag had been given.  That is, it runs a shell as root (the
+shell is determined by the C<SHELL> environment variable if it is
+set, falling back on the shell listed in the invoking user's
+/etc/passwd entry if not).  This flag is I<off> by default.
+
 =item stay_setuid
 
 Normally, when B<sudo> executes a command the real and effective
@@ -636,43 +658,30 @@
 wrapper.  This can be useful on systems that disable some potentially
 dangerous functionality when a program is run setuid.  This option
 is only effective on systems with either the setreuid() or setresuid()
-function.
+function.  This flag is I<off> by default.
 
-=item env_reset
+=item targetpw
 
-If set, B<sudo> will reset the environment to only contain the
-LOGNAME, SHELL, USER, USERNAME and the C<SUDO_*> variables.  Any
-variables in the caller's environment that match the C<env_keep>
-and C<env_check> lists are then added.  The default contents of the
-C<env_keep> and C<env_check> lists are displayed when B<sudo> is
-run by root with the I<-V> option.  If B<sudo> was compiled with
-the C<SECURE_PATH> option, its value will be used for the C<PATH>
-environment variable.  This flag is I<on> by default.
+If set, B<sudo> will prompt for the password of the user specified by
+the B<-u> flag (defaults to C<root>) instead of the password of the
+invoking user.  Note that this precludes the use of a uid not listed
+in the passwd database as an argument to the B<-u> flag.
+This flag is I<off> by default.
 
+=item tty_tickets
+
+If set, users must authenticate on a per-tty basis.  Normally,
+B<sudo> uses a directory in the ticket dir with the same name as
+the user running it.  With this flag enabled, B<sudo> will use a
+file named for the tty the user is logged in on in that directory.
+This flag is I<@tty_tickets@> by default.
+
 =item use_loginclass
 
 If set, B<sudo> will apply the defaults specified for the target user's
 login class if one exists.  Only available if B<sudo> is configured with
 the --with-logincap option.  This flag is I<off> by default.
 
-=item noexec
-
-If set, all commands run via B<sudo> will behave as if the C<NOEXEC>
-tag has been set, unless overridden by a C<EXEC> tag.  See the
-description of I<NOEXEC and EXEC> below as well as the L<PREVENTING SHELL
-ESCAPES> section at the end of this manual.  This flag is I<off> by default.
-
-=item ignore_local_sudoers
-
-If set via LDAP, parsing of @sysconfdir@/sudoers will be skipped.
-This is intended for Enterprises that wish to prevent the usage of local
-sudoers files so that only LDAP is used.  This thwarts the efforts of
-rogue operators who would attempt to add roles to @sysconfdir@/sudoers.
-When this option is present, @sysconfdir@/sudoers does not even need to exist. 
-Since this option tells B<sudo> how to behave when no specific LDAP entries
-have been matched, this sudoOption is only meaningful for the cn=defaults
-section.  This flag is I<off> by default.
-
 =back
 
 B<Integers>:
@@ -697,6 +706,11 @@
 effect on the syslog log file, only the file log.  The default is
 C<@loglen@> (use 0 or negate the option to disable word wrap).
 
+=item passwd_timeout
+
+Number of minutes before the B<sudo> password prompt times out.
+The default is C<@password_timeout@>; set this to C<0> for no password timeout.
+
 =item timestamp_timeout
 
 Number of minutes that can elapse before B<sudo> will ask for a
@@ -706,51 +720,43 @@
 expire.  This can be used to allow users to create or delete their
 own timestamps via C<sudo -v> and C<sudo -k> respectively.
 
-=item passwd_timeout
-
-Number of minutes before the B<sudo> password prompt times out.
-The default is C<@password_timeout@>, set this to C<0> for no password timeout.
-
 =item umask
 
 Umask to use when running the command.  Negate this option or set
 it to 0777 to preserve the user's umask.  The default is C<@sudo_umask@>.
 
-=item setenv
-
-Allow the user to disable the I<env_reset> option from the command
-line.  Additionally, environment variables set via the command line
-are not subject to the restrictions imposed by I<env_check>,
-I<env_delete>, or I<env_keep>.  As such, only trusted users should
-be allowed to set variables in this manner.
-
 =back
 
 B<Strings>:
 
 =over 12
 
-=item mailsub
-
-Subject of the mail sent to the I<mailto> user. The escape C<%h>
-will expand to the hostname of the machine.
-Default is C<@mailsub@>.
-
 =item badpass_message
 
 Message that is displayed if a user enters an incorrect password.
 The default is C<@badpass_message@> unless insults are enabled.
 
-=item timestampdir
+=item editor
 
-The directory in which B<sudo> stores its timestamp files.
-The default is F<@timedir@>.
+A colon (':') separated list of editors allowed to be used with
+B<visudo>.  B<visudo> will choose the editor that matches the user's
+EDITOR environment variable if possible, or the first editor in the
+list that exists and is executable.  The default is the path to vi
+on your system.
 
-=item timestampowner
+=item mailsub
 
-The owner of the timestamp directory and the timestamps stored therein.
-The default is C<root>.
+Subject of the mail sent to the I<mailto> user. The escape C<%h>
+will expand to the hostname of the machine.
+Default is C<@mailsub@>.
 
+=item noexec_file
+
+Path to a shared library containing dummy versions of the execv(),
+execve() and fexecve() library functions that just return an error.
+This is used to implement the I<noexec> functionality on systems that
+support C<LD_PRELOAD> or its equivalent.  Defaults to F<@noexec_file@>.
+
 =item passprompt
 
 The default prompt to use when asking for a password; can be overridden
@@ -759,25 +765,25 @@
 
 =over 8
 
-=item C<%u>
+=item C<%H>
 
-expanded to the invoking user's login name
+expanded to the local hostname including the domain name
+(on if the machine's hostname is fully qualified or the I<fqdn>
+option is set)
 
+=item C<%h>
+
+expanded to the local hostname without the domain name
+
 =item C<%U>
 
 expanded to the login name of the user the command will
 be run as (defaults to root)
 
-=item C<%h>
+=item C<%u>
 
-expanded to the local hostname without the domain name
+expanded to the invoking user's login name
 
-=item C<%H>
-
-expanded to the local hostname including the domain name
-(on if the machine's hostname is fully qualified or the I<fqdn>
-option is set)
-
 =item C<%%>
 
 two consecutive C<%> characters are collapsed into a single C<%> character
@@ -793,37 +799,37 @@
 Note that if I<runas_default> is set it B<must> occur before
 any C<Runas_Alias> specifications.
 
-=item syslog_goodpri
-
-Syslog priority to use when user authenticates successfully.
-Defaults to C<@goodpri@>.
-
 =item syslog_badpri
 
 Syslog priority to use when user authenticates unsuccessfully.
 Defaults to C<@badpri@>.
 
-=item editor
+=item syslog_goodpri
 
-A colon (':') separated list of editors allowed to be used with
-B<visudo>.  B<visudo> will choose the editor that matches the user's
-EDITOR environment variable if possible, or the first editor in the
-list that exists and is executable.  The default is the path to vi
-on your system.
+Syslog priority to use when user authenticates successfully.
+Defaults to C<@goodpri@>.
 
-=item noexec_file
+=item timestampdir
 
-Path to a shared library containing dummy versions of the execv(),
-execve() and fexecve() library functions that just return an error.
-This is used to implement the I<noexec> functionality on systems that
-support C<LD_PRELOAD> or its equivalent.  Defaults to F<@noexec_file@>.
+The directory in which B<sudo> stores its timestamp files.
+The default is F<@timedir@>.
 
+=item timestampowner
+
+The owner of the timestamp directory and the timestamps stored therein.
+The default is C<root>.
+
 =back
 
 B<Strings that can be used in a boolean context>:
 
 =over 12
 
+=item exempt_group
+
+Users in this group are exempt from password and PATH requirements.
+This is not set by default.
+
 =item lecture
 
 This option controls when a short lecture will be printed along with
@@ -831,6 +837,10 @@
 
 =over 8
 
+=item always
+
+Always lecture the user.
+
 =item never
 
 Never lecture the user.
@@ -839,10 +849,6 @@
 
 Only lecture the user the first time they run B<sudo>.
 
-=item always
-
-Always lecture the user.
-
 =back
 
 If no value is specified, a value of I<once> is implied.
@@ -853,36 +859,64 @@
 
 Path to a file containing an alternate B<sudo> lecture that will
 be used in place of the standard lecture if the named file exists.
+By default, B<sudo> uses a built-in lecture.
 
+=item listpw
+
+This option controls when a password will be required when a
+user runs B<sudo> with the B<-l> flag.  It has the following possible values:
+
+=over 8
+
+=item all
+
+All the user's I<sudoers> entries for the current host must have
+the C<NOPASSWD> flag set to avoid entering a password.
+
+=item always
+
+The user must always enter a password to use the B<-l> flag.
+
+=item any
+
+At least one of the user's I<sudoers> entries for the current host
+must have the C<NOPASSWD> flag set to avoid entering a password.
+
+=item never
+
+The user need never enter a password to use the B<-l> flag.
+
+=back
+
+If no value is specified, a value of I<any> is implied.
+Negating the option results in a value of I<never> being used.
+The default value is I<any>.
+
 =item logfile
 
 Path to the B<sudo> log file (not the syslog log file).  Setting a path
 turns on logging to a file; negating this option turns it off.
+By default, B<sudo> logs via syslog.
 
-=item syslog
+=item mailerflags
 
-Syslog facility if syslog is being used for logging (negate to
-disable syslog logging).  Defaults to C<@logfac@>.
+Flags to use when invoking mailer. Defaults to B<-t>.
 
 =item mailerpath
 
 Path to mail program used to send warning mail.
 Defaults to the path to sendmail found at configure time.
 
-=item mailerflags
-
-Flags to use when invoking mailer. Defaults to B<-t>.
-
 =item mailto
 
 Address to send warning and error mail to.  The address should
 be enclosed in double quotes (C<">) to protect against B<sudo>
 interpreting the C<@> sign.  Defaults to C<@mailto@>.
 
-=item exempt_group
+=item syslog
 
-Users in this group are exempt from password and PATH requirements.
-This is not set by default.
+Syslog facility if syslog is being used for logging (negate to
+disable syslog logging).  Defaults to C<@logfac@>.
 
 =item verifypw
 
@@ -896,37 +930,10 @@
 All the user's I<sudoers> entries for the current host must have
 the C<NOPASSWD> flag set to avoid entering a password.
 
-=item any
-
-At least one of the user's I<sudoers> entries for the current host
-must have the C<NOPASSWD> flag set to avoid entering a password.
-
-=item never
-
-The user need never enter a password to use the B<-v> flag.
-
 =item always
 
 The user must always enter a password to use the B<-v> flag.
 
-=back
-
-If no value is specified, a value of I<all> is implied.
-Negating the option results in a value of I<never> being used.
-The default value is I<all>.
-
-=item listpw
-
-This option controls when a password will be required when a
-user runs B<sudo> with the B<-l> flag.  It has the following possible values:
-
-=over 8
-
-=item all
-
-All the user's I<sudoers> entries for the current host must have
-the C<NOPASSWD> flag set to avoid entering a password.
-
 =item any
 
 At least one of the user's I<sudoers> entries for the current host
@@ -934,17 +941,13 @@
 
 =item never
 
-The user need never enter a password to use the B<-l> flag.
+The user need never enter a password to use the B<-v> flag.
 
-=item always
-
-The user must always enter a password to use the B<-l> flag.
-
 =back
 
-If no value is specified, a value of I<any> is implied.
+If no value is specified, a value of I<all> is implied.
 Negating the option results in a value of I<never> being used.
-The default value is I<any>.
+The default value is I<all>.
 
 =back
 
@@ -1128,7 +1131,7 @@
  jim		+biglab = ALL
 
 The user B<jim> may run any command on machines in the I<biglab> netgroup.
-B<Sudo> knows that "biglab" is a netgroup due to the '+' prefix.
+B<sudo> knows that "biglab" is a netgroup due to the '+' prefix.
 
  +secretaries	ALL = PRINTING, /usr/bin/adduser, /usr/bin/rmuser
 
@@ -1205,7 +1208,7 @@
 Common programs that permit shell escapes include shells (obviously),
 editors, paginators, mail and terminal programs.
 
-There are three basic approaches to this problem:
+There are two basic approaches to this problem:
 
 =over 10
 
@@ -1241,9 +1244,9 @@
 then B<sudo> may be able to replace the exec family of functions
 in the standard library with its own that simply return an error.
 Unfortunately, there is no foolproof way to know whether or not
-I<noexec> will work at compile-time.  I<Noexec> should work on
+I<noexec> will work at compile-time.  I<noexec> should work on
 SunOS, Solaris, *BSD, Linux, IRIX, Tru64 UNIX, MacOS X, and HP-UX
-11.x.  It is known B<not> to work on AIX and UnixWare.  I<Noexec>
+11.x.  It is known B<not> to work on AIX and UnixWare.  I<noexec>
 is expected to work on most operating systems that support the
 C<LD_PRELOAD> environment variable.  Check your operating system's
 manual pages for the dynamic linker (usually ld.so, ld.so.1, dyld,
@@ -1271,7 +1274,7 @@
 
 =head1 SEE ALSO
 
-L<rsh(1)>, L<su(1)>, L<fnmatch(3)>, L<sudo(@mansectsu@)>, L<visudo(@mansectsu@)>
+L<rsh(1)>, L<su(1)>, L<fnmatch(3)>, L<sudo(8)>, L<visudo(8)>
 
 =head1 CAVEATS
 
@@ -1299,7 +1302,7 @@
 
 =head1 DISCLAIMER
 
-B<Sudo> is provided ``AS IS'' and any express or implied warranties,
+B<sudo> is provided ``AS IS'' and any express or implied warranties,
 including, but not limited to, the implied warranties of merchantability
 and fitness for a particular purpose are disclaimed.  See the LICENSE
 file distributed with B<sudo> or http://www.sudo.ws/sudo/license.html
diff -ur sudo-1.6.9/version.h sudo-1.6.9p1/version.h
--- sudo-1.6.9/version.h	Mon Jul 16 22:53:14 2007
+++ sudo-1.6.9p1/version.h	Thu Jul 26 10:05:55 2007
@@ -17,12 +17,12 @@
  * Agency (DARPA) and Air Force Research Laboratory, Air Force
  * Materiel Command, USAF, under agreement number F39502-99-1-0512.
  *
- * $Sudo: version.h,v 1.66.2.3 2007/06/12 01:28:42 millert Exp $
+ * $Sudo: version.h,v 1.66.2.4 2007/07/26 14:05:55 millert Exp $
  */
 
 #ifndef _SUDO_VERSION_H
 #define _SUDO_VERSION_H
 
-static const char version[] = "1.6.9";
+static const char version[] = "1.6.9p1";
 
 #endif /* _SUDO_VERSION_H */
diff -ur sudo-1.6.9/visudo.c sudo-1.6.9p1/visudo.c
--- sudo-1.6.9/visudo.c	Tue Jul 17 09:19:59 2007
+++ sudo-1.6.9p1/visudo.c	Sun Jul 22 15:21:01 2007
@@ -78,7 +78,7 @@
 #include "version.h"
 
 #ifndef lint
-__unused static const char rcsid[] = "$Sudo: visudo.c,v 1.166.2.8 2007/07/17 13:19:59 millert Exp $";
+__unused static const char rcsid[] = "$Sudo: visudo.c,v 1.166.2.9 2007/07/22 19:21:01 millert Exp $";
 #endif /* lint */
 
 struct sudoersfile {
@@ -842,7 +842,7 @@
 static void
 usage()
 {
-    (void) fprintf(stderr, "usage: %s [-c] [-f sudoers] [-q] [-s] [-V]\n",
+    (void) fprintf(stderr, "usage: %s [-c] [-q] [-s] [-V] [-f sudoers]\n",
 	getprogname());
     exit(1);
 }
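Review bot: The usage string in `usage()` now has to match the SYNOPSIS lines that this same patch edits in visudo.pod and visudo.man.in, and nothing in the code records that coupling. A one-line comment above the `fprintf` call, for example `/* Keep in sync with the SYNOPSIS in visudo.pod. */`, would prompt whoever next changes an option to update all three places. Whether the option order also mirrors the getopt string cannot be checked here, because the option parsing is outside this hunk.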
Binary files sudo-1.6.9/visudo.cat and sudo-1.6.9p1/visudo.cat differ
diff -ur sudo-1.6.9/visudo.man.in sudo-1.6.9p1/visudo.man.in
--- sudo-1.6.9/visudo.man.in	Mon Jul 16 22:55:46 2007
+++ sudo-1.6.9p1/visudo.man.in	Thu Jul 26 10:05:55 2007
@@ -17,7 +17,7 @@
 .\" Agency (DARPA) and Air Force Research Laboratory, Air Force
 .\" Materiel Command, USAF, under agreement number F39502-99-1-0512.
 .\" 
-.\" $Sudo: visudo.man.in,v 1.20.2.4 2007/07/17 02:55:46 millert Exp $
+.\" $Sudo: visudo.man.in,v 1.20.2.5 2007/07/26 14:05:55 millert Exp $
 .\" Automatically generated by Pod::Man v1.37, Pod::Parser v1.32
 .\"
 .\" Standard preamble:
@@ -149,16 +149,16 @@
 .\" ========================================================================
 .\"
 .IX Title "VISUDO @mansectsu@"
-.TH VISUDO @mansectsu@ "July 16, 2007" "1.6.9" "MAINTENANCE COMMANDS"
+.TH VISUDO @mansectsu@ "July 26, 2007" "1.6.9p1" "MAINTENANCE COMMANDS"
 .SH "NAME"
 visudo \- edit the sudoers file
 .SH "SYNOPSIS"
 .IX Header "SYNOPSIS"
-\&\fBvisudo\fR [ \fB\-c\fR ] [ \fB\-f\fR \fIsudoers\fR ] [ \fB\-q\fR ] [ \fB\-s\fR ] [ \fB\-V\fR ]
+\&\fBvisudo\fR [\fB\-c\fR] [\fB\-q\fR] [\fB\-s\fR] [\fB\-V\fR] [\fB\-f\fR \fIsudoers\fR]
 .SH "DESCRIPTION"
 .IX Header "DESCRIPTION"
 \&\fBvisudo\fR edits the \fIsudoers\fR file in a safe fashion, analogous to
-vipw(@mansectsu@).  \fBvisudo\fR locks the \fIsudoers\fR file against multiple
+\&\fIvipw\fR\|(@mansectsu@).  \fBvisudo\fR locks the \fIsudoers\fR file against multiple
 simultaneous edits, provides basic sanity checks, and checks
 for parse errors.  If the \fIsudoers\fR file is currently being
 edited you will receive a message to try again later.
@@ -268,7 +268,7 @@
 not a warning.
 .SH "SEE ALSO"
 .IX Header "SEE ALSO"
-\&\fIvi\fR\|(1), sudoers(@mansectform@), sudo(@mansectsu@), vipw(@mansectsu@)
+\&\fIvi\fR\|(1), \fIsudoers\fR\|(@mansectform@), \fIsudo\fR\|(@mansectsu@), \fIvipw\fR\|(8)
 .SH "AUTHOR"
 .IX Header "AUTHOR"
 Many people have worked on \fIsudo\fR over the years; this version of
@@ -295,7 +295,7 @@
 search the archives.
 .SH "DISCLAIMER"
 .IX Header "DISCLAIMER"
-\&\fBVisudo\fR is provided ``\s-1AS\s0 \s-1IS\s0'' and any express or implied warranties,
+\&\fBvisudo\fR is provided ``\s-1AS\s0 \s-1IS\s0'' and any express or implied warranties,
 including, but not limited to, the implied warranties of merchantability
 and fitness for a particular purpose are disclaimed.  See the \s-1LICENSE\s0
 file distributed with \fBsudo\fR or http://www.sudo.ws/sudo/license.html
diff -ur sudo-1.6.9/visudo.pod sudo-1.6.9p1/visudo.pod
--- sudo-1.6.9/visudo.pod	Mon Jul 16 22:53:55 2007
+++ sudo-1.6.9p1/visudo.pod	Thu Jul 26 10:04:54 2007
@@ -18,7 +18,7 @@
 Agency (DARPA) and Air Force Research Laboratory, Air Force
 Materiel Command, USAF, under agreement number F39502-99-1-0512.
 
-$Sudo: visudo.pod,v 1.38.2.3 2007/06/25 20:01:11 millert Exp $
+$Sudo: visudo.pod,v 1.38.2.6 2007/07/26 14:04:54 millert Exp $
 =pod
 
 =head1 NAME
@@ -27,12 +27,12 @@
 
 =head1 SYNOPSIS
 
-B<visudo> [ B<-c> ] [ B<-f> I<sudoers> ] [ B<-q> ] [ B<-s> ] [ B<-V> ]
+B<visudo> [B<-c>] [B<-q>] [B<-s>] [B<-V>] [B<-f> I<sudoers>]
 
 =head1 DESCRIPTION
 
 B<visudo> edits the I<sudoers> file in a safe fashion, analogous to
-L<vipw(@mansectsu@)>.  B<visudo> locks the I<sudoers> file against multiple
+L<vipw(8)>.  B<visudo> locks the I<sudoers> file against multiple
 simultaneous edits, provides basic sanity checks, and checks
 for parse errors.  If the I<sudoers> file is currently being
 edited you will receive a message to try again later.
@@ -160,7 +160,7 @@
 
 =head1 SEE ALSO
 
-L<vi(1)>, L<sudoers(@mansectform@)>, L<sudo(@mansectsu@)>, L<vipw(@mansectsu@)>
+L<vi(1)>, L<sudoers(5)>, L<sudo(8)>, L<vipw(8)>
 
 =head1 AUTHOR
 
@@ -190,7 +190,7 @@
 
 =head1 DISCLAIMER
 
-B<Visudo> is provided ``AS IS'' and any express or implied warranties,
+B<visudo> is provided ``AS IS'' and any express or implied warranties,
 including, but not limited to, the implied warranties of merchantability
 and fitness for a particular purpose are disclaimed.  See the LICENSE
 file distributed with B<sudo> or http://www.sudo.ws/sudo/license.html
