mir/sudo
2
0
Fork 0
mirror of https://github.com/sudo-project/sudo.git synced 2025-08-22 09:57:41 +00:00
Code Issues Releases Wiki Activity

Visudo now checks for the existence of an editor and gives a sensible

Browse Source 
error if it does not exist.

The path to the editor for visudo is now a colon-separated list of
allowable editors.  If the user has $EDITOR set and it matches
one of the allowed editors that editor will be used.  If not,
the first editor in the list that actually exists is used.
This commit is contained in:
Todd C. Miller 2000-04-01 21:23:28 +00:00
parent 2588aeaa5c
commit 6dd2d9592e
7 changed files with 358 additions and 164 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

8
CHANGES
View File

@ -1297,3 +1297,11 @@ Sudo 1.6.2 released.
not being used correctly and the entry was being applied globally. not being used correctly and the entry was being applied globally.
Sudo 1.6.3 released. Sudo 1.6.3 released.
409) Visudo now checks for the existence of an editor and gives a sensible
error if it does not exist.
410) The path to the editor for visudo is now a colon-separated list of
allowable editors. If the user has $EDITOR set and it matches
one of the allowed editors that editor will be used. If not,
the first editor that actually exists is used.

17
INSTALL
View File

@ -413,15 +413,20 @@ The following options are also configurable at runtime:
Don't print the lecture the first time a user runs sudo. Don't print the lecture the first time a user runs sudo.
--with-editor=path --with-editor=path
Specify the default editor used by visudo (and the only editor used Specify the default editor path for use by visudo. This may be
unless --with-env-editor is specified). The default is the path a single pathname or a colon-separated list of editors. In
to vi on your system. the latter case, visudo will choose the editor that matches
the user's USER environment variable or the first editor in
the list that exists. The default is the path to vi on your system.
--with-env-editor --with-env-editor
Makes visudo consult the EDITOR and VISUAL environment variables before Makes visudo consult the EDITOR and VISUAL environment variables before
falling back on the default editor. Note that this may create a falling back on the default editor list (as specified by --with-editor).
security hole as most editors allow a user to get a shell (which would Note that this may create a security hole as it allows the user to
be a root shell and hence, no logging). run any arbitrary command as root without logging. A safer alternative
is to use a colon-separated list of editors with the --with-env-editor
option. visudo will then only use the EDITOR or VISUAL if they match
a value specified via --with-editor.
--disable-authentication --disable-authentication
By default, sudo requires the user to authenticate via a By default, sudo requires the user to authenticate via a

8
Makefile.in
View File

@ -131,7 +131,7 @@ SUDOBJS = check.o getspwuid.o goodpath.o fileops.o find_path.o interfaces.o \
logging.o parse.o sudo.o sudo_setenv.o tgetpass.o \ logging.o parse.o sudo.o sudo_setenv.o tgetpass.o \
$(AUTH_OBJS) $(PARSEOBJS) $(AUTH_OBJS) $(PARSEOBJS)
VISUDOBJS = visudo.o fileops.o $(PARSEOBJS) VISUDOBJS = visudo.o fileops.o goodpath.o find_path.o $(PARSEOBJS)
TESTOBJS = interfaces.o testsudoers.o $(PARSEOBJS) TESTOBJS = interfaces.o testsudoers.o $(PARSEOBJS)
@ -253,7 +253,7 @@ sia.o: $(authdir)/sia.c $(AUTHDEP)
sudo.man.in: $(srcdir)/sudo.pod sudo.man.in: $(srcdir)/sudo.pod
@rm -f $(srcdir)/$@ @rm -f $(srcdir)/$@
(cd $(srcdir); pod2man --section=`echo @MANSECTSU@|tr A-Z a-z` --release=$(VERSION) --center="MAINTENANCE COMMANDS" sudo.pod > $(srcdir)/$@) ( cd $(srcdir); pod2man --section=`echo @MANSECTSU@|tr A-Z a-z` --release=$(VERSION) --center="MAINTENANCE COMMANDS" sudo.pod > $@ )
sudo.man: sudo.man.in sudo.man: sudo.man.in
CONFIG_FILES=$@ CONFIG_HEADERS= sh ./config.status CONFIG_FILES=$@ CONFIG_HEADERS= sh ./config.status
@ -262,7 +262,7 @@ sudo.cat: sudo.man
visudo.man.in: $(srcdir)/visudo.pod visudo.man.in: $(srcdir)/visudo.pod
@rm -f $(srcdir)/$@ @rm -f $(srcdir)/$@
(cd $(srcdir); pod2man --section=`echo @MANSECTSU@|tr A-Z a-z` --release=$(VERSION) --center="MAINTENANCE COMMANDS" visudo.pod > $(srcdir)/$@) ( cd $(srcdir); pod2man --section=`echo @MANSECTSU@|tr A-Z a-z` --release=$(VERSION) --center="MAINTENANCE COMMANDS" visudo.pod > $@ )
visudo.man: visudo.man.in visudo.man: visudo.man.in
CONFIG_FILES=$@ CONFIG_HEADERS= sh ./config.status CONFIG_FILES=$@ CONFIG_HEADERS= sh ./config.status
@ -271,7 +271,7 @@ visudo.cat: visudo.man
sudoers.man.in: $(srcdir)/sudoers.pod sudoers.man.in: $(srcdir)/sudoers.pod
@rm -f $(srcdir)/$@ @rm -f $(srcdir)/$@
(cd $(srcdir); pod2man --section=`echo @MANSECTFORM@|tr A-Z a-z` --release=$(VERSION) --center="FILE FORMATS" sudoers.pod | sed 's/"\\f(CW""\\fR"/\\f(CW""\\fR/' > $(srcdir)/$@) ( cd $(srcdir); pod2man --section=`echo @MANSECTFORM@|tr A-Z a-z` --release=$(VERSION) --center="FILE FORMATS" sudoers.pod | sed 's/"\\f(CW""\\fR"/\\f(CW""\\fR/' > $@ )
sudoers.man:: sudoers.man.in sudoers.man:: sudoers.man.in
CONFIG_FILES=$@ CONFIG_HEADERS= sh ./config.status CONFIG_FILES=$@ CONFIG_HEADERS= sh ./config.status

318
sudoers.cat
View File

@ -61,7 +61,7 @@ DDDDEEEESSSSCCCCRRRRIIIIPPPPTTTTIIIIOOOONNNN
26/Mar/2000 1.6.3 1 1/Apr/2000 1.6.3 1
@ -127,7 +127,7 @@ sudoers(4) FILE FORMATS sudoers(4)
26/Mar/2000 1.6.3 2 1/Apr/2000 1.6.3 2
@ -193,7 +193,7 @@ sudoers(4) FILE FORMATS sudoers(4)
26/Mar/2000 1.6.3 3 1/Apr/2000 1.6.3 3
@ -259,7 +259,7 @@ sudoers(4) FILE FORMATS sudoers(4)
26/Mar/2000 1.6.3 4 1/Apr/2000 1.6.3 4
@ -325,7 +325,7 @@ sudoers(4) FILE FORMATS sudoers(4)
26/Mar/2000 1.6.3 5 1/Apr/2000 1.6.3 5
@ -382,16 +382,16 @@ sudoers(4) FILE FORMATS sudoers(4)
password. This flag is off by default. password. This flag is off by default.
env_editor If set, vvvviiiissssuuuuddddoooo will use the value of the env_editor If set, vvvviiiissssuuuuddddoooo will use the value of the
EDITOR or VISUAL environment falling back on EDITOR or VISUAL environment variables before
the default editor. Note that this may create falling back on the default editor list. Note
a security hole as most editors allow a user that this may create a security hole as it
to get a shell (which would be a root shell allows the user to run any arbitrary command
and not be logged). as root without logging. A safer alternative
is to place a colon-separated list of editors
1/Apr/2000 1.6.3 6
26/Mar/2000 1.6.3 6
@ -400,18 +400,25 @@ sudoers(4) FILE FORMATS sudoers(4)
sudoers(4) FILE FORMATS sudoers(4) sudoers(4) FILE FORMATS sudoers(4)
in the editor variable. vvvviiiissssuuuuddddoooo will then only
use the EDITOR or VISUAL if they match a value
specified in editor. This flag is off by
default.
rootpw If set, ssssuuuuddddoooo will prompt for the root password rootpw If set, ssssuuuuddddoooo will prompt for the root password
instead of the password of the invoking user. instead of the password of the invoking user.
This flag is off by default.
runaspw If set, ssssuuuuddddoooo will prompt for the password of runaspw If set, ssssuuuuddddoooo will prompt for the password of
the user defined by the _r_u_n_a_s___d_e_f_a_u_l_t option the user defined by the _r_u_n_a_s___d_e_f_a_u_l_t option
(defaults to root) instead of the password of (defaults to root) instead of the password of
the invoking user. the invoking user. This flag is off by
default.
targetpw If set, ssssuuuuddddoooo will prompt for the password of targetpw If set, ssssuuuuddddoooo will prompt for the password of
the user specified by the -u flag (defaults to the user specified by the -u flag (defaults to
root) instead of the password of the invoking root) instead of the password of the invoking
user. user. This flag is off by default.
set_logname Normally, ssssuuuuddddoooo will set the LOGNAME and USER set_logname Normally, ssssuuuuddddoooo will set the LOGNAME and USER
environment variables to the name of the environment variables to the name of the
@ -427,7 +434,8 @@ sudoers(4) FILE FORMATS sudoers(4)
If set, ssssuuuuddddoooo will apply the defaults specified If set, ssssuuuuddddoooo will apply the defaults specified
for the target user's login class if one for the target user's login class if one
exists. Only available if ssssuuuuddddoooo is configured exists. Only available if ssssuuuuddddoooo is configured
with the --with-logincap option. with the --with-logincap option. This flag is
off by default.
IIIInnnntttteeeeggggeeeerrrrssss: IIIInnnntttteeeeggggeeeerrrrssss:
@ -445,6 +453,19 @@ sudoers(4) FILE FORMATS sudoers(4)
log. The default is 80 (use 0 or negate to log. The default is 80 (use 0 or negate to
disable word wrap). disable word wrap).
1/Apr/2000 1.6.3 7
sudoers(4) FILE FORMATS sudoers(4)
timestamp_timeout timestamp_timeout
Number of minutes that can elapse before ssssuuuuddddoooo Number of minutes that can elapse before ssssuuuuddddoooo
will ask for a passwd again. The default is will ask for a passwd again. The default is
@ -454,18 +475,6 @@ sudoers(4) FILE FORMATS sudoers(4)
passwd_timeout passwd_timeout
Number of minutes before the ssssuuuuddddoooo password Number of minutes before the ssssuuuuddddoooo password
prompt times out. The default is 5, set this prompt times out. The default is 5, set this
26/Mar/2000 1.6.3 7
sudoers(4) FILE FORMATS sudoers(4)
to 0 for no password timeout. to 0 for no password timeout.
umask Umask to use when running the root command. umask Umask to use when running the root command.
@ -509,8 +518,25 @@ sudoers(4) FILE FORMATS sudoers(4)
Syslog priority to use when user authenticates Syslog priority to use when user authenticates
unsuccessfully. Defaults to "alert". unsuccessfully. Defaults to "alert".
editor Path to the editor to be used by vvvviiiissssuuuuddddoooo. The editor A colon (':') separated list of editors
default is the path to vi on your system. allowed to be used with vvvviiiissssuuuuddddoooo. vvvviiiissssuuuuddddoooo will
1/Apr/2000 1.6.3 8
sudoers(4) FILE FORMATS sudoers(4)
choose the editor that matches the user's USER
environment variable if possible, or the first
editor in the list that exists and is
executable. The default is the path to vi on
your system.
SSSSttttrrrriiiinnnnggggssss tttthhhhaaaatttt ccccaaaannnn bbbbeeee uuuusssseeeedddd iiiinnnn aaaa bbbboooooooolllleeeeaaaannnn ccccoooonnnntttteeeexxxxtttt: SSSSttttrrrriiiinnnnggggssss tttthhhhaaaatttt ccccaaaannnn bbbbeeee uuuusssseeeedddd iiiinnnn aaaa bbbboooooooolllleeeeaaaannnn ccccoooonnnntttteeeexxxxtttt:
@ -520,18 +546,6 @@ sudoers(4) FILE FORMATS sudoers(4)
syslog Syslog facility if syslog is being used for syslog Syslog facility if syslog is being used for
logging (negate to disable syslog logging). logging (negate to disable syslog logging).
26/Mar/2000 1.6.3 8
sudoers(4) FILE FORMATS sudoers(4)
Defaults to "local2". Defaults to "local2".
mailerpath Path to mail program used to send warning mailerpath Path to mail program used to send warning
@ -572,6 +586,18 @@ sudoers(4) FILE FORMATS sudoers(4)
never The user need never enter a password to use never The user need never enter a password to use
the B<-v> flag. the B<-v> flag.
1/Apr/2000 1.6.3 9
sudoers(4) FILE FORMATS sudoers(4)
always The user must always enter a password to use always The user must always enter a password to use
the B<-v> flag. the B<-v> flag.
@ -585,19 +611,6 @@ sudoers(4) FILE FORMATS sudoers(4)
current host must have the C<NOPASSWD> current host must have the C<NOPASSWD>
flag set to avoid entering a password. flag set to avoid entering a password.
26/Mar/2000 1.6.3 9
sudoers(4) FILE FORMATS sudoers(4)
any At least one of the user's I<sudoers> entries any At least one of the user's I<sudoers> entries
for the current host must have the for the current host must have the
C<NOPASSWD> flag set to avoid entering a C<NOPASSWD> flag set to avoid entering a
@ -639,6 +652,18 @@ sudoers(4) FILE FORMATS sudoers(4)
Let's break that down into its constituent parts: Let's break that down into its constituent parts:
1/Apr/2000 1.6.3 10
sudoers(4) FILE FORMATS sudoers(4)
RRRRuuuunnnnaaaassss____SSSSppppeeeecccc RRRRuuuunnnnaaaassss____SSSSppppeeeecccc
A Runas_Spec is simply a Runas_List (as defined above) A Runas_Spec is simply a Runas_List (as defined above)
@ -653,17 +678,6 @@ sudoers(4) FILE FORMATS sudoers(4)
The user ddddggggbbbb may run _/_b_i_n_/_l_s, _/_b_i_n_/_k_i_l_l, and _/_u_s_r_/_b_i_n_/_l_p_r_m The user ddddggggbbbb may run _/_b_i_n_/_l_s, _/_b_i_n_/_k_i_l_l, and _/_u_s_r_/_b_i_n_/_l_p_r_m
-- but only as ooooppppeeeerrrraaaattttoooorrrr. Eg. -- but only as ooooppppeeeerrrraaaattttoooorrrr. Eg.
26/Mar/2000 1.6.3 10
sudoers(4) FILE FORMATS sudoers(4)
sudo -u operator /bin/ls. sudo -u operator /bin/ls.
It is also possible to override a Runas_Spec later on in It is also possible to override a Runas_Spec later on in
@ -704,6 +718,18 @@ sudoers(4) FILE FORMATS sudoers(4)
pertain to the current host. This behavior may be pertain to the current host. This behavior may be
overridden via the verifypw and listpw options. overridden via the verifypw and listpw options.
1/Apr/2000 1.6.3 11
sudoers(4) FILE FORMATS sudoers(4)
WWWWiiiillllddddccccaaaarrrrddddssss ((((aaaakkkkaaaa mmmmeeeettttaaaa cccchhhhaaaarrrraaaacccctttteeeerrrrssss)))):::: WWWWiiiillllddddccccaaaarrrrddddssss ((((aaaakkkkaaaa mmmmeeeettttaaaa cccchhhhaaaarrrraaaacccctttteeeerrrrssss))))::::
ssssuuuuddddoooo allows shell-style _w_i_l_d_c_a_r_d_s to be used in pathnames ssssuuuuddddoooo allows shell-style _w_i_l_d_c_a_r_d_s to be used in pathnames
@ -717,19 +743,6 @@ sudoers(4) FILE FORMATS sudoers(4)
[...] Matches any character in the specified range. [...] Matches any character in the specified range.
26/Mar/2000 1.6.3 11
sudoers(4) FILE FORMATS sudoers(4)
[!...] Matches any character nnnnooootttt in the specified range. [!...] Matches any character nnnnooootttt in the specified range.
\x For any character "x", evaluates to "x". This is \x For any character "x", evaluates to "x". This is
@ -771,6 +784,18 @@ sudoers(4) FILE FORMATS sudoers(4)
dangerous since in a command context, it allows the user dangerous since in a command context, it allows the user
to run aaaannnnyyyy command on the system. to run aaaannnnyyyy command on the system.
1/Apr/2000 1.6.3 12
sudoers(4) FILE FORMATS sudoers(4)
An exclamation point ('!') can be used as a logical _n_o_t An exclamation point ('!') can be used as a logical _n_o_t
operator both in an _a_l_i_a_s and in front of a Cmnd. This operator both in an _a_l_i_a_s and in front of a Cmnd. This
allows one to exclude certain values. Note, however, that allows one to exclude certain values. Note, however, that
@ -785,17 +810,6 @@ sudoers(4) FILE FORMATS sudoers(4)
syntactic characters in a _U_s_e_r _S_p_e_c_i_f_i_c_a_t_i_o_n ('=', ':', syntactic characters in a _U_s_e_r _S_p_e_c_i_f_i_c_a_t_i_o_n ('=', ':',
'(', ')') is optional. '(', ')') is optional.
26/Mar/2000 1.6.3 12
sudoers(4) FILE FORMATS sudoers(4)
The following characters must be escaped with a backslash The following characters must be escaped with a backslash
('\') when used as part of a word (eg. a username or ('\') when used as part of a word (eg. a username or
hostname): '@', '!', '=', ':', ',', '(', ')', '\'. hostname): '@', '!', '=', ':', ',', '(', ')', '\'.
@ -836,6 +850,18 @@ EEEEXXXXAAAAMMMMPPPPLLLLEEEESSSS
/usr/local/bin/zsh /usr/local/bin/zsh
Cmnd_Alias SU = /usr/bin/su Cmnd_Alias SU = /usr/bin/su
1/Apr/2000 1.6.3 13
sudoers(4) FILE FORMATS sudoers(4)
Here we override some of the compiled in default values. Here we override some of the compiled in default values.
We want ssssuuuuddddoooo to log via _s_y_s_l_o_g(3) using the _a_u_t_h facility We want ssssuuuuddddoooo to log via _s_y_s_l_o_g(3) using the _a_u_t_h facility
in all cases. We don't want to subject the full time in all cases. We don't want to subject the full time
@ -851,17 +877,6 @@ EEEEXXXXAAAAMMMMPPPPLLLLEEEESSSS
Defaults:millert !authenticate Defaults:millert !authenticate
Defaults@SERVERS log_year, logfile=/var/log/sudo.log Defaults@SERVERS log_year, logfile=/var/log/sudo.log
26/Mar/2000 1.6.3 13
sudoers(4) FILE FORMATS sudoers(4)
The _U_s_e_r _s_p_e_c_i_f_i_c_a_t_i_o_n is the part that actually The _U_s_e_r _s_p_e_c_i_f_i_c_a_t_i_o_n is the part that actually
determines who may run what. determines who may run what.
@ -901,6 +916,18 @@ sudoers(4) FILE FORMATS sudoers(4)
/usr/oper/bin/ /usr/oper/bin/
The ooooppppeeeerrrraaaattttoooorrrr user may run commands limited to simple The ooooppppeeeerrrraaaattttoooorrrr user may run commands limited to simple
1/Apr/2000 1.6.3 14
sudoers(4) FILE FORMATS sudoers(4)
maintenance. Here, those are commands related to backups, maintenance. Here, those are commands related to backups,
killing processes, the printing system, shutting down the killing processes, the printing system, shutting down the
system, and any commands in the directory _/_u_s_r_/_o_p_e_r_/_b_i_n_/. system, and any commands in the directory _/_u_s_r_/_o_p_e_r_/_b_i_n_/.
@ -916,18 +943,6 @@ sudoers(4) FILE FORMATS sudoers(4)
assumes _p_a_s_s_w_d(1) does not take multiple usernames on the assumes _p_a_s_s_w_d(1) does not take multiple usernames on the
command line. command line.
26/Mar/2000 1.6.3 14
sudoers(4) FILE FORMATS sudoers(4)
bob SPARC = (OP) ALL : SGI = (OP) ALL bob SPARC = (OP) ALL : SGI = (OP) ALL
The user bbbboooobbbb may run anything on the _S_P_A_R_C and _S_G_I The user bbbboooobbbb may run anything on the _S_P_A_R_C and _S_G_I
@ -968,6 +983,17 @@ sudoers(4) FILE FORMATS sudoers(4)
any commands in the directory /usr/bin/ except for those any commands in the directory /usr/bin/ except for those
commands belonging to the _S_U and _S_H_E_L_L_S Cmnd_Aliases. commands belonging to the _S_U and _S_H_E_L_L_S Cmnd_Aliases.
1/Apr/2000 1.6.3 15
sudoers(4) FILE FORMATS sudoers(4)
steve CSNETS = (operator) /usr/local/op_commands/ steve CSNETS = (operator) /usr/local/op_commands/
The user sssstttteeeevvvveeee may run any command in the directory The user sssstttteeeevvvveeee may run any command in the directory
@ -982,18 +1008,6 @@ sudoers(4) FILE FORMATS sudoers(4)
On the host www, any user in the _W_E_B_M_A_S_T_E_R_S User_Alias On the host www, any user in the _W_E_B_M_A_S_T_E_R_S User_Alias
(will, wendy, and wim), may run any command as user www (will, wendy, and wim), may run any command as user www
26/Mar/2000 1.6.3 15
sudoers(4) FILE FORMATS sudoers(4)
(which owns the web pages) or simply _s_u(1) to www. (which owns the web pages) or simply _s_u(1) to www.
ALL CDROM = NOPASSWD: /sbin/umount /CDROM,\ ALL CDROM = NOPASSWD: /sbin/umount /CDROM,\
@ -1033,6 +1047,19 @@ CCCCAAAAVVVVEEEEAAAATTTTSSSS
hostname be fully qualified as returned by the hostname hostname be fully qualified as returned by the hostname
command or use the _f_q_d_n option in _s_u_d_o_e_r_s. command or use the _f_q_d_n option in _s_u_d_o_e_r_s.
1/Apr/2000 1.6.3 16
sudoers(4) FILE FORMATS sudoers(4)
FFFFIIIILLLLEEEESSSS FFFFIIIILLLLEEEESSSS
/etc/sudoers List of who can run what /etc/sudoers List of who can run what
/etc/group Local groups file /etc/group Local groups file
@ -1051,7 +1078,46 @@ SSSSEEEEEEEE AAAALLLLSSSSOOOO
26/Mar/2000 1.6.3 16
1/Apr/2000 1.6.3 17
@ -1117,6 +1183,6 @@ sudoers(4) FILE FORMATS sudoers(4)
26/Mar/2000 1.6.3 17 1/Apr/2000 1.6.3 18

39
sudoers.man.in
View File

@ -2,8 +2,14 @@
''' $RCSfile$$Revision$$Date$ ''' $RCSfile$$Revision$$Date$
''' '''
''' $Log$ ''' $Log$
''' Revision 1.5 2000/03/27 03:26:23 millert ''' Revision 1.6 2000/04/01 21:23:28 millert
''' Use @mansectsu@ and @mansectform@ in the man page bodies as well. ''' Visudo now checks for the existence of an editor and gives a sensible
''' error if it does not exist.
'''
''' The path to the editor for visudo is now a colon-separated list of
''' allowable editors. If the user has $EDITOR set and it matches
''' one of the allowed editors that editor will be used. If not,
''' the first editor in the list that actually exists is used.
''' '''
''' '''
.de Sh .de Sh
@ -96,7 +102,7 @@
.nr % 0 .nr % 0
.rr F .rr F
.\} .\}
.TH sudoers @mansectform@ "1.6.3" "26/Mar/2000" "FILE FORMATS" .TH sudoers @mansectform@ "1.6.3" "1/Apr/2000" "FILE FORMATS"
.UC .UC
.if n .hy 0 .if n .hy 0
.if n .na .if n .na
@ -469,21 +475,25 @@ of echo when there is no tty present, some sites may with to set
this flag to prevent a user from entering a visible password. This this flag to prevent a user from entering a visible password. This
flag is off by default. flag is off by default.
.Ip "env_editor" 12 .Ip "env_editor" 12
If set, \fBvisudo\fR will use the value of the \s-1EDITOR\s0 or \s-1VISUAL\s0 environment If set, \fBvisudo\fR will use the value of the \s-1EDITOR\s0 or \s-1VISUAL\s0
falling back on the default editor. Note that this may create a environment variables before falling back on the default editor list.
security hole as most editors allow a user to get a shell (which Note that this may create a security hole as it allows the user to
would be a root shell and not be logged). run any arbitrary command as root without logging. A safer alternative
is to place a colon-separated list of editors in the \f(CWeditor\fR
variable. \fBvisudo\fR will then only use the \s-1EDITOR\s0 or \s-1VISUAL\s0 if
they match a value specified in \f(CWeditor\fR. This flag is off by
default.
.Ip "rootpw" 12 .Ip "rootpw" 12
If set, \fBsudo\fR will prompt for the root password instead of the password If set, \fBsudo\fR will prompt for the root password instead of the password
of the invoking user. of the invoking user. This flag is off by default.
.Ip "runaspw" 12 .Ip "runaspw" 12
If set, \fBsudo\fR will prompt for the password of the user defined by the If set, \fBsudo\fR will prompt for the password of the user defined by the
\fIrunas_default\fR option (defaults to root) instead of the password \fIrunas_default\fR option (defaults to root) instead of the password
of the invoking user. of the invoking user. This flag is off by default.
.Ip "targetpw" 12 .Ip "targetpw" 12
If set, \fBsudo\fR will prompt for the password of the user specified by If set, \fBsudo\fR will prompt for the password of the user specified by
the \f(CW-u\fR flag (defaults to root) instead of the password of the the \f(CW-u\fR flag (defaults to root) instead of the password of the
invoking user. invoking user. This flag is off by default.
.Ip "set_logname" 12 .Ip "set_logname" 12
Normally, \fBsudo\fR will set the \f(CWLOGNAME\fR and \f(CWUSER\fR environment variables Normally, \fBsudo\fR will set the \f(CWLOGNAME\fR and \f(CWUSER\fR environment variables
to the name of the target user (usually root unless the \f(CW-u\fR flag is given). to the name of the target user (usually root unless the \f(CW-u\fR flag is given).
@ -493,7 +503,7 @@ to change this behavior. This can be done by negating the set_logname option.
.Ip "use_loginclass" 12 .Ip "use_loginclass" 12
If set, \fBsudo\fR will apply the defaults specified for the target user's If set, \fBsudo\fR will apply the defaults specified for the target user's
login class if one exists. Only available if \fBsudo\fR is configured with login class if one exists. Only available if \fBsudo\fR is configured with
the --with-logincap option. the --with-logincap option. This flag is off by default.
.PP .PP
\fBIntegers\fR: \fBIntegers\fR:
.Ip "passwd_tries" 12 .Ip "passwd_tries" 12
@ -542,8 +552,11 @@ Defaults to \*(L"notice\*(R".
Syslog priority to use when user authenticates unsuccessfully. Syslog priority to use when user authenticates unsuccessfully.
Defaults to \*(L"alert\*(R". Defaults to \*(L"alert\*(R".
.Ip "editor" 12 .Ip "editor" 12
Path to the editor to be used by \fBvisudo\fR. The default is the path A colon (':') separated list of editors allowed to be used with
to vi on your system. \fBvisudo\fR. \fBvisudo\fR will choose the editor that matches the user's
\s-1USER\s0 environment variable if possible, or the first editor in the
list that exists and is executable. The default is the path to vi
on your system.
.PP .PP
\fBStrings that can be used in a boolean context\fR: \fBStrings that can be used in a boolean context\fR:
.Ip "logfile" 12 .Ip "logfile" 12

27
sudoers.pod
View File

@ -352,27 +352,31 @@ flag is off by default.
=item env_editor =item env_editor
If set, B<visudo> will use the value of the EDITOR or VISUAL environment If set, B<visudo> will use the value of the EDITOR or VISUAL
falling back on the default editor. Note that this may create a environment variables before falling back on the default editor list.
security hole as most editors allow a user to get a shell (which Note that this may create a security hole as it allows the user to
would be a root shell and not be logged). run any arbitrary command as root without logging. A safer alternative
is to place a colon-separated list of editors in the C<editor>
variable. B<visudo> will then only use the EDITOR or VISUAL if
they match a value specified in C<editor>. This flag is off by
default.
=item rootpw =item rootpw
If set, B<sudo> will prompt for the root password instead of the password If set, B<sudo> will prompt for the root password instead of the password
of the invoking user. of the invoking user. This flag is off by default.
=item runaspw =item runaspw
If set, B<sudo> will prompt for the password of the user defined by the If set, B<sudo> will prompt for the password of the user defined by the
I<runas_default> option (defaults to root) instead of the password I<runas_default> option (defaults to root) instead of the password
of the invoking user. of the invoking user. This flag is off by default.
=item targetpw =item targetpw
If set, B<sudo> will prompt for the password of the user specified by If set, B<sudo> will prompt for the password of the user specified by
the C<-u> flag (defaults to root) instead of the password of the the C<-u> flag (defaults to root) instead of the password of the
invoking user. invoking user. This flag is off by default.
=item set_logname =item set_logname
@ -386,7 +390,7 @@ to change this behavior. This can be done by negating the set_logname option.
If set, B<sudo> will apply the defaults specified for the target user's If set, B<sudo> will apply the defaults specified for the target user's
login class if one exists. Only available if B<sudo> is configured with login class if one exists. Only available if B<sudo> is configured with
the --with-logincap option. the --with-logincap option. This flag is off by default.
=back =back
@ -473,8 +477,11 @@ Defaults to "alert".
=item editor =item editor
Path to the editor to be used by B<visudo>. The default is the path A colon (':') separated list of editors allowed to be used with
to vi on your system. B<visudo>. B<visudo> will choose the editor that matches the user's
USER environment variable if possible, or the first editor in the
list that exists and is executable. The default is the path to vi
on your system.
=back 12 =back 12

105
visudo.c
View File

@ -123,6 +123,8 @@ main(argc, argv)
{ {
char buf[MAXPATHLEN*2]; /* buffer used for copying files */ char buf[MAXPATHLEN*2]; /* buffer used for copying files */
char *Editor; /* editor to use */ char *Editor; /* editor to use */
char *UserEditor; /* editor user wants to use */
char *EditorPath; /* colon-separated list of editors */
int sudoers_fd; /* sudoers file descriptor */ int sudoers_fd; /* sudoers file descriptor */
int stmp_fd; /* stmp file descriptor */ int stmp_fd; /* stmp file descriptor */
int n; /* length parameter */ int n; /* length parameter */
@ -225,12 +227,99 @@ main(argc, argv)
(void) close(stmp_fd); (void) close(stmp_fd);
/* /*
* If we are allowing EDITOR and VISUAL envariables set Editor * Check EDITOR and VISUAL environment variables to see which editor
* base on whichever exists... * the user wants to use (we may not end up using it though).
* If the path is not fully-qualified, make it so and check that
* the specified executable actually exists.
*/ */
if (!def_flag(I_ENV_EDITOR) || if ((UserEditor = getenv("EDITOR")) == NULL || *UserEditor == '\0')
(!(Editor = getenv("EDITOR")) && !(Editor = getenv("VISUAL")))) UserEditor = getenv("VISUAL");
Editor = def_str(I_EDITOR); if (*UserEditor == '\0')
UserEditor = NULL;
else if (UserEditor) {
if (find_path(UserEditor, &Editor) == FOUND) {
UserEditor = Editor;
} else {
if (def_flag(I_ENV_EDITOR)) {
/* If we are honoring $EDITOR this is a fatal error. */
(void) fprintf(stderr,
"%s: specified editor (%s) doesn't exist!\n",
Argv[0], UserEditor);
Exit(-1);
} else {
/* Otherwise, just ignore $EDITOR. */
UserEditor = NULL;
}
}
}
/*
* See if we can use the user's choice of editors either because
* we allow any $EDITOR or because $EDITOR is in the allowable list.
*/
Editor = NULL;
if (def_flag(I_ENV_EDITOR) && UserEditor)
Editor = UserEditor;
else if (UserEditor) {
struct stat editor_sb;
struct stat user_editor_sb;
char *base, *userbase;
if (stat(UserEditor, &user_editor_sb) != 0) {
/* Should never happen since we already checked above. */
(void) fprintf(stderr, "%s: unable to stat editor (%s): %s\n",
Argv[0], UserEditor, strerror(errno));
Exit(-1);
}
EditorPath = estrdup(def_str(I_EDITOR));
Editor = strtok(EditorPath, ":");
do {
/*
* Both Editor and UserEditor should be fully qualified but
* check anyway...
*/
if ((base = strrchr(Editor, '/')) == NULL)
continue;
if ((userbase = strrchr(UserEditor, '/')) == NULL) {
Editor = NULL;
break;
}
base++, userbase++;
/*
* We compare the basenames first and then use stat to match
* for sure.
*/
if (strcmp(base, userbase) == 0) {
if (stat(Editor, &editor_sb) == 0 && S_ISREG(editor_sb.st_mode)
&& (editor_sb.st_mode & 0000111) &&
editor_sb.st_dev == user_editor_sb.st_dev &&
editor_sb.st_ino == user_editor_sb.st_ino)
break;
}
} while ((Editor = strtok(NULL, ":")));
free(EditorPath);
}
/*
* Can't use $EDITOR, try each element of I_EDITOR until we
* find one that exists, is regular, and is executable.
*/
if (Editor == NULL || *Editor == '\0') {
EditorPath = estrdup(def_str(I_EDITOR));
Editor = strtok(EditorPath, ":");
do {
if (sudo_goodpath(Editor))
break;
} while ((Editor = strtok(NULL, ":")));
/* Bleah, none of the editors existed! */
if (Editor == NULL || *Editor == '\0') {
(void) fprintf(stderr, "%s: no editor found (editor path = %s)\n",
Argv[0], def_str(I_EDITOR));
Exit(-1);
}
}
/* /*
* Edit the temp file and parse it (for sanity checking) * Edit the temp file and parse it (for sanity checking)
@ -433,6 +522,12 @@ set_fqdn()
return; return;
} }
int
user_is_exempt()
{
return(TRUE);
}
/* /*
* Assuming a parse error occurred, prompt the user for what they want * Assuming a parse error occurred, prompt the user for what they want
* to do now. Returns the first letter of their choice. * to do now. Returns the first letter of their choice.