mir/sudo
2
0
Fork 0
mirror of https://github.com/sudo-project/sudo.git synced 2025-08-22 18:08:23 +00:00
Code Issues Releases Wiki Activity

Document reserved words that cannot be used as alias names.

Browse Source 
Bug #941
This commit is contained in:
Todd C. Miller 2020-09-25 13:50:32 -06:00
parent 70ada21c5b
commit b1a59accf7
5 changed files with 105 additions and 11 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

7
NEWS
View File

@ -67,9 +67,10 @@ What's new in Sudo 1.9.3
* It is now possible to set the working directory or change the * It is now possible to set the working directory or change the
root directory on a per-command basis using the CWD and CHROOT root directory on a per-command basis using the CWD and CHROOT
options. There are also new Defaults settings, runchroot and options. CWD and CHROOT are now reserved words in sudoers--they
runcwd, that can be used to set the working directory or root can no longer be used as alias names. There are also new Defaults
directory on a more global basis. settings, runchroot and runcwd, that can be used to set the
working directory or root directory on a more global basis.
* New -D (--chdir) and -R (--chroot) command line options can be * New -D (--chdir) and -R (--chroot) command line options can be
used to set the working directory or root directory if the sudoers used to set the working directory or root directory if the sudoers

13
doc/UPGRADE
View File

@ -3,6 +3,12 @@ Notes on upgrading from an older release
o Upgrading from a version prior to 1.9.3: o Upgrading from a version prior to 1.9.3:
Due to the addition of the CHROOT and CWD options, it is no
longer possible to declare an alias with one of those names.
If a sudoers file has an alias with one of those names, sudo
and visudo will report a syntax error with a message like
"syntax error: unexpected CHROOT, expecting ALIAS".
Starting with version 1.9.3, sudoers rules must end in either Starting with version 1.9.3, sudoers rules must end in either
a newline or the end-of-file. This makes it possible to provide a newline or the end-of-file. This makes it possible to provide
better error messages. Previously, it was possible to include better error messages. Previously, it was possible to include
@ -97,6 +103,13 @@ o Upgrading from a version prior to 1.8.23:
o Upgrading from a version prior to 1.8.20: o Upgrading from a version prior to 1.8.20:
Due to the addition of the TIMEOUT, NOTBEFORE and NOTAFTTER
options, it is no longer possible to declare an alias with one
of those names. If a sudoers file has an alias with one of
those names, sudo and visudo will report a syntax error with a
message like "syntax error: unexpected TIMEOUT, expecting ALIAS".
Starting with version 1.9.3, sudoers rules must end in either
Prior to version 1.8.20, when log_input, log_output or use_pty Prior to version 1.8.20, when log_input, log_output or use_pty
were enabled, if any of the standard input, output or error were enabled, if any of the standard input, output or error
were not connected to a terminal, sudo would use a pipe. The were not connected to a terminal, sudo would use a pipe. The

37
doc/sudoers.man.in
View File

@ -25,7 +25,7 @@
.nr BA @BAMAN@ .nr BA @BAMAN@
.nr LC @LCMAN@ .nr LC @LCMAN@
.nr PS @PSMAN@ .nr PS @PSMAN@
.TH "SUDOERS" "@mansectform@" "September 9, 2020" "Sudo @PACKAGE_VERSION@" "File Formats Manual" .TH "SUDOERS" "@mansectform@" "September 25, 2020" "Sudo @PACKAGE_VERSION@" "File Formats Manual"
.nh .nh
.if n .ad l .if n .ad l
.SH "NAME" .SH "NAME"
@ -1380,6 +1380,10 @@ subsequent
in the in the
\fRCmnd_Spec_List\fR, \fRCmnd_Spec_List\fR,
inherit that option unless it is overridden by another option. inherit that option unless it is overridden by another option.
Note that the option names are reserved words in
\fIsudoers\fR.
This means that none of the valid option names (see below) can be used
when declaring an alias.
.if \n(SL \{\ .if \n(SL \{\
.SS "SELinux_Spec" .SS "SELinux_Spec"
On systems with SELinux support, On systems with SELinux support,
@ -2128,17 +2132,42 @@ It can be used wherever one might otherwise use a
\fRRunas_Alias\fR, \fRRunas_Alias\fR,
or or
\fRHost_Alias\fR. \fRHost_Alias\fR.
You should not try to define your own Attempting to define an
\fIalias\fR \fIalias\fR
called named
\fBALL\fR \fBALL\fR
as the built-in alias will be used in preference to your own. will result in a syntax error.
Please note that using Please note that using
\fBALL\fR \fBALL\fR
can be dangerous since in a command context, it allows the user to run can be dangerous since in a command context, it allows the user to run
\fIany\fR \fIany\fR
command on the system. command on the system.
.PP .PP
The following option names permitted in an
\fROption_Spec\fR
are also considered reserved words:
\fRCHROOT\fR,
.if \n(PS \{\
\fRPRIVS\fR,
.\}
.if \n(PS \{\
\fRLIMITPRIVS\fR,
.\}
.if \n(SL \{\
\fRROLE\fR,
.\}
.if \n(SL \{\
\fRTYPE\fR,
.\}
\fRCMND_TIMEOUT\fR,
\fRCWD\fR,
\fRNOTBEFORE\fR
and
\fRNOTAFTER\fR.
Attempting to define an
\fIalias\fR
with the same name as one of the options will result in a syntax error.
.PP
An exclamation point An exclamation point
(\(oq\&!\(cq) (\(oq\&!\(cq)
can be used as a logical can be used as a logical

26
doc/sudoers.man.in.sed
View File

@ -114,3 +114,29 @@ s/^\(.TH .*\)/.nr SL @SEMAN@\
} }
} }
} }
/^\\fRPRIVS\\fR,/ {
i\
.if \\n(PS \\{\\
a\
.\\}
}
/^\\fRLIMITPRIVS\\fR,/ {
i\
.if \\n(PS \\{\\
a\
.\\}
}
/^\\fRROLE\\fR,/ {
i\
.if \\n(SL \\{\\
a\
.\\}
}
/^\\fRTYPE\\fR,/ {
i\
.if \\n(SL \\{\\
a\
.\\}
}

33
doc/sudoers.mdoc.in
View File

@ -24,7 +24,7 @@
.nr BA @BAMAN@ .nr BA @BAMAN@
.nr LC @LCMAN@ .nr LC @LCMAN@
.nr PS @PSMAN@ .nr PS @PSMAN@
.Dd September 9, 2020 .Dd September 25, 2020
.Dt SUDOERS @mansectform@ .Dt SUDOERS @mansectform@
.Os Sudo @PACKAGE_VERSION@ .Os Sudo @PACKAGE_VERSION@
.Sh NAME .Sh NAME
@ -1308,6 +1308,10 @@ subsequent
in the in the
.Li Cmnd_Spec_List , .Li Cmnd_Spec_List ,
inherit that option unless it is overridden by another option. inherit that option unless it is overridden by another option.
Note that the option names are reserved words in
.Em sudoers .
This means that none of the valid option names (see below) can be used
when declaring an alias.
.if \n(SL \{\ .if \n(SL \{\
.Ss SELinux_Spec .Ss SELinux_Spec
On systems with SELinux support, On systems with SELinux support,
@ -2004,17 +2008,38 @@ It can be used wherever one might otherwise use a
.Li Runas_Alias , .Li Runas_Alias ,
or or
.Li Host_Alias . .Li Host_Alias .
You should not try to define your own Attempting to define an
.Em alias .Em alias
called named
.Sy ALL .Sy ALL
as the built-in alias will be used in preference to your own. will result in a syntax error.
Please note that using Please note that using
.Sy ALL .Sy ALL
can be dangerous since in a command context, it allows the user to run can be dangerous since in a command context, it allows the user to run
.Em any .Em any
command on the system. command on the system.
.Pp .Pp
The following option names permitted in an
.Li Option_Spec
are also considered reserved words:
.Li CHROOT ,
.if \n(PS \{\
.Li PRIVS ,
.Li LIMITPRIVS ,
.\}
.if \n(SL \{\
.Li ROLE ,
.Li TYPE ,
.\}
.Li CMND_TIMEOUT ,
.Li CWD ,
.Li NOTBEFORE
and
.Li NOTAFTER .
Attempting to define an
.Em alias
with the same name as one of the options will result in a syntax error.
.Pp
An exclamation point An exclamation point
.Pq Ql \&! .Pq Ql \&!
can be used as a logical can be used as a logical