mir/sudo
2
0
Fork 0
mirror of https://github.com/sudo-project/sudo.git synced 2025-08-22 09:57:41 +00:00
Code Issues Releases Wiki Activity

Add warning about writable directories and sudo/sudoedit.

Browse Source
This commit is contained in:
Todd C. Miller 2015-08-07 17:00:42 -06:00
parent 796911b3fa
commit c12dd68d1e
3 changed files with 53 additions and 3 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

14
doc/sudo.cat
View File

@ -433,6 +433,18 @@ SSEECCUURRIITTYY NNOOTTEESS
environment variable is _n_o_t modified and is passed unchanged to the environment variable is _n_o_t modified and is passed unchanged to the
program that ssuuddoo executes. program that ssuuddoo executes.
Users should not be granted ssuuddoo privileges to execute files that are
writable by the user or that reside in a directory that is writable by
the user. If the user can modify or replace the command there is no way
to limit what additional commands they can run. Likewise, users should
not be granted ssuuddooeeddiitt permission to edit a file that resides in a
directory the user has write access to. A user with directory write
access could replace the legitimate file with a link to some other,
arbitrary, file. Starting with version 1.8.15, ssuuddooeeddiitt will refuse to
open a symbolic link unless the security policy explicitly permits it.
However, it is still possible to create a hard link if the directory is
writable and the link target resides on the same file system.
Please note that ssuuddoo will normally only log the command it explicitly Please note that ssuuddoo will normally only log the command it explicitly
runs. If a user runs a command such as sudo su or sudo sh, subsequent runs. If a user runs a command such as sudo su or sudo sh, subsequent
commands run from that shell are not subject to ssuuddoo's security policy. commands run from that shell are not subject to ssuuddoo's security policy.
@ -592,4 +604,4 @@ DDIISSCCLLAAIIMMEERR
file distributed with ssuuddoo or http://www.sudo.ws/license.html for file distributed with ssuuddoo or http://www.sudo.ws/license.html for
complete details. complete details.
Sudo 1.8.15 August 6, 2015 Sudo 1.8.15 Sudo 1.8.15 August 7, 2015 Sudo 1.8.15

21
doc/sudo.man.in
View File

@ -21,7 +21,7 @@
.\" Agency (DARPA) and Air Force Research Laboratory, Air Force .\" Agency (DARPA) and Air Force Research Laboratory, Air Force
.\" Materiel Command, USAF, under agreement number F39502-99-1-0512. .\" Materiel Command, USAF, under agreement number F39502-99-1-0512.
.\" .\"
.TH "SUDO" "8" "August 6, 2015" "Sudo @PACKAGE_VERSION@" "System Manager's Manual" .TH "SUDO" "8" "August 7, 2015" "Sudo @PACKAGE_VERSION@" "System Manager's Manual"
.nh .nh
.if n .ad l .if n .ad l
.SH "NAME" .SH "NAME"
@ -869,6 +869,25 @@ modified and is passed unchanged to the program that
\fBsudo\fR \fBsudo\fR
executes. executes.
.PP .PP
Users should not be granted
\fBsudo\fR
privileges to execute files that are writable by the user or
that reside in a directory that is writable by the user.
If the user can modify or replace the command there is no way
to limit what additional commands they can run.
Likewise, users should not be granted
\fBsudoedit\fR
permission to edit a file that resides in a directory the user has
write access to.
A user with directory write access could replace the legitimate
file with a link to some other, arbitrary, file.
Starting with version 1.8.15,
\fBsudoedit\fR
will refuse to open a symbolic link unless the security policy
explicitly permits it.
However, it is still possible to create a hard link if the directory
is writable and the link target resides on the same file system.
.PP
Please note that Please note that
\fBsudo\fR \fBsudo\fR
will normally only log the command it explicitly runs. will normally only log the command it explicitly runs.

21
doc/sudo.mdoc.in
View File

@ -19,7 +19,7 @@
.\" Agency (DARPA) and Air Force Research Laboratory, Air Force .\" Agency (DARPA) and Air Force Research Laboratory, Air Force
.\" Materiel Command, USAF, under agreement number F39502-99-1-0512. .\" Materiel Command, USAF, under agreement number F39502-99-1-0512.
.\" .\"
.Dd August 6, 2015 .Dd August 7, 2015
.Dt SUDO @mansectsu@ .Dt SUDO @mansectsu@
.Os Sudo @PACKAGE_VERSION@ .Os Sudo @PACKAGE_VERSION@
.Sh NAME .Sh NAME
@ -804,6 +804,25 @@ modified and is passed unchanged to the program that
.Nm .Nm
executes. executes.
.Pp .Pp
Users should not be granted
.Nm
privileges to execute files that are writable by the user or
that reside in a directory that is writable by the user.
If the user can modify or replace the command there is no way
to limit what additional commands they can run.
Likewise, users should not be granted
.Nm sudoedit
permission to edit a file that resides in a directory the user has
write access to.
A user with directory write access could replace the legitimate
file with a link to some other, arbitrary, file.
Starting with version 1.8.15,
.Nm sudoedit
will refuse to open a symbolic link unless the security policy
explicitly permits it.
However, it is still possible to create a hard link if the directory
is writable and the link target resides on the same file system.
.Pp
Please note that Please note that
.Nm .Nm
will normally only log the command it explicitly runs. will normally only log the command it explicitly runs.