From e455f848a929180bb88415b922ce3fc3a5ee90f1 Mon Sep 17 00:00:00 2001 From: "Todd C. Miller" Date: Wed, 13 Oct 2004 16:52:51 +0000 Subject: [PATCH] stay_setuid now requires set_reuid() or setresuid() --- sudoers.cat | 282 ++++++++++++++++++++++++------------------------- sudoers.man.in | 10 +- sudoers.pod | 8 +- 3 files changed, 148 insertions(+), 152 deletions(-) diff --git a/sudoers.cat b/sudoers.cat index c1eaedd79..321f3051e 100644 --- a/sudoers.cat +++ b/sudoers.cat @@ -61,7 +61,7 @@ DDEESSCCRRIIPPTTIIOONN -1.6.9 October 7, 2004 1 +1.6.9 October 13, 2004 1 @@ -127,7 +127,7 @@ SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4) -1.6.9 October 7, 2004 2 +1.6.9 October 13, 2004 2 @@ -193,7 +193,7 @@ SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4) -1.6.9 October 7, 2004 3 +1.6.9 October 13, 2004 3 @@ -259,7 +259,7 @@ SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4) -1.6.9 October 7, 2004 4 +1.6.9 October 13, 2004 4 @@ -325,7 +325,7 @@ SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4) -1.6.9 October 7, 2004 5 +1.6.9 October 13, 2004 5 @@ -391,7 +391,7 @@ SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4) -1.6.9 October 7, 2004 6 +1.6.9 October 13, 2004 6 @@ -457,7 +457,7 @@ SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4) -1.6.9 October 7, 2004 7 +1.6.9 October 13, 2004 7 @@ -502,12 +502,9 @@ SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4) this makes ssuuddoo act as a setuid wrapper. This can be useful on systems that disable some potentially dangerous functionality when a - program is run setuid. Note, however, that - this means that ssuuddoo will run with the real - uid of the invoking user which may allow that - user to kill ssuuddoo before it can log a failure, - depending on how your OS defines the interac­ - tion between signals and setuid processes. + program is run setuid. This option is only + effective on systems with either the + _s_e_t_r_e_u_i_d_(_) or _s_e_t_r_e_s_u_i_d_(_) function. env_reset If set, ssuuddoo will reset the environment to only contain the following variables: HOME, 
@@ -520,10 +517,13 @@ SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4) with the SECURE_PATH option, its value will be used for the PATH environment variable. Other variables may be preserved with the _e_n_v___k_e_e_p + option. -1.6.9 October 7, 2004 8 + + +1.6.9 October 13, 2004 8 @@ -532,8 +532,6 @@ SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4) SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4) - option. - use_loginclass If set, ssuuddoo will apply the defaults specified for the target user's login class if one @@ -586,10 +584,12 @@ SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4) loglinelen Number of characters per line for the file log. This value is used to decide when to wrap lines for nicer log files. This has no + effect on the syslog log file, only the file + log. The default is 80 (use 0 or negate the -1.6.9 October 7, 2004 9 +1.6.9 October 13, 2004 9 @@ -598,8 +598,6 @@ SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4) SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4) - effect on the syslog log file, only the file - log. The default is 80 (use 0 or negate the option to disable word wrap). timestamp_timeout @@ -652,10 +650,12 @@ SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4) %U expanded to the login name of the user the command will be run as (defaults + to root) -1.6.9 October 7, 2004 10 + +1.6.9 October 13, 2004 10 @@ -664,8 +664,6 @@ SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4) SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4) - to root) - %h expanded to the local hostname without the domain name @@ -718,10 +716,12 @@ SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4) never Never lecture the user. + once Only lecture the user the first time + they run ssuuddoo. -1.6.9 October 7, 2004 11 +1.6.9 October 13, 2004 11 @@ -730,9 +730,6 @@ SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4) SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4) - once Only lecture the user the first time - they run ssuuddoo. - always Always lecture the user. The default value is _o_n_c_e. 
@@ -784,10 +781,13 @@ SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4) to use the --vv flag. always The user must always enter a password + to use the --vv flag. + + The default value is `all'. -1.6.9 October 7, 2004 12 +1.6.9 October 13, 2004 12 @@ -796,10 +796,6 @@ SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4) SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4) - to use the --vv flag. - - The default value is `all'. - listpw This option controls when a password will be required when a user runs ssuuddoo with the --ll flag. It has the following possible values: @@ -850,10 +846,14 @@ SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4) dangerous variables from the environment of any setuid process (such as ssuuddoo). + env_keep Environment variables to be preserved in the + user's environment when the _e_n_v___r_e_s_e_t option + is in effect. This allows fine-grained con­ + trol over the environment ssuuddoo-spawned -1.6.9 October 7, 2004 13 +1.6.9 October 13, 2004 13 @@ -862,11 +862,7 @@ SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4) SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4) - env_keep Environment variables to be preserved in the - user's environment when the _e_n_v___r_e_s_e_t option - is in effect. This allows fine-grained con­ - trol over the environment ssuuddoo-spawned pro­ - cesses will receive. The argument may be a + processes will receive. The argument may be a double-quoted, space-separated list or a sin­ gle value without double-quotes. The list can be replaced, added to, deleted from, or dis­ @@ -916,10 +912,14 @@ SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4) dgb boulder = (operator) /bin/ls, /bin/kill, /usr/bin/lprm The user ddggbb may run _/_b_i_n_/_l_s, _/_b_i_n_/_k_i_l_l, and _/_u_s_r_/_b_i_n_/_l_p_r_m + -- but only as ooppeerraattoorr. E.g., + + $ sudo -u operator /bin/ls. -1.6.9 October 7, 2004 14 + +1.6.9 October 13, 2004 14 
@@ -928,10 +928,6 @@ SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4) SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4) - -- but only as ooppeerraattoorr. E.g., - - $ sudo -u operator /bin/ls. - It is also possible to override a Runas_Spec later on in an entry. If we modify the entry like so: @@ -982,10 +978,14 @@ SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4) _N_O_E_X_E_C _a_n_d _E_X_E_C + If ssuuddoo has been compiled with _n_o_e_x_e_c support and the + underlying operating system supports it, the NOEXEC tag + can be used to prevent a dynamically-linked executable + from running further commands itself. -1.6.9 October 7, 2004 15 +1.6.9 October 13, 2004 15 @@ -994,11 +994,6 @@ SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4) SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4) - If ssuuddoo has been compiled with _n_o_e_x_e_c support and the - underlying operating system supports it, the NOEXEC tag - can be used to prevent a dynamically-linked executable - from running further commands itself. - In the following example, user aaaarroonn may run _/_u_s_r_/_b_i_n_/_m_o_r_e and _/_u_s_r_/_b_i_n_/_v_i but shell escapes will be disabled. @@ -1048,10 +1043,15 @@ SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4) "?", "[", and "}". Note that a forward slash ('/') will nnoott be matched by + wildcards used in the pathname. When matching the command + line arguments, however, a slash ddooeess get matched by wild­ + cards. This is to make a path like: + + /usr/bin/* -1.6.9 October 7, 2004 16 +1.6.9 October 13, 2004 16 @@ -1060,12 +1060,6 @@ SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4) SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4) - wildcards used in the pathname. When matching the command - line arguments, however, a slash ddooeess get matched by wild­ - cards. This is to make a path like: - - /usr/bin/* - match _/_u_s_r_/_b_i_n_/_w_h_o but not _/_u_s_r_/_b_i_n_/_X_1_1_/_x_t_e_r_m. EExxcceeppttiioonnss ttoo wwiillddccaarrdd rruulleess 
@@ -1114,10 +1108,16 @@ SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4) _a_l_i_a_s called AALLLL as the built-in alias will be used in preference to your own. Please note that using AALLLL can be dangerous since in a command context, it allows the user + to run aannyy command on the system. + + An exclamation point ('!') can be used as a logical _n_o_t + operator both in an _a_l_i_a_s and in front of a Cmnd. This + allows one to exclude certain values. Note, however, that + using a ! in conjunction with the built-in ALL alias to -1.6.9 October 7, 2004 17 +1.6.9 October 13, 2004 17 @@ -1126,12 +1126,6 @@ SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4) SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4) - to run aannyy command on the system. - - An exclamation point ('!') can be used as a logical _n_o_t - operator both in an _a_l_i_a_s and in front of a Cmnd. This - allows one to exclude certain values. Note, however, that - using a ! in conjunction with the built-in ALL alias to allow a user to run "all but a few" commands rarely works as intended (see SECURITY NOTES below). @@ -1172,26 +1166,6 @@ EEXXAAMMPPLLEESS Runas_Alias OP = root, operator Runas_Alias DB = oracle, sybase - - - - - - - - - - - -1.6.9 October 7, 2004 18 - - - - - -SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4) - - # Host alias specification Host_Alias SPARC = bigtime, eclipse, moet, anchor :\ SGI = grolsch, dandelion, black :\ @@ -1202,6 +1176,22 @@ SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4) Host_Alias SERVERS = master, mail, www, ns Host_Alias CDROM = orion, perseus, hercules + + + + + + + +1.6.9 October 13, 2004 18 + + + + + +SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4) + + # Cmnd alias specification Cmnd_Alias DUMPS = /usr/bin/mt, /usr/sbin/dump, /usr/sbin/rdump,\ /usr/sbin/restore, /usr/sbin/rrestore 
@@ -1247,17 +1237,6 @@ SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4) Full time sysadmins (mmiilllleerrtt, mmiikkeeff, and ddoowwddyy) may run any command on any host without authenticating themselves. - - -1.6.9 October 7, 2004 19 - - - - - -SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4) - - PARTTIMERS ALL = ALL Part time sysadmins (bboossttlleeyy, jjwwffooxx, and ccrraawwll) may run @@ -1267,6 +1246,18 @@ SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4) jack CSNETS = ALL The user jjaacckk may run any command on the machines in the + + + +1.6.9 October 13, 2004 19 + + + + + +SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4) + + _C_S_N_E_T_S alias (the networks 128.138.243.0, 128.138.204.0, and 128.138.242.0). Of those networks, only 128.138.204.0 has an explicit netmask (in CIDR notation) indicating it @@ -1312,18 +1303,6 @@ SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4) +secretaries ALL = PRINTING, /usr/bin/adduser, /usr/bin/rmuser Users in the sseeccrreettaarriieess netgroup need to help manage the - - - -1.6.9 October 7, 2004 20 - - - - - -SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4) - - printers as well as add and remove users, so they are allowed to run those commands on all machines. @@ -1334,6 +1313,17 @@ SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4) john ALPHA = /usr/bin/su [!-]*, !/usr/bin/su *root* + + +1.6.9 October 13, 2004 20 + + + + + +SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4) + + On the _A_L_P_H_A machines, user jjoohhnn may su to anyone except root but he is not allowed to give _s_u(1) any flags. @@ -1378,18 +1368,6 @@ SSEECCUURRIITTYY NNOOTTEESS It is generally not effective to "subtract" commands from ALL using the '!' operator. A user can trivially circum­ vent this by copying the desired command to a different - - - -1.6.9 October 7, 2004 21 - - - - - -SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4) - - name and then executing that. For example: bill ALL = ALL, !SU, !SHELLS 
@@ -1401,6 +1379,17 @@ SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4) restrictions should be considered advisory at best (and reinforced by policy). + + +1.6.9 October 13, 2004 21 + + + + + +SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4) + + PPRREEVVEENNTTIINNGG SSHHEELLLL EESSCCAAPPEESS Once ssuuddoo executes a program, that program is free to do whatever it pleases, including run other programs. This @@ -1444,18 +1433,6 @@ PPRREEVVEENNTTIINNGG SSHHEELLLL EESSCCAAPPEESS File containing dummy exec functions: then ssuuddoo may be able to replace the exec family - - - -1.6.9 October 7, 2004 22 - - - - - -SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4) - - of functions in the standard library with its own that simply return an error. Unfortunately, there is no foolproof way to know whether or not @@ -1467,6 +1444,18 @@ SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4) the LD_PRELOAD environment variable. Check your operating system's manual pages for the dynamic linker (usually ld.so, ld.so.1, dyld, dld.sl, + + + +1.6.9 October 13, 2004 22 + + + + + +SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4) + + rld, or loader) to see if LD_PRELOAD is sup­ ported. @@ -1511,17 +1500,6 @@ SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4) and Linux. See for more information. - - -1.6.9 October 7, 2004 23 - - - - - -SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4) - - Note that restricting shell escapes is not a panacea. Programs running as root are still capable of many poten­ tially hazardous operations (such as changing or overwrit­ @@ -1532,6 +1510,18 @@ SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4) SSEEEE AALLSSOO _r_s_h(1), _s_u(1), _f_n_m_a_t_c_h(3), sudo(1m), visudo(1m) + + + +1.6.9 October 13, 2004 23 + + + + + +SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4) + + CCAAVVEEAATTSS The _s_u_d_o_e_r_s file should aallwwaayyss be edited by the vviissuuddoo command which locks the file and does grammatical check­ 
@@ -1579,6 +1569,16 @@ DDIISSCCLLAAIIMMEERR -1.6.9 October 7, 2004 24 + + + + + + + + + + +1.6.9 October 13, 2004 24 diff --git a/sudoers.man.in b/sudoers.man.in index d0f7d6373..3f96a660f 100644 --- a/sudoers.man.in +++ b/sudoers.man.in @@ -149,7 +149,7 @@ .\" ======================================================================== .\" .IX Title "SUDOERS @mansectform@" -.TH SUDOERS @mansectform@ "October 7, 2004" "1.6.9" "MAINTENANCE COMMANDS" +.TH SUDOERS @mansectform@ "October 13, 2004" "1.6.9" "MAINTENANCE COMMANDS" .SH "NAME" sudoers \- list of which users may execute what .SH "DESCRIPTION" @@ -563,11 +563,9 @@ UIDs are set to the target user (root by default). This option changes that behavior such that the real \s-1UID\s0 is left as the invoking user's \s-1UID\s0. In other words, this makes \fBsudo\fR act as a setuid wrapper. This can be useful on systems that disable some potentially -dangerous functionality when a program is run setuid. Note, however, -that this means that \fBsudo\fR will run with the real uid of the invoking -user which may allow that user to kill \fBsudo\fR before it can log a -failure, depending on how your \s-1OS\s0 defines the interaction between -signals and setuid processes. +dangerous functionality when a program is run setuid. This option +is only effective on systems with either the \fIsetreuid()\fR or \fIsetresuid()\fR +function. .IP "env_reset" 12 .IX Item "env_reset" If set, \fBsudo\fR will reset the environment to only contain the diff --git a/sudoers.pod b/sudoers.pod index eebc72849..3698ce5f2 100644 --- a/sudoers.pod +++ b/sudoers.pod 
@@ -427,11 +427,9 @@ UIDs are set to the target user (root by default). This option changes that behavior such that the real UID is left as the invoking user's UID. In other words, this makes B act as a setuid wrapper. This can be useful on systems that disable some potentially -dangerous functionality when a program is run setuid. Note, however, -that this means that B will run with the real uid of the invoking -user which may allow that user to kill B before it can log a -failure, depending on how your OS defines the interaction between -signals and setuid processes. +dangerous functionality when a program is run setuid. This option +is only effective on systems with either the setreuid() or setresuid() +function. =item env_reset
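Review bot: in the sudoers.cat stay_setuid hunk (@@ -502,12 +502,9 @@), the replacement text states that the option "is only effective on systems with either the setreuid() or setresuid() function" but does not say what happens elsewhere, and it drops the caveat that the invoking user may be able to kill sudo before a failure is logged without saying whether that risk still applies on the supported systems. Suggest stating both explicitly, e.g. "On systems lacking both functions the option is ignored" (or "rejected by visudo", whichever the code does), and, if the setreuid()/setresuid() path now prevents the invoking user from signalling sudo before it logs, one sentence saying so; as written, an administrator who relied on the old warning cannot tell whether the problem was fixed or merely no longer documented.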
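Review bot: the remaining sudoers.cat hunks (the footer hunks from @@ -61,7 +61,7 @@ onwards and the page-break hunks such as @@ -1172,26 +1166,6 @@ / @@ -1202,6 +1176,22 @@) are mechanical reflow of the formatted page caused by the three lines removed from the stay_setuid paragraph plus the date change, so the one substantive wording change is buried in roughly 300 lines of churn. Since sudoers.cat is rendered from sudoers.pod, consider committing the regenerated .cat and .man.in output separately from the .pod wording change, or at least saying in the commit message that the .cat/.man.in hunks are regenerated output, so that reviewers can confine their attention to the sudoers.pod hunk.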
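Review bot: in the sudoers.man.in stay_setuid hunk (@@ -563,11 +563,9 @@) the function names are set as `\fIsetreuid()\fR` and `\fIsetresuid()\fR` with the parentheses inside the italic span, which matches how the rendered sudoers.cat hunk shows them as `_s_e_t_r_e_u_i_d_(_)`; fine as generated output, but the sentence is the only place in the option description that says which system calls the option depends on, so it would help to cross-reference the section in sudo(1m) or the SECURITY NOTES that explains how the real and effective UIDs are handled, since the "setuid wrapper" wording on the preceding context lines otherwise leaves the reader guessing which UID is left as the invoker's on each platform.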
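Review bot: in the sudoers.pod hunk (@@ -427,11 +427,9 @@), the new text names the functions as `setreuid()` and `setresuid()`, but the commit subject reads "set_reuid()", which is not a real function name; the subject should be corrected to "setreuid()" so that `git log` searches for the function match this change. Note also that this view of the pod hunk shows "makes B act as a setuid wrapper", i.e. the `B<sudo>` markup has been stripped by whatever rendered the diff here; the underlying pod is presumably intact, but it is worth confirming that the committed sudoers.pod still carries the `B<...>` formatting on that context line, since sudoers.cat and sudoers.man.in are regenerated from it.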