Document digest support.

NEWS

@@ -85,9 +85,14 @@ What's new in Sudo 1.8.7?
    HP-UX where libibmldap has a hidden dependency on libCsup.
 
  * The sudoers plugin will now ignore invalid domain names when
-   checking netgroup membership.  Some Linux systems use the string
+   checking netgroup membership.  Most Linux systems use the string
    "(none)" for the NIS-style domain name instead of an empty string.
 
+ * New support for specifying a SHA-2 digest along with the command
+   in the sudoers file.  Supported hash types are sha224, sha256,
+   sha384 and sha512.  See the description of Digest_Spec in the
+   sudoers manual for details.
+
 What's new in Sudo 1.8.6p8?
 
  * Terminal detection now works properly on 64-bit AIX kernels.

doc/sample.sudoers

@@ -44,7 +44,9 @@ Host_Alias	CDROM = orion, perseus, hercules
 # Cmnd alias specification
 ##
 Cmnd_Alias	DUMPS = /usr/sbin/dump, /usr/sbin/rdump, /usr/sbin/restore, \
-			/usr/sbin/rrestore, /usr/bin/mt
+			/usr/sbin/rrestore, /usr/bin/mt, \
+			sha224:0GomF8mNN3wlDt1HD9XldjJ3SNgpFdbjO1+NsQ== \
+			/home/operator/bin/start_backups
 Cmnd_Alias	KILL = /usr/bin/kill
 Cmnd_Alias	PRINTING = /usr/sbin/lpc, /usr/bin/lprm
 Cmnd_Alias	SHUTDOWN = /usr/sbin/shutdown

doc/sudoers.cat

@@ -304,6 +304,14 @@ SSUUDDOOEERRSS FFIILLEE FFOORRMMAATT
      ``localhost'' will only match if that is the actual host name, which is
      usually only the case for non-networked systems.
 
+     digest ::= [A-Fa-f0-9]+ |
+                [[A-Za-z0-9+/=]+
+
+     Digest_Spec ::= "sha224" ':' digest |
+                     "sha256" ':' digest |
+                     "sha384" ':' digest |
+                     "sha512" ':' digest
+
      Cmnd_List ::= Cmnd |
                    Cmnd ',' Cmnd_List
 
@@ -311,7 +319,7 @@ SSUUDDOOEERRSS FFIILLEE FFOORRMMAATT
                       file name args |
                       file name '""'
 
-     Cmnd ::= '!'* command name |
+     Cmnd ::= Digest_Spec? '!'* command name |
               '!'* directory |
               '!'* "sudoedit" |
               '!'* Cmnd_Alias
@@ -337,6 +345,27 @@ SSUUDDOOEERRSS FFIILLEE FFOORRMMAATT
      ``sudoedit'' is a command built into ssuuddoo itself and must be specified in
      _s_u_d_o_e_r_s without a leading path.
 
+     If a command name is prefixed with a Digest_Spec, the command will only
+     match successfully if it can be verified using the specified SHA-2
+     digest.  This may be useful in situations where the user invoking ssuuddoo
+     has write access to the command or its parent directory.  The digest
+     string may be specified in either hex or base64 format (base64 is more
+     compact).  There are many utilities capable of generating SHA-2 digests
+     in hex format such as openssl, shasum, sha224sum, sha256sum, sha384sum,
+     sha512sum.
+
+     For example, using openssl:
+
+     $ openssl dgst -sha224 /bin/ls
+     SHA224(/bin/ls)= 118187da8364d490b4a7debbf483004e8f3e053ec954309de2c41a25
+
+     It is also possible to use openssl to generate base64 output:
+
+     $ openssl dgst -binary -sha224 /bin/ls | openssl base64
+     EYGH2oNk1JC0p9679IMATo8+BT7JVDCd4sQaJQ==
+
+     Command digests are only supported by version 1.8.7 or higher.
+
    DDeeffaauullttss
      Certain configuration options may be changed from their default values at
      run-time via one or more Default_Entry lines.  These may affect all users
@@ -1817,7 +1846,9 @@ EEXXAAMMPPLLEESS
 
      # Cmnd alias specification
      Cmnd_Alias      DUMPS = /usr/bin/mt, /usr/sbin/dump, /usr/sbin/rdump,\
-                             /usr/sbin/restore, /usr/sbin/rrestore
+                             /usr/sbin/restore, /usr/sbin/rrestore,\
+                             sha224:0GomF8mNN3wlDt1HD9XldjJ3SNgpFdbjO1+NsQ== \
+                             /home/operator/bin/start_backups
      Cmnd_Alias      KILL = /usr/bin/kill
      Cmnd_Alias      PRINTING = /usr/sbin/lpc, /usr/bin/lprm
      Cmnd_Alias      SHUTDOWN = /usr/sbin/shutdown
@@ -1887,7 +1918,11 @@ EEXXAAMMPPLLEESS
      The ooppeerraattoorr user may run commands limited to simple maintenance.  Here,
      those are commands related to backups, killing processes, the printing
      system, shutting down the system, and any commands in the directory
-     _/_u_s_r_/_o_p_e_r_/_b_i_n_/.
+     _/_u_s_r_/_o_p_e_r_/_b_i_n_/.  Note that one command in the DUMPS Cmnd_Alias includes a
+     sha224 digest, _/_h_o_m_e_/_o_p_e_r_a_t_o_r_/_b_i_n_/_s_t_a_r_t___b_a_c_k_u_p_s.  This is because the
+     directory containing the script is writable by the operator user.  If the
+     script is modified (resulting in a digest mismatch) it will no longer be
+     possible to run it via ssuuddoo.
 
      joe             ALL = /usr/bin/su operator
 
@@ -2183,4 +2218,4 @@ DDIISSCCLLAAIIMMEERR
      file distributed with ssuuddoo or http://www.sudo.ws/sudo/license.html for
      complete details.
 
-Sudo 1.8.7                       March 5, 2013                      Sudo 1.8.7
+Sudo 1.8.7                      April 17, 2013                      Sudo 1.8.7

doc/sudoers.ldap.cat

@@ -79,11 +79,33 @@ DDEESSCCRRIIPPTTIIOONN
            with a `+').  The special value ALL will match any host.
 
      ssuuddooCCoommmmaanndd
-           A Unix command with optional command line arguments, potentially
+           A fully-qualified Unix command name with optional command line
-           including globbing characters (aka wild cards).  The special value
+           arguments, potentially including globbing characters (aka wild
-           ALL will match any command.  If a command is prefixed with an
+           cards).  If a command name is preceded by an exclamation point,
-           exclamation point `!', the user will be prohibited from running
+           `!', the user will be prohibited from running that command.
-           that command.
+
+           The built-in command ``sudoedit'' is used to permit a user to run
+           ssuuddoo with the --ee option (or as ssuuddooeeddiitt).  It may take command line
+           arguments just as a normal command does.  Note that ``sudoedit'' is
+           a command built into ssuuddoo itself and must be specified in without a
+           leading path.
+
+           The special value ALL will match any command.
+
+           If a command name is prefixed with a SHA-2 digest, it will only be
+           allowed if the digest matches.  This may be useful in situations
+           where the user invoking ssuuddoo has write access to the command or its
+           parent directory.  The following digest formats are supported:
+           sha224, sha256, sha384 and sha512.  The digest name must be
+           followed by a colon (`:') and then the actual digest, in either hex
+           or base64 format.  For example, given the following value for
+           sudoCommand:
+
+               sha224:0GomF8mNN3wlDt1HD9XldjJ3SNgpFdbjO1+NsQ /bin/ls
+
+           The user may only run _/_b_i_n_/_l_s if its sha224 digest matches the
+           specified value.  Command digests are only supported by version
+           1.8.7 or higher.
 
      ssuuddooOOppttiioonn
            Identical in function to the global options described above, but
@@ -769,4 +791,4 @@ DDIISSCCLLAAIIMMEERR
      file distributed with ssuuddoo or http://www.sudo.ws/sudo/license.html for
      complete details.
 
-Sudo 1.8.7                     February 7, 2013                     Sudo 1.8.7
+Sudo 1.8.7                      April 17, 2013                      Sudo 1.8.7

doc/sudoers.ldap.man.in

@@ -16,7 +16,7 @@
 .\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
 .\" ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
 .\"
-.TH "SUDOERS.LDAP" "8" "February 7, 2013" "Sudo @PACKAGE_VERSION@" "OpenBSD System Manager's Manual"
+.TH "SUDOERS.LDAP" "8" "April 17, 2013" "Sudo @PACKAGE_VERSION@" "OpenBSD System Manager's Manual"
 .nh
 .if n .ad l
 .SH "NAME"
@@ -165,20 +165,63 @@ The special value
 will match any host.
 .TP 6n
 \fBsudoCommand\fR
-A Unix command with optional command line arguments, potentially
+A fully-qualified Unix command name with optional command line arguments,
-including globbing characters (aka wild cards).
+potentially including globbing characters (aka wild cards).
+If a command name is preceded by an exclamation point,
+`\&!',
+the user will be prohibited from running that command.
+.sp
+The built-in command
+``\fRsudoedit\fR''
+is used to permit a user to run
+\fBsudo\fR
+with the
+\fB\-e\fR
+option (or as
+\fBsudoedit\fR).
+It may take command line arguments just as a normal command does.
+Note that
+``\fRsudoedit\fR''
+is a command built into
+\fBsudo\fR
+itself and must be specified in without a leading path.
+.sp
 The special value
 \fRALL\fR
 will match any command.
-If a command is prefixed with an exclamation point
+.sp
-`\&!',
+If a command name is prefixed with a SHA-2 digest, it will
-the user will be prohibited from running that command.
+only be allowed if the digest matches.
+This may be useful in situations where the user invoking
+\fBsudo\fR
+has write access to the command or its parent directory.
+The following digest formats are supported: sha224, sha256, sha384 and sha512.
+The digest name must be followed by a colon
+(`:\&')
+and then the actual digest, in either hex or base64 format.
+For example, given the following value for sudoCommand:
+.RS
+.nf
+.sp
+.RS 4n
+sha224:0GomF8mNN3wlDt1HD9XldjJ3SNgpFdbjO1+NsQ /bin/ls
+.RE
+.fi
+.sp
+The user may only run
+\fI/bin/ls\fR
+if its sha224 digest matches the specified value.
+Command digests are only supported by version 1.8.7 or higher.
+.PP
+.RE
+.PD 0
 .TP 6n
 \fBsudoOption\fR
 Identical in function to the global options described above, but
 specific to the
 \fRsudoRole\fR
 in which it resides.
+.PD
 .TP 6n
 \fBsudoRunAsUser\fR
 A user name or uid (prefixed with

doc/sudoers.ldap.mdoc.in

@@ -14,7 +14,7 @@
 .\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
 .\" ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
 .\"
-.Dd February 7, 2013
+.Dd April 17, 2013
 .Dt SUDOERS.LDAP @mansectsu@
 .Os Sudo @PACKAGE_VERSION@
 .Sh NAME
@@ -156,14 +156,49 @@ The special value
 .Li ALL
 will match any host.
 .It Sy sudoCommand
-A Unix command with optional command line arguments, potentially
+A fully-qualified Unix command name with optional command line arguments,
-including globbing characters (aka wild cards).
+potentially including globbing characters (aka wild cards).
+If a command name is preceded by an exclamation point,
+.Ql \&! ,
+the user will be prohibited from running that command.
+.Pp
+The built-in command
+.Dq Li sudoedit
+is used to permit a user to run
+.Nm sudo
+with the
+.Fl e
+option (or as
+.Nm sudoedit ) .
+It may take command line arguments just as a normal command does.
+Note that
+.Dq Li sudoedit
+is a command built into
+.Nm sudo
+itself and must be specified in without a leading path.
+.Pp
 The special value
 .Li ALL
 will match any command.
-If a command is prefixed with an exclamation point
+.Pp
-.Ql \&! ,
+If a command name is prefixed with a SHA-2 digest, it will
-the user will be prohibited from running that command.
+only be allowed if the digest matches.
+This may be useful in situations where the user invoking
+.Nm sudo
+has write access to the command or its parent directory.
+The following digest formats are supported: sha224, sha256, sha384 and sha512.
+The digest name must be followed by a colon
+.Pq Ql :\&
+and then the actual digest, in either hex or base64 format.
+For example, given the following value for sudoCommand:
+.Bd -literal -offset 4n
+sha224:0GomF8mNN3wlDt1HD9XldjJ3SNgpFdbjO1+NsQ /bin/ls
+.Ed
+.Pp
+The user may only run
+.Pa /bin/ls
+if its sha224 digest matches the specified value.
+Command digests are only supported by version 1.8.7 or higher.
 .It Sy sudoOption
 Identical in function to the global options described above, but
 specific to the

doc/sudoers.man.in

@@ -21,7 +21,7 @@
 .\" Agency (DARPA) and Air Force Research Laboratory, Air Force
 .\" Materiel Command, USAF, under agreement number F39502-99-1-0512.
 .\"
-.TH "SUDOERS" "@mansectsu@" "March 5, 2013" "Sudo @PACKAGE_VERSION@" "Programmer's Manual"
+.TH "SUDOERS" "@mansectsu@" "April 17, 2013" "Sudo @PACKAGE_VERSION@" "Programmer's Manual"
 .nh
 .if n .ad l
 .SH "NAME"
@@ -679,6 +679,14 @@ only the case for non-networked systems.
 .nf
 .sp
 .RS 0n
+digest ::= [A-Fa-f0-9]+ |
+	   [[A-Za-z0-9\+/=]+
+
+Digest_Spec ::= "sha224" ':' digest |
+		"sha256" ':' digest |
+		"sha384" ':' digest |
+		"sha512" ':' digest
+
 Cmnd_List ::= Cmnd |
               Cmnd ',' Cmnd_List
 
@@ -686,7 +694,7 @@ command name ::= file name |
                  file name args |
                  file name '""'
 
-Cmnd ::= '!'* command name |
+Cmnd ::= Digest_Spec? '!'* command name |
          '!'* directory |
          '!'* "sudoedit" |
          '!'* Cmnd_Alias
@@ -748,6 +756,40 @@ is a command built into
 itself and must be specified in
 \fIsudoers\fR
 without a leading path.
+.PP
+If a
+\fRcommand name\fR
+is prefixed with a
+\fRDigest_Spec\fR,
+the command will only match successfully if it can be verified
+using the specified SHA-2 digest.
+This may be useful in situations where the user invoking
+\fBsudo\fR
+has write access to the command or its parent directory.
+The digest string may be specified in either hex or base64 format
+(base64 is more compact).
+There are many utilities capable of generating SHA-2 digests in hex
+format such as openssl, shasum, sha224sum, sha256sum, sha384sum, sha512sum.
+.PP
+For example, using openssl:
+.nf
+.sp
+.RS 0n
+$ openssl dgst -sha224 /bin/ls
+SHA224(/bin/ls)= 118187da8364d490b4a7debbf483004e8f3e053ec954309de2c41a25
+.RE
+.fi
+.PP
+It is also possible to use openssl to generate base64 output:
+.nf
+.sp
+.RS 0n
+$ openssl dgst -binary -sha224 /bin/ls | openssl base64
+EYGH2oNk1JC0p9679IMATo8+BT7JVDCd4sQaJQ==
+.RE
+.fi
+.PP
+Command digests are only supported by version 1.8.7 or higher.
 .SS "Defaults"
 Certain configuration options may be changed from their default
 values at run-time via one or more
@@ -3706,7 +3748,9 @@ Host_Alias	CDROM = orion, perseus, hercules
 
 # Cmnd alias specification
 Cmnd_Alias	DUMPS = /usr/bin/mt, /usr/sbin/dump, /usr/sbin/rdump,\e
-			/usr/sbin/restore, /usr/sbin/rrestore
+			/usr/sbin/restore, /usr/sbin/rrestore,\e
+			sha224:0GomF8mNN3wlDt1HD9XldjJ3SNgpFdbjO1+NsQ== \e
+			/home/operator/bin/start_backups
 Cmnd_Alias	KILL = /usr/bin/kill
 Cmnd_Alias	PRINTING = /usr/sbin/lpc, /usr/bin/lprm
 Cmnd_Alias	SHUTDOWN = /usr/sbin/shutdown
@@ -3858,6 +3902,15 @@ Here, those are commands related to backups, killing processes, the
 printing system, shutting down the system, and any commands in the
 directory
 \fI/usr/oper/bin/\fR.
+Note that one command in the
+\fRDUMPS\fR
+Cmnd_Alias includes a sha224 digest,
+\fI/home/operator/bin/start_backups\fR.
+This is because the directory containing the script is writable by the
+operator user.
+If the script is modified (resulting in a digest mismatch) it will no longer
+be possible to run it via
+\fBsudo\fR.
 .nf
 .sp
 .RS 0n

doc/sudoers.mdoc.in

@@ -19,7 +19,7 @@
 .\" Agency (DARPA) and Air Force Research Laboratory, Air Force
 .\" Materiel Command, USAF, under agreement number F39502-99-1-0512.
 .\"
-.Dd March 5, 2013
+.Dd April 17, 2013
 .Dt SUDOERS @mansectform@
 .Os Sudo @PACKAGE_VERSION@
 .Sh NAME
@@ -648,6 +648,14 @@ Also, the host name
 will only match if that is the actual host name, which is usually
 only the case for non-networked systems.
 .Bd -literal
+digest ::= [A-Fa-f0-9]+ |
+	   [[A-Za-z0-9\+/=]+
+
+Digest_Spec ::= "sha224" ':' digest |
+		"sha256" ':' digest |
+		"sha384" ':' digest |
+		"sha512" ':' digest
+
 Cmnd_List ::= Cmnd |
               Cmnd ',' Cmnd_List
 
@@ -655,7 +663,7 @@ command name ::= file name |
                  file name args |
                  file name '""'
 
-Cmnd ::= '!'* command name |
+Cmnd ::= Digest_Spec? '!'* command name |
          '!'* directory |
          '!'* "sudoedit" |
          '!'* Cmnd_Alias
@@ -716,6 +724,34 @@ is a command built into
 itself and must be specified in
 .Em sudoers
 without a leading path.
+.Pp
+If a
+.Li command name
+is prefixed with a
+.Li Digest_Spec ,
+the command will only match successfully if it can be verified
+using the specified SHA-2 digest.
+This may be useful in situations where the user invoking
+.Nm sudo
+has write access to the command or its parent directory.
+The digest string may be specified in either hex or base64 format
+(base64 is more compact).
+There are many utilities capable of generating SHA-2 digests in hex
+format such as openssl, shasum, sha224sum, sha256sum, sha384sum, sha512sum.
+.Pp
+For example, using openssl:
+.Bd -literal
+$ openssl dgst -sha224 /bin/ls
+SHA224(/bin/ls)= 118187da8364d490b4a7debbf483004e8f3e053ec954309de2c41a25
+.Ed
+.Pp
+It is also possible to use openssl to generate base64 output:
+.Bd -literal
+$ openssl dgst -binary -sha224 /bin/ls | openssl base64
+EYGH2oNk1JC0p9679IMATo8+BT7JVDCd4sQaJQ==
+.Ed
+.Pp
+Command digests are only supported by version 1.8.7 or higher.
 .Ss Defaults
 Certain configuration options may be changed from their default
 values at run-time via one or more
@@ -3430,7 +3466,9 @@ Host_Alias	CDROM = orion, perseus, hercules
 
 # Cmnd alias specification
 Cmnd_Alias	DUMPS = /usr/bin/mt, /usr/sbin/dump, /usr/sbin/rdump,\e
-			/usr/sbin/restore, /usr/sbin/rrestore
+			/usr/sbin/restore, /usr/sbin/rrestore,\e
+			sha224:0GomF8mNN3wlDt1HD9XldjJ3SNgpFdbjO1+NsQ== \e
+			/home/operator/bin/start_backups
 Cmnd_Alias	KILL = /usr/bin/kill
 Cmnd_Alias	PRINTING = /usr/sbin/lpc, /usr/bin/lprm
 Cmnd_Alias	SHUTDOWN = /usr/sbin/shutdown
@@ -3563,6 +3601,15 @@ Here, those are commands related to backups, killing processes, the
 printing system, shutting down the system, and any commands in the
 directory
 .Pa /usr/oper/bin/ .
+Note that one command in the
+.Li DUMPS
+Cmnd_Alias includes a sha224 digest,
+.Pa /home/operator/bin/start_backups .
+This is because the directory containing the script is writable by the
+operator user.
+If the script is modified (resulting in a digest mismatch) it will no longer
+be possible to run it via
+.Nm sudo .
 .Bd -literal
 joe		ALL = /usr/bin/su operator
 .Ed