mir/sudo
2
0
Fork 0
mirror of https://github.com/sudo-project/sudo.git synced 2025-08-28 12:57:50 +00:00
Code Issues Releases Wiki Activity

Reset HOME when env_reset is enabled unless it is in env_keep

Browse Source
This commit is contained in:
Todd C. Miller 2010-07-19 15:35:47 -04:00
parent c31e1227f1
commit ee7221f1fe
9 changed files with 156 additions and 123 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

11
WHATSNEW
View File

@ -42,9 +42,14 @@ What's new in Sudo 1.7.4?
more than 32 descriptors on SuSE Linux, where sysconf(_SC_CHILD_MAX) more than 32 descriptors on SuSE Linux, where sysconf(_SC_CHILD_MAX)
will return -1 when RLIMIT_NPROC is set to RLIMIT_UNLIMITED (-1). will return -1 when RLIMIT_NPROC is set to RLIMIT_UNLIMITED (-1).
* If env_reset is enabled in sudoers (the default), sudo will now set * The HOME and MAIL environment variables are now reset based on the
the MAIL environment variable based on the target user unless MAIL is target user's password database entry when the env_reset sudoers option
explicitly preserved in sudoers. Previously MAIL was passed unchanged. is enabled (which is the case in the default configuration). Users
wishing to preserve the original values should use a sudoers entry like:
Defaults env_keep += HOME
to preserve the old value of HOME and
Defaults env_keep += MAIL
to preserve the old value of MAIL.
What's new in Sudo 1.7.3? What's new in Sudo 1.7.3?

9
doc/UPGRADE
View File

@ -10,6 +10,15 @@ o Upgrading from a version prior to 1.7.4:
system reboots. Time stamp files older than the boot time are system reboots. Time stamp files older than the boot time are
ignored on systems where it is possible to determine this. ignored on systems where it is possible to determine this.
The HOME and MAIL environment variables are now reset based on the
target user's password database entry when the env_reset sudoers option
is enabled (which is the case in the default configuration). Users
wishing to preserve the original values should use a sudoers entry like:
Defaults env_keep += HOME
to preserve the old value of HOME and
Defaults env_keep += MAIL
to preserve the old value of MAIL.
o Upgrading from a version prior to 1.7.0: o Upgrading from a version prior to 1.7.0:
Starting with sudo 1.7.0, comments in the sudoers file must not Starting with sudo 1.7.0, comments in the sudoers file must not

24
doc/sudo.cat
View File

@ -186,10 +186,10 @@ SUDO(1m) MAINTENANCE COMMANDS SUDO(1m)
-H The --HH (_H_O_M_E) option requests that the security policy set -H The --HH (_H_O_M_E) option requests that the security policy set
the HOME environment variable to the home directory of the the HOME environment variable to the home directory of the
target user (root by default) as specified by the password target user (root by default) as specified by the password
database. database. Depending on the policy, this may be the default
behavior.
-h The --hh (_h_e_l_p) option causes ssuuddoo to print a usage message -h The --hh (_h_e_l_p) option causes ssuuddoo to print a usage message
and exit.
@ -202,6 +202,8 @@ SUDO(1m) MAINTENANCE COMMANDS SUDO(1m)
SUDO(1m) MAINTENANCE COMMANDS SUDO(1m) SUDO(1m) MAINTENANCE COMMANDS SUDO(1m)
and exit.
-i [command] -i [command]
The --ii (_s_i_m_u_l_a_t_e _i_n_i_t_i_a_l _l_o_g_i_n) option runs the shell The --ii (_s_i_m_u_l_a_t_e _i_n_i_t_i_a_l _l_o_g_i_n) option runs the shell
specified by the password database entry of the target user specified by the password database entry of the target user
@ -254,8 +256,6 @@ SUDO(1m) MAINTENANCE COMMANDS SUDO(1m)
messages and exit. messages and exit.
-P The --PP (_p_r_e_s_e_r_v_e _g_r_o_u_p _v_e_c_t_o_r) option causes ssuuddoo to -P The --PP (_p_r_e_s_e_r_v_e _g_r_o_u_p _v_e_c_t_o_r) option causes ssuuddoo to
preserve the invoking user's group vector unaltered. By
default, the _s_u_d_o_e_r_s policy will initialize the group
@ -268,6 +268,8 @@ SUDO(1m) MAINTENANCE COMMANDS SUDO(1m)
SUDO(1m) MAINTENANCE COMMANDS SUDO(1m) SUDO(1m) MAINTENANCE COMMANDS SUDO(1m)
preserve the invoking user's group vector unaltered. By
default, the _s_u_d_o_e_r_s policy will initialize the group
vector to the list of groups the target user is in. The vector to the list of groups the target user is in. The
real and effective group IDs, however, are still set to real and effective group IDs, however, are still set to
match the target user. match the target user.
@ -320,8 +322,6 @@ SUDO(1m) MAINTENANCE COMMANDS SUDO(1m)
role. role.
-U _u_s_e_r The --UU (_o_t_h_e_r _u_s_e_r) option is used in conjunction with the -U _u_s_e_r The --UU (_o_t_h_e_r _u_s_e_r) option is used in conjunction with the
--ll option to specify the user whose privileges should be
listed. The security policy may restrict listing other
@ -334,6 +334,8 @@ SUDO(1m) MAINTENANCE COMMANDS SUDO(1m)
SUDO(1m) MAINTENANCE COMMANDS SUDO(1m) SUDO(1m) MAINTENANCE COMMANDS SUDO(1m)
--ll option to specify the user whose privileges should be
listed. The security policy may restrict listing other
users' privileges. The _s_u_d_o_e_r_s policy only allows root or users' privileges. The _s_u_d_o_e_r_s policy only allows root or
a user with the ALL privilege on the current host to use a user with the ALL privilege on the current host to use
this option. this option.
@ -389,8 +391,6 @@ PPLLUUGGIINNSS
1.8.0b1 July 19, 2010 6 1.8.0b1 July 19, 2010 6
@ -484,9 +484,10 @@ EENNVVIIRROONNMMEENNTT
MAIL In --ii mode or when _e_n_v___r_e_s_e_t is enabled in _s_u_d_o_e_r_s, set MAIL In --ii mode or when _e_n_v___r_e_s_e_t is enabled in _s_u_d_o_e_r_s, set
to the mail spool of the target user to the mail spool of the target user
HOME In --ii, --ss or --HH mode (or if sudo was configured with HOME Set to the home directory of the target user if --ii or
the --enable-shell-sets-home option), set to homedir of --HH are specified, _e_n_v___r_e_s_e_t or _a_l_w_a_y_s___s_e_t___h_o_m_e are set
the target user in _s_u_d_o_e_r_s, or when the --ss option is specified and
_s_e_t___h_o_m_e is set in _s_u_d_o_e_r_s
PATH May be overridden by the security policy. PATH May be overridden by the security policy.
@ -522,7 +523,6 @@ FFIILLEESS
1.8.0b1 July 19, 2010 8 1.8.0b1 July 19, 2010 8

7
doc/sudo.man.in
View File

@ -345,6 +345,7 @@ root). In either case, the primary group will be set to \fIgroup\fR.
The \fB\-H\fR (\fI\s-1HOME\s0\fR) option requests that the security policy set The \fB\-H\fR (\fI\s-1HOME\s0\fR) option requests that the security policy set
the \f(CW\*(C`HOME\*(C'\fR environment variable to the home directory of the target the \f(CW\*(C`HOME\*(C'\fR environment variable to the home directory of the target
user (root by default) as specified by the password database. user (root by default) as specified by the password database.
Depending on the policy, this may be the default behavior.
.IP "\-h" 12 .IP "\-h" 12
.IX Item "-h" .IX Item "-h"
The \fB\-h\fR (\fIhelp\fR) option causes \fBsudo\fR to print a usage message and exit. The \fB\-h\fR (\fIhelp\fR) option causes \fBsudo\fR to print a usage message and exit.
@ -605,8 +606,10 @@ to the mail spool of the target user
.ie n .IP "\*(C`HOME\*(C'" 16 .ie n .IP "\*(C`HOME\*(C'" 16
.el .IP "\f(CW\*(C`HOME\*(C'\fR" 16 .el .IP "\f(CW\*(C`HOME\*(C'\fR" 16
.IX Item "HOME" .IX Item "HOME"
In \fB\-i\fR, \fB\-s\fR or \fB\-H\fR mode (or if sudo was configured with the Set to the home directory of the target user if \fB\-i\fR or \fB\-H\fR are
\&\-\-enable\-shell\-sets\-home option), set to homedir of the target user specified, \fIenv_reset\fR or \fIalways_set_home\fR are set in \fIsudoers\fR,
or when the \fB\-s\fR option is specified and \fIset_home\fR is set in
\&\fIsudoers\fR
.ie n .IP "\*(C`PATH\*(C'" 16 .ie n .IP "\*(C`PATH\*(C'" 16
.el .IP "\f(CW\*(C`PATH\*(C'\fR" 16 .el .IP "\f(CW\*(C`PATH\*(C'\fR" 16
.IX Item "PATH" .IX Item "PATH"

7
doc/sudo.pod
View File

@ -225,6 +225,7 @@ root). In either case, the primary group will be set to I<group>.
The B<-H> (I<HOME>) option requests that the security policy set The B<-H> (I<HOME>) option requests that the security policy set
the C<HOME> environment variable to the home directory of the target the C<HOME> environment variable to the home directory of the target
user (root by default) as specified by the password database. user (root by default) as specified by the password database.
Depending on the policy, this may be the default behavior.
=item -h =item -h
@ -505,8 +506,10 @@ to the mail spool of the target user
=item C<HOME> =item C<HOME>
In B<-i>, B<-s> or B<-H> mode (or if sudo was configured with the Set to the home directory of the target user if B<-i> or B<-H> are
--enable-shell-sets-home option), set to homedir of the target user specified, I<env_reset> or I<always_set_home> are set in I<sudoers>,
or when the B<-s> option is specified and I<set_home> is set in
I<sudoers>
=item C<PATH> =item C<PATH>

160
doc/sudoers.cat
View File

@ -706,18 +706,18 @@ SSUUDDOOEERRSS OOPPTTIIOONNSS
BBoooolleeaann FFllaaggss: BBoooolleeaann FFllaaggss:
always_set_home If set, ssuuddoo will set the HOME environment variable to always_set_home If enabled, ssuuddoo will set the HOME environment variable
the home directory of the target user (which is root to the home directory of the target user (which is root
unless the --uu option is used). This effectively means unless the --uu option is used). This effectively means
that the --HH option is always implied. This flag is _o_f_f that the --HH option is always implied. Note that HOME
by default. is already set when the the _e_n_v___r_e_s_e_t option is
enabled, so _a_l_w_a_y_s___s_e_t___h_o_m_e is only effective for
configurations where _e_n_v___r_e_s_e_t is disabled. This flag
is _o_f_f by default.
authenticate If set, users must authenticate themselves via a authenticate If set, users must authenticate themselves via a
password (or other means of authentication) before they password (or other means of authentication) before they
may run commands. This default may be overridden via may run commands. This default may be overridden via
the PASSWD and NOPASSWD tags. This flag is _o_n by
default.
@ -730,6 +730,9 @@ SSUUDDOOEERRSS OOPPTTIIOONNSS
SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4) SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4)
the PASSWD and NOPASSWD tags. This flag is _o_n by
default.
closefrom_override closefrom_override
If set, the user may use ssuuddoo's --CC option which If set, the user may use ssuuddoo's --CC option which
overrides the default starting point at which ssuuddoo overrides the default starting point at which ssuuddoo
@ -781,9 +784,6 @@ SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4)
fqdn Set this flag if you want to put fully qualified host fqdn Set this flag if you want to put fully qualified host
names in the _s_u_d_o_e_r_s file. I.e., instead of myhost you names in the _s_u_d_o_e_r_s file. I.e., instead of myhost you
would use myhost.mydomain.edu. You may still use the
short form if you wish (and even mix the two). Beware
that turning on _f_q_d_n requires ssuuddoo to make DNS lookups
@ -796,6 +796,9 @@ SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4)
SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4) SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4)
would use myhost.mydomain.edu. You may still use the
short form if you wish (and even mix the two). Beware
that turning on _f_q_d_n requires ssuuddoo to make DNS lookups
which may make ssuuddoo unusable if DNS stops working (for which may make ssuuddoo unusable if DNS stops working (for
example if the machine is not plugged into the example if the machine is not plugged into the
network). Also note that you must use the host's network). Also note that you must use the host's
@ -847,9 +850,6 @@ SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4)
does not enter the correct password. This flag is _o_f_f does not enter the correct password. This flag is _o_f_f
by default. by default.
mail_no_host If set, mail will be sent to the _m_a_i_l_t_o user if the
invoking user exists in the _s_u_d_o_e_r_s file, but is not
allowed to run commands on the current host. This flag
@ -862,6 +862,9 @@ SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4)
SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4) SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4)
mail_no_host If set, mail will be sent to the _m_a_i_l_t_o user if the
invoking user exists in the _s_u_d_o_e_r_s file, but is not
allowed to run commands on the current host. This flag
is _o_f_f by default. is _o_f_f by default.
mail_no_perms If set, mail will be sent to the _m_a_i_l_t_o user if the mail_no_perms If set, mail will be sent to the _m_a_i_l_t_o user if the
@ -914,9 +917,6 @@ SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4)
able to determine the length of the password being able to determine the length of the password being
entered. This flag is _o_f_f by default. entered. This flag is _o_f_f by default.
requiretty If set, ssuuddoo will only run when the user is logged in
to a real tty. When this flag is set, ssuuddoo can only be
1.8.0b1 July 19, 2010 14 1.8.0b1 July 19, 2010 14
@ -928,6 +928,8 @@ SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4)
SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4) SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4)
requiretty If set, ssuuddoo will only run when the user is logged in
to a real tty. When this flag is set, ssuuddoo can only be
run from a login session and not via other means such run from a login session and not via other means such
as _c_r_o_n(1m) or cgi-bin scripts. This flag is _o_f_f by as _c_r_o_n(1m) or cgi-bin scripts. This flag is _o_f_f by
default. default.
@ -950,11 +952,14 @@ SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4)
instead of the password of the invoking user. This instead of the password of the invoking user. This
flag is _o_f_f by default. flag is _o_f_f by default.
set_home If set and ssuuddoo is invoked with the --ss option the HOME set_home If enabled and ssuuddoo is invoked with the --ss option the
environment variable will be set to the home directory HOME environment variable will be set to the home
of the target user (which is root unless the --uu option directory of the target user (which is root unless the
is used). This effectively makes the --ss option imply --uu option is used). This effectively makes the --ss
--HH. This flag is _o_f_f by default. option imply --HH. Note that HOME is already set when
the the _e_n_v___r_e_s_e_t option is enabled, so _s_e_t___h_o_m_e is
only effective for configurations where _e_n_v___r_e_s_e_t is
disabled. This flag is _o_f_f by default.
set_logname Normally, ssuuddoo will set the LOGNAME, USER and USERNAME set_logname Normally, ssuuddoo will set the LOGNAME, USER and USERNAME
environment variables to the name of the target user environment variables to the name of the target user
@ -977,11 +982,6 @@ SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4)
shell_noargs If set and ssuuddoo is invoked with no arguments it acts as shell_noargs If set and ssuuddoo is invoked with no arguments it acts as
if the --ss option had been given. That is, it runs a if the --ss option had been given. That is, it runs a
shell as root (the shell is determined by the SHELL
environment variable if it is set, falling back on the
shell listed in the invoking user's /etc/passwd entry
if not). This flag is _o_f_f by default.
@ -994,6 +994,11 @@ SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4)
SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4) SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4)
shell as root (the shell is determined by the SHELL
environment variable if it is set, falling back on the
shell listed in the invoking user's /etc/passwd entry
if not). This flag is _o_f_f by default.
stay_setuid Normally, when ssuuddoo executes a command the real and stay_setuid Normally, when ssuuddoo executes a command the real and
effective UIDs are set to the target user (root by effective UIDs are set to the target user (root by
default). This option changes that behavior such that default). This option changes that behavior such that
@ -1043,11 +1048,6 @@ SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4)
Normally, ssuuddoo uses a directory in the ticket dir with Normally, ssuuddoo uses a directory in the ticket dir with
the same name as the user running it. With this flag the same name as the user running it. With this flag
enabled, ssuuddoo will use a file named for the tty the enabled, ssuuddoo will use a file named for the tty the
user is logged in on in that directory. This flag is
_o_f_f by default.
umask_override If set, ssuuddoo will set the umask as specified by _s_u_d_o_e_r_s
without modification. This makes it possible to
@ -1060,6 +1060,11 @@ SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4)
SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4) SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4)
user is logged in on in that directory. This flag is
_o_f_f by default.
umask_override If set, ssuuddoo will set the umask as specified by _s_u_d_o_e_r_s
without modification. This makes it possible to
specify a more permissive umask in _s_u_d_o_e_r_s than the specify a more permissive umask in _s_u_d_o_e_r_s than the
user's own umask and matches historical behavior. If user's own umask and matches historical behavior. If
_u_m_a_s_k___o_v_e_r_r_i_d_e is not set, ssuuddoo will set the umask to _u_m_a_s_k___o_v_e_r_r_i_d_e is not set, ssuuddoo will set the umask to
@ -1109,11 +1114,6 @@ SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4)
passwd_timeout Number of minutes before the ssuuddoo password prompt times passwd_timeout Number of minutes before the ssuuddoo password prompt times
out, or 0 for no timeout. The timeout may include a out, or 0 for no timeout. The timeout may include a
fractional component if minute granularity is
insufficient, for example 2.5. The default is 5.
timestamp_timeout
Number of minutes that can elapse before ssuuddoo will ask
@ -1126,6 +1126,11 @@ SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4)
SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4) SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4)
fractional component if minute granularity is
insufficient, for example 2.5. The default is 5.
timestamp_timeout
Number of minutes that can elapse before ssuuddoo will ask
for a passwd again. The timeout may include a for a passwd again. The timeout may include a
fractional component if minute granularity is fractional component if minute granularity is
insufficient, for example 2.5. The default is 5. Set insufficient, for example 2.5. The default is 5. Set
@ -1176,11 +1181,6 @@ SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4)
domain name (on if the machine's host name is fully domain name (on if the machine's host name is fully
qualified or the _f_q_d_n option is set) qualified or the _f_q_d_n option is set)
%h expanded to the local host name without the domain
name
%p expanded to the user whose password is being asked
1.8.0b1 July 19, 2010 18 1.8.0b1 July 19, 2010 18
@ -1192,6 +1192,10 @@ SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4)
SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4) SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4)
%h expanded to the local host name without the domain
name
%p expanded to the user whose password is being asked
for (respects the _r_o_o_t_p_w, _t_a_r_g_e_t_p_w and _r_u_n_a_s_p_w for (respects the _r_o_o_t_p_w, _t_a_r_g_e_t_p_w and _r_u_n_a_s_p_w
flags in _s_u_d_o_e_r_s) flags in _s_u_d_o_e_r_s)
@ -1242,10 +1246,6 @@ SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4)
askpass The _a_s_k_p_a_s_s option specifies the fully qualified path to a askpass The _a_s_k_p_a_s_s option specifies the fully qualified path to a
helper program used to read the user's password when no helper program used to read the user's password when no
terminal is available. This may be the case when ssuuddoo is
executed from a graphical (as opposed to text-based)
application. The program specified by _a_s_k_p_a_s_s should
display the argument passed to it as the prompt and write
@ -1258,6 +1258,10 @@ SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4)
SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4) SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4)
terminal is available. This may be the case when ssuuddoo is
executed from a graphical (as opposed to text-based)
application. The program specified by _a_s_k_p_a_s_s should
display the argument passed to it as the prompt and write
the user's password to the standard output. The value of the user's password to the standard output. The value of
_a_s_k_p_a_s_s may be overridden by the SUDO_ASKPASS environment _a_s_k_p_a_s_s may be overridden by the SUDO_ASKPASS environment
variable. variable.
@ -1308,10 +1312,6 @@ SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4)
lecture_file lecture_file
Path to a file containing an alternate ssuuddoo lecture that Path to a file containing an alternate ssuuddoo lecture that
will be used in place of the standard lecture if the named
file exists. By default, ssuuddoo uses a built-in lecture.
listpw This option controls when a password will be required when
@ -1324,6 +1324,10 @@ SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4)
SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4) SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4)
will be used in place of the standard lecture if the named
file exists. By default, ssuuddoo uses a built-in lecture.
listpw This option controls when a password will be required when
a user runs ssuuddoo with the --ll option. It has the following a user runs ssuuddoo with the --ll option. It has the following
possible values: possible values:
@ -1374,10 +1378,6 @@ SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4)
syslog Syslog facility if syslog is being used for logging (negate syslog Syslog facility if syslog is being used for logging (negate
to disable syslog logging). Defaults to local2. to disable syslog logging). Defaults to local2.
verifypw This option controls when a password will be required when
a user runs ssuuddoo with the --vv option. It has the following
possible values:
@ -1390,6 +1390,10 @@ SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4)
SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4) SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4)
verifypw This option controls when a password will be required when
a user runs ssuuddoo with the --vv option. It has the following
possible values:
all All the user's _s_u_d_o_e_r_s entries for the current host all All the user's _s_u_d_o_e_r_s entries for the current host
must have the NOPASSWD flag set to avoid entering a must have the NOPASSWD flag set to avoid entering a
password. password.
@ -1440,10 +1444,6 @@ SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4)
env_keep Environment variables to be preserved in the user's env_keep Environment variables to be preserved in the user's
environment when the _e_n_v___r_e_s_e_t option is in effect. environment when the _e_n_v___r_e_s_e_t option is in effect.
This allows fine-grained control over the environment This allows fine-grained control over the environment
ssuuddoo-spawned processes will receive. The argument may
be a double-quoted, space-separated list or a single
value without double-quotes. The list can be replaced,
added to, deleted from, or disabled by using the =, +=,
@ -1456,6 +1456,10 @@ SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4)
SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4) SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4)
ssuuddoo-spawned processes will receive. The argument may
be a double-quoted, space-separated list or a single
value without double-quotes. The list can be replaced,
added to, deleted from, or disabled by using the =, +=,
-=, and ! operators respectively. The default list of -=, and ! operators respectively. The default list of
variables to keep is displayed when ssuuddoo is run by root variables to keep is displayed when ssuuddoo is run by root
with the _-_V option. with the _-_V option.
@ -1506,10 +1510,6 @@ EEXXAAMMPPLLEESS
Host_Alias SPARC = bigtime, eclipse, moet, anchor :\ Host_Alias SPARC = bigtime, eclipse, moet, anchor :\
SGI = grolsch, dandelion, black :\ SGI = grolsch, dandelion, black :\
ALPHA = widget, thalamus, foobar :\ ALPHA = widget, thalamus, foobar :\
HPPA = boa, nag, python
Host_Alias CUNETS = 128.138.0.0/255.255.0.0
Host_Alias CSNETS = 128.138.243.0, 128.138.204.0/24, 128.138.242.0
Host_Alias SERVERS = master, mail, www, ns
@ -1522,6 +1522,10 @@ EEXXAAMMPPLLEESS
SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4) SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4)
HPPA = boa, nag, python
Host_Alias CUNETS = 128.138.0.0/255.255.0.0
Host_Alias CSNETS = 128.138.243.0, 128.138.204.0/24, 128.138.242.0
Host_Alias SERVERS = master, mail, www, ns
Host_Alias CDROM = orion, perseus, hercules Host_Alias CDROM = orion, perseus, hercules
# Cmnd alias specification # Cmnd alias specification
@ -1573,10 +1577,6 @@ SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4)
PARTTIMERS ALL = ALL PARTTIMERS ALL = ALL
Part time sysadmins (bboossttlleeyy, jjwwffooxx, and ccrraawwll) may run any command on
any host but they must authenticate themselves first (since the entry
lacks the NOPASSWD tag).
1.8.0b1 July 19, 2010 24 1.8.0b1 July 19, 2010 24
@ -1588,6 +1588,10 @@ SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4)
SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4) SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4)
Part time sysadmins (bboossttlleeyy, jjwwffooxx, and ccrraawwll) may run any command on
any host but they must authenticate themselves first (since the entry
lacks the NOPASSWD tag).
jack CSNETS = ALL jack CSNETS = ALL
The user jjaacckk may run any command on the machines in the _C_S_N_E_T_S alias The user jjaacckk may run any command on the machines in the _C_S_N_E_T_S alias
@ -1638,10 +1642,6 @@ SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4)
Users in the sseeccrreettaarriieess netgroup need to help manage the printers as Users in the sseeccrreettaarriieess netgroup need to help manage the printers as
well as add and remove users, so they are allowed to run those commands well as add and remove users, so they are allowed to run those commands
on all machines.
fred ALL = (DB) NOPASSWD: ALL
@ -1654,6 +1654,10 @@ SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4)
SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4) SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4)
on all machines.
fred ALL = (DB) NOPASSWD: ALL
The user ffrreedd can run commands as any user in the _D_B Runas_Alias The user ffrreedd can run commands as any user in the _D_B Runas_Alias
(oorraaccllee or ssyybbaassee) without giving a password. (oorraaccllee or ssyybbaassee) without giving a password.
@ -1705,10 +1709,6 @@ SSEECCUURRIITTYY NNOOTTEESS
bill ALL = ALL, !SU, !SHELLS bill ALL = ALL, !SU, !SHELLS
Doesn't really prevent bbiillll from running the commands listed in _S_U or
_S_H_E_L_L_S since he can simply copy those commands to a different name, or
use a shell escape from an editor or other program. Therefore, these
1.8.0b1 July 19, 2010 26 1.8.0b1 July 19, 2010 26
@ -1720,6 +1720,9 @@ SSEECCUURRIITTYY NNOOTTEESS
SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4) SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4)
Doesn't really prevent bbiillll from running the commands listed in _S_U or
_S_H_E_L_L_S since he can simply copy those commands to a different name, or
use a shell escape from an editor or other program. Therefore, these
kind of restrictions should be considered advisory at best (and kind of restrictions should be considered advisory at best (and
reinforced by policy). reinforced by policy).
@ -1772,9 +1775,6 @@ PPRREEVVEENNTTIINNGG SSHHEELLLL EESSCCAAPPEESS
If the resulting output contains a line that begins with: If the resulting output contains a line that begins with:
File containing dummy exec functions:
1.8.0b1 July 19, 2010 27 1.8.0b1 July 19, 2010 27
@ -1786,6 +1786,8 @@ PPRREEVVEENNTTIINNGG SSHHEELLLL EESSCCAAPPEESS
SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4) SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4)
File containing dummy exec functions:
then ssuuddoo may be able to replace the exec family of functions then ssuuddoo may be able to replace the exec family of functions
in the standard library with its own that simply return an in the standard library with its own that simply return an
error. Unfortunately, there is no foolproof way to know error. Unfortunately, there is no foolproof way to know
@ -1838,8 +1840,6 @@ SSEECCUURRIITTYY NNOOTTEESS
writable directory. writable directory.
On systems where the boot time is available, _s_u_d_o_e_r_s will ignore time On systems where the boot time is available, _s_u_d_o_e_r_s will ignore time
stamps that date from before the machine booted.
@ -1852,6 +1852,8 @@ SSEECCUURRIITTYY NNOOTTEESS
SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4) SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4)
stamps that date from before the machine booted.
Since time stamp files live in the file system, they can outlive a Since time stamp files live in the file system, they can outlive a
user's login session. As a result, a user may be able to login, run a user's login session. As a result, a user may be able to login, run a
command with ssuuddoo after authenticating, logout, login again, and run command with ssuuddoo after authenticating, logout, login again, and run
@ -1907,8 +1909,6 @@ DDIISSCCLLAAIIMMEERR
1.8.0b1 July 19, 2010 29 1.8.0b1 July 19, 2010 29

16
doc/sudoers.man.in
View File

@ -828,9 +828,12 @@ grouped by type, are listed below.
\&\fBBoolean Flags\fR: \&\fBBoolean Flags\fR:
.IP "always_set_home" 16 .IP "always_set_home" 16
.IX Item "always_set_home" .IX Item "always_set_home"
If set, \fBsudo\fR will set the \f(CW\*(C`HOME\*(C'\fR environment variable to the home If enabled, \fBsudo\fR will set the \f(CW\*(C`HOME\*(C'\fR environment variable to the
directory of the target user (which is root unless the \fB\-u\fR option is used). home directory of the target user (which is root unless the \fB\-u\fR
This effectively means that the \fB\-H\fR option is always implied. option is used). This effectively means that the \fB\-H\fR option is
always implied. Note that \f(CW\*(C`HOME\*(C'\fR is already set when the the
\&\fIenv_reset\fR option is enabled, so \fIalways_set_home\fR is only
effective for configurations where \fIenv_reset\fR is disabled.
This flag is \fIoff\fR by default. This flag is \fIoff\fR by default.
.IP "authenticate" 16 .IP "authenticate" 16
.IX Item "authenticate" .IX Item "authenticate"
@ -1021,10 +1024,13 @@ If set, \fBsudo\fR will prompt for the password of the user defined by the
password of the invoking user. This flag is \fIoff\fR by default. password of the invoking user. This flag is \fIoff\fR by default.
.IP "set_home" 16 .IP "set_home" 16
.IX Item "set_home" .IX Item "set_home"
If set and \fBsudo\fR is invoked with the \fB\-s\fR option the \f(CW\*(C`HOME\*(C'\fR If enabled and \fBsudo\fR is invoked with the \fB\-s\fR option the \f(CW\*(C`HOME\*(C'\fR
environment variable will be set to the home directory of the target environment variable will be set to the home directory of the target
user (which is root unless the \fB\-u\fR option is used). This effectively user (which is root unless the \fB\-u\fR option is used). This effectively
makes the \fB\-s\fR option imply \fB\-H\fR. This flag is \fIoff\fR by default. makes the \fB\-s\fR option imply \fB\-H\fR. Note that \f(CW\*(C`HOME\*(C'\fR is already
set when the the \fIenv_reset\fR option is enabled, so \fIset_home\fR is
only effective for configurations where \fIenv_reset\fR is disabled.
This flag is \fIoff\fR by default.
.IP "set_logname" 16 .IP "set_logname" 16
.IX Item "set_logname" .IX Item "set_logname"
Normally, \fBsudo\fR will set the \f(CW\*(C`LOGNAME\*(C'\fR, \f(CW\*(C`USER\*(C'\fR and \f(CW\*(C`USERNAME\*(C'\fR Normally, \fBsudo\fR will set the \f(CW\*(C`LOGNAME\*(C'\fR, \f(CW\*(C`USER\*(C'\fR and \f(CW\*(C`USERNAME\*(C'\fR

16
doc/sudoers.pod
View File

@ -689,9 +689,12 @@ B<Boolean Flags>:
=item always_set_home =item always_set_home
If set, B<sudo> will set the C<HOME> environment variable to the home If enabled, B<sudo> will set the C<HOME> environment variable to the
directory of the target user (which is root unless the B<-u> option is used). home directory of the target user (which is root unless the B<-u>
This effectively means that the B<-H> option is always implied. option is used). This effectively means that the B<-H> option is
always implied. Note that C<HOME> is already set when the the
I<env_reset> option is enabled, so I<always_set_home> is only
effective for configurations where I<env_reset> is disabled.
This flag is I<off> by default. This flag is I<off> by default.
=item authenticate =item authenticate
@ -910,10 +913,13 @@ password of the invoking user. This flag is I<off> by default.
=item set_home =item set_home
If set and B<sudo> is invoked with the B<-s> option the C<HOME> If enabled and B<sudo> is invoked with the B<-s> option the C<HOME>
environment variable will be set to the home directory of the target environment variable will be set to the home directory of the target
user (which is root unless the B<-u> option is used). This effectively user (which is root unless the B<-u> option is used). This effectively
makes the B<-s> option imply B<-H>. This flag is I<off> by default. makes the B<-s> option imply B<-H>. Note that C<HOME> is already
set when the the I<env_reset> option is enabled, so I<set_home> is
only effective for configurations where I<env_reset> is disabled.
This flag is I<off> by default.
=item set_logname =item set_logname

29
plugins/sudoers/env.c
View File

@ -193,7 +193,6 @@ static const char *initial_checkenv_table[] = {
static const char *initial_keepenv_table[] = { static const char *initial_keepenv_table[] = {
"COLORS", "COLORS",
"DISPLAY", "DISPLAY",
"HOME",
"HOSTNAME", "HOSTNAME",
"KRB5CCNAME", "KRB5CCNAME",
"LS_COLORS", "LS_COLORS",
@ -416,6 +415,7 @@ rebuild_env(int noexec)
char **old_envp, **ep, *cp, *ps1; char **old_envp, **ep, *cp, *ps1;
char idbuf[MAX_UID_T_LEN]; char idbuf[MAX_UID_T_LEN];
unsigned int didvar; unsigned int didvar;
int reset_home = FALSE;
/* /*
* Either clean out the environment or reset to a safe default. * Either clean out the environment or reset to a safe default.
@ -430,6 +430,9 @@ rebuild_env(int noexec)
memset(env.envp, 0, env.env_size * sizeof(char *)); memset(env.envp, 0, env.env_size * sizeof(char *));
#endif #endif
if (def_env_reset || ISSET(sudo_mode, MODE_LOGIN_SHELL)) { if (def_env_reset || ISSET(sudo_mode, MODE_LOGIN_SHELL)) {
/* Reset HOME based on target user unless keeping old value. */
reset_home = TRUE;
/* Pull in vars we want to keep from the old environment. */ /* Pull in vars we want to keep from the old environment. */
for (ep = old_envp; *ep; ep++) { for (ep = old_envp; *ep; ep++) {
int keepit; int keepit;
@ -498,7 +501,6 @@ rebuild_env(int noexec)
* on sudoers options). * on sudoers options).
*/ */
if (ISSET(sudo_mode, MODE_LOGIN_SHELL)) { if (ISSET(sudo_mode, MODE_LOGIN_SHELL)) {
sudo_setenv("HOME", runas_pw->pw_dir, ISSET(didvar, DID_HOME));
sudo_setenv("SHELL", runas_pw->pw_shell, ISSET(didvar, DID_SHELL)); sudo_setenv("SHELL", runas_pw->pw_shell, ISSET(didvar, DID_SHELL));
sudo_setenv("LOGNAME", runas_pw->pw_name, sudo_setenv("LOGNAME", runas_pw->pw_name,
ISSET(didvar, DID_LOGNAME)); ISSET(didvar, DID_LOGNAME));
@ -506,8 +508,6 @@ rebuild_env(int noexec)
sudo_setenv("USERNAME", runas_pw->pw_name, sudo_setenv("USERNAME", runas_pw->pw_name,
ISSET(didvar, DID_USERNAME)); ISSET(didvar, DID_USERNAME));
} else { } else {
if (!ISSET(didvar, DID_HOME))
sudo_setenv("HOME", user_dir, FALSE);
if (!ISSET(didvar, DID_SHELL)) if (!ISSET(didvar, DID_SHELL))
sudo_setenv("SHELL", sudo_user.pw->pw_shell, FALSE); sudo_setenv("SHELL", sudo_user.pw->pw_shell, FALSE);
if (!ISSET(didvar, DID_LOGNAME)) if (!ISSET(didvar, DID_LOGNAME))
@ -530,6 +530,13 @@ rebuild_env(int noexec)
sudo_putenv(cp, ISSET(didvar, DID_MAIL), TRUE); sudo_putenv(cp, ISSET(didvar, DID_MAIL), TRUE);
} }
} else { } else {
/* Reset HOME based on target user if configured to. */
if (ISSET(sudo_mode, MODE_RUN)) {
if (def_always_set_home || ISSET(sudo_mode, MODE_RESET_HOME) ||
(ISSET(sudo_mode, MODE_SHELL) && def_set_home))
reset_home = TRUE;
}
/* /*
* Copy environ entries as long as they don't match env_delete or * Copy environ entries as long as they don't match env_delete or
* env_check. * env_check.
@ -569,8 +576,7 @@ rebuild_env(int noexec)
} }
/* Set $USER, $LOGNAME and $USERNAME to target if "set_logname" is true. */ /* Set $USER, $LOGNAME and $USERNAME to target if "set_logname" is true. */
/* XXX - not needed for MODE_LOGIN_SHELL */ if (def_set_logname && !ISSET(sudo_mode, MODE_LOGIN_SHELL)) {
if (def_set_logname && runas_pw->pw_name) {
if (!ISSET(didvar, KEPT_LOGNAME)) if (!ISSET(didvar, KEPT_LOGNAME))
sudo_setenv("LOGNAME", runas_pw->pw_name, TRUE); sudo_setenv("LOGNAME", runas_pw->pw_name, TRUE);
if (!ISSET(didvar, KEPT_USER)) if (!ISSET(didvar, KEPT_USER))
@ -579,14 +585,9 @@ rebuild_env(int noexec)
sudo_setenv("USERNAME", runas_pw->pw_name, TRUE); sudo_setenv("USERNAME", runas_pw->pw_name, TRUE);
} }
/* Set $HOME for `sudo -H'. Only valid at PERM_FULL_RUNAS. */ /* Set $HOME to target user if not preserving user's value. */
/* XXX - not needed for MODE_LOGIN_SHELL */ if (reset_home && !ISSET(didvar, KEPT_HOME))
if (runas_pw->pw_dir) { sudo_setenv("HOME", runas_pw->pw_dir, ISSET(didvar, DID_HOME));
if (ISSET(sudo_mode, MODE_RESET_HOME) ||
(ISSET(sudo_mode, MODE_RUN) && (def_always_set_home ||
(ISSET(sudo_mode, MODE_SHELL) && def_set_home))))
sudo_setenv("HOME", runas_pw->pw_dir, TRUE);
}
/* Provide default values for $TERM and $PATH if they are not set. */ /* Provide default values for $TERM and $PATH if they are not set. */
if (!ISSET(didvar, DID_TERM)) if (!ISSET(didvar, DID_TERM))