mirror of
https://github.com/sudo-project/sudo.git
synced 2025-08-29 13:28:10 +00:00
Expand on NOEXEC a little.
parent
bf8eb4bcaf
commit
fc1dea2ed3
14
sudoers.pod
@ -1152,7 +1152,7 @@ running under binary emulation are not affected.
|
|||||||
To tell whether or not B<sudo> supports I<noexec>, you can run
|
To tell whether or not B<sudo> supports I<noexec>, you can run
|
||||||
the following as root:
|
the following as root:
|
||||||
|
|
||||||
\# sudo -V | grep "dummy exec"
|
sudo -V | grep "dummy exec"
|
||||||
|
|
||||||
If the resulting output contains a line that begins with:
|
If the resulting output contains a line that begins with:
|
||||||
|
|
||||||
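Review bot: In the `sudo -V | grep "dummy exec"` line, dropping the `\#` prompt is a change the commit subject ("Expand on NOEXEC a little.") does not cover, and it removes the only in-line cue that the command runs as root. The sentence above still says "as root", so the text stays correct, but please confirm the new line keeps its leading whitespace: POD treats only an indented line as a verbatim paragraph, and without the indent the `|` and the quotes would be reflowed as ordinary text. A word about the prompt change in the commit message would also help.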
@ -1170,9 +1170,15 @@ manual pages for the dynamic linker (usually ld.so, ld.so.1, dyld,
|
|||||||
dld.sl, rld, or loader) to see if C<LD_PRELOAD> is supported.
|
dld.sl, rld, or loader) to see if C<LD_PRELOAD> is supported.
|
||||||
|
|
||||||
To enable I<noexec> for a command, use the C<NOEXEC> tag as documented
|
To enable I<noexec> for a command, use the C<NOEXEC> tag as documented
|
||||||
in the User Specification section above. If you are unsure whether
|
in the User Specification section above. Here is that example again:
|
||||||
or not your system is capable of supporting I<noexec> you can always
|
|
||||||
just try it out and see if it works.
|
aaron shanty = NOEXEC: /usr/bin/more, /usr/bin/vi
|
||||||
|
|
||||||
|
This allows user B<aaron> to run F</usr/bin/more> and F</usr/bin/vi>
|
||||||
|
with I<noexec> enabled. This will prevent those two commands from
|
||||||
|
executing other commands (such as a shell). If you are unsure
|
||||||
|
whether or not your system is capable of supporting I<noexec> you
|
||||||
|
can always just try it out and see if it works.
|
||||||
|
|
||||||
Note that disabling shell escapes is not a panacea. Programs running
|
Note that disabling shell escapes is not a panacea. Programs running
|
||||||
as root are still capable of many potentially hazardous operations
|
as root are still capable of many potentially hazardous operations
|
||||||
|
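Review bot: The added sentence "This will prevent those two commands from executing other commands (such as a shell)" is unconditional, while the unchanged text just above makes I<noexec> depend on the dynamic linker supporting C<LD_PRELOAD>, and the same new paragraph ends with "just try it out and see if it works". Suggest qualifying it, for example "On systems where I<noexec> is supported, this will prevent ...", so that a reader who copies the `aaron shanty = NOEXEC: /usr/bin/more, /usr/bin/vi` rule does not assume the restriction holds everywhere. "Here is that example again" also creates a second copy of the User Specification example that must be kept in sync with the first, and "try it out" would be more useful if it said what to check, such as attempting a shell escape from F</usr/bin/vi> under the rule and confirming that it fails.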