author    Todd C. Miller <Todd.Miller@courtesan.com>  2010-04-07 09:46:01 -0400
committer Todd C. Miller <Todd.Miller@courtesan.com>  2010-04-07 09:46:01 -0400
commit    9c30b0e3deafaedca87f8a8d3b1e7ac06e06c7bc (patch)
tree      f63c35038111d8ffec68e8cafc8807bd1e357b0f
parent    e07c84b2d774062d049951e7ddd06e3ea66241f5 (diff)
download  sudo-9c30b0e3deafaedca87f8a8d3b1e7ac06e06c7bc.tar.gz
Add a note about the security implications of the fast_glob option.
-rw-r--r--  sudoers.cat     308
-rw-r--r--  sudoers.man.in   59
-rw-r--r--  sudoers.pod      25
3 files changed, 214 insertions, 178 deletions
diff --git a/sudoers.cat b/sudoers.cat
index a68748d13..7ba92863b 100644
--- a/sudoers.cat
+++ b/sudoers.cat
@@ -22,8 +22,7 @@ DDEESSCCRRIIPPTTIIOONN
what EBNF is; it is fairly simple, and the definitions
below are annotated.
- QQuuiicckk gguuiiddee ttoo EEBBNNFF
-
+ QQuuiicckk gguuiiddee ttoo EEBBNNFF
EBNF is a concise and exact way of describing the grammar
of a language. Each EBNF definition is made up of
_p_r_o_d_u_c_t_i_o_n _r_u_l_e_s. E.g.,
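Review bot: sudoers.cat is generated, formatted output rather than a source file, so almost every hunk in it (this one included) is pagination and footer-date churn from regenerating with a newer Pod::Man, not a content change; the review would be far easier if the regenerated sudoers.cat and sudoers.man.in were committed separately from the sudoers.pod wording change, or at least if the commit message said the two generated files were regenerated.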
@@ -51,17 +50,18 @@ DDEESSCCRRIIPPTTIIOONN
is a verbatim character string (as opposed to a symbol
name).
- AAlliiaasseess
-
+ AAlliiaasseess
There are four kinds of aliases: User_Alias, Runas_Alias,
Host_Alias and Cmnd_Alias.
+ Alias ::= 'User_Alias' User_Alias (':' User_Alias)* |
+ 'Runas_Alias' Runas_Alias (':' Runas_Alias)* |
+ 'Host_Alias' Host_Alias (':' Host_Alias)* |
+ 'Cmnd_Alias' Cmnd_Alias (':' Cmnd_Alias)*
-
-
-1.6.9p21 February 23, 2010 1
+1.6.9p21 April 7, 2010 1
@@ -70,10 +70,6 @@ DDEESSCCRRIIPPTTIIOONN
SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4)
- Alias ::= 'User_Alias' User_Alias (':' User_Alias)* |
- 'Runas_Alias' Runas_Alias (':' Runas_Alias)* |
- 'Host_Alias' Host_Alias (':' Host_Alias)* |
- 'Cmnd_Alias' Cmnd_Alias (':' Cmnd_Alias)*
User_Alias ::= NAME '=' User_List
@@ -125,9 +121,13 @@ SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4)
'!'* +netgroup |
'!'* Runas_Alias
+ A Runas_List is similar to a User_List except that it can
+ also contain uids (prefixed with '#') and instead of
+ User_Aliases it can contain Runas_Aliases. Note that
+
-1.6.9p21 February 23, 2010 2
+1.6.9p21 April 7, 2010 2
@@ -136,9 +136,6 @@ SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4)
SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4)
- A Runas_List is similar to a User_List except that it can
- also contain uids (prefixed with '#') and instead of
- User_Aliases it can contain Runas_Aliases. Note that
usernames and groups are matched as strings. In other
words, two users (groups) with the same uid (gid) are
considered to be distinct. If you wish to match all
@@ -190,10 +187,13 @@ SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4)
he/she wishes. However, you may also specify command line
arguments (including wildcards). Alternately, you can
specify "" to indicate that the command may only be run
+ wwiitthhoouutt command line arguments. A directory is a fully
+ qualified pathname ending in a '/'. When you specify a
+ directory in a Cmnd_List, the user will be able to run any
-1.6.9p21 February 23, 2010 3
+1.6.9p21 April 7, 2010 3
@@ -202,9 +202,6 @@ SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4)
SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4)
- wwiitthhoouutt command line arguments. A directory is a fully
- qualified pathname ending in a '/'. When you specify a
- directory in a Cmnd_List, the user will be able to run any
file within that directory (but not in any subdirectories
therein).
@@ -218,8 +215,7 @@ SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4)
--ee option (or as ssuuddooeeddiitt). It may take command line
arguments just as a normal command does.
- DDeeffaauullttss
-
+ DDeeffaauullttss
Certain configuration options may be changed from their
default values at runtime via one or more Default_Entry
lines. These may affect all users on any host, all users
@@ -257,21 +253,21 @@ SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4)
See "SUDOERS OPTIONS" for a list of supported Defaults
parameters.
+ UUsseerr SSppeecciiffiiccaattiioonn
+ User_Spec ::= User_List Host_List '=' Cmnd_Spec_List \
+ (':' Host_List '=' Cmnd_Spec_List)*
-1.6.9p21 February 23, 2010 4
+1.6.9p21 April 7, 2010 4
-SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4)
+SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4)
- UUsseerr SSppeecciiffiiccaattiioonn
- User_Spec ::= User_List Host_List '=' Cmnd_Spec_List \
- (':' Host_List '=' Cmnd_Spec_List)*
Cmnd_Spec_List ::= Cmnd_Spec |
Cmnd_Spec ',' Cmnd_Spec_List
@@ -290,8 +286,7 @@ SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4)
Let's break that down into its constituent parts:
- RRuunnaass__SSppeecc
-
+ RRuunnaass__SSppeecc
A Runas_Spec is simply a Runas_List (as defined above)
enclosed in a set of parentheses. If you do not specify a
Runas_Spec in the user specification, a default Runas_Spec
@@ -314,8 +309,7 @@ SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4)
Then user ddggbb is now allowed to run _/_b_i_n_/_l_s as ooppeerraattoorr,
but _/_b_i_n_/_k_i_l_l and _/_u_s_r_/_b_i_n_/_l_p_r_m as rroooott.
- TTaagg__SSppeecc
-
+ TTaagg__SSppeecc
A command may have zero or more tags associated with it.
There are six possible tag values, NOPASSWD, PASSWD,
NOEXEC, EXEC, SETENV and NOSETENV. Once a tag is set on a
@@ -323,22 +317,23 @@ SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4)
tag unless it is overridden by the opposite tag (i.e.:
PASSWD overrides NOPASSWD and NOEXEC overrides EXEC).
+ _N_O_P_A_S_S_W_D _a_n_d _P_A_S_S_W_D
+ By default, ssuuddoo requires that a user authenticate him or
+ herself before running a command. This behavior can be
+ modified via the NOPASSWD tag. Like a Runas_Spec, the
-1.6.9p21 February 23, 2010 5
+1.6.9p21 April 7, 2010 5
-SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4)
- _N_O_P_A_S_S_W_D _a_n_d _P_A_S_S_W_D
+SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4)
+
- By default, ssuuddoo requires that a user authenticate him or
- herself before running a command. This behavior can be
- modified via the NOPASSWD tag. Like a Runas_Spec, the
NOPASSWD tag sets a default for the commands that follow
it in the Cmnd_Spec_List. Conversely, the PASSWD tag can
be used to reverse things. For example:
@@ -388,24 +383,23 @@ SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4)
_e_n_v___c_h_e_c_k, _e_n_v___d_e_l_e_t_e, or _e_n_v___k_e_e_p. As such, only trusted
users should be allowed to set variables in this manner.
If the command matched is AALLLL, the SETENV tag is implied
+ for that command; this default may be overridden by use of
+ the UNSETENV tag.
+ WWiillddccaarrddss
+ ssuuddoo allows shell-style _w_i_l_d_c_a_r_d_s (aka meta or glob
-1.6.9p21 February 23, 2010 6
+1.6.9p21 April 7, 2010 6
-SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4)
+SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4)
- for that command; this default may be overridden by use of
- the UNSETENV tag.
-
- WWiillddccaarrddss
- ssuuddoo allows shell-style _w_i_l_d_c_a_r_d_s (aka meta or glob
characters) to be used in hostnames, pathnames and command
line arguments in the _s_u_d_o_e_r_s file. Wildcard matching is
done via the PPOOSSIIXX _g_l_o_b(3) and _f_n_m_a_t_c_h(3) routines. Note
@@ -432,8 +426,7 @@ SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4)
match _/_u_s_r_/_b_i_n_/_w_h_o but not _/_u_s_r_/_b_i_n_/_X_1_1_/_x_t_e_r_m.
- EExxcceeppttiioonnss ttoo wwiillddccaarrdd rruulleess
-
+ EExxcceeppttiioonnss ttoo wwiillddccaarrdd rruulleess
The following exceptions apply to the above rules:
"" If the empty string "" is the only command line
@@ -441,8 +434,7 @@ SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4)
command is not allowed to be run with aannyy
arguments.
- OOtthheerr ssppeecciiaall cchhaarraacctteerrss aanndd rreesseerrvveedd wwoorrddss
-
+ OOtthheerr ssppeecciiaall cchhaarraacctteerrss aanndd rreesseerrvveedd wwoorrddss
The pound sign ('#') is used to indicate a comment (unless
it is part of a #include directive or unless it occurs in
the context of a user name and is followed by one or more
@@ -454,10 +446,18 @@ SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4)
causes a match to succeed. It can be used wherever one
might otherwise use a Cmnd_Alias, User_Alias, Runas_Alias,
or Host_Alias. You should not try to define your own
+ _a_l_i_a_s called AALLLL as the built-in alias will be used in
+ preference to your own. Please note that using AALLLL can be
+ dangerous since in a command context, it allows the user
+ to run aannyy command on the system.
+
+ An exclamation point ('!') can be used as a logical _n_o_t
+ operator both in an _a_l_i_a_s and in front of a Cmnd. This
+ allows one to exclude certain values. Note, however, that
-1.6.9p21 February 23, 2010 7
+1.6.9p21 April 7, 2010 7
@@ -466,14 +466,6 @@ SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4)
SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4)
- _a_l_i_a_s called AALLLL as the built-in alias will be used in
- preference to your own. Please note that using AALLLL can be
- dangerous since in a command context, it allows the user
- to run aannyy command on the system.
-
- An exclamation point ('!') can be used as a logical _n_o_t
- operator both in an _a_l_i_a_s and in front of a Cmnd. This
- allows one to exclude certain values. Note, however, that
using a ! in conjunction with the built-in ALL alias to
allow a user to run "all but a few" commands rarely works
as intended (see SECURITY NOTES below).
@@ -520,26 +512,26 @@ SSUUDDOOEERRSS OOPPTTIIOONNSS
a colon-separated list of editors in the
editor variable. vviissuuddoo will then only
use the EDITOR or VISUAL if they match a
+ value specified in editor. This flag is
+ _o_f_f by default.
+ env_reset If set, ssuuddoo will reset the environment to
+ only contain the LOGNAME, SHELL, USER,
+ USERNAME and the SUDO_* variables. Any
+ variables in the caller's environment that
+ match the env_keep and env_check lists are
-1.6.9p21 February 23, 2010 8
+1.6.9p21 April 7, 2010 8
-SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4)
+SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4)
- value specified in editor. This flag is
- _o_f_f by default.
- env_reset If set, ssuuddoo will reset the environment to
- only contain the LOGNAME, SHELL, USER,
- USERNAME and the SUDO_* variables. Any
- variables in the caller's environment that
- match the env_keep and env_check lists are
then added. The default contents of the
env_keep and env_check lists are displayed
when ssuuddoo is run by root with the _-_V
@@ -586,26 +578,26 @@ SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4)
is used. This thwarts the efforts of
rogue operators who would attempt to add
roles to _/_e_t_c_/_s_u_d_o_e_r_s. When this option
+ is present, _/_e_t_c_/_s_u_d_o_e_r_s does not even
+ need to exist. Since this option tells
+ ssuuddoo how to behave when no specific LDAP
+ entries have been matched, this sudoOption
+ is only meaningful for the cn=defaults
+ section. This flag is _o_f_f by default.
+ insults If set, ssuuddoo will insult users when they
-1.6.9p21 February 23, 2010 9
+1.6.9p21 April 7, 2010 9
-SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4)
+SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4)
- is present, _/_e_t_c_/_s_u_d_o_e_r_s does not even
- need to exist. Since this option tells
- ssuuddoo how to behave when no specific LDAP
- entries have been matched, this sudoOption
- is only meaningful for the cn=defaults
- section. This flag is _o_f_f by default.
- insults If set, ssuuddoo will insult users when they
enter an incorrect password. This flag is
_o_f_f by default.
@@ -652,26 +644,26 @@ SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4)
noexec If set, all commands run via ssuuddoo will
behave as if the NOEXEC tag has been set,
+ unless overridden by a EXEC tag. See the
+ description of _N_O_E_X_E_C _a_n_d _E_X_E_C below as
+ well as the "PREVENTING SHELL ESCAPES"
+ section at the end of this manual. This
+ flag is _o_f_f by default.
+ path_info Normally, ssuuddoo will tell the user when a
+ command could not be found in their PATH
-1.6.9p21 February 23, 2010 10
+1.6.9p21 April 7, 2010 10
-SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4)
+SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4)
- unless overridden by a EXEC tag. See the
- description of _N_O_E_X_E_C _a_n_d _E_X_E_C below as
- well as the "PREVENTING SHELL ESCAPES"
- section at the end of this manual. This
- flag is _o_f_f by default.
- path_info Normally, ssuuddoo will tell the user when a
- command could not be found in their PATH
environment variable. Some sites may wish
to disable this as it could be used to
gather information on the location of
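Review bot: the moved noexec text "+ unless overridden by a EXEC tag." should read "an EXEC tag"; this is pre-existing wording rather than part of this change, but since sudoers.cat is regenerated from sudoers.pod the fix belongs in the noexec description there so it flows through to both generated files.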
@@ -718,26 +710,26 @@ SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4)
running ssuuddooeeddiitt. Disabling _r_o_o_t___s_u_d_o
provides no real additional security; it
exists purely for historical reasons.
+ This flag is _o_n by default.
+ rootpw If set, ssuuddoo will prompt for the root
+ password instead of the password of the
+ invoking user. This flag is _o_f_f by
+ default.
+ runaspw If set, ssuuddoo will prompt for the password
-1.6.9p21 February 23, 2010 11
+1.6.9p21 April 7, 2010 11
-SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4)
- This flag is _o_n by default.
+SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4)
- rootpw If set, ssuuddoo will prompt for the root
- password instead of the password of the
- invoking user. This flag is _o_f_f by
- default.
- runaspw If set, ssuuddoo will prompt for the password
of the user defined by the _r_u_n_a_s___d_e_f_a_u_l_t
option (defaults to root) instead of the
password of the invoking user. This flag
@@ -785,9 +777,17 @@ SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4)
user's /etc/passwd entry if not). This
flag is _o_f_f by default.
+ fast_glob Normally, ssuuddoo uses the _g_l_o_b(3) function
+ to do shell-style globbing when matching
+ pathnames. However, since it accesses the
+ file system, _g_l_o_b(3) can take a long time
+ to complete for some patterns, especially
+ when the pattern references a network file
+ system that is mounted on demand
+
-1.6.9p21 February 23, 2010 12
+1.6.9p21 April 7, 2010 12
@@ -796,21 +796,21 @@ SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4)
SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4)
- fast_glob Normally, ssuuddoo uses the _g_l_o_b(3) function
- to do shell-style globbing when matching
- pathnames. However, since it accesses the
- file system, _g_l_o_b(3) can take a long time
- to complete for some patterns, especially
- when the pattern references a network file
- system that is mounted on demand
(automounted). The _f_a_s_t___g_l_o_b option
causes ssuuddoo to use the _f_n_m_a_t_c_h(3)
function, which does not access the file
system to do its matching. The
disadvantage of _f_a_s_t___g_l_o_b is that it is
unable to match relative pathnames such as
- _._/_l_s or _._._/_b_i_n_/_l_s. This flag is _o_f_f by
- default.
+ _._/_l_s or _._._/_b_i_n_/_l_s. This has security
+ implications when path names that include
+ globbing characters are used with the
+ negation operator, '!', as such rules can
+ be trivially bypassed. As such, this
+ option should not be used when _s_u_d_o_e_r_s
+ contains rules that contain negated path
+ names which include globbing characters.
+ This flag is _o_f_f by default.
stay_setuid Normally, when ssuuddoo executes a command the
real and effective UIDs are set to the
@@ -853,7 +853,7 @@ SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4)
-1.6.9p21 February 23, 2010 13
+1.6.9p21 April 7, 2010 13
@@ -919,7 +919,7 @@ SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4)
-1.6.9p21 February 23, 2010 14
+1.6.9p21 April 7, 2010 14
@@ -985,7 +985,7 @@ SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4)
-1.6.9p21 February 23, 2010 15
+1.6.9p21 April 7, 2010 15
@@ -1051,7 +1051,7 @@ SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4)
-1.6.9p21 February 23, 2010 16
+1.6.9p21 April 7, 2010 16
@@ -1117,7 +1117,7 @@ SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4)
-1.6.9p21 February 23, 2010 17
+1.6.9p21 April 7, 2010 17
@@ -1183,7 +1183,7 @@ SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4)
-1.6.9p21 February 23, 2010 18
+1.6.9p21 April 7, 2010 18
@@ -1249,7 +1249,7 @@ EEXXAAMMPPLLEESS
-1.6.9p21 February 23, 2010 19
+1.6.9p21 April 7, 2010 19
@@ -1315,7 +1315,7 @@ SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4)
-1.6.9p21 February 23, 2010 20
+1.6.9p21 April 7, 2010 20
@@ -1381,7 +1381,7 @@ SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4)
-1.6.9p21 February 23, 2010 21
+1.6.9p21 April 7, 2010 21
@@ -1447,7 +1447,7 @@ SSEECCUURRIITTYY NNOOTTEESS
-1.6.9p21 February 23, 2010 22
+1.6.9p21 April 7, 2010 22
@@ -1462,6 +1462,24 @@ SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4)
restrictions should be considered advisory at best (and
reinforced by policy).
+ Furthermore, if the _f_a_s_t___g_l_o_b option is in use, it is not
+ possible to reliably negate commands where the path name
+ includes globbing (aka wildcard) characters. This is
+ because the C library's _f_n_m_a_t_c_h(3) function cannot resolve
+ relative paths. While this is typically only an
+ inconvenience for rules that grant privileges, it can
+ result in a security issue for rules that subtract or
+ revoke privileges.
+
+ For example, given the following _s_u_d_o_e_r_s entry:
+
+ john ALL = /usr/bin/passwd [a-zA-Z0-9]*, /usr/bin/chsh [a-zA-Z0-9]*,
+ /usr/bin/chfn [a-zA-Z0-9]*, !/usr/bin/* root
+
+ User jjoohhnn can still run /usr/bin/passwd root if _f_a_s_t___g_l_o_b
+ is enabled by changing to _/_u_s_r_/_b_i_n and running ./passwd
+ root instead.
+
PPRREEVVEENNTTIINNGG SSHHEELLLL EESSCCAAPPEESS
Once ssuuddoo executes a program, that program is free to do
whatever it pleases, including run other programs. This
@@ -1492,6 +1510,18 @@ PPRREEVVEENNTTIINNGG SSHHEELLLL EESSCCAAPPEESS
Note, however, that this applies only to native
dynamically-linked executables. Statically-
linked executables and foreign executables
+
+
+
+1.6.9p21 April 7, 2010 23
+
+
+
+
+
+SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4)
+
+
running under binary emulation are not affected.
To tell whether or not ssuuddoo supports _n_o_e_x_e_c, you
@@ -1510,18 +1540,6 @@ PPRREEVVEENNTTIINNGG SSHHEELLLL EESSCCAAPPEESS
there is no foolproof way to know whether or not
_n_o_e_x_e_c will work at compile-time. _n_o_e_x_e_c should
work on SunOS, Solaris, *BSD, Linux, IRIX, Tru64
-
-
-
-1.6.9p21 February 23, 2010 23
-
-
-
-
-
-SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4)
-
-
UNIX, MacOS X, and HP-UX 11.x. It is known nnoott
to work on AIX and UnixWare. _n_o_e_x_e_c is expected
to work on most operating systems that support
@@ -1558,6 +1576,18 @@ SSEEEE AALLSSOO
CCAAVVEEAATTSS
The _s_u_d_o_e_r_s file should aallwwaayyss be edited by the vviissuuddoo
command which locks the file and does grammatical
+
+
+
+1.6.9p21 April 7, 2010 24
+
+
+
+
+
+SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4)
+
+
checking. It is imperative that _s_u_d_o_e_r_s be free of syntax
errors since ssuuddoo will not run with a syntactically
incorrect _s_u_d_o_e_r_s file.
@@ -1576,18 +1606,6 @@ SSUUPPPPOORRTT
Limited free support is available via the sudo-users
mailing list, see
http://www.sudo.ws/mailman/listinfo/sudo-users to
-
-
-
-1.6.9p21 February 23, 2010 24
-
-
-
-
-
-SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4)
-
-
subscribe or search the archives.
DDIISSCCLLAAIIMMEERR
@@ -1627,24 +1645,6 @@ DDIISSCCLLAAIIMMEERR
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-1.6.9p21 February 23, 2010 25
+1.6.9p21 April 7, 2010 25
diff --git a/sudoers.man.in b/sudoers.man.in
index 4068a85f3..f07c7a570 100644
--- a/sudoers.man.in
+++ b/sudoers.man.in
@@ -1,4 +1,4 @@
-.\" Copyright (c) 1994-1996, 1998-2005, 2007
+.\" Copyright (c) 1994-1996, 1998-2005, 2007-2010
.\" Todd C. Miller <Todd.Miller@courtesan.com>
.\"
.\" Permission to use, copy, modify, and distribute this software for any
@@ -18,18 +18,10 @@
.\" Agency (DARPA) and Air Force Research Laboratory, Air Force
.\" Materiel Command, USAF, under agreement number F39502-99-1-0512.
.\"
-.\" Automatically generated by Pod::Man 2.16 (Pod::Simple 3.05)
+.\" Automatically generated by Pod::Man 2.22 (Pod::Simple 3.07)
.\"
.\" Standard preamble:
.\" ========================================================================
-.de Sh \" Subsection heading
-.br
-.if t .Sp
-.ne 5
-.PP
-\fB\\$1\fR
-.PP
-..
.de Sp \" Vertical space (when we can't use .PP)
.if t .sp .5v
.if n .sp
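Review bot: dropping the local ".de Sh" macro and bumping the generator comment from Pod::Man 2.16 to 2.22 is toolchain churn unrelated to the fast_glob note, and it is what turns every ".Sh" heading into ".SS" in the hunks below; acceptable, but a line in the commit message saying the man page was regenerated with a newer Pod::Man would stop the .Sh/.SS and copyright-year changes from being mistaken for hand edits.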
@@ -73,7 +65,7 @@
.el .ds Aq '
.\"
.\" If the F register is turned on, we'll generate index entries on stderr for
-.\" titles (.TH), headers (.SH), subsections (.Sh), items (.Ip), and index
+.\" titles (.TH), headers (.SH), subsections (.SS), items (.Ip), and index
.\" entries marked with X<> in POD. Of course, you'll have to process the
.\" output yourself in some meaningful fashion.
.ie \nF \{\
@@ -152,7 +144,7 @@
.\" ========================================================================
.\"
.IX Title "SUDOERS @mansectform@"
-.TH SUDOERS @mansectform@ "February 23, 2010" "1.6.9p21" "MAINTENANCE COMMANDS"
+.TH SUDOERS @mansectform@ "April 7, 2010" "1.6.9p21" "MAINTENANCE COMMANDS"
.\" For nroff, turn off justification. Always turn off hyphenation; it makes
.\" way too many mistakes in technical documents.
.if n .ad l
@@ -172,7 +164,7 @@ not necessarily the most specific match).
The \fIsudoers\fR grammar will be described below in Extended Backus-Naur
Form (\s-1EBNF\s0). Don't despair if you don't know what \s-1EBNF\s0 is; it is
fairly simple, and the definitions below are annotated.
-.Sh "Quick guide to \s-1EBNF\s0"
+.SS "Quick guide to \s-1EBNF\s0"
.IX Subsection "Quick guide to EBNF"
\&\s-1EBNF\s0 is a concise and exact way of describing the grammar of a language.
Each \s-1EBNF\s0 definition is made up of \fIproduction rules\fR. E.g.,
@@ -205,7 +197,7 @@ one or more times.
Parentheses may be used to group symbols together. For clarity,
we will use single quotes ('') to designate what is a verbatim character
string (as opposed to a symbol name).
-.Sh "Aliases"
+.SS "Aliases"
.IX Subsection "Aliases"
There are four kinds of aliases: \f(CW\*(C`User_Alias\*(C'\fR, \f(CW\*(C`Runas_Alias\*(C'\fR,
\&\f(CW\*(C`Host_Alias\*(C'\fR and \f(CW\*(C`Cmnd_Alias\*(C'\fR.
@@ -339,7 +331,7 @@ arguments: ',', ':', '=', '\e'. The special command \f(CW"sudoedit"\fR
is used to permit a user to run \fBsudo\fR with the \fB\-e\fR option (or
as \fBsudoedit\fR). It may take command line arguments just as
a normal command does.
-.Sh "Defaults"
+.SS "Defaults"
.IX Subsection "Defaults"
Certain configuration options may be changed from their default
values at runtime via one or more \f(CW\*(C`Default_Entry\*(C'\fR lines. These
@@ -376,7 +368,7 @@ It is not an error to use the \f(CW\*(C`\-=\*(C'\fR operator to remove an elemen
that does not exist in a list.
.PP
See \*(L"\s-1SUDOERS\s0 \s-1OPTIONS\s0\*(R" for a list of supported Defaults parameters.
-.Sh "User Specification"
+.SS "User Specification"
.IX Subsection "User Specification"
.Vb 2
\& User_Spec ::= User_List Host_List \*(Aq=\*(Aq Cmnd_Spec_List \e
@@ -398,7 +390,7 @@ A \fBuser specification\fR determines which commands a user may run
run as \fBroot\fR, but this can be changed on a per-command basis.
.PP
Let's break that down into its constituent parts:
-.Sh "Runas_Spec"
+.SS "Runas_Spec"
.IX Subsection "Runas_Spec"
A \f(CW\*(C`Runas_Spec\*(C'\fR is simply a \f(CW\*(C`Runas_List\*(C'\fR (as defined above)
enclosed in a set of parentheses. If you do not specify a
@@ -426,7 +418,7 @@ entry. If we modify the entry like so:
.PP
Then user \fBdgb\fR is now allowed to run \fI/bin/ls\fR as \fBoperator\fR,
but \fI/bin/kill\fR and \fI/usr/bin/lprm\fR as \fBroot\fR.
-.Sh "Tag_Spec"
+.SS "Tag_Spec"
.IX Subsection "Tag_Spec"
A command may have zero or more tags associated with it. There are
six possible tag values, \f(CW\*(C`NOPASSWD\*(C'\fR, \f(CW\*(C`PASSWD\*(C'\fR, \f(CW\*(C`NOEXEC\*(C'\fR, \f(CW\*(C`EXEC\*(C'\fR,
@@ -497,7 +489,7 @@ to the restrictions imposed by \fIenv_check\fR, \fIenv_delete\fR, or
variables in this manner. If the command matched is \fB\s-1ALL\s0\fR, the
\&\f(CW\*(C`SETENV\*(C'\fR tag is implied for that command; this default may
be overridden by use of the \f(CW\*(C`UNSETENV\*(C'\fR tag.
-.Sh "Wildcards"
+.SS "Wildcards"
.IX Subsection "Wildcards"
\&\fBsudo\fR allows shell-style \fIwildcards\fR (aka meta or glob characters)
to be used in hostnames, pathnames and command line arguments in
@@ -536,7 +528,7 @@ wildcards. This is to make a path like:
.Ve
.PP
match \fI/usr/bin/who\fR but not \fI/usr/bin/X11/xterm\fR.
-.Sh "Exceptions to wildcard rules"
+.SS "Exceptions to wildcard rules"
.IX Subsection "Exceptions to wildcard rules"
The following exceptions apply to the above rules:
.ie n .IP """""" 8
@@ -545,7 +537,7 @@ The following exceptions apply to the above rules:
If the empty string \f(CW""\fR is the only command line argument in the
\&\fIsudoers\fR entry it means that command is not allowed to be run
with \fBany\fR arguments.
-.Sh "Other special characters and reserved words"
+.SS "Other special characters and reserved words"
.IX Subsection "Other special characters and reserved words"
The pound sign ('#') is used to indicate a comment (unless it is
part of a #include directive or unless it occurs in the context of
@@ -788,7 +780,12 @@ system that is mounted on demand (automounted). The \fIfast_glob\fR
option causes \fBsudo\fR to use the \fIfnmatch\fR\|(3) function, which does
not access the file system to do its matching. The disadvantage
of \fIfast_glob\fR is that it is unable to match relative pathnames
-such as \fI./ls\fR or \fI../bin/ls\fR. This flag is \fIoff\fR by default.
+such as \fI./ls\fR or \fI../bin/ls\fR. This has security implications
+when path names that include globbing characters are used with the
+negation operator, \f(CW\*(Aq!\*(Aq\fR, as such rules can be trivially bypassed.
+As such, this option should not be used when \fIsudoers\fR contains rules
+that contain negated path names which include globbing characters.
+This flag is \fIoff\fR by default.
.IP "stay_setuid" 16
.IX Item "stay_setuid"
Normally, when \fBsudo\fR executes a command the real and effective
@@ -1355,6 +1352,24 @@ Doesn't really prevent \fBbill\fR from running the commands listed in
different name, or use a shell escape from an editor or other
program. Therefore, these kind of restrictions should be considered
advisory at best (and reinforced by policy).
+.PP
+Furthermore, if the \fIfast_glob\fR option is in use, it is not possible
+to reliably negate commands where the path name includes globbing
+(aka wildcard) characters. This is because the C library's
+\&\fIfnmatch\fR\|(3) function cannot resolve relative paths. While this
+is typically only an inconvenience for rules that grant privileges,
+it can result in a security issue for rules that subtract or revoke
+privileges.
+.PP
+For example, given the following \fIsudoers\fR entry:
+.PP
+.Vb 2
+\& john ALL = /usr/bin/passwd [a\-zA\-Z0\-9]*, /usr/bin/chsh [a\-zA\-Z0\-9]*,
+\& /usr/bin/chfn [a\-zA\-Z0\-9]*, !/usr/bin/* root
+.Ve
+.PP
+User \fBjohn\fR can still run \f(CW\*(C`/usr/bin/passwd root\*(C'\fR if \fIfast_glob\fR is
+enabled by changing to \fI/usr/bin\fR and running \f(CW\*(C`./passwd root\*(C'\fR instead.
.SH "PREVENTING SHELL ESCAPES"
.IX Header "PREVENTING SHELL ESCAPES"
Once \fBsudo\fR executes a program, that program is free to do whatever
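Review bot: "the C library's \fIfnmatch\fR\|(3) function cannot resolve relative paths" is looser than the option description earlier in the file, which says fnmatch(3) "does not access the file system to do its matching"; the actual cause of the bypass is that fnmatch(3) compares the pattern against the command path purely as a string, so a command typed as ./passwd is never matched against /usr/bin/* the way glob(3), which expands the pattern against real files, would match it. Suggest rewording along those lines in sudoers.pod, from which this file is generated, and regenerating.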
diff --git a/sudoers.pod b/sudoers.pod
index 74ddb5da1..267c26547 100644
--- a/sudoers.pod
+++ b/sudoers.pod
@@ -1,4 +1,4 @@
-Copyright (c) 1994-1996, 1998-2005, 2007
+Copyright (c) 1994-1996, 1998-2005, 2007-2010
Todd C. Miller <Todd.Miller@courtesan.com>
Permission to use, copy, modify, and distribute this software for any
@@ -669,7 +669,12 @@ system that is mounted on demand (automounted). The I<fast_glob>
option causes B<sudo> to use the L<fnmatch(3)> function, which does
not access the file system to do its matching. The disadvantage
of I<fast_glob> is that it is unable to match relative pathnames
-such as F<./ls> or F<../bin/ls>. This flag is I<off> by default.
+such as F<./ls> or F<../bin/ls>. This has security implications
+when path names that include globbing characters are used with the
+negation operator, C<'!'>, as such rules can be trivially bypassed.
+As such, this option should not be used when I<sudoers> contains rules
+that contain negated path names which include globbing characters.
+This flag is I<off> by default.
=item stay_setuid
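Review bot: the added sentences use "as such" twice in a row ("as such rules can be trivially bypassed. As such, this option should not be used") and switch from "pathnames" in the preceding context line to "path names"; suggest "For this reason, this option should not be used when I<sudoers> contains rules that negate pathnames containing globbing characters." Since the same text appears in sudoers.man.in and sudoers.cat, both should be regenerated after the fix.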
@@ -1269,6 +1274,22 @@ different name, or use a shell escape from an editor or other
program. Therefore, these kind of restrictions should be considered
advisory at best (and reinforced by policy).
+Furthermore, if the I<fast_glob> option is in use, it is not possible
+to reliably negate commands where the path name includes globbing
+(aka wildcard) characters. This is because the C library's
+L<fnmatch(3)> function cannot resolve relative paths. While this
+is typically only an inconvenience for rules that grant privileges,
+it can result in a security issue for rules that subtract or revoke
+privileges.
+
+For example, given the following I<sudoers> entry:
+
+ john ALL = /usr/bin/passwd [a-zA-Z0-9]*, /usr/bin/chsh [a-zA-Z0-9]*,
+ /usr/bin/chfn [a-zA-Z0-9]*, !/usr/bin/* root
+
+User B<john> can still run C</usr/bin/passwd root> if I<fast_glob> is
+enabled by changing to F</usr/bin> and running C<./passwd root> instead.
+
=head1 PREVENTING SHELL ESCAPES
Once B<sudo> executes a program, that program is free to do whatever
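Review bot: the example entry is split across two lines with no trailing backslash after "/usr/bin/chsh [a-zA-Z0-9]*,", so a reader who pastes it into sudoers verbatim gets a second, syntactically invalid entry; end the first line with "\" (sudoers supports backslash line continuation) or join the two lines. It would also help to state the mitigation alongside the problem: the bypass only affects a user already granted the passwd rule, and leaving fast_glob at its documented default of off keeps glob(3) in use, which does match the relative form and so restores the negation.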