From 9c30b0e3deafaedca87f8a8d3b1e7ac06e06c7bc Mon Sep 17 00:00:00 2001 From: "Todd C. Miller" Date: Wed, 7 Apr 2010 09:46:01 -0400 Subject: Add a note about the security implications of the fast_glob option. --- sudoers.cat | 308 ++++++++++++++++++++++++++++----------------------------- sudoers.man.in | 59 ++++++----- sudoers.pod | 25 ++++- 3 files changed, 214 insertions(+), 178 deletions(-) diff --git a/sudoers.cat b/sudoers.cat index a68748d13..7ba92863b 100644 --- a/sudoers.cat +++ b/sudoers.cat @@ -22,8 +22,7 @@ DDEESSCCRRIIPPTTIIOONN what EBNF is; it is fairly simple, and the definitions below are annotated. - QQuuiicckk gguuiiddee ttoo EEBBNNFF - + QQuuiicckk gguuiiddee ttoo EEBBNNFF EBNF is a concise and exact way of describing the grammar of a language. Each EBNF definition is made up of _p_r_o_d_u_c_t_i_o_n _r_u_l_e_s. E.g., @@ -51,17 +50,18 @@ DDEESSCCRRIIPPTTIIOONN is a verbatim character string (as opposed to a symbol name). - AAlliiaasseess - + AAlliiaasseess There are four kinds of aliases: User_Alias, Runas_Alias, Host_Alias and Cmnd_Alias. + Alias ::= 'User_Alias' User_Alias (':' User_Alias)* | + 'Runas_Alias' Runas_Alias (':' Runas_Alias)* | + 'Host_Alias' Host_Alias (':' Host_Alias)* | + 'Cmnd_Alias' Cmnd_Alias (':' Cmnd_Alias)* - - -1.6.9p21 February 23, 2010 1 +1.6.9p21 April 7, 2010 1 @@ -70,10 +70,6 @@ DDEESSCCRRIIPPTTIIOONN SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4) - Alias ::= 'User_Alias' User_Alias (':' User_Alias)* | - 'Runas_Alias' Runas_Alias (':' Runas_Alias)* | - 'Host_Alias' Host_Alias (':' Host_Alias)* | - 'Cmnd_Alias' Cmnd_Alias (':' Cmnd_Alias)* User_Alias ::= NAME '=' User_List @@ -125,9 +121,13 @@ SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4) '!'* +netgroup | '!'* Runas_Alias + A Runas_List is similar to a User_List except that it can + also contain uids (prefixed with '#') and instead of + User_Aliases it can contain Runas_Aliases. Note that + -1.6.9p21 February 23, 2010 2 +1.6.9p21 April 7, 2010 2 
@@ -136,9 +136,6 @@ SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4) SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4) - A Runas_List is similar to a User_List except that it can - also contain uids (prefixed with '#') and instead of - User_Aliases it can contain Runas_Aliases. Note that usernames and groups are matched as strings. In other words, two users (groups) with the same uid (gid) are considered to be distinct. If you wish to match all @@ -190,10 +187,13 @@ SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4) he/she wishes. However, you may also specify command line arguments (including wildcards). Alternately, you can specify "" to indicate that the command may only be run + wwiitthhoouutt command line arguments. A directory is a fully + qualified pathname ending in a '/'. When you specify a + directory in a Cmnd_List, the user will be able to run any -1.6.9p21 February 23, 2010 3 +1.6.9p21 April 7, 2010 3 @@ -202,9 +202,6 @@ SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4) SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4) - wwiitthhoouutt command line arguments. A directory is a fully - qualified pathname ending in a '/'. When you specify a - directory in a Cmnd_List, the user will be able to run any file within that directory (but not in any subdirectories therein). @@ -218,8 +215,7 @@ SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4) --ee option (or as ssuuddooeeddiitt). It may take command line arguments just as a normal command does. - DDeeffaauullttss - + DDeeffaauullttss Certain configuration options may be changed from their default values at runtime via one or more Default_Entry lines. These may affect all users on any host, all users 
@@ -257,21 +253,21 @@ SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4) See "SUDOERS OPTIONS" for a list of supported Defaults parameters. + UUsseerr SSppeecciiffiiccaattiioonn + User_Spec ::= User_List Host_List '=' Cmnd_Spec_List \ + (':' Host_List '=' Cmnd_Spec_List)* -1.6.9p21 February 23, 2010 4 +1.6.9p21 April 7, 2010 4 -SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4) +SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4) - UUsseerr SSppeecciiffiiccaattiioonn - User_Spec ::= User_List Host_List '=' Cmnd_Spec_List \ - (':' Host_List '=' Cmnd_Spec_List)* Cmnd_Spec_List ::= Cmnd_Spec | Cmnd_Spec ',' Cmnd_Spec_List @@ -290,8 +286,7 @@ SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4) Let's break that down into its constituent parts: - RRuunnaass__SSppeecc - + RRuunnaass__SSppeecc A Runas_Spec is simply a Runas_List (as defined above) enclosed in a set of parentheses. If you do not specify a Runas_Spec in the user specification, a default Runas_Spec @@ -314,8 +309,7 @@ SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4) Then user ddggbb is now allowed to run _/_b_i_n_/_l_s as ooppeerraattoorr, but _/_b_i_n_/_k_i_l_l and _/_u_s_r_/_b_i_n_/_l_p_r_m as rroooott. - TTaagg__SSppeecc - + TTaagg__SSppeecc A command may have zero or more tags associated with it. There are six possible tag values, NOPASSWD, PASSWD, NOEXEC, EXEC, SETENV and NOSETENV. Once a tag is set on a 
@@ -323,22 +317,23 @@ SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4) tag unless it is overridden by the opposite tag (i.e.: PASSWD overrides NOPASSWD and NOEXEC overrides EXEC). + _N_O_P_A_S_S_W_D _a_n_d _P_A_S_S_W_D + By default, ssuuddoo requires that a user authenticate him or + herself before running a command. This behavior can be + modified via the NOPASSWD tag. Like a Runas_Spec, the -1.6.9p21 February 23, 2010 5 +1.6.9p21 April 7, 2010 5 -SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4) - _N_O_P_A_S_S_W_D _a_n_d _P_A_S_S_W_D +SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4) + - By default, ssuuddoo requires that a user authenticate him or - herself before running a command. This behavior can be - modified via the NOPASSWD tag. Like a Runas_Spec, the NOPASSWD tag sets a default for the commands that follow it in the Cmnd_Spec_List. Conversely, the PASSWD tag can be used to reverse things. For example: @@ -388,24 +383,23 @@ SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4) _e_n_v___c_h_e_c_k, _e_n_v___d_e_l_e_t_e, or _e_n_v___k_e_e_p. As such, only trusted users should be allowed to set variables in this manner. If the command matched is AALLLL, the SETENV tag is implied + for that command; this default may be overridden by use of + the UNSETENV tag. + WWiillddccaarrddss + ssuuddoo allows shell-style _w_i_l_d_c_a_r_d_s (aka meta or glob -1.6.9p21 February 23, 2010 6 +1.6.9p21 April 7, 2010 6 -SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4) +SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4) - for that command; this default may be overridden by use of - the UNSETENV tag. - - WWiillddccaarrddss - ssuuddoo allows shell-style _w_i_l_d_c_a_r_d_s (aka meta or glob characters) to be used in hostnames, pathnames and command line arguments in the _s_u_d_o_e_r_s file. Wildcard matching is done via the PPOOSSIIXX _g_l_o_b(3) and _f_n_m_a_t_c_h(3) routines. Note 
@@ -432,8 +426,7 @@ SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4) match _/_u_s_r_/_b_i_n_/_w_h_o but not _/_u_s_r_/_b_i_n_/_X_1_1_/_x_t_e_r_m. - EExxcceeppttiioonnss ttoo wwiillddccaarrdd rruulleess - + EExxcceeppttiioonnss ttoo wwiillddccaarrdd rruulleess The following exceptions apply to the above rules: "" If the empty string "" is the only command line @@ -441,8 +434,7 @@ SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4) command is not allowed to be run with aannyy arguments. - OOtthheerr ssppeecciiaall cchhaarraacctteerrss aanndd rreesseerrvveedd wwoorrddss - + OOtthheerr ssppeecciiaall cchhaarraacctteerrss aanndd rreesseerrvveedd wwoorrddss The pound sign ('#') is used to indicate a comment (unless it is part of a #include directive or unless it occurs in the context of a user name and is followed by one or more @@ -454,10 +446,18 @@ SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4) causes a match to succeed. It can be used wherever one might otherwise use a Cmnd_Alias, User_Alias, Runas_Alias, or Host_Alias. You should not try to define your own + _a_l_i_a_s called AALLLL as the built-in alias will be used in + preference to your own. Please note that using AALLLL can be + dangerous since in a command context, it allows the user + to run aannyy command on the system. + + An exclamation point ('!') can be used as a logical _n_o_t + operator both in an _a_l_i_a_s and in front of a Cmnd. This + allows one to exclude certain values. Note, however, that -1.6.9p21 February 23, 2010 7 +1.6.9p21 April 7, 2010 7 
@@ -466,14 +466,6 @@ SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4) SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4) - _a_l_i_a_s called AALLLL as the built-in alias will be used in - preference to your own. Please note that using AALLLL can be - dangerous since in a command context, it allows the user - to run aannyy command on the system. - - An exclamation point ('!') can be used as a logical _n_o_t - operator both in an _a_l_i_a_s and in front of a Cmnd. This - allows one to exclude certain values. Note, however, that using a ! in conjunction with the built-in ALL alias to allow a user to run "all but a few" commands rarely works as intended (see SECURITY NOTES below). @@ -520,26 +512,26 @@ SSUUDDOOEERRSS OOPPTTIIOONNSS a colon-separated list of editors in the editor variable. vviissuuddoo will then only use the EDITOR or VISUAL if they match a + value specified in editor. This flag is + _o_f_f by default. + env_reset If set, ssuuddoo will reset the environment to + only contain the LOGNAME, SHELL, USER, + USERNAME and the SUDO_* variables. Any + variables in the caller's environment that + match the env_keep and env_check lists are -1.6.9p21 February 23, 2010 8 +1.6.9p21 April 7, 2010 8 -SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4) +SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4) - value specified in editor. This flag is - _o_f_f by default. - env_reset If set, ssuuddoo will reset the environment to - only contain the LOGNAME, SHELL, USER, - USERNAME and the SUDO_* variables. Any - variables in the caller's environment that - match the env_keep and env_check lists are then added. The default contents of the env_keep and env_check lists are displayed when ssuuddoo is run by root with the _-_V 
@@ -586,26 +578,26 @@ SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4) is used. This thwarts the efforts of rogue operators who would attempt to add roles to _/_e_t_c_/_s_u_d_o_e_r_s. When this option + is present, _/_e_t_c_/_s_u_d_o_e_r_s does not even + need to exist. Since this option tells + ssuuddoo how to behave when no specific LDAP + entries have been matched, this sudoOption + is only meaningful for the cn=defaults + section. This flag is _o_f_f by default. + insults If set, ssuuddoo will insult users when they -1.6.9p21 February 23, 2010 9 +1.6.9p21 April 7, 2010 9 -SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4) +SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4) - is present, _/_e_t_c_/_s_u_d_o_e_r_s does not even - need to exist. Since this option tells - ssuuddoo how to behave when no specific LDAP - entries have been matched, this sudoOption - is only meaningful for the cn=defaults - section. This flag is _o_f_f by default. - insults If set, ssuuddoo will insult users when they enter an incorrect password. This flag is _o_f_f by default. 
@@ -652,26 +644,26 @@ SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4) noexec If set, all commands run via ssuuddoo will behave as if the NOEXEC tag has been set, + unless overridden by a EXEC tag. See the + description of _N_O_E_X_E_C _a_n_d _E_X_E_C below as + well as the "PREVENTING SHELL ESCAPES" + section at the end of this manual. This + flag is _o_f_f by default. + path_info Normally, ssuuddoo will tell the user when a + command could not be found in their PATH -1.6.9p21 February 23, 2010 10 +1.6.9p21 April 7, 2010 10 -SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4) +SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4) - unless overridden by a EXEC tag. See the - description of _N_O_E_X_E_C _a_n_d _E_X_E_C below as - well as the "PREVENTING SHELL ESCAPES" - section at the end of this manual. This - flag is _o_f_f by default. - path_info Normally, ssuuddoo will tell the user when a - command could not be found in their PATH environment variable. Some sites may wish to disable this as it could be used to gather information on the location of @@ -718,26 +710,26 @@ SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4) running ssuuddooeeddiitt. Disabling _r_o_o_t___s_u_d_o provides no real additional security; it exists purely for historical reasons. + This flag is _o_n by default. + rootpw If set, ssuuddoo will prompt for the root + password instead of the password of the + invoking user. This flag is _o_f_f by + default. + runaspw If set, ssuuddoo will prompt for the password -1.6.9p21 February 23, 2010 11 +1.6.9p21 April 7, 2010 11 -SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4) - This flag is _o_n by default. +SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4) - rootpw If set, ssuuddoo will prompt for the root - password instead of the password of the - invoking user. This flag is _o_f_f by - default. - runaspw If set, ssuuddoo will prompt for the password of the user defined by the _r_u_n_a_s___d_e_f_a_u_l_t option (defaults to root) instead of the password of the invoking user. This flag 
@@ -785,9 +777,17 @@ SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4) user's /etc/passwd entry if not). This flag is _o_f_f by default. + fast_glob Normally, ssuuddoo uses the _g_l_o_b(3) function + to do shell-style globbing when matching + pathnames. However, since it accesses the + file system, _g_l_o_b(3) can take a long time + to complete for some patterns, especially + when the pattern references a network file + system that is mounted on demand + -1.6.9p21 February 23, 2010 12 +1.6.9p21 April 7, 2010 12 @@ -796,21 +796,21 @@ SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4) SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4) - fast_glob Normally, ssuuddoo uses the _g_l_o_b(3) function - to do shell-style globbing when matching - pathnames. However, since it accesses the - file system, _g_l_o_b(3) can take a long time - to complete for some patterns, especially - when the pattern references a network file - system that is mounted on demand (automounted). The _f_a_s_t___g_l_o_b option causes ssuuddoo to use the _f_n_m_a_t_c_h(3) function, which does not access the file system to do its matching. The disadvantage of _f_a_s_t___g_l_o_b is that it is unable to match relative pathnames such as - _._/_l_s or _._._/_b_i_n_/_l_s. This flag is _o_f_f by - default. + _._/_l_s or _._._/_b_i_n_/_l_s. This has security + implications when path names that include + globbing characters are used with the + negation operator, '!', as such rules can + be trivially bypassed. As such, this + option should not be used when _s_u_d_o_e_r_s + contains rules that contain negated path + names which include globbing characters. + This flag is _o_f_f by default. stay_setuid Normally, when ssuuddoo executes a command the real and effective UIDs are set to the @@ -853,7 +853,7 @@ SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4) -1.6.9p21 February 23, 2010 13 +1.6.9p21 April 7, 2010 13 @@ -919,7 +919,7 @@ SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4) -1.6.9p21 February 23, 2010 14 +1.6.9p21 April 7, 2010 14 
@@ -985,7 +985,7 @@ SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4) -1.6.9p21 February 23, 2010 15 +1.6.9p21 April 7, 2010 15 @@ -1051,7 +1051,7 @@ SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4) -1.6.9p21 February 23, 2010 16 +1.6.9p21 April 7, 2010 16 @@ -1117,7 +1117,7 @@ SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4) -1.6.9p21 February 23, 2010 17 +1.6.9p21 April 7, 2010 17 @@ -1183,7 +1183,7 @@ SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4) -1.6.9p21 February 23, 2010 18 +1.6.9p21 April 7, 2010 18 @@ -1249,7 +1249,7 @@ EEXXAAMMPPLLEESS -1.6.9p21 February 23, 2010 19 +1.6.9p21 April 7, 2010 19 @@ -1315,7 +1315,7 @@ SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4) -1.6.9p21 February 23, 2010 20 +1.6.9p21 April 7, 2010 20 @@ -1381,7 +1381,7 @@ SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4) -1.6.9p21 February 23, 2010 21 +1.6.9p21 April 7, 2010 21 @@ -1447,7 +1447,7 @@ SSEECCUURRIITTYY NNOOTTEESS -1.6.9p21 February 23, 2010 22 +1.6.9p21 April 7, 2010 22 
@@ -1462,6 +1462,24 @@ SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4) restrictions should be considered advisory at best (and reinforced by policy). + Furthermore, if the _f_a_s_t___g_l_o_b option is in use, it is not + possible to reliably negate commands where the path name + includes globbing (aka wildcard) characters. This is + because the C library's _f_n_m_a_t_c_h(3) function cannot resolve + relative paths. While this is typically only an + inconvenience for rules that grant privileges, it can + result in a security issue for rules that subtract or + revoke privileges. + + For example, given the following _s_u_d_o_e_r_s entry: + + john ALL = /usr/bin/passwd [a-zA-Z0-9]*, /usr/bin/chsh [a-zA-Z0-9]*, + /usr/bin/chfn [a-zA-Z0-9]*, !/usr/bin/* root + + User jjoohhnn can still run /usr/bin/passwd root if _f_a_s_t___g_l_o_b + is enabled by changing to _/_u_s_r_/_b_i_n and running ./passwd + root instead. + PPRREEVVEENNTTIINNGG SSHHEELLLL EESSCCAAPPEESS Once ssuuddoo executes a program, that program is free to do whatever it pleases, including run other programs. This @@ -1492,6 +1510,18 @@ PPRREEVVEENNTTIINNGG SSHHEELLLL EESSCCAAPPEESS Note, however, that this applies only to native dynamically-linked executables. Statically- linked executables and foreign executables + + + +1.6.9p21 April 7, 2010 23 + + + + + +SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4) + + running under binary emulation are not affected. To tell whether or not ssuuddoo supports _n_o_e_x_e_c, you @@ -1510,18 +1540,6 @@ PPRREEVVEENNTTIINNGG SSHHEELLLL EESSCCAAPPEESS there is no foolproof way to know whether or not _n_o_e_x_e_c will work at compile-time. _n_o_e_x_e_c should work on SunOS, Solaris, *BSD, Linux, IRIX, Tru64 - - - -1.6.9p21 February 23, 2010 23 - - - - - -SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4) - - UNIX, MacOS X, and HP-UX 11.x. It is known nnoott to work on AIX and UnixWare. _n_o_e_x_e_c is expected to work on most operating systems that support 
@@ -1558,6 +1576,18 @@ SSEEEE AALLSSOO CCAAVVEEAATTSS The _s_u_d_o_e_r_s file should aallwwaayyss be edited by the vviissuuddoo command which locks the file and does grammatical + + + +1.6.9p21 April 7, 2010 24 + + + + + +SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4) + + checking. It is imperative that _s_u_d_o_e_r_s be free of syntax errors since ssuuddoo will not run with a syntactically incorrect _s_u_d_o_e_r_s file. @@ -1576,18 +1606,6 @@ SSUUPPPPOORRTT Limited free support is available via the sudo-users mailing list, see http://www.sudo.ws/mailman/listinfo/sudo-users to - - - -1.6.9p21 February 23, 2010 24 - - - - - -SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4) - - subscribe or search the archives. DDIISSCCLLAAIIMMEERR @@ -1627,24 +1645,6 @@ DDIISSCCLLAAIIMMEERR - - - - - - - - - - - - - - - - - - -1.6.9p21 February 23, 2010 25 +1.6.9p21 April 7, 2010 25 diff --git a/sudoers.man.in b/sudoers.man.in index 4068a85f3..f07c7a570 100644 --- a/sudoers.man.in +++ b/sudoers.man.in @@ -1,4 +1,4 @@ -.\" Copyright (c) 1994-1996, 1998-2005, 2007 +.\" Copyright (c) 1994-1996, 1998-2005, 2007-2010 .\" Todd C. Miller .\" .\" Permission to use, copy, modify, and distribute this software for any @@ -18,18 +18,10 @@ .\" Agency (DARPA) and Air Force Research Laboratory, Air Force .\" Materiel Command, USAF, under agreement number F39502-99-1-0512. .\" -.\" Automatically generated by Pod::Man 2.16 (Pod::Simple 3.05) +.\" Automatically generated by Pod::Man 2.22 (Pod::Simple 3.07) .\" .\" Standard preamble: .\" ======================================================================== -.de Sh \" Subsection heading -.br -.if t .Sp -.ne 5 -.PP -\fB\\$1\fR -.PP -.. .de Sp \" Vertical space (when we can't use .PP) .if t .sp .5v .if n .sp 
@@ -73,7 +65,7 @@ .el .ds Aq ' .\" .\" If the F register is turned on, we'll generate index entries on stderr for -.\" titles (.TH), headers (.SH), subsections (.Sh), items (.Ip), and index +.\" titles (.TH), headers (.SH), subsections (.SS), items (.Ip), and index .\" entries marked with X<> in POD. Of course, you'll have to process the .\" output yourself in some meaningful fashion. .ie \nF \{\ @@ -152,7 +144,7 @@ .\" ======================================================================== .\" .IX Title "SUDOERS @mansectform@" -.TH SUDOERS @mansectform@ "February 23, 2010" "1.6.9p21" "MAINTENANCE COMMANDS" +.TH SUDOERS @mansectform@ "April 7, 2010" "1.6.9p21" "MAINTENANCE COMMANDS" .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l @@ -172,7 +164,7 @@ not necessarily the most specific match). The \fIsudoers\fR grammar will be described below in Extended Backus-Naur Form (\s-1EBNF\s0). Don't despair if you don't know what \s-1EBNF\s0 is; it is fairly simple, and the definitions below are annotated. -.Sh "Quick guide to \s-1EBNF\s0" +.SS "Quick guide to \s-1EBNF\s0" .IX Subsection "Quick guide to EBNF" \&\s-1EBNF\s0 is a concise and exact way of describing the grammar of a language. Each \s-1EBNF\s0 definition is made up of \fIproduction rules\fR. E.g., @@ -205,7 +197,7 @@ one or more times. Parentheses may be used to group symbols together. For clarity, we will use single quotes ('') to designate what is a verbatim character string (as opposed to a symbol name). -.Sh "Aliases" +.SS "Aliases" .IX Subsection "Aliases" There are four kinds of aliases: \f(CW\*(C`User_Alias\*(C'\fR, \f(CW\*(C`Runas_Alias\*(C'\fR, \&\f(CW\*(C`Host_Alias\*(C'\fR and \f(CW\*(C`Cmnd_Alias\*(C'\fR. 
@@ -339,7 +331,7 @@ arguments: ',', ':', '=', '\e'. The special command \f(CW"sudoedit"\fR is used to permit a user to run \fBsudo\fR with the \fB\-e\fR option (or as \fBsudoedit\fR). It may take command line arguments just as a normal command does. -.Sh "Defaults" +.SS "Defaults" .IX Subsection "Defaults" Certain configuration options may be changed from their default values at runtime via one or more \f(CW\*(C`Default_Entry\*(C'\fR lines. These @@ -376,7 +368,7 @@ It is not an error to use the \f(CW\*(C`\-=\*(C'\fR operator to remove an elemen that does not exist in a list. .PP See \*(L"\s-1SUDOERS\s0 \s-1OPTIONS\s0\*(R" for a list of supported Defaults parameters. -.Sh "User Specification" +.SS "User Specification" .IX Subsection "User Specification" .Vb 2 \& User_Spec ::= User_List Host_List \*(Aq=\*(Aq Cmnd_Spec_List \e @@ -398,7 +390,7 @@ A \fBuser specification\fR determines which commands a user may run run as \fBroot\fR, but this can be changed on a per-command basis. .PP Let's break that down into its constituent parts: -.Sh "Runas_Spec" +.SS "Runas_Spec" .IX Subsection "Runas_Spec" A \f(CW\*(C`Runas_Spec\*(C'\fR is simply a \f(CW\*(C`Runas_List\*(C'\fR (as defined above) enclosed in a set of parentheses. If you do not specify a @@ -426,7 +418,7 @@ entry. If we modify the entry like so: .PP Then user \fBdgb\fR is now allowed to run \fI/bin/ls\fR as \fBoperator\fR, but \fI/bin/kill\fR and \fI/usr/bin/lprm\fR as \fBroot\fR. -.Sh "Tag_Spec" +.SS "Tag_Spec" .IX Subsection "Tag_Spec" A command may have zero or more tags associated with it. There are six possible tag values, \f(CW\*(C`NOPASSWD\*(C'\fR, \f(CW\*(C`PASSWD\*(C'\fR, \f(CW\*(C`NOEXEC\*(C'\fR, \f(CW\*(C`EXEC\*(C'\fR, 
@@ -497,7 +489,7 @@ to the restrictions imposed by \fIenv_check\fR, \fIenv_delete\fR, or variables in this manner. If the command matched is \fB\s-1ALL\s0\fR, the \&\f(CW\*(C`SETENV\*(C'\fR tag is implied for that command; this default may be overridden by use of the \f(CW\*(C`UNSETENV\*(C'\fR tag. -.Sh "Wildcards" +.SS "Wildcards" .IX Subsection "Wildcards" \&\fBsudo\fR allows shell-style \fIwildcards\fR (aka meta or glob characters) to be used in hostnames, pathnames and command line arguments in @@ -536,7 +528,7 @@ wildcards. This is to make a path like: .Ve .PP match \fI/usr/bin/who\fR but not \fI/usr/bin/X11/xterm\fR. -.Sh "Exceptions to wildcard rules" +.SS "Exceptions to wildcard rules" .IX Subsection "Exceptions to wildcard rules" The following exceptions apply to the above rules: .ie n .IP """""" 8 @@ -545,7 +537,7 @@ The following exceptions apply to the above rules: If the empty string \f(CW""\fR is the only command line argument in the \&\fIsudoers\fR entry it means that command is not allowed to be run with \fBany\fR arguments. -.Sh "Other special characters and reserved words" +.SS "Other special characters and reserved words" .IX Subsection "Other special characters and reserved words" The pound sign ('#') is used to indicate a comment (unless it is part of a #include directive or unless it occurs in the context of 
@@ -788,7 +780,12 @@ system that is mounted on demand (automounted). The \fIfast_glob\fR option causes \fBsudo\fR to use the \fIfnmatch\fR\|(3) function, which does not access the file system to do its matching. The disadvantage of \fIfast_glob\fR is that it is unable to match relative pathnames -such as \fI./ls\fR or \fI../bin/ls\fR. This flag is \fIoff\fR by default. +such as \fI./ls\fR or \fI../bin/ls\fR. This has security implications +when path names that include globbing characters are used with the +negation operator, \f(CW\*(Aq!\*(Aq\fR, as such rules can be trivially bypassed. +As such, this option should not be used when \fIsudoers\fR contains rules +that contain negated path names which include globbing characters. +This flag is \fIoff\fR by default. .IP "stay_setuid" 16 .IX Item "stay_setuid" Normally, when \fBsudo\fR executes a command the real and effective 
@@ -1355,6 +1352,24 @@ Doesn't really prevent \fBbill\fR from running the commands listed in different name, or use a shell escape from an editor or other program. Therefore, these kind of restrictions should be considered advisory at best (and reinforced by policy). +.PP +Furthermore, if the \fIfast_glob\fR option is in use, it is not possible +to reliably negate commands where the path name includes globbing +(aka wildcard) characters. This is because the C library's +\&\fIfnmatch\fR\|(3) function cannot resolve relative paths. While this +is typically only an inconvenience for rules that grant privileges, +it can result in a security issue for rules that subtract or revoke +privileges. +.PP +For example, given the following \fIsudoers\fR entry: +.PP +.Vb 2 +\& john ALL = /usr/bin/passwd [a\-zA\-Z0\-9]*, /usr/bin/chsh [a\-zA\-Z0\-9]*, +\& /usr/bin/chfn [a\-zA\-Z0\-9]*, !/usr/bin/* root +.Ve +.PP +User \fBjohn\fR can still run \f(CW\*(C`/usr/bin/passwd root\*(C'\fR if \fIfast_glob\fR is +enabled by changing to \fI/usr/bin\fR and running \f(CW\*(C`./passwd root\*(C'\fR instead. .SH "PREVENTING SHELL ESCAPES" .IX Header "PREVENTING SHELL ESCAPES" Once \fBsudo\fR executes a program, that program is free to do whatever diff --git a/sudoers.pod b/sudoers.pod index 74ddb5da1..267c26547 100644 --- a/sudoers.pod +++ b/sudoers.pod @@ -1,4 +1,4 @@ -Copyright (c) 1994-1996, 1998-2005, 2007 +Copyright (c) 1994-1996, 1998-2005, 2007-2010 Todd C. Miller Permission to use, copy, modify, and distribute this software for any 
@@ -669,7 +669,12 @@ system that is mounted on demand (automounted). The I option causes B to use the L function, which does not access the file system to do its matching. The disadvantage of I is that it is unable to match relative pathnames -such as F<./ls> or F<../bin/ls>. This flag is I by default. +such as F<./ls> or F<../bin/ls>. This has security implications +when path names that include globbing characters are used with the +negation operator, C<'!'>, as such rules can be trivially bypassed. +As such, this option should not be used when I contains rules +that contain negated path names which include globbing characters. +This flag is I by default. =item stay_setuid @@ -1269,6 +1274,22 @@ different name, or use a shell escape from an editor or other program. Therefore, these kind of restrictions should be considered advisory at best (and reinforced by policy). +Furthermore, if the I option is in use, it is not possible +to reliably negate commands where the path name includes globbing +(aka wildcard) characters. This is because the C library's +L function cannot resolve relative paths. While this +is typically only an inconvenience for rules that grant privileges, +it can result in a security issue for rules that subtract or revoke +privileges. + +For example, given the following I entry: + + john ALL = /usr/bin/passwd [a-zA-Z0-9]*, /usr/bin/chsh [a-zA-Z0-9]*, + /usr/bin/chfn [a-zA-Z0-9]*, !/usr/bin/* root + +User B can still run C if I is +enabled by changing to F and running C<./passwd root> instead. + =head1 PREVENTING SHELL ESCAPES Once B executes a program, that program is free to do whatever -- cgit v1.2.1
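Review bot: The sudoers.cat and sudoers.man.in hunks are almost entirely regeneration churn rather than the fast_glob change: the Pod::Man header moves from 2.16 (Pod::Simple 3.05) to 2.22 (Pod::Simple 3.07), every `.Sh` subsection macro becomes `.SS` with the local `.de Sh` definition dropped, and the date bump in the footer reflows every page of sudoers.cat. That buries the two substantive paragraphs under hundreds of moved lines. Either regenerate with the same Pod::Man version as the previous commit or state in the commit message that the generated files were rebuilt with a newer toolchain, so a later reader knows the `.Sh` to `.SS` change is not intentional markup work.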
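Review bot: In the sudoers.pod fast_glob hunk the new text reads awkwardly: "as such rules can be trivially bypassed. As such, this option should not be used when I contains rules that contain negated path names which include globbing characters" repeats "as such" in consecutive sentences and "contains ... contain" in one clause. Suggest "since such rules can be trivially bypassed. This option should therefore not be used when sudoers contains negated path names that include globbing characters." The option description would also benefit from a pointer to the worked example added under SECURITY NOTES, in the same way the noexec entry points at "PREVENTING SHELL ESCAPES". Make the wording fix in sudoers.pod only and regenerate the .man.in and .cat outputs from it rather than editing the three copies by hand.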
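Review bot: In the SECURITY NOTES hunk of sudoers.pod the sentence "This is because the C library's fnmatch(3) function cannot resolve relative paths" is a little loose; the fast_glob entry earlier in the same file already gives the precise reason, that fnmatch(3) does not access the file system, so it compares the pattern only against the command path as the user typed it, and a relative spelling of the same binary never matches a negated absolute pattern. Reusing that phrasing here would make the two passages agree. Two smaller points on the example: the entry wraps after the trailing comma with no `\` continuation, so either confirm the parser accepts that or add the backslash so the example can be pasted verbatim; and since the preceding paragraph already says "!" with ALL rarely works as intended, consider ending the new paragraph by restating the safe configuration explicitly, namely leave fast_glob at its default of off wherever negated path names carry globbing characters.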