This patch will upgrade Sudo version 1.6.2 to version 1.6.2 patchlevel 3. To apply, do: cd sudo-1.6.2 patch -p1 < sudo-1.6.2p3.patch diff -ur sudo-1.6.2/CHANGES sudo-1.6.2p3/CHANGES --- sudo-1.6.2/CHANGES Sun Jan 23 20:02:12 2000 +++ sudo-1.6.2p3/CHANGES Thu Mar 9 11:39:43 2000 @@ -1242,3 +1242,15 @@ 392) PAM fixups: custom prompts now work correctly and errors are dealt with more sanely. Patches from Cloyce D. Spradling. + +Sudo 1.6.2 released. + +393) Users in the 'exempt' group shouldn't get their $PATH overridden + by 'secure-path'. Patch from jmknoble@pobox.com. + +394) Pam now works on HP-UX 11.0, thanks to Jeff A. Earickson. + +395) Fixed a bug that caused an infinite loop when the password + timeout was disabled. + +396) Fixed a typo/thinko that broke secureware support for long passwords. diff -ur sudo-1.6.2/INSTALL sudo-1.6.2p3/INSTALL --- sudo-1.6.2/INSTALL Mon Jan 17 16:42:10 2000 +++ sudo-1.6.2p3/INSTALL Thu Jan 27 12:33:10 2000 @@ -159,11 +159,17 @@ on the machine. --with-pam - Enable PAM support. Tested on Redhat Linux 5.x, 6.0 and - Solaris 2.6, 7. - NOTE: on RedHat Linux (and perhaps others) you *must* install - an /etc/pam.d/sudo file. You may either use the sample.pam - file included with sudo or use /etc/pam.d/su as a reference. + Enable PAM support. Tested on: + Redhat Linux 5.x, 6.0, and 6.1 + Solaris 2.6 and 7 + HP-UX 11.0 + NOTE: on RedHat Linux you *must* install an /etc/pam.d/sudo file. + You may either use the sample.pam file included with sudo or use + /etc/pam.d/su as a reference. On Solaris and HP-UX 11 systems + you should check (and understand) the contents of /etc/pam.conf. + Do a "man pam.conf" for more information and consider using the + "debug" option, if available, with your PAM libraries in + /etc/pam.conf to obtain syslog output for debugging purposes. --with-AFS Enable AFS support with kerberos authentication. Should work under 
@@ -171,8 +177,14 @@ link without it. --with-DCE - Enable DCE support. Known to work on HP-UX 9.X and 10.0. Other - platforms may require source code and/or `configure' changes. + Enable DCE support. Known to work on HP-UX 9.X, 10.X, and 11.0. + The use of PAM is recommended for HP-UX 11.X systems, since PAM is + fully implemented (this is not true for 10.20 and earlier versions). + Check to see that your 11.X (or other) system uses DCE via PAM by + looking at /etc/pam.conf to see if "libpam_dce" libraries are + referenced there. Other platforms may require source code and/or + `configure' changes; you should check to see if your platform can + access DCE via PAM before using this option. --disable-sia Disable SIA support. This is the "Security Integration Architecture" @@ -228,11 +240,11 @@ security hole as most editors allow a user to get a shell (which would be a root shell and hence, no logging). -The following options are also configurable at runtime: - --with-otp-only This option is now just an alias for --without-passwd. +The following options are also configurable at runtime: + --with-long-otp-prompt When validating with a One Time Password scheme (S/Key or OPIE), a two-line prompt is used to make it easier to cut and paste the @@ -286,7 +298,7 @@ Default is "*** SECURITY information for %h ***". --without-mail-if-no-user - Normally, sudo will mail to the "alermail" user if the user invoking + Normally, sudo will mail to the "alertmail" user if the user invoking sudo is not in the sudoers file. This option disables that behavior. --with-mail-if-no-host 
@@ -357,8 +369,8 @@ The default is 5, set this to 0 for no password timeout. --with-tty-tickets - This makes sudo use a different ticket file for each tty (per user). - Ie: instead of the ticket file being "username" it is "username:tty". + This makes sudo use a different ticket file for each user/tty combo. + Ie: instead of the ticket path being "username" it is "username/tty". This is useful for "shared" accounts like "operator". Note that this means that there will be more files in the timestamp dir. This is not a problem if your system has a cron job to remove of files from /tmp diff -ur sudo-1.6.2/Makefile.in sudo-1.6.2p3/Makefile.in --- sudo-1.6.2/Makefile.in Mon Jan 17 16:46:24 2000 +++ sudo-1.6.2p3/Makefile.in Mon Jan 24 08:48:46 2000 @@ -34,7 +34,7 @@ # # @configure_input@ # -# $Sudo: Makefile.in,v 1.193 2000/01/17 23:46:24 millert Exp $ +# $Sudo: Makefile.in,v 1.194 2000/01/24 15:48:46 millert Exp $ # #### Start of system configuration section. #### @@ -148,7 +148,7 @@ sample.sudoers sudo.cat sudo.man sudo.pod sudoers sudoers.cat \ sudoers.man sudoers.pod visudo.cat visudo.man visudo.pod auth/API -BINFILES= BUGS CHANGES FAQ HISTORY LICENSE README TODO TROUBLESHOOTING \ +BINFILES= BUGS CHANGES HISTORY LICENSE README TODO TROUBLESHOOTING \ UPGRADE install-sh mkinstalldirs sample.syslog.conf sample.sudoers \ sudo sudo.cat sudo.man sudo.pod sudoers sudoers.cat sudoers.man \ sudoers.pod visudo visudo.cat visudo.man visudo.pod @@ -342,6 +342,7 @@ cp ../../$(srcdir)/$$i . ; \ fi ; \ done ; \ + ln -s TROUBLESHOOTING FAQ ; \ for i in $(BINSPECIAL) ; do \ if [ -f ../../$$i ]; then \ cp ../../$$i `basename $$i .binary` ; \ diff -ur sudo-1.6.2/RUNSON sudo-1.6.2p3/RUNSON --- sudo-1.6.2/RUNSON Sun Jan 23 20:41:58 2000 +++ sudo-1.6.2p3/RUNSON Sat Feb 26 20:22:33 2000 
@@ -6,16 +6,16 @@ Name Rev Arch Used Version By Options ======= ======= ======= =============== ======= =============== =============== Auspex 1.6.1 sun4 bundled cc 1.3.4 Alek Komarnitsky none -SunOS 4.1.3 sun4 bundled cc 1.6.2 Todd Miller none -SunOS 4.1.3 sun4 gcc2.9.5.2 1.6.2 Todd Miller none +SunOS 4.1.3 sun4 bundled cc 1.6.2p2 Todd Miller none +SunOS 4.1.3 sun4 gcc2.9.5.2 1.6.2p2 Todd Miller none SunOS 4.1.3 sun4 gcc2.7.2.1 1.5.3 Todd Miller --with-kerb4 -SunOS 4.1.3 sun4 gcc2.9.5.2 1.6.2 Todd Miller --with-skey +SunOS 4.1.3 sun4 gcc2.9.5.2 1.6.2p2 Todd Miller --with-skey Solaris 2.5.1 sparc SC4.0 1.5.6p1 Brian Jackson none Solaris 2.5.1 sun4u gcc2.7.2.3 1.5.4 Leon von Stauber none Solaris 2.5.1 i386 gcc2.7.2 1.5.4 Leon von Stauber none -Solaris 2.6 sparc gcc2.9.5.2 1.6.2 Todd Miller none -Solaris 2.6 sparc gcc2.9.5.2 1.6.2 Todd Miller --with-pam -Solaris 2.6 i386 gcc2.9.5.2 1.6.2 Todd Miller none +Solaris 2.6 sparc gcc2.9.5.2 1.6.2p2 Todd Miller none +Solaris 2.6 sparc gcc2.9.5.2 1.6.2p2 Todd Miller --with-pam +Solaris 2.6 i386 gcc2.9.5.2 1.6.2p2 Todd Miller none Solaris 2.6 sparc unbundled cc 1.5.7 Giff Hammar none Solaris 2.6 i386 unbundled cc 1.5.8p2 Udo Keller none Solaris 7 i386 gcc 2.8.1 1.6.1 Ido Dubrawsky none 
@@ -32,14 +32,15 @@ HP-UX 9.05 hp700 gcc2.7.2.1 1.5.3 Todd Miller --with-kerb4 HP-UX 9.07 hp700 unbundled cc 1.5 Alek Komarnitsky --with-C2 HP-UX 9.05 hp700 unbundled cc 1.4 Todd Miller none -HP-UX 10.10 hp700 unbundled cc 1.6.2 Todd Miller --with-skey -HP-UX 10.20 hp700 gcc2.9.5.2 1.6.2 Todd Miller --with-skey -HP-UX 10.20 hp700 bundled cc 1.6.2 Todd Miller none +HP-UX 10.10 hp700 unbundled cc 1.6.2p2 Todd Miller --with-skey +HP-UX 10.20 hp700 gcc2.9.5.2 1.6.2p2 Todd Miller --with-skey +HP-UX 10.20 hp700 bundled cc 1.6.2p2 Todd Miller none HP-UX 10.20 PA-RISC2.0 bundled cc 1.5.4 Leon von Stauber none HP-UX 11.00 hp700 ansi-c 1.5.5b1 Alek Komarnitsky --with-C2 HP-UX 11.00 hp700 bundled cc 1.5.5p5 Lynn Osburn none -HP-UX 10.20 hp700 gcc 2.8.1 1.5.6b2 Jeff Earickson --with-DCE -Ultrix 4.3 mips bundled cc 1.6.2 Todd Miller none +HP-UX 11.00 hp700 HP C compiler 1.6.2 Jeff Earickson --with-pam +HP-UX 10.20 hp700 gcc 2.95.2 1.6.2 Jeff Earickson --with-DCE +Ultrix 4.3 mips bundled cc 1.6.2p2 Todd Miller none Ultrix 4.3 mips gcc2.7.2.1 1.5.9 Todd Miller --with-skey IRIX 4.05H mips gcc2.6.3 1.5.3 Todd Miller none IRIX 4.05H mips unbundled cc 1.4 Todd Miller none @@ -47,8 +48,8 @@ IRIX 5.3 mips MipsPro C 1.5.6p1 Brian Jackson none IRIX 6.2 mips MipsPro C 1.5.6p1 Brian Jackson none IRIX 6.5 mips MipsPro C 1.5.6p1 Brian Jackson none -IRIX 5.3 mips unbundled cc 1.6.2 Todd Miller none -IRIX 5.3 mips gcc2.9.5.2 1.6.2 Todd Miller --with-skey +IRIX 5.3 mips unbundled cc 1.6.2p2 Todd Miller none +IRIX 5.3 mips gcc2.9.5.2 1.6.2p2 Todd Miller --with-skey IRIX 5.3 mips gcc2.7.2.1 1.5.3 Todd Miller --with-kerb4 IRIX 5.3 mips unbundled cc 1.4 Wallace Winfrey --with-C2 IRIX 6.2 mips unbundled cc 1.5 Alek Komarnitsky --with-C2 
@@ -66,15 +67,14 @@ NEXTSTEP 3.3 i386 bundled cc 1.4 Jonathan Adams none NEXTSTEP 3.3 sparc bundled cc 1.5.3 Mike Kienenberger none DEC UNIX 3.2c alpha bundled cc 1.5.3 Todd Miller none -DEC UNIX 4.0D alpha gcc-2.9.5.2 1.6.2 Todd Miller --with-skey +DEC UNIX 4.0D alpha gcc-2.9.5.2 1.6.2p2 Todd Miller --with-skey DEC UNIX 4.0 alpha gcc-2.7.2.1 1.5.3 Todd Miller --with-kerb4 DEC UNIX 4.0D alpha bundled cc 1.5.3 Randall R. Cable --with-C2 DEC UNIX 4.0E alpha bundled cc 1.5.9p2 Vangelis Haniotakis none AIX 3.2.X rs6000 bundled cc 1.4 Todd Miller none -AIX 4.1.3 rs6000 gcc-2.8.1 1.6.2 Todd Miller none AIX 4.1.3 PowerPC gcc-2.7.0 1.4 Bob Shair none -AIX 4.1.4 rs6000 gcc-2.8.1 1.6.2 Todd Miller none -AIX 4.1.4 rs6000 gcc-2.8.1 1.6.2 Todd Miller --with-authenticate +AIX 4.1.4 rs6000 gcc-2.8.1 1.6.2p2 Todd Miller none +AIX 4.1.4 rs6000 gcc-2.8.1 1.6.2p2 Todd Miller --with-authenticate AIX 4.1.5 rs6000 gcc-2.7.2.3 1.4.4 Daniel Robitaille none AIX 4.1.X rs6000 bundled cc 1.5.3 Robin Jackson --with-AFS AIX 4.1.X PowerPC bundled cc 1.5.3 Robin Jackson --with-AFS @@ -85,9 +85,9 @@ ConvexOS 9.1 convex bundled cc 1.3.6 Todd Miller none ConvexOS 9.1 convex gcc2.4.5 1.3.6 Todd Miller none BSD/OS 2.1 i386 shlicc 1.5.3 Todd Miller none -OpenBSD 2.X i586 gcc-2.8.1 1.6.2 Todd Miller none -OpenBSD 2.X alpha gcc-2.8.1 1.6.2 Todd Miller none -OpenBSD 2.X m68k gcc-2.8.1 1.6.2 Todd Miller none +OpenBSD 2.X i586 gcc-2.8.1 1.6.2p2 Todd Miller none +OpenBSD 2.X alpha gcc-2.8.1 1.6.2p2 Todd Miller none +OpenBSD 2.X m68k gcc-2.8.1 1.6.2p2 Todd Miller none OpenBSD 2.X mvme88k gcc-2.8.1 1.5.9 Steve Murphree none FreeBSD 1.1 i386 gcc 1.3.2 Dworkin Muller none FreeBSD 2.0.5 i386 gcc 1.3.4 Dworkin Muller none 
@@ -95,12 +95,12 @@ Linux 1.2.13 i486 gcc-2.7.0 1.4 Michael Forman none Linux 1.2.8 i486 gcc-2.5.8 1.3.5 Ted Coady --with-C2 Linux 2.0.15 i586 gcc-2.7.2.1 1.5 Danny Barron none -Linux 2.0.36 i586 gcc-2.95.2 1.6.2 Todd Miller none +Linux 2.0.36 i586 gcc-2.95.2 1.6.2p2 Todd Miller none Linux 2.0.34 i586 egcs-2.91.57 1.5.6p2 Darrin Chandler none Linux 2.0.36 i586 gcc-2.7.2.3 1.5.7p4 Nathan Haney none Linux 2.0.34 alpha egcs-2.90.27 1.5.3 Karl Schlitt none Linux 2.0.33pl1 m68k gcc 2.7.2.3 1.5.6 James Troup none -Linux 2.2.12 i586 gcc-2.95.2 1.6.2 Todd Miller --with-pam +Linux 2.2.12 i586 gcc-2.95.2 1.6.2p2 Todd Miller --with-pam Linux 2.2.6-15 ppc egcs-1.1.2 1.5.9p4 Barbara Schelkle none Linux 2.0.34 mips gcc-2.7.2 1.6 Tristan Roddis none UnixWare 1.1.4 i386 gcc-2.7.2 1.4 Michael Hancock none diff -ur sudo-1.6.2/auth/sudo_auth.c sudo-1.6.2p3/auth/sudo_auth.c --- sudo-1.6.2/auth/sudo_auth.c Sun Dec 5 23:47:19 1999 +++ sudo-1.6.2p3/auth/sudo_auth.c Thu Mar 9 11:38:57 2000 @@ -67,7 +67,7 @@ # ifndef WITHOUT_PASSWD AUTH_ENTRY(0, "passwd", NULL, NULL, passwd_verify, NULL) # endif -# if defined(HAVE_SECUREWARE) && !defined(WITHOUT_PASSWD) +# if defined(HAVE_GETPRPWNAM) && !defined(WITHOUT_PASSWD) AUTH_ENTRY(0, "secureware", secureware_init, NULL, secureware_verify, NULL) # endif # ifdef HAVE_AFS diff -ur sudo-1.6.2/configure sudo-1.6.2p3/configure --- sudo-1.6.2/configure Wed Jan 19 11:52:00 2000 +++ sudo-1.6.2p3/configure Thu Jan 27 12:58:49 2000 
@@ -7630,6 +7630,44 @@ AUTH_OBJS="${AUTH_OBJS} kerb5.o" fi +if test "$with_pam" = "yes"; then + echo $ac_n "checking for -ldl""... $ac_c" 1>&6 +echo "configure:7636: checking for -ldl" >&5 +if eval "test \"`echo '$''{'ac_cv_lib_dl'+set}'`\" = set"; then + echo $ac_n "(cached) $ac_c" 1>&6 +else + ac_save_LIBS="$LIBS" +LIBS="-ldl $LIBS" +cat > conftest.$ac_ext <&5; (eval $ac_link) 2>&5; } && test -s conftest; then + rm -rf conftest* + ac_cv_lib_dl=yes +else + echo "configure: failed program was:" >&5 + cat conftest.$ac_ext >&5 + rm -rf conftest* + ac_cv_lib_dl=no +fi +rm -f conftest* +LIBS="$ac_save_LIBS" + +fi +echo "$ac_t""$ac_cv_lib_dl" 1>&6 +if test "$ac_cv_lib_dl" = yes; then + SUDO_LIBS="${SUDO_LIBS} -ldl -lpam" +else + SUDO_LIBS="${SUDO_LIBS} -lpam" +fi + +fi + if test "$with_kerb4" = "yes"; then cat >> confdefs.h <<\EOF #define HAVE_KERB4 1 @@ -7658,21 +7696,21 @@ fi echo $ac_n "checking for -ldes""... $ac_c" 1>&6 -echo "configure:7662: checking for -ldes" >&5 +echo "configure:7700: checking for -ldes" >&5 if eval "test \"`echo '$''{'ac_cv_lib_des'+set}'`\" = set"; then echo $ac_n "(cached) $ac_c" 1>&6 else ac_save_LIBS="$LIBS" LIBS="-ldes $LIBS" cat > conftest.$ac_ext <&5; (eval $ac_link) 2>&5; } && test -s conftest; then +if { (eval echo configure:7714: \"$ac_link\") 1>&5; (eval $ac_link) 2>&5; } && test -s conftest; then rm -rf conftest* ac_cv_lib_des=yes else @@ -7695,10 +7733,6 @@ AUTH_OBJS="${AUTH_OBJS} kerb4.o" fi -if test "$with_pam" = "yes"; then - SUDO_LIBS="${SUDO_LIBS} -ldl -lpam" -fi - if test "$with_AFS" = "yes"; then # looks like the "standard" place for AFS libs is /usr/afsws/lib 
@@ -7795,7 +7829,7 @@ fi echo $ac_n "checking for log file location""... $ac_c" 1>&6 -echo "configure:7799: checking for log file location" >&5 +echo "configure:7833: checking for log file location" >&5 if test -n "$with_logpath"; then echo "$ac_t""$with_logpath" 1>&6 cat >> confdefs.h <&6 -echo "configure:7829: checking for timestamp file location" >&5 +echo "configure:7863: checking for timestamp file location" >&5 if test -n "$with_timedir"; then echo "$ac_t""$with_timedir" 1>&6 cat >> confdefs.h < dnl @@ -1433,6 +1433,13 @@ fi dnl +dnl PAM libs +dnl +if test "$with_pam" = "yes"; then + AC_HAVE_LIBRARY(dl, SUDO_LIBS="${SUDO_LIBS} -ldl -lpam", SUDO_LIBS="${SUDO_LIBS} -lpam") +fi + +dnl dnl Find kerberos 4 includes and libs or complain dnl if test "$with_kerb4" = "yes"; then @@ -1461,13 +1468,6 @@ AC_HAVE_LIBRARY(des, SUDO_LIBS="${SUDO_LIBS} -lkrb -ldes", SUDO_LIBS="${SUDO_LIBS} -lkrb") AUTH_OBJS="${AUTH_OBJS} kerb4.o" -fi - -dnl -dnl PAM libs -dnl -if test "$with_pam" = "yes"; then - SUDO_LIBS="${SUDO_LIBS} -ldl -lpam" fi dnl diff -ur sudo-1.6.2/find_path.c sudo-1.6.2p3/find_path.c --- sudo-1.6.2/find_path.c Thu Oct 7 15:20:57 1999 +++ sudo-1.6.2p3/find_path.c Wed Jan 26 21:31:58 2000 @@ -64,7 +64,7 @@ #endif /* !STDC_HEADERS */ #ifndef lint -static const char rcsid[] = "$Sudo: find_path.c,v 1.94 1999/10/07 21:20:57 millert Exp $"; +static const char rcsid[] = "$Sudo: find_path.c,v 1.95 2000/01/27 04:31:58 millert Exp $"; #endif /* lint */ /* @@ -108,7 +108,7 @@ * Grab PATH out of the environment (or from the string table * if SECURE_PATH is in effect) and make a local copy. */ - if (def_str(I_SECURE_PATH)) + if (def_str(I_SECURE_PATH) && !user_is_exempt()) path = def_str(I_SECURE_PATH); else if ((path = getenv("PATH")) == NULL) return(NOT_FOUND); diff -ur sudo-1.6.2/sudo.tab.c sudo-1.6.2p3/sudo.tab.c --- sudo-1.6.2/sudo.tab.c Tue Jan 11 11:20:40 2000 +++ sudo-1.6.2p3/sudo.tab.c Thu Jan 27 18:41:33 2000 
@@ -4,7 +4,7 @@ #if __GNUC__ == 2 __attribute__ ((unused)) #endif /* __GNUC__ == 2 */ - = "$OpenBSD: skeleton.c,v 1.13 1998/11/18 15:45:12 dm Exp $"; + = "$OpenBSD: skeleton.c,v 1.15 2000/01/27 21:34:23 deraadt Exp $"; #endif #include #define YYBYACC 1 @@ -18,7 +18,7 @@ #define YYPREFIX "yy" #line 2 "parse.yacc" /* - * Copyright (c) 1996, 1998, 1999 Todd C. Miller + * Copyright (c) 1996, 1998-2000 Todd C. Miller * All rights reserved. * * This code is derived from software contributed by Chris Jepeway @@ -97,7 +97,7 @@ #endif /* HAVE_LSEARCH */ #ifndef lint -static const char rcsid[] = "$Sudo: sudo.tab.c,v 1.47 2000/01/11 18:20:40 millert Exp $"; +static const char rcsid[] = "$Sudo: sudo.tab.c,v 1.49 2000/01/28 01:41:33 millert Exp $"; #endif /* lint */ /* @@ -950,18 +950,27 @@ newss = yyss ? (short *)realloc(yyss, newsize * sizeof *newss) : (short *)malloc(newsize * sizeof *newss); if (newss == NULL) - return -1; + goto bail; yyss = newss; yyssp = newss + i; newvs = yyvs ? (YYSTYPE *)realloc(yyvs, newsize * sizeof *newvs) : (YYSTYPE *)malloc(newsize * sizeof *newvs); if (newvs == NULL) - return -1; + goto bail; yyvs = newvs; yyvsp = newvs + i; yystacksize = newsize; yysslim = yyss + newsize - 1; return 0; +bail: + if (yyss) + free(yyss); + if (yyvs) + free(yyvs); + yyss = yyssp = NULL; + yyvs = yyvsp = NULL; + yystacksize = 0; + return -1; } #define YYABORT goto yyabort @@ -1793,7 +1802,7 @@ yyval.BOOLEAN = TRUE; } break; -#line 1797 "sudo.tab.c" +#line 1806 "sudo.tab.c" } yyssp -= yym; yystate = *yyssp; diff -ur sudo-1.6.2/sudoers.cat sudo-1.6.2p3/sudoers.cat --- sudo-1.6.2/sudoers.cat Sun Jan 23 20:59:01 2000 +++ sudo-1.6.2p3/sudoers.cat Thu Jan 27 13:11:06 2000 @@ -61,7 +61,7 @@ -23/Jan/2000 1.6.2 1 +26/Jan/2000 1.6.2 1 @@ -127,7 +127,7 @@ -23/Jan/2000 1.6.2 2 +26/Jan/2000 1.6.2 2 @@ -193,7 +193,7 @@ -23/Jan/2000 1.6.2 3 +26/Jan/2000 1.6.2 3 
@@ -225,147 +225,284 @@ FFFFllllaaaaggggssss: long_otp_prompt - Put OTP prompt on its own line + When validating with a One Time Password + scheme (SSSS////KKKKeeeeyyyy or OOOOPPPPIIIIEEEE), a two-line prompt is + used to make it easier to cut and paste the + challenge to a local window. It's not as + pretty as the default but some people find it + more convenient. This flag is off by default. + + ignore_dot If set, ssssuuuuddddoooo will ignore '.' or '' (current + dir) in $PATH; the $PATH itself is not + modified. This flag is off by default. - ignore_dot Ignore '.' in $PATH - - mail_always Always send mail when sudo is run + mail_always Send mail to the _m_a_i_l_t_o user every time a + users runs sudo. This flag is off by default. mail_no_user - Send mail if the user is not in sudoers + If set, mail will be sent to the _m_a_i_l_t_o user + if the invoking user is not in the _s_u_d_o_e_r_s + file. This flag is on by default. mail_no_host - Send mail if the user is not in sudoers for - this host + If set, mail will be sent to the _m_a_i_l_t_o user + if the invoking user exists in the _s_u_d_o_e_r_s + file, but is not allowed to run commands on + the current host. This flag is off by + default. mail_no_perms - Send mail if the user is not allowed to run a - command - - tty_tickets Use a separate timestamp for each user/tty - combo + If set, mail will be sent to the _m_a_i_l_t_o user + if the invoking user allowed to use sudo but + the command they are trying is not listed in + their _s_u_d_o_e_r_s file entry. This flag is off by - lecture Lecture user the first time they run sudo - authenticate - Require users to authenticate by default - root_sudo Root may run sudo +26/Jan/2000 1.6.2 4 - log_host Log the hostname in the (non-syslog) log file - log_year Log the year in the (non-syslog) log file +sudoers(5) FILE FORMATS sudoers(5) -23/Jan/2000 1.6.2 4 + default. + tty_tickets If set, users must authenticate on a per-tty + basis. 
Normally, ssssuuuuddddoooo uses a directory in the + ticket dir with the same name as the user + running it. With this flag enabled, ssssuuuuddddoooo will + use a file named for the tty the user is + logged in on in that directory. This flag is + off by default. + lecture If set, a user will receive a short lecture + the first time he/she runs ssssuuuuddddoooo. This flag is + on by default. + authenticate + If set, users must authenticate themselves via + a password (or other means of authentication) + before they may run commands. This default + may be overridden via the PASSWD and NOPASSWD + tags. This flag is on by default. + + root_sudo If set, root is allowed to run sudo too. + Disabling this prevents users from "chaining" + sudo commands to get a root shell by doing + something like "sudo sudo /bin/sh". This flag + is on by default. + + log_host If set, the hostname will be logged in the + (non-syslog) ssssuuuuddddoooo log file. This flag is off + by default. + + log_year If set, the four-digit year will be logged in + the (non-syslog) ssssuuuuddddoooo log file. This flag is + off by default. -sudoers(5) FILE FORMATS sudoers(5) + shell_noargs + If set and ssssuuuuddddoooo is invoked with no arguments + it acts as if the -s flag had been given. + That is, it runs a shell as root (the shell is + determined by the SHELL environment variable + if it is set, falling back on the shell listed + in the invoking user's /etc/passwd entry if + not). This flag is off by default. + + set_home If set and ssssuuuuddddoooo is invoked with the -s flag + the HOME environment variable will be set to + the home directory of the target user (which + is root unless the -u option is used). This + effectively makes the -s flag imply -H. This + flag is off by default. + + path_info Normally, ssssuuuuddddoooo will tell the user when a + command could not be found in their $PATH. 
+ Some sites may wish to disable this as it + + + +26/Jan/2000 1.6.2 5 - shell_noargs - If sudo is invoked with no arguments, start a - shell - set_home Set $HOME to the target user when starting a - shell with -s - path_info Allow some information gathering to give - useful error messages - fqdn Require fully-qualified hostnames in the - sudoers file +sudoers(5) FILE FORMATS sudoers(5) - insults Insult the user when they enter an incorrect - password - requiretty Only allow the user to run sudo if they have a - tty + could be used to gather information on the + location of executables that the normal user + does not have access to. The disadvantage is + that if the executable is simply not in the + user's $PATH, ssssuuuuddddoooo will tell the user that + they are not allowed to run it, which can be + confusing. This flag is off by default. + + fqdn Set this flag if you want to put fully + qualified hostnames in the _s_u_d_o_e_r_s file. Ie: + instead of myhost you would use + myhost.mydomain.edu. You may still use the + short form if you wish (and even mix the two). + Beware that turning on _f_q_d_n requires sudo to + make DNS lookups which may make ssssuuuuddddoooo unusable + if DNS stops working (for example if the + machine is not plugged into the network). + Also note that you must use the host's + official name as DNS knows it. That is, you + may not use a host alias (CNAME entry) due to + performance issues and the fact that there is + no way to get all aliases from DNS. If your + machine's hostname (as returned by the + hostname command) is already fully qualified + you shouldn't need to set _f_q_f_n. This flag is + off by default. + + insults If set, sudo will insult users when they enter + an incorrect password. This flag is off by + default. + + requiretty If set, sudo will only run when the user is + logged in to a real tty. This will disallow + things like "rsh somehost sudo ls" since + _r_s_h(1) does not allocate a tty. 
Because it is + not possible to turn of echo when there is no + tty present, some sites may with to set this + flag to prevent a user from entering a visible + password. This flag is off by default. IIIInnnntttteeeeggggeeeerrrrssss: passwd_tries - Number of tries to enter a password + The number of tries a user gets to enter + his/her password before sudo logs the failure + and exits. The default is 3. IIIInnnntttteeeeggggeeeerrrrssss tttthhhhaaaatttt ccccaaaannnn bbbbeeee uuuusssseeeedddd iiiinnnn aaaa bbbboooooooolllleeeeaaaannnn ccccoooonnnntttteeeexxxxtttt: - loglinelen Length at which to wrap log file lines (use 0 - or negate for no wrap) + loglinelen Number of characters per line for the file + log. This value is used to decide when to + wrap lines for nicer log files. This has no + effect on the syslog log file, only the file + log. The default is 80 (use 0 or negate to + + + +26/Jan/2000 1.6.2 6 + + + + + +sudoers(5) FILE FORMATS sudoers(5) + + + disable word wrap). timestamp_timeout - Authentication timestamp timeout + Number of minutes that can elapse before ssssuuuuddddoooo + will ask for a passwd again. The default is + 5, set this to 0 to always prompt for a + password. passwd_timeout - Password prompt timeout - - umask Umask to use or 0777 to use user's + Number of minutes before the sudo password + prompt times out. The default is 5, set this + to 0 for no password timeout. + + umask Umask to use when running the root command. + Set this to 0777 to not override the user's + umask. The default is 0022. SSSSttttrrrriiiinnnnggggssss: - mailsub Subject line for mail messages + mailsub Subject of the mail sent to the _m_a_i_l_t_o user. + The escape %h will expand to the hostname of + the machine. Default is "*** SECURITY + information for %h ***". badpass_message - Incorrect password message + Message that is displayed if a user enters an + incorrect password. The default is "Sorry, + try again." unless insults are enabled. 
timestampdir - Path to authentication timestamp dir - - passprompt Default password prompt + The directory in which ssssuuuuddddoooo stores its + timestamp files. The default is either + /var/run/sudo or /tmp/sudo. + + passprompt The default prompt to use when asking for a + password; can be overridden via the -p option + or the SUDO_PROMPT environment variable. + Supports two escapes: "%u" expands to the + user's login name and "%h" expands to the + local hostname. The default value is + "Password:". runas_default - Default user to run commands as + The default user to run commands as if the -u + flag is not specified on the command line. + This defaults to "root". syslog_goodpri Syslog priority to use when user authenticates + successfully. Defaults to "notice". + syslog_badpri + Syslog priority to use when user authenticates + unsuccessfully. Defaults to "alert". -23/Jan/2000 1.6.2 5 - +26/Jan/2000 1.6.2 7 -sudoers(5) FILE FORMATS sudoers(5) - successfully +sudoers(5) FILE FORMATS sudoers(5) - syslog_badpri - Syslog priority to use when user authenticates - unsuccessfully SSSSttttrrrriiiinnnnggggssss tttthhhhaaaatttt ccccaaaannnn bbbbeeee uuuusssseeeedddd iiiinnnn aaaa bbbboooooooolllleeeeaaaannnn ccccoooonnnntttteeeexxxxtttt: syslog Syslog facility if syslog is being used for - logging (negate to disable syslog) + logging (negate to disable syslog logging). + Defaults to "local2". - mailerpath Path to mail program + mailerpath Path to mail program used to send warning + mail. Defaults to the path to sendmail found + at configure time. - mailerflags Flags for mail program + mailerflags Flags to use when invoking mailer. Defaults to + -t. - mailto Address to send mail to + mailto Address to send warning and erorr mail to. + Defaults to "root". exempt_group Users in this group are exempt from password - and PATH requirements + and PATH requirements. This is not set by + default. 
- secure_path Value to override user's $PATH with + secure_path Path used for every command run from ssssuuuuddddoooo. If + you don't trust the people running sudo to + have a sane PATH environment variable you may + want to use this. Another use is if you want + to have the "root path" be separate from the + "user path." This is not set by default. verifypw This option controls when a password will be required when a user runs sudo with the ----vvvv. It has the following possible values: - all All the user's sudoers entries for the + all All the user's I entries for the current host must have the C flag set to avoid entering a password. - any At least one of the user's sudoers entries + any At least one of the user's I entries for the current host must have the C flag set to avoid entering a password. @@ -382,16 +519,11 @@ required when a user runs sudo with the ----llll. It has the following possible values: - all All the user's sudoers entries for the - current host must have the C - flag set to avoid entering a password. - - -23/Jan/2000 1.6.2 6 +26/Jan/2000 1.6.2 8 @@ -400,7 +532,11 @@ sudoers(5) FILE FORMATS sudoers(5) - any At least one of the user's sudoers entries + all All the user's I entries for the + current host must have the C + flag set to avoid entering a password. + + any At least one of the user's I entries for the current host must have the C flag set to avoid entering a password. @@ -450,14 +586,10 @@ commands that follow it. What this means is that for the entry: - dgb boulder = (operator) /bin/ls, /bin/kill, /usr/bin/who - - The user ddddggggbbbb may run _/_b_i_n_/_l_s, _/_b_i_n_/_k_i_l_l, and _/_u_s_r_/_b_i_n_/_l_p_r_m - -- but only as ooooppppeeeerrrraaaattttoooorrrr. Eg. -23/Jan/2000 1.6.2 7 +26/Jan/2000 1.6.2 9 
@@ -466,6 +598,11 @@ sudoers(5) FILE FORMATS sudoers(5) + dgb boulder = (operator) /bin/ls, /bin/kill, /usr/bin/who + + The user ddddggggbbbb may run _/_b_i_n_/_l_s, _/_b_i_n_/_k_i_l_l, and _/_u_s_r_/_b_i_n_/_l_p_r_m + -- but only as ooooppppeeeerrrraaaattttoooorrrr. Eg. + sudo -u operator /bin/ls. It is also possible to override a Runas_Spec later on in @@ -515,22 +652,21 @@ * Matches any set of zero or more characters. - ? Matches any single character. - - [...] Matches any character in the specified range. +26/Jan/2000 1.6.2 10 -23/Jan/2000 1.6.2 8 +sudoers(5) FILE FORMATS sudoers(5) -sudoers(5) FILE FORMATS sudoers(5) + ? Matches any single character. + [...] Matches any character in the specified range. [!...] Matches any character nnnnooootttt in the specified range. @@ -583,13 +719,9 @@ Long lines can be continued with a backslash ('\') as the last character on the line. - Whitespace between elements in a list as well as specicial - syntactic characters in a _U_s_e_r _S_p_e_c_i_f_i_c_a_t_i_o_n ('=', ':', - '(', ')') is optional. - -23/Jan/2000 1.6.2 9 +26/Jan/2000 1.6.2 11 @@ -598,6 +730,10 @@ sudoers(5) FILE FORMATS sudoers(5) + Whitespace between elements in a list as well as specicial + syntactic characters in a _U_s_e_r _S_p_e_c_i_f_i_c_a_t_i_o_n ('=', ':', + '(', ')') is optional. + The following characters must be escaped with a backslash ('\') when used as part of a word (eg. a username or hostname): '@', '!', '=', ':', ',', '(', ')', '\'. @@ -647,15 +783,11 @@ sure we log the year in each log line since the log entries will be kept around for several years. - # Override builtin defaults - Defaults syslog=auth - Defaults:FULLTIMERS !lecture - Defaults:millert !authenticate - Defaults@SERVERS log_year, logfile=/var/log/sudo.log -23/Jan/2000 1.6.2 10 + +26/Jan/2000 1.6.2 12 
@@ -664,6 +796,12 @@ sudoers(5) FILE FORMATS sudoers(5) + # Override builtin defaults + Defaults syslog=auth + Defaults:FULLTIMERS !lecture + Defaults:millert !authenticate + Defaults@SERVERS log_year, logfile=/var/log/sudo.log + The _U_s_e_r _s_p_e_c_i_f_i_c_a_t_i_o_n is the part that actually determines who may run what. @@ -713,15 +851,9 @@ pete HPPA = /usr/bin/passwd [A-z]*, !/usr/bin/passwd root - The user ppppeeeetttteeee is allowed to change anyone's password - except for root on the _H_P_P_A machines. Note that this - assumes _p_a_s_s_w_d(1) does not take multiple usernames on the - command line. - - -23/Jan/2000 1.6.2 11 +26/Jan/2000 1.6.2 13 @@ -730,6 +862,11 @@ sudoers(5) FILE FORMATS sudoers(5) + The user ppppeeeetttteeee is allowed to change anyone's password + except for root on the _H_P_P_A machines. Note that this + assumes _p_a_s_s_w_d(1) does not take multiple usernames on the + command line. + bob SPARC = (OP) ALL : SGI = (OP) ALL The user bbbboooobbbb may run anything on the _S_P_A_R_C and _S_G_I @@ -780,14 +917,9 @@ On his personal workstation, valkyrie, mmmmaaaatttttttt needs to be able to kill hung processes. - WEBMASTERS www = (www) ALL, (root) /usr/bin/su www - - On the host www, any user in the _W_E_B_M_A_S_T_E_R_S User_Alias - (will, wendy, and wim), may run any command as user www - -23/Jan/2000 1.6.2 12 +26/Jan/2000 1.6.2 14 @@ -796,6 +928,10 @@ sudoers(5) FILE FORMATS sudoers(5) + WEBMASTERS www = (www) ALL, (root) /usr/bin/su www + + On the host www, any user in the _W_E_B_M_A_S_T_E_R_S User_Alias + (will, wendy, and wim), may run any command as user www (which owns the web pages) or simply _s_u(1) to www. ALL CDROM = NOPASSWD: /sbin/umount /CDROM,\ @@ -849,11 +985,7 @@ - - - - -23/Jan/2000 1.6.2 13 +26/Jan/2000 1.6.2 15 
@@ -919,6 +1051,6 @@ -23/Jan/2000 1.6.2 14 +26/Jan/2000 1.6.2 16 diff -ur sudo-1.6.2/sudoers.man sudo-1.6.2p3/sudoers.man --- sudo-1.6.2/sudoers.man Sun Jan 23 20:57:49 2000 +++ sudo-1.6.2p3/sudoers.man Wed Jan 26 14:21:28 2000 @@ -1,9 +1,9 @@ .rn '' }` -''' $RCSfile: sudoers.man,v $$Revision: 1.22 $$Date: 2000/01/24 03:57:49 $ +''' $RCSfile: sudoers.man,v $$Revision: 1.23 $$Date: 2000/01/26 21:21:28 $ ''' ''' $Log: sudoers.man,v $ -''' Revision 1.22 2000/01/24 03:57:49 millert -''' Add netgroup caveat +''' Revision 1.23 2000/01/26 21:21:28 millert +''' Expanded docs on sudoers 'defaults' options based on INSTALL file info. ''' ''' .de Sh @@ -96,7 +96,7 @@ .nr % 0 .rr F .\} -.TH sudoers 5 "1.6.2" "23/Jan/2000" "FILE FORMATS" +.TH sudoers 5 "1.6.2" "26/Jan/2000" "FILE FORMATS" .UC .if n .hy 0 .if n .na 
@@ -376,96 +376,172 @@ .PP \fBFlags\fR: .Ip "long_otp_prompt" 12 -Put \s-1OTP\s0 prompt on its own line +When validating with a One Time Password scheme (\fBS/Key\fR or \fB\s-1OPIE\s0\fR), +a two-line prompt is used to make it easier to cut and paste the +challenge to a local window. It's not as pretty as the default but +some people find it more convenient. This flag is off by default. .Ip "ignore_dot" 12 -Ignore \*(L'.\*(R' in \f(CW$PATH\fR +If set, \fBsudo\fR will ignore \*(L'.\*(R' or \*(L'\*(R' (current dir) in \f(CW$PATH\fR; +the \f(CW$PATH\fR itself is not modified. This flag is off by default. .Ip "mail_always" 12 -Always send mail when sudo is run +Send mail to the \fImailto\fR user every time a users runs sudo. +This flag is off by default. .Ip "mail_no_user" 12 -Send mail if the user is not in sudoers +If set, mail will be sent to the \fImailto\fR user if the invoking +user is not in the \fIsudoers\fR file. This flag is on by default. .Ip "mail_no_host" 12 -Send mail if the user is not in sudoers for this host +If set, mail will be sent to the \fImailto\fR user if the invoking +user exists in the \fIsudoers\fR file, but is not allowed to run +commands on the current host. This flag is off by default. .Ip "mail_no_perms" 12 -Send mail if the user is not allowed to run a command +If set, mail will be sent to the \fImailto\fR user if the invoking +user allowed to use sudo but the command they are trying is not +listed in their \fIsudoers\fR file entry. This flag is off by default. .Ip "tty_tickets" 12 -Use a separate timestamp for each user/tty combo +If set, users must authenticate on a per-tty basis. Normally, +\fBsudo\fR uses a directory in the ticket dir with the same name as +the user running it. With this flag enabled, \fBsudo\fR will use a +file named for the tty the user is logged in on in that directory. +This flag is off by default. 
.Ip "lecture" 12 -Lecture user the first time they run sudo +If set, a user will receive a short lecture the first time he/she +runs \fBsudo\fR. This flag is on by default. .Ip "authenticate" 12 -Require users to authenticate by default +If set, users must authenticate themselves via a password (or other +means of authentication) before they may run commands. This default +may be overridden via the \f(CWPASSWD\fR and \f(CWNOPASSWD\fR tags. +This flag is on by default. .Ip "root_sudo" 12 -Root may run sudo +If set, root is allowed to run sudo too. Disabling this prevents users +from \*(L"chaining\*(R" sudo commands to get a root shell by doing something +like \f(CW"sudo sudo /bin/sh"\fR. +This flag is on by default. .Ip "log_host" 12 -Log the hostname in the (non-syslog) log file +If set, the hostname will be logged in the (non-syslog) \fBsudo\fR log file. +This flag is off by default. .Ip "log_year" 12 -Log the year in the (non-syslog) log file +If set, the four-digit year will be logged in the (non-syslog) \fBsudo\fR log file. +This flag is off by default. .Ip "shell_noargs" 12 -If sudo is invoked with no arguments, start a shell +If set and \fBsudo\fR is invoked with no arguments it acts as if the +\f(CW-s\fR flag had been given. That is, it runs a shell as root (the +shell is determined by the \f(CWSHELL\fR environment variable if it is +set, falling back on the shell listed in the invoking user's +/etc/passwd entry if not). This flag is off by default. .Ip "set_home" 12 -Set \f(CW$HOME\fR to the target user when starting a shell with \f(CW-s\fR +If set and \fBsudo\fR is invoked with the \f(CW-s\fR flag the \f(CWHOME\fR +environment variable will be set to the home directory of the target +user (which is root unless the \f(CW-u\fR option is used). This effectively +makes the \f(CW-s\fR flag imply \f(CW-H\fR. This flag is off by default. 
.Ip "path_info" 12 -Allow some information gathering to give useful error messages +Normally, \fBsudo\fR will tell the user when a command could not be +found in their \f(CW$PATH\fR. Some sites may wish to disable this as +it could be used to gather information on the location of executables +that the normal user does not have access to. The disadvantage is +that if the executable is simply not in the user's \f(CW$PATH\fR, \fBsudo\fR +will tell the user that they are not allowed to run it, which can +be confusing. This flag is off by default. .Ip "fqdn" 12 -Require fully-qualified hostnames in the sudoers file +Set this flag if you want to put fully qualified hostnames in the +\fIsudoers\fR file. Ie: instead of myhost you would use myhost.mydomain.edu. +You may still use the short form if you wish (and even mix the two). +Beware that turning on \fIfqdn\fR requires sudo to make \s-1DNS\s0 lookups +which may make \fBsudo\fR unusable if \s-1DNS\s0 stops working (for example +if the machine is not plugged into the network). Also note that +you must use the host's official name as \s-1DNS\s0 knows it. That is, +you may not use a host alias (\f(CWCNAME\fR entry) due to performance +issues and the fact that there is no way to get all aliases from +\s-1DNS\s0. If your machine's hostname (as returned by the \f(CWhostname\fR +command) is already fully qualified you shouldn't need to set +\fIfqfn\fR. This flag is off by default. .Ip "insults" 12 -Insult the user when they enter an incorrect password +If set, sudo will insult users when they enter an incorrect +password. This flag is off by default. .Ip "requiretty" 12 -Only allow the user to run sudo if they have a tty +If set, sudo will only run when the user is logged in to a real +tty. This will disallow things like \f(CW"rsh somehost sudo ls"\fR since +\fIrsh\fR\|(1) does not allocate a tty. 
Because it is not possible to turn +of echo when there is no tty present, some sites may with to set +this flag to prevent a user from entering a visible password. This +flag is off by default. .PP \fBIntegers\fR: .Ip "passwd_tries" 12 -Number of tries to enter a password +The number of tries a user gets to enter his/her password before +sudo logs the failure and exits. The default is 3. .PP \fBIntegers that can be used in a boolean context\fR: .Ip "loglinelen" 12 -Length at which to wrap log file lines (use 0 or negate for no wrap) +Number of characters per line for the file log. This value is used +to decide when to wrap lines for nicer log files. This has no +effect on the syslog log file, only the file log. The default is +80 (use 0 or negate to disable word wrap). .Ip "timestamp_timeout" 12 -Authentication timestamp timeout +Number of minutes that can elapse before \fBsudo\fR will ask for a passwd +again. The default is 5, set this to 0 to always prompt for a password. .Ip "passwd_timeout" 12 -Password prompt timeout +Number of minutes before the sudo password prompt times out. +The default is 5, set this to 0 for no password timeout. .Ip "umask" 12 -Umask to use or 0777 to use user's +Umask to use when running the root command. Set this to 0777 to +not override the user's umask. The default is 0022. .PP \fBStrings\fR: .Ip "mailsub" 12 -Subject line for mail messages +Subject of the mail sent to the \fImailto\fR user. The escape \f(CW%h\fR +will expand to the hostname of the machine. +Default is \*(L"*** \s-1SECURITY\s0 information for \f(CW%h\fR ***\*(R". .Ip "badpass_message" 12 -Incorrect password message +Message that is displayed if a user enters an incorrect password. +The default is \*(L"Sorry, try again.\*(R" unless insults are enabled. .Ip "timestampdir" 12 -Path to authentication timestamp dir +The directory in which \fBsudo\fR stores its timestamp files. +The default is either \f(CW/var/run/sudo\fR or \f(CW/tmp/sudo\fR. 
.Ip "passprompt" 12 -Default password prompt +The default prompt to use when asking for a password; can be overridden +via the \f(CW-p\fR option or the \f(CWSUDO_PROMPT\fR environment variable. Supports +two escapes: \*(L"%u\*(R" expands to the user's login name and \*(L"%h\*(R" expands +to the local hostname. The default value is \*(L"Password:\*(R". .Ip "runas_default" 12 -Default user to run commands as +The default user to run commands as if the \f(CW-u\fR flag is not specified +on the command line. This defaults to \*(L"root\*(R". .Ip "syslog_goodpri" 12 -Syslog priority to use when user authenticates successfully +Syslog priority to use when user authenticates successfully. +Defaults to \*(L"notice\*(R". .Ip "syslog_badpri" 12 -Syslog priority to use when user authenticates unsuccessfully +Syslog priority to use when user authenticates unsuccessfully. +Defaults to \*(L"alert\*(R". .PP \fBStrings that can be used in a boolean context\fR: .Ip "syslog" 12 -Syslog facility if syslog is being used for logging (negate to disable syslog) +Syslog facility if syslog is being used for logging (negate to +disable syslog logging). Defaults to \*(L"local2\*(R". .Ip "mailerpath" 12 -Path to mail program +Path to mail program used to send warning mail. +Defaults to the path to sendmail found at configure time. .Ip "mailerflags" 12 -Flags for mail program +Flags to use when invoking mailer. Defaults to \f(CW-t\fR. .Ip "mailto" 12 -Address to send mail to +Address to send warning and erorr mail to. Defaults to \*(L"root\*(R". .Ip "exempt_group" 12 -Users in this group are exempt from password and \s-1PATH\s0 requirements +Users in this group are exempt from password and \s-1PATH\s0 requirements. +This is not set by default. .Ip "secure_path" 12 -Value to override user's \f(CW$PATH\fR with +Path used for every command run from \fBsudo\fR. If you don't trust the +people running sudo to have a sane \f(CWPATH\fR environment variable you may +want to use this. 
Another use is if you want to have the \*(L"root path\*(R" +be separate from the \*(L"user path.\*(R" This is not set by default. .Ip "verifypw" 12 This option controls when a password will be required when a user runs sudo with the \fB\-v\fR. It has the following possible values: .Sp .Vb 3 -\& all All the user's sudoers entries for the +\& all All the user's I entries for the \& current host must have the C \& flag set to avoid entering a password. .Ve .Vb 4 -\& any At least one of the user's sudoers entries +\& any At least one of the user's I entries \& for the current host must have the \& C flag set to avoid entering a \& password. @@ -484,12 +560,12 @@ user runs sudo with the \fB\-l\fR. It has the following possible values: .Sp .Vb 3 -\& all All the user's sudoers entries for the +\& all All the user's I entries for the \& current host must have the C \& flag set to avoid entering a password. .Ve .Vb 4 -\& any At least one of the user's sudoers entries +\& any At least one of the user's I entries \& for the current host must have the \& C flag set to avoid entering a \& password. diff -ur sudo-1.6.2/sudoers.pod sudo-1.6.2p3/sudoers.pod --- sudo-1.6.2/sudoers.pod Sun Jan 23 20:57:49 2000 +++ sudo-1.6.2p3/sudoers.pod Wed Jan 26 14:21:28 2000 @@ -32,7 +32,7 @@ OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. -$Sudo: sudoers.pod,v 1.28 2000/01/24 03:57:49 millert Exp $ +$Sudo: sudoers.pod,v 1.29 2000/01/26 21:21:28 millert Exp $ =pod =head1 NAME 
@@ -223,75 +223,128 @@ =item long_otp_prompt -Put OTP prompt on its own line +When validating with a One Time Password scheme (B or B), +a two-line prompt is used to make it easier to cut and paste the +challenge to a local window. It's not as pretty as the default but +some people find it more convenient. This flag is off by default. =item ignore_dot -Ignore '.' in $PATH +If set, B will ignore '.' or '' (current dir) in C<$PATH>; +the C<$PATH> itself is not modified. This flag is off by default. =item mail_always -Always send mail when sudo is run +Send mail to the I user every time a users runs sudo. +This flag is off by default. =item mail_no_user -Send mail if the user is not in sudoers +If set, mail will be sent to the I user if the invoking +user is not in the I file. This flag is on by default. =item mail_no_host -Send mail if the user is not in sudoers for this host +If set, mail will be sent to the I user if the invoking +user exists in the I file, but is not allowed to run +commands on the current host. This flag is off by default. =item mail_no_perms -Send mail if the user is not allowed to run a command +If set, mail will be sent to the I user if the invoking +user allowed to use sudo but the command they are trying is not +listed in their I file entry. This flag is off by default. =item tty_tickets -Use a separate timestamp for each user/tty combo +If set, users must authenticate on a per-tty basis. Normally, +B uses a directory in the ticket dir with the same name as +the user running it. With this flag enabled, B will use a +file named for the tty the user is logged in on in that directory. +This flag is off by default. =item lecture -Lecture user the first time they run sudo +If set, a user will receive a short lecture the first time he/she +runs B. This flag is on by default. 
=item authenticate -Require users to authenticate by default +If set, users must authenticate themselves via a password (or other +means of authentication) before they may run commands. This default +may be overridden via the C and C tags. +This flag is on by default. =item root_sudo -Root may run sudo +If set, root is allowed to run sudo too. Disabling this prevents users +from "chaining" sudo commands to get a root shell by doing something +like C<"sudo sudo /bin/sh">. +This flag is on by default. =item log_host -Log the hostname in the (non-syslog) log file +If set, the hostname will be logged in the (non-syslog) B log file. +This flag is off by default. =item log_year -Log the year in the (non-syslog) log file +If set, the four-digit year will be logged in the (non-syslog) B log file. +This flag is off by default. =item shell_noargs -If sudo is invoked with no arguments, start a shell +If set and B is invoked with no arguments it acts as if the +C<-s> flag had been given. That is, it runs a shell as root (the +shell is determined by the C environment variable if it is +set, falling back on the shell listed in the invoking user's +/etc/passwd entry if not). This flag is off by default. =item set_home -Set $HOME to the target user when starting a shell with C<-s> +If set and B is invoked with the C<-s> flag the C +environment variable will be set to the home directory of the target +user (which is root unless the C<-u> option is used). This effectively +makes the C<-s> flag imply C<-H>. This flag is off by default. =item path_info -Allow some information gathering to give useful error messages +Normally, B will tell the user when a command could not be +found in their C<$PATH>. Some sites may wish to disable this as +it could be used to gather information on the location of executables +that the normal user does not have access to. 
The disadvantage is +that if the executable is simply not in the user's C<$PATH>, B +will tell the user that they are not allowed to run it, which can +be confusing. This flag is off by default. =item fqdn -Require fully-qualified hostnames in the sudoers file +Set this flag if you want to put fully qualified hostnames in the +I file. Ie: instead of myhost you would use myhost.mydomain.edu. +You may still use the short form if you wish (and even mix the two). +Beware that turning on I requires sudo to make DNS lookups +which may make B unusable if DNS stops working (for example +if the machine is not plugged into the network). Also note that +you must use the host's official name as DNS knows it. That is, +you may not use a host alias (C entry) due to performance +issues and the fact that there is no way to get all aliases from +DNS. If your machine's hostname (as returned by the C +command) is already fully qualified you shouldn't need to set +I. This flag is off by default. =item insults -Insult the user when they enter an incorrect password +If set, sudo will insult users when they enter an incorrect +password. This flag is off by default. =item requiretty -Only allow the user to run sudo if they have a tty +If set, sudo will only run when the user is logged in to a real +tty. This will disallow things like C<"rsh somehost sudo ls"> since +rsh(1) does not allocate a tty. Because it is not possible to turn +of echo when there is no tty present, some sites may with to set +this flag to prevent a user from entering a visible password. This +flag is off by default. =back @@ -301,7 +354,8 @@ =item passwd_tries -Number of tries to enter a password +The number of tries a user gets to enter his/her password before +sudo logs the failure and exits. The default is 3. =back 
@@ -311,19 +365,25 @@ =item loglinelen -Length at which to wrap log file lines (use 0 or negate for no wrap) +Number of characters per line for the file log. This value is used +to decide when to wrap lines for nicer log files. This has no +effect on the syslog log file, only the file log. The default is +80 (use 0 or negate to disable word wrap). =item timestamp_timeout -Authentication timestamp timeout +Number of minutes that can elapse before B will ask for a passwd +again. The default is 5, set this to 0 to always prompt for a password. =item passwd_timeout -Password prompt timeout +Number of minutes before the sudo password prompt times out. +The default is 5, set this to 0 for no password timeout. =item umask -Umask to use or 0777 to use user's +Umask to use when running the root command. Set this to 0777 to +not override the user's umask. The default is 0022. =back 
@@ -333,31 +393,41 @@ =item mailsub -Subject line for mail messages +Subject of the mail sent to the I user. The escape C<%h> +will expand to the hostname of the machine. +Default is "*** SECURITY information for %h ***". =item badpass_message -Incorrect password message +Message that is displayed if a user enters an incorrect password. +The default is "Sorry, try again." unless insults are enabled. =item timestampdir -Path to authentication timestamp dir +The directory in which B stores its timestamp files. +The default is either C or C. =item passprompt -Default password prompt +The default prompt to use when asking for a password; can be overridden +via the C<-p> option or the C environment variable. Supports +two escapes: "%u" expands to the user's login name and "%h" expands +to the local hostname. The default value is "Password:". =item runas_default -Default user to run commands as +The default user to run commands as if the C<-u> flag is not specified +on the command line. This defaults to "root". =item syslog_goodpri -Syslog priority to use when user authenticates successfully +Syslog priority to use when user authenticates successfully. +Defaults to "notice". =item syslog_badpri -Syslog priority to use when user authenticates unsuccessfully +Syslog priority to use when user authenticates unsuccessfully. +Defaults to "alert". =back 12 
@@ -367,38 +437,44 @@ =item syslog -Syslog facility if syslog is being used for logging (negate to disable syslog) +Syslog facility if syslog is being used for logging (negate to +disable syslog logging). Defaults to "local2". =item mailerpath -Path to mail program +Path to mail program used to send warning mail. +Defaults to the path to sendmail found at configure time. =item mailerflags -Flags for mail program +Flags to use when invoking mailer. Defaults to C<-t>. =item mailto -Address to send mail to +Address to send warning and erorr mail to. Defaults to "root". =item exempt_group -Users in this group are exempt from password and PATH requirements +Users in this group are exempt from password and PATH requirements. +This is not set by default. =item secure_path -Value to override user's $PATH with +Path used for every command run from B. If you don't trust the +people running sudo to have a sane C environment variable you may +want to use this. Another use is if you want to have the "root path" +be separate from the "user path." This is not set by default. =item verifypw This option controls when a password will be required when a user runs sudo with the B<-v>. It has the following possible values: - all All the user's sudoers entries for the + all All the user's I entries for the current host must have the C flag set to avoid entering a password. - any At least one of the user's sudoers entries + any At least one of the user's I entries for the current host must have the C flag set to avoid entering a password. 
@@ -416,11 +492,11 @@ This option controls when a password will be required when a user runs sudo with the B<-l>. It has the following possible values: - all All the user's sudoers entries for the + all All the user's I entries for the current host must have the C flag set to avoid entering a password. - any At least one of the user's sudoers entries + any At least one of the user's I entries for the current host must have the C flag set to avoid entering a password. diff -ur sudo-1.6.2/tgetpass.c sudo-1.6.2p3/tgetpass.c --- sudo-1.6.2/tgetpass.c Mon Jan 17 16:46:26 2000 +++ sudo-1.6.2p3/tgetpass.c Sat Feb 26 19:59:42 2000 @@ -223,7 +223,7 @@ free(readfds); } else { /* Keep reading until out of space, EOF, error, or newline */ - while (--left && (n = read(fd, &c, 1)) == 1 && (c != '\n' || c != '\r')) + while (--left && (n = read(fd, &c, 1)) == 1 && c != '\n' && c != '\r') *cp++ = c; } *cp = '\0'; diff -ur sudo-1.6.2/version.h sudo-1.6.2p3/version.h --- sudo-1.6.2/version.h Mon Jan 17 16:46:26 2000 +++ sudo-1.6.2p3/version.h Thu Mar 9 11:39:10 2000 @@ -37,6 +37,6 @@ #ifndef _SUDO_VERSION_H #define _SUDO_VERSION_H -static const char version[] = "1.6.2"; +static const char version[] = "1.6.2p3"; #endif /* _SUDO_VERSION_H */
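Review bot: in the sudoers.pod hunk @@ -223,75 +223,128 @@, the new path_info text contradicts itself: it opens with "Normally, sudo will tell the user when a command could not be found" and says sites "may wish to disable this", which describes a flag that is on by default, but the paragraph closes with "This flag is off by default." One of the two statements has to change, and since the flag controls whether the "command not found" message is shown, the closing sentence is the one that looks wrong. The same hunk has several wording slips worth fixing before this ships: under mail_always "every time a users runs sudo" should be "a user runs sudo"; under mail_no_perms "if the invoking user allowed to use sudo" is missing "is"; under fqdn "Ie:" should be "i.e."; and under requiretty "turn of echo" should be "turn off echo" and "some sites may with to set" should be "may wish to set". Pointing the requiretty note at what the reader cares about would also help: the password is echoed to the screen when there is no tty, so the flag is a way to refuse such sessions rather than accept a visible password.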
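Review bot: in the sudoers.pod hunk @@ -333,31 +393,41 @@, the timestampdir entry says the default "is either /var/run/sudo or /tmp/sudo" without saying what selects one or the other, so an administrator reading the page cannot tell which directory their build will use. State the condition (it is decided at configure time, so naming the configure check or the installed path is enough) or refer the reader to the build-time option, since the location of the timestamp directory matters to anyone auditing what sudo trusts on a shared filesystem such as /tmp.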
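Review bot: in the sudoers.pod hunk @@ -367,38 +437,44 @@, the verifypw table ("all ...", "any ...") is an indented, verbatim POD paragraph, and POD does not interpret formatting codes inside verbatim paragraphs, so replacing the plain word "sudoers" on those lines with an italic code will print the code characters literally in the rendered page; the matching .Vb lines in the sudoers.man hunks show exactly that, a bare "I" where the word should be. Revert those two lines to the plain word "sudoers" (the pre-existing "C" on the following line has the same problem and could be cleaned up at the same time). The same change was made to the listpw table in @@ -416,11 +492,11 @@ and should be reverted there too. Also in this hunk, "warning and erorr mail" under mailto should read "error mail".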
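Review bot: the sudoers.man hunk @@ -376,96 +376,172 @@ is generated output (the .Ip and .Vb macros and the identical RCS log entry to sudoers.pod point to pod2man), so the wording problems in the corresponding sudoers.pod hunk reappear here and should be fixed in the .pod and regenerated rather than edited by hand in both files. One typo is visible only in this file: under fqdn, the closing sentence "you shouldn't need to set \fIfqfn\fR" should read \fIfqdn\fR. The bare "I" in the .Vb blocks of this hunk and of @@ -484,12 +560,12 @@ ("All the user's I entries") is the literal rendering of the formatting code that was added inside the verbatim verifypw and listpw tables in sudoers.pod; once those lines are reverted to plain "sudoers" and the man page regenerated, these lines go back to the previous text.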
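Review bot: in the tgetpass.c hunk @@ -223,7 +223,7 @@, the fix is correct and security-relevant: the old condition (c != '\n' || c != '\r') is true for every character, so the loop never stopped at end of line, stored the newline in the password buffer, and kept reading until the buffer was exhausted or read() returned something other than 1; with && the loop now stops at the first CR or LF, which is what the comment above it describes. One follow-up worth considering on the same lines: n receives the result of the last read(), but the code shown terminates the buffer with *cp = '\0' unconditionally, so a read() failure (n == -1) is indistinguishable from a short or empty password. Checking n after the loop and returning an error instead of a string would stop an I/O error from being treated as a password entry.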