454
Comment:
|
2822
adding one example
|
Deletions are marked like this. | Additions are marked like this. |
Line 6: | Line 6: |
* [http://packages.debian.org/cgi-bin/search_packages.pl?version=all&subword=0&exact=1&arch=any&releases=all&case=insensitive&keywords=sudo&searchon=names Packages]. | * DebPkg:sudo == Example == {{{ # /etc/sudoers # # This file MUST be edited with the 'visudo' command as root. # # See the man page for details on how to write a sudoers file. # # Example from http://www.lea-linux.org/cached/index/Admin-admin_env-sudo.html # User alias specification # ------------------------ User_Alias PPPUSERS = fred, bibi, jice, serge User_Alias HALTUSERS = fred, bibi User_Alias ROOT_FRIENDS = jice, serge, fred # Host alias specification # ------------------------ Host_Alias ICI = localhost, 192.168.1.1, ma.machine.fr Host_Alias LABAS = www.tuxfamily.org, talk.revolink.com, 233.12.66.4 Host_Alias WWW = www*, mail*, pop*, *fr # Runas alias specification # ------------------------- Runsas_Alias USERPPP = pppuser, serialuser # Cmnd alias specification # ------------------------ Cmnd_Alias STOPPC = /sbin/halt, /sbin/reboot, !/sbin/shutdown -*, /sbin/shutdown -r, \ /sbin/shutdown -h Cmnd_Alias PPPCMD = /etc/ppp/scripts/pppconnect, /etc/ppp/scripts/pppdisconnect # User privilege specification # ---------------------------- fred localhost = (ALL) ALL, (root) !ALL PPPUSERS MONRESEAU = (USERPPP) NOPASSWD: /sbin/pppd, PPPCMD john ALPHA = /usr/bin/su [!-]*, !/usr/bin/su *root* +secretaires LOCALE = PRINTING_CMDS, /usr/sbin/adduser [A-z]* }}} == Troubles and tweaks == === CVE-2005-4158 === With the fix for CVE-2005-4158: Insecure handling of PERLLIB PERL5LIB PERL5OPT environment vars, the default behaviour of handling environment variables was switched to protect against malicious local users with sudo privileges getting sudo to do more than the malcontent was given privileges to do. sudo (1.6.8p7-1.3) stable-security; urgency=high * Non-maintainer upload by the Security Team * Reverse the environment semantic by forcing users to maintain a whitelist [env.c, Bug#342948, CVE-2005-4158] As a result, unless you modify your sudoers file to contain '''Defaults env_reset''', you may experiance problems using sudo like the following: * E138: Can’t write viminfo file $HOME/.viminfo! * dircolors: no SHELL environment variable, and no shell type option given * squidview: can't get your home directory, exiting If you had more complex setups where you meant to pass through environment variables, your work around may be more complex or no longer possible. http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=342948 |
["root"]
Sudo is a program designed to allow a sysadmin to give limited ["root"] privileges to users and log root activity. The basic philosophy is to give as few privileges as possible but still allow people to get their work done.
Example
# /etc/sudoers # # This file MUST be edited with the 'visudo' command as root. # # See the man page for details on how to write a sudoers file. # # Example from http://www.lea-linux.org/cached/index/Admin-admin_env-sudo.html # User alias specification # ------------------------ User_Alias PPPUSERS = fred, bibi, jice, serge User_Alias HALTUSERS = fred, bibi User_Alias ROOT_FRIENDS = jice, serge, fred # Host alias specification # ------------------------ Host_Alias ICI = localhost, 192.168.1.1, ma.machine.fr Host_Alias LABAS = www.tuxfamily.org, talk.revolink.com, 233.12.66.4 Host_Alias WWW = www*, mail*, pop*, *fr # Runas alias specification # ------------------------- Runsas_Alias USERPPP = pppuser, serialuser # Cmnd alias specification # ------------------------ Cmnd_Alias STOPPC = /sbin/halt, /sbin/reboot, !/sbin/shutdown -*, /sbin/shutdown -r, \ /sbin/shutdown -h Cmnd_Alias PPPCMD = /etc/ppp/scripts/pppconnect, /etc/ppp/scripts/pppdisconnect # User privilege specification # ---------------------------- fred localhost = (ALL) ALL, (root) !ALL PPPUSERS MONRESEAU = (USERPPP) NOPASSWD: /sbin/pppd, PPPCMD john ALPHA = /usr/bin/su [!-]*, !/usr/bin/su *root* +secretaires LOCALE = PRINTING_CMDS, /usr/sbin/adduser [A-z]*
Troubles and tweaks
CVE-2005-4158
With the fix for CVE-2005-4158: Insecure handling of PERLLIB PERL5LIB PERL5OPT environment vars, the default behaviour of handling environment variables was switched to protect against malicious local users with sudo privileges getting sudo to do more than the malcontent was given privileges to do.
- sudo (1.6.8p7-1.3) stable-security; urgency=high
- Non-maintainer upload by the Security Team
- Reverse the environment semantic by forcing users to maintain a whitelist [env.c, Bug#342948, CVE-2005-4158]
As a result, unless you modify your sudoers file to contain Defaults env_reset, you may experiance problems using sudo like the following:
- E138: Can’t write viminfo file $HOME/.viminfo!
- dircolors: no SHELL environment variable, and no shell type option given
- squidview: can't get your home directory, exiting
If you had more complex setups where you meant to pass through environment variables, your work around may be more complex or no longer possible.