|
 |
ce887b |
diff -up ./doc/sudoers.cat.manpage ./doc/sudoers.cat
|
|
|
ce887b |
--- ./doc/sudoers.cat.manpage 2017-09-11 15:16:47.443869930 +0200
|
|
|
ce887b |
+++ ./doc/sudoers.cat 2017-09-11 15:42:15.140500826 +0200
|
|
|
ce887b |
@@ -1088,13 +1088,19 @@ S?SU?UD?DO?OE?ER?RS?S O?OP?PT?TI?IO?ON?N
|
|
|
ce887b |
connected to the user's tty, due to I/O redirection or
|
|
|
ce887b |
because the command is part of a pipeline, that input
|
|
|
ce887b |
is also captured and stored in a separate log file.
|
|
|
ce887b |
- For more information, see the _?I_?/_?O _?L_?O_?G _?F_?I_?L_?E_?S section.
|
|
|
ce887b |
- This flag is _?o_?f_?f by default.
|
|
|
ce887b |
+ Anything sent to the standard input will be consumed,
|
|
|
ce887b |
+ regardless of whether or not the command run via s?su?ud?do?o
|
|
|
ce887b |
+ is actually reading the standard input. This may have
|
|
|
ce887b |
+ unexpected results when using s?su?ud?do?o in a shell script
|
|
|
ce887b |
+ that expects to process the standard input. For more
|
|
|
ce887b |
+ information about I/O logging, see the _?I_?/_?O _?L_?O_?G _?F_?I_?L_?E_?S
|
|
|
ce887b |
+ section. This flag is _?o_?f_?f by default.
|
|
|
ce887b |
|
|
|
ce887b |
log_output If set, s?su?ud?do?o will run the command in a pseudo-tty and
|
|
|
ce887b |
log all output that is sent to the screen, similar to
|
|
|
ce887b |
- the script(1) command. For more information, see the
|
|
|
ce887b |
- _?I_?/_?O _?L_?O_?G _?F_?I_?L_?E_?S section. This flag is _?o_?f_?f by default.
|
|
|
ce887b |
+ the script(1) command. For more information about I/O
|
|
|
ce887b |
+ logging, see the _?I_?/_?O _?L_?O_?G _?F_?I_?L_?E_?S section. This flag is
|
|
|
ce887b |
+ _?o_?f_?f by default.
|
|
|
ce887b |
|
|
|
ce887b |
log_year If set, the four-digit year will be logged in the (non-
|
|
|
ce887b |
syslog) s?su?ud?do?o log file. This flag is _?o_?f_?f by default.
|
|
|
ce887b |
@@ -1396,13 +1402,18 @@ S?SU?UD?DO?OE?ER?RS?S O?OP?PT?TI?IO?ON?N
|
|
|
ce887b |
not needed, this option can be disabled to reduce the
|
|
|
ce887b |
load on the LDAP server. This flag is _?o_?n by default.
|
|
|
ce887b |
|
|
|
ce887b |
- use_pty If set, s?su?ud?do?o will run the command in a pseudo-pty even
|
|
|
ce887b |
- if no I/O logging is being gone. A malicious program
|
|
|
ce887b |
- run under s?su?ud?do?o could conceivably fork a background
|
|
|
ce887b |
- process that retains to the user's terminal device
|
|
|
ce887b |
- after the main program has finished executing. Use of
|
|
|
ce887b |
- this option will make that impossible. This flag is
|
|
|
ce887b |
- _?o_?f_?f by default.
|
|
|
ce887b |
+ use_pty If set, and s?su?ud?do?o is running in a terminal, the command
|
|
|
ce887b |
+ will be run in a pseudo-pty (even if no I/O logging is
|
|
|
ce887b |
+ being done). If the s?su?ud?do?o process is not attached to a
|
|
|
ce887b |
+ terminal, _?u_?s_?e_?__?p_?t_?y has no effect.
|
|
|
ce887b |
+
|
|
|
ce887b |
+ A malicious program run under s?su?ud?do?o may be capable of
|
|
|
ce887b |
+ injecting injecting commands into the user's terminal
|
|
|
ce887b |
+ or running a background process that retains access to
|
|
|
ce887b |
+ the user's terminal device even after the main program
|
|
|
ce887b |
+ has finished executing. By running the command in a
|
|
|
ce887b |
+ separate pseudo-pty, this attack is no longer possible.
|
|
|
ce887b |
+ This flag is _?o_?f_?f by default.
|
|
|
ce887b |
|
|
|
ce887b |
utmp_runas If set, s?su?ud?do?o will store the name of the runas user when
|
|
|
ce887b |
updating the utmp (or utmpx) file. By default, s?su?ud?do?o
|
|
|
ce887b |
@@ -2135,11 +2146,11 @@ L?LO?OG?G F?FO?OR?RM?MA?AT?T
|
|
|
ce887b |
|
|
|
ce887b |
I?I/?/O?O L?LO?OG?G F?FI?IL?LE?ES?S
|
|
|
ce887b |
When I/O logging is enabled, s?su?ud?do?o will run the command in a pseudo-tty
|
|
|
ce887b |
- and log all user input and/or output. I/O is logged to the directory
|
|
|
ce887b |
- specified by the _?i_?o_?l_?o_?g_?__?d_?i_?r option (_?/_?v_?a_?r_?/_?l_?o_?g_?/_?s_?u_?d_?o_?-_?i_?o by default) using a
|
|
|
ce887b |
- unique session ID that is included in the s?su?ud?do?o log line, prefixed with
|
|
|
ce887b |
- ``TSID=''. The _?i_?o_?l_?o_?g_?__?f_?i_?l_?e option may be used to control the format of
|
|
|
ce887b |
- the session ID.
|
|
|
ce887b |
+ and log all user input and/or output, depending on which options are
|
|
|
ce887b |
+ are enabled. I/O is logged to the directory specified by the _?i_?o_?l_?o_?g_?__?d_?i_?r
|
|
|
ce887b |
+ option (_?/_?v_?a_?r_?/_?l_?o_?g_?/_?s_?u_?d_?o_?-_?i_?o by default) using a unique session ID that is
|
|
|
ce887b |
+ included in the s?su?ud?do?o log line, prefixed with "TSID=". The _?i_?o_?l_?o_?g_?__?f_?i_?l_?e
|
|
|
ce887b |
+ option may be used to control the format of the session ID.
|
|
|
ce887b |
|
|
|
ce887b |
Each I/O log is stored in a separate directory that contains the
|
|
|
ce887b |
following files:
|
|
|
ce887b |
diff -up ./doc/sudoers.man.in.manpage ./doc/sudoers.man.in
|
|
|
ce887b |
--- ./doc/sudoers.man.in.manpage 2017-09-11 15:16:47.444869925 +0200
|
|
|
ce887b |
+++ ./doc/sudoers.man.in 2017-09-11 15:16:47.456869864 +0200
|
|
|
ce887b |
@@ -2300,7 +2300,14 @@ will run the command in a pseudo-tty and
|
|
|
ce887b |
If the standard input is not connected to the user's tty, due to
|
|
|
ce887b |
I/O redirection or because the command is part of a pipeline, that
|
|
|
ce887b |
input is also captured and stored in a separate log file.
|
|
|
ce887b |
-For more information, see the
|
|
|
ce887b |
+Anything sent to the standard input will be consumed, regardless of
|
|
|
ce887b |
+whether or not the command run via
|
|
|
ce887b |
+\fBsudo\fR
|
|
|
ce887b |
+is actually reading the standard input.
|
|
|
ce887b |
+This may have unexpected results when using
|
|
|
ce887b |
+\fBsudo\fR
|
|
|
ce887b |
+in a shell script that expects to process the standard input.
|
|
|
ce887b |
+For more information about I/O logging, see the
|
|
|
ce887b |
\fII/O LOG FILES\fR
|
|
|
ce887b |
section.
|
|
|
ce887b |
This flag is
|
|
|
ce887b |
@@ -2314,7 +2321,7 @@ will run the command in a pseudo-tty and
|
|
|
ce887b |
to the screen, similar to the
|
|
|
ce887b |
script(1)
|
|
|
ce887b |
command.
|
|
|
ce887b |
-For more information, see the
|
|
|
ce887b |
+For more information about I/O logging, see the
|
|
|
ce887b |
\fII/O LOG FILES\fR
|
|
|
ce887b |
section.
|
|
|
ce887b |
This flag is
|
|
|
ce887b |
@@ -2934,14 +2941,24 @@ This flag is
|
|
|
ce887b |
by default.
|
|
|
ce887b |
.TP 18n
|
|
|
ce887b |
use_pty
|
|
|
ce887b |
-If set,
|
|
|
ce887b |
+If set, and
|
|
|
ce887b |
\fBsudo\fR
|
|
|
ce887b |
-will run the command in a pseudo-pty even if no I/O logging is being gone.
|
|
|
ce887b |
+is running in a terminal, the command will be run in a pseudo-pty
|
|
|
ce887b |
+(even if no I/O logging is being done).
|
|
|
ce887b |
+If the
|
|
|
ce887b |
+\fBsudo\fR
|
|
|
ce887b |
+process is not attached to a terminal,
|
|
|
ce887b |
+\fIuse_pty\fR
|
|
|
ce887b |
+has no effect.
|
|
|
ce887b |
+.sp
|
|
|
ce887b |
A malicious program run under
|
|
|
ce887b |
\fBsudo\fR
|
|
|
ce887b |
-could conceivably fork a background process that retains to the user's
|
|
|
ce887b |
-terminal device after the main program has finished executing.
|
|
|
ce887b |
-Use of this option will make that impossible.
|
|
|
ce887b |
+may be capable of injecting injecting commands into the user's
|
|
|
ce887b |
+terminal or running a background process that retains access to the
|
|
|
ce887b |
+user's terminal device even after the main program has finished
|
|
|
ce887b |
+executing.
|
|
|
ce887b |
+By running the command in a separate pseudo-pty, this attack is
|
|
|
ce887b |
+no longer possible.
|
|
|
ce887b |
This flag is
|
|
|
ce887b |
\fIoff\fR
|
|
|
ce887b |
by default.
|
|
|
ce887b |
@@ -4281,7 +4298,8 @@ word wrap will be disabled.
|
|
|
ce887b |
.SH "I/O LOG FILES"
|
|
|
ce887b |
When I/O logging is enabled,
|
|
|
ce887b |
\fBsudo\fR
|
|
|
ce887b |
-will run the command in a pseudo-tty and log all user input and/or output.
|
|
|
ce887b |
+will run the command in a pseudo-tty and log all user input and/or output,
|
|
|
ce887b |
+depending on which options are enabled.
|
|
|
ce887b |
I/O is logged to the directory specified by the
|
|
|
ce887b |
\fIiolog_dir\fR
|
|
|
ce887b |
option
|
|
|
ce887b |
diff -up ./doc/sudoers.mdoc.in.manpage ./doc/sudoers.mdoc.in
|
|
|
ce887b |
--- ./doc/sudoers.mdoc.in.manpage 2017-09-11 15:16:47.445869920 +0200
|
|
|
ce887b |
+++ ./doc/sudoers.mdoc.in 2017-09-11 15:16:47.456869864 +0200
|
|
|
ce887b |
@@ -2155,7 +2155,14 @@ will run the command in a pseudo-tty and
|
|
|
ce887b |
If the standard input is not connected to the user's tty, due to
|
|
|
ce887b |
I/O redirection or because the command is part of a pipeline, that
|
|
|
ce887b |
input is also captured and stored in a separate log file.
|
|
|
ce887b |
-For more information, see the
|
|
|
ce887b |
+Anything sent to the standard input will be consumed, regardless of
|
|
|
ce887b |
+whether or not the command run via
|
|
|
ce887b |
+.Nm sudo
|
|
|
ce887b |
+is actually reading the standard input.
|
|
|
ce887b |
+This may have unexpected results when using
|
|
|
ce887b |
+.Nm sudo
|
|
|
ce887b |
+in a shell script that expects to process the standard input.
|
|
|
ce887b |
+For more information about I/O logging, see the
|
|
|
ce887b |
.Sx "I/O LOG FILES"
|
|
|
ce887b |
section.
|
|
|
ce887b |
This flag is
|
|
|
ce887b |
@@ -2168,7 +2175,7 @@ will run the command in a pseudo-tty and
|
|
|
ce887b |
to the screen, similar to the
|
|
|
ce887b |
.Xr script 1
|
|
|
ce887b |
command.
|
|
|
ce887b |
-For more information, see the
|
|
|
ce887b |
+For more information about I/O logging, see the
|
|
|
ce887b |
.Sx "I/O LOG FILES"
|
|
|
ce887b |
section.
|
|
|
ce887b |
This flag is
|
|
|
ce887b |
@@ -2752,14 +2759,24 @@ This flag is
|
|
|
ce887b |
.Em on
|
|
|
ce887b |
by default.
|
|
|
ce887b |
.It use_pty
|
|
|
ce887b |
-If set,
|
|
|
ce887b |
+If set, and
|
|
|
ce887b |
.Nm sudo
|
|
|
ce887b |
-will run the command in a pseudo-pty even if no I/O logging is being gone.
|
|
|
ce887b |
+is running in a terminal, the command will be run in a pseudo-pty
|
|
|
ce887b |
+(even if no I/O logging is being done).
|
|
|
ce887b |
+If the
|
|
|
ce887b |
+.Nm sudo
|
|
|
ce887b |
+process is not attached to a terminal,
|
|
|
ce887b |
+.Em use_pty
|
|
|
ce887b |
+has no effect.
|
|
|
ce887b |
+.Pp
|
|
|
ce887b |
A malicious program run under
|
|
|
ce887b |
.Nm sudo
|
|
|
ce887b |
-could conceivably fork a background process that retains to the user's
|
|
|
ce887b |
-terminal device after the main program has finished executing.
|
|
|
ce887b |
-Use of this option will make that impossible.
|
|
|
ce887b |
+may be capable of injecting injecting commands into the user's
|
|
|
ce887b |
+terminal or running a background process that retains access to the
|
|
|
ce887b |
+user's terminal device even after the main program has finished
|
|
|
ce887b |
+executing.
|
|
|
ce887b |
+By running the command in a separate pseudo-pty, this attack is
|
|
|
ce887b |
+no longer possible.
|
|
|
ce887b |
This flag is
|
|
|
ce887b |
.Em off
|
|
|
ce887b |
by default.
|
|
|
ce887b |
@@ -3976,7 +3993,8 @@ word wrap will be disabled.
|
|
|
ce887b |
.Sh I/O LOG FILES
|
|
|
ce887b |
When I/O logging is enabled,
|
|
|
ce887b |
.Nm sudo
|
|
|
ce887b |
-will run the command in a pseudo-tty and log all user input and/or output.
|
|
|
ce887b |
+will run the command in a pseudo-tty and log all user input and/or output,
|
|
|
ce887b |
+depending on which options are enabled.
|
|
|
ce887b |
I/O is logged to the directory specified by the
|
|
|
ce887b |
.Em iolog_dir
|
|
|
ce887b |
option
|