diff -up sudo-1.8.6p7/doc/sudoers.cat.digest-backport-docs sudo-1.8.6p7/doc/sudoers.cat
--- sudo-1.8.6p7/doc/sudoers.cat.digest-backport-docs	2015-07-07 13:06:11.078653045 +0200
+++ sudo-1.8.6p7/doc/sudoers.cat	2015-07-07 13:12:05.170955417 +0200
@@ -260,6 +260,14 @@ SSUUDDOOEERRSS FFIILLEE FFO
      ``localhost'' will only match if that is the actual host name, which is
      usually only the case for non-networked systems.
 
+     digest ::= [A-Fa-f0-9]+ |
+                [[A-Za-z0-9+/=]+
+
+     Digest_Spec ::= "sha224" ':' digest |
+                     "sha256" ':' digest |
+                     "sha384" ':' digest |
+                     "sha512" ':' digest
+
      Cmnd_List ::= Cmnd |
                    Cmnd ',' Cmnd_List
 
@@ -267,7 +275,7 @@ SSUUDDOOEERRSS FFIILLEE FFO
                       file name args |
                       file name '""'
 
-     Cmnd ::= '!'* command name |
+     Cmnd ::= Digest_Spec? '!'* command name |
               '!'* directory |
               '!'* "sudoedit" |
               '!'* Cmnd_Alias
@@ -291,6 +299,26 @@ SSUUDDOOEERRSS FFIILLEE FFO
      to permit a user to run ssuuddoo with the --ee option (or as ssuuddooeeddiitt).  It may
      take command line arguments just as a normal command does.
 
+     If a command name is prefixed with a Digest_Spec, the command will only
+     match successfully if it can be verified using the specified SHA-2
+     digest.  This may be useful in situations where the user invoking ssuuddoo
+     has write access to the command or its parent directory.  The following
+     digest formats are supported: sha224, sha256, sha384 and sha512.  The
+     string may be specified in either hex or base64 format (base64 is more
+     compact).  There are several utilities capable of generating SHA-2
+     digests in hex format such as openssl, shasum, sha224sum, sha256sum,
+     sha384sum, sha512sum.
+
+     For example, using openssl:
+
+     $ openssl dgst -sha224 /bin/ls
+     SHA224(/bin/ls)= 118187da8364d490b4a7debbf483004e8f3e053ec954309de2c41a25
+
+     It is also possible to use openssl to generate base64 output:
+
+     $ openssl dgst -binary -sha224 /bin/ls | openssl base64
+     EYGH2oNk1JC0p9679IMATo8+BT7JVDCd4sQaJQ==
+
    DDeeffaauullttss
      Certain configuration options may be changed from their default values at
      run-time via one or more Default_Entry lines.  These may affect all users
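Review bot: The added paragraph recommends a digest where the invoking user can write to the command or its parent directory, but it does not say that the digest is checked when the rule is matched rather than when the file is executed. If this backport verifies the file and then runs it by path (not visible in this documentation patch), a user with that write access could replace the file between the two steps, so the digest narrows the risk without closing it. I would add a caveat after the sentence ending `or its parent directory.`, for example `The digest is verified when the command is matched; if the user is able to replace the file between verification and execution the check can be defeated, so such commands are best kept in a directory the user cannot write to.` The same paragraph is added in sudoers.man.in and sudoers.mdoc.in and needs the same sentence there.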
@@ -1797,7 +1825,9 @@ EEXXAAMMPPLLEESS
 
      # Cmnd alias specification
      Cmnd_Alias      DUMPS = /usr/bin/mt, /usr/sbin/dump, /usr/sbin/rdump,\
-                             /usr/sbin/restore, /usr/sbin/rrestore
+                             /usr/sbin/restore, /usr/sbin/rrestore\
+                             sha224:0GomF8mNN3wlDt1HD9XldjJ3SNgpFdbjO1+NsQ== \
+                             /home/operator/bin/start_backups
      Cmnd_Alias      KILL = /usr/bin/kill
      Cmnd_Alias      PRINTING = /usr/sbin/lpc, /usr/bin/lprm
      Cmnd_Alias      SHUTDOWN = /usr/sbin/shutdown
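Review bot: The comma after `/usr/sbin/rrestore` is missing in the new DUMPS example. The line now ends in `rrestore\` and continues with the `sha224:` entry, so the two entries are not separated as `Cmnd_List ::= Cmnd ',' Cmnd_List` requires. Copied into a sudoers file, this would probably be rejected as a syntax error or read as arguments to rrestore, and the digest-protected start_backups entry would not take effect as the text describes. The line should read `/usr/sbin/restore, /usr/sbin/rrestore,\`. The same omission is in the matching hunks of sudoers.man.in and sudoers.mdoc.in, where the line ends in `rrestore\e`.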
@@ -1867,7 +1897,11 @@ EEXXAAMMPPLLEESS
      The ooppeerraattoorr user may run commands limited to simple maintenance.  Here,
      those are commands related to backups, killing processes, the printing
      system, shutting down the system, and any commands in the directory
-     _/_u_s_r_/_o_p_e_r_/_b_i_n_/.
+     _/_u_s_r_/_o_p_e_r_/_b_i_n_/. Note that one command in the DUMPS Cmnd_Alias includes a
+     sha224 digest, _/_h_o_m_e_/_o_p_e_r_a_t_o_r_/_b_i_n_/_s_t_a_r_t___b_a_c_k_u_p_s.  This is because the
+     directory containing the script is writable by the operator user.  If the
+     script is modified (resulting in a digest mismatch) it will no longer be
+     possible to run it via ssuuddoo.
 
      joe             ALL = /usr/bin/su operator
 
diff -up sudo-1.8.6p7/doc/sudoers.man.in.digest-backport-docs sudo-1.8.6p7/doc/sudoers.man.in
--- sudo-1.8.6p7/doc/sudoers.man.in.digest-backport-docs	2015-07-07 13:06:28.363472547 +0200
+++ sudo-1.8.6p7/doc/sudoers.man.in	2015-07-07 13:16:05.250448374 +0200
@@ -602,6 +602,14 @@ only the case for non-networked systems.
 .nf
 .sp
 .RS 0n
+digest ::= [A-Fa-f0-9]+ |
+	   [[A-Za-z0-9\+/=]+
+
+Digest_Spec ::= "sha224" ':' digest |
+		"sha256" ':' digest |
+		"sha384" ':' digest |
+		"sha512" ':' digest
+
 Cmnd_List ::= Cmnd |
               Cmnd ',' Cmnd_List
 
@@ -609,7 +617,7 @@ command name ::= file name |
                  file name args |
                  file name '""'
 
-Cmnd ::= '!'* command name |
+Cmnd ::= Digest_Spec? '!'* command name |
          '!'* directory |
          '!'* "sudoedit" |
          '!'* Cmnd_Alias
@@ -664,6 +672,39 @@ with the
 option (or as
 \fBsudoedit\fR).
 It may take command line arguments just as a normal command does.
+.PP
+If a
+\fRcommand name\fR
+is prefixed with a
+\fRDigest_Spec\fR,
+the command will only match successfully if it can be verified
+using the specified SHA-2 digest.
+This may be useful in situations where the user invoking
+\fBsudo\fR
+has write access to the command or its parent directory.
+The following digest formats are supported: sha224, sha256, sha384 and sha512.
+The string may be specified in either hex or base64 format
+(base64 is more compact).
+There are several utilities capable of generating SHA-2 digests in hex
+format such as openssl, shasum, sha224sum, sha256sum, sha384sum, sha512sum.
+.PP
+For example, using openssl:
+.nf
+.sp
+.RS 0n
+$ openssl dgst -sha224 /bin/ls
+SHA224(/bin/ls)= 118187da8364d490b4a7debbf483004e8f3e053ec954309de2c41a25
+.RE
+.fi
+.PP
+It is also possible to use openssl to generate base64 output:
+.nf
+.sp
+.RS 0n
+$ openssl dgst -binary -sha224 /bin/ls | openssl base64
+EYGH2oNk1JC0p9679IMATo8+BT7JVDCd4sQaJQ==
+.RE
+.fi
 .SS "Defaults"
 Certain configuration options may be changed from their default
 values at run-time via one or more
@@ -3684,7 +3725,9 @@ Host_Alias	CDROM = orion, perseus, hercu
 
 # Cmnd alias specification
 Cmnd_Alias	DUMPS = /usr/bin/mt, /usr/sbin/dump, /usr/sbin/rdump,\e
-			/usr/sbin/restore, /usr/sbin/rrestore
+			/usr/sbin/restore, /usr/sbin/rrestore\e
+			sha224:0GomF8mNN3wlDt1HD9XldjJ3SNgpFdbjO1+NsQ== \e
+			/home/operator/bin/start_backups
 Cmnd_Alias	KILL = /usr/bin/kill
 Cmnd_Alias	PRINTING = /usr/sbin/lpc, /usr/bin/lprm
 Cmnd_Alias	SHUTDOWN = /usr/sbin/shutdown
@@ -3836,6 +3879,15 @@ Here, those are commands related to back
 printing system, shutting down the system, and any commands in the
 directory
 \fI/usr/oper/bin/\fR.
+Note that one command in the
+\fRDUMPS\fR
+Cmnd_Alias includes a sha224 digest,
+\fI/home/operator/bin/start_backups\fR.
+This is because the directory containing the script is writable by the
+operator user.
+If the script is modified (resulting in a digest mismatch) it will no longer
+be possible to run it via
+\fBsudo\fR.
 .nf
 .sp
 .RS 0n
diff -up sudo-1.8.6p7/doc/sudoers.mdoc.in.digest-backport-docs sudo-1.8.6p7/doc/sudoers.mdoc.in
--- sudo-1.8.6p7/doc/sudoers.mdoc.in.digest-backport-docs	2015-07-07 13:06:18.919571166 +0200
+++ sudo-1.8.6p7/doc/sudoers.mdoc.in	2015-07-07 13:23:45.072854748 +0200
@@ -579,6 +579,14 @@ Also, the host name
 will only match if that is the actual host name, which is usually
 only the case for non-networked systems.
 .Bd -literal
+digest ::= [A-Fa-f0-9]+ |
+	   [[A-Za-z0-9\+/=]+
+
+Digest_Spec ::= "sha224" ':' digest |
+		"sha256" ':' digest |
+		"sha384" ':' digest |
+		"sha512" ':' digest
+
 Cmnd_List ::= Cmnd |
               Cmnd ',' Cmnd_List
 
@@ -586,7 +594,7 @@ command name ::= file name |
                  file name args |
                  file name '""'
 
-Cmnd ::= '!'* command name |
+Cmnd ::= Digest_Spec? '!'* command name |
          '!'* directory |
          '!'* "sudoedit" |
          '!'* Cmnd_Alias
@@ -640,6 +648,33 @@ with the
 option (or as
 .Nm sudoedit ) .
 It may take command line arguments just as a normal command does.
+.Pp
+If a
+.Li command name
+is prefixed with a
+.Li Digest_Spec ,
+the command will only match successfully if it can be verified
+using the specified SHA-2 digest.
+This may be useful in situations where the user invoking
+.Nm sudo
+has write access to the command or its parent directory.
+The following digest formats are supported: sha224, sha256, sha384 and sha512.
+The string may be specified in either hex or base64 format
+(base64 is more compact).
+There are several utilities capable of generating SHA-2 digests in hex
+format such as openssl, shasum, sha224sum, sha256sum, sha384sum, sha512sum.
+.Pp
+For example, using openssl:
+.Bd -literal
+$ openssl dgst -sha224 /bin/ls
+SHA224(/bin/ls)= 118187da8364d490b4a7debbf483004e8f3e053ec954309de2c41a25
+.Ed
+.Pp
+It is also possible to use openssl to generate base64 output:
+.Bd -literal
+$ openssl dgst -binary -sha224 /bin/ls | openssl base64
+EYGH2oNk1JC0p9679IMATo8+BT7JVDCd4sQaJQ==
+.Ed
 .Ss Defaults
 Certain configuration options may be changed from their default
 values at run-time via one or more
@@ -3407,7 +3442,9 @@ Host_Alias	CDROM = orion, perseus, hercu
 
 # Cmnd alias specification
 Cmnd_Alias	DUMPS = /usr/bin/mt, /usr/sbin/dump, /usr/sbin/rdump,\e
-			/usr/sbin/restore, /usr/sbin/rrestore
+			/usr/sbin/restore, /usr/sbin/rrestore\e
+			sha224:0GomF8mNN3wlDt1HD9XldjJ3SNgpFdbjO1+NsQ== \e
+			/home/operator/bin/start_backups
 Cmnd_Alias	KILL = /usr/bin/kill
 Cmnd_Alias	PRINTING = /usr/sbin/lpc, /usr/bin/lprm
 Cmnd_Alias	SHUTDOWN = /usr/sbin/shutdown
@@ -3540,6 +3577,15 @@ Here, those are commands related to back
 printing system, shutting down the system, and any commands in the
 directory
 .Pa /usr/oper/bin/ .
+Note that one command in the
+.Li DUMPS
+Cmnd_Alias includes a sha224 digest,
+.Pa /home/operator/bin/start_backups .
+This is because the directory containing the script is writable by the
+operator user.
+If the script is modified (resulting in a digest mismatch) it will no longer
+be possible to run it via
+.Nm sudo .
 .Bd -literal
 joe		ALL = /usr/bin/su operator
 .Ed