[sudo-workers] missing --with-noexec in sudo-1.6.8/INSTALL

Norihiko Murase skeleten at shillest.net
Sat Aug 21 14:02:45 EDT 2004


Hi,

I found that the installation notes document
(sudo-1.6.8/INSTALL) doesn't refer to the --with-noexec option
though it does refer to the --with-ldap option. (Both of these
options were newly added in version 1.6.8, as you
know.)

I would be happy if you added a description of the option, such as:
  --with-noexec[=FILE]
        Enable "noexec" functionality, which prevents a
        dynamically-linked program being run by sudo from executing another
        program (think shell escapes of vi and makefile for make). If
        specified, FILE is the shared library for it. This functionality is
        enabled by default. Please see http://noexec.sourceforge.net/ for more
        information.

# Yes, I know the information about this functionality
# enabled by the --with-noexec configure option is available at
# least from the change-log file (sudo-1.6.8/CHANGES):
#  | 517) A new tag, NOEXEC, will prevent a dynamically-linked program being run
#  |      by sudo from executing another program (think shell escapes).
#  |      Because this uses LD_PRELOAD it has no effect on static binaries.
#  |      Idea from Reznic Valery.


As far as I checked the configure script (lines 19669-19691),
it seems that this functionality is enabled by default (in
the case where I specify NEITHER --with-noexec NOR
--without-noexec when I execute the configure script). Is this
deliberate?

As far as I read this change-log file, I think that this
functionality also prevents the make utility from executing
other commands in makefiles. Is this right?


Best regards,
---
Norihiko Murase
  The University of Aizu
E-mail: skeleten [AT] shillest.net
        s1080224 [AT] u-aizu.ac.jp
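
The LD_PRELOAD mechanism named in the CHANGES entry quoted above, sketched as an added example (not part of the original message and not sudo's own noexec library): a preloaded shared object defines the exec family so that a dynamically linked program's calls bind to stubs that fail with EACCES. A static binary never goes through the dynamic linker, so nothing is interposed. The file name, library name and the choice of EACCES are assumptions of this example.

```c
/* noexec_shim.c: added illustration, not sudo's own source.
 * Build:  cc -shared -fPIC -o noexec_shim.so noexec_shim.c
 * Use:    LD_PRELOAD=./noexec_shim.so some-dynamically-linked-program
 */
#include <errno.h>
#include <unistd.h>

/* Common failure path: report "permission denied" and never reach the kernel. */
static int deny_exec(void)
{
    errno = EACCES;
    return -1;
}

/* The dynamic linker searches preloaded objects before libc, so a program's
 * calls to these names bind here instead of to the real implementations. */
int execve(const char *path, char *const argv[], char *const envp[])
{
    (void)path; (void)argv; (void)envp;
    return deny_exec();
}

int execv(const char *path, char *const argv[])
{
    (void)path; (void)argv;
    return deny_exec();
}

int execvp(const char *file, char *const argv[])
{
    (void)file; (void)argv;
    return deny_exec();
}

/* Variadic forms: the argument list is ignored because nothing is executed. */
int execl(const char *path, const char *arg, ...)
{
    (void)path; (void)arg;
    return deny_exec();
}

int execlp(const char *file, const char *arg, ...)
{
    (void)file; (void)arg;
    return deny_exec();
}
/* Not covered: system(), popen(), posix_spawn() need their own wrappers. */
```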


