changeset 10278:24a3d9215c64

Document the race condition between the digest check and command execution.
author Todd C. Miller <Todd.Miller@courtesan.com>
date Sun, 06 Dec 2015 15:34:53 -0700
parents 31004144421b
children dcc9d15b0f3c
files doc/sudoers.cat doc/sudoers.man.in doc/sudoers.mdoc.in
diffstat 3 files changed, 24 insertions(+), 13 deletions(-)
--- a/doc/sudoers.cat	Wed Dec 02 14:06:37 2015 -0700
+++ b/doc/sudoers.cat	Sun Dec 06 15:34:53 2015 -0700
@@ -392,13 +392,11 @@
 
      If a command name is prefixed with a Digest_Spec, the command will only
      match successfully if it can be verified using the specified SHA-2
-     digest.  This may be useful in situations where the user invoking ssuuddoo
-     has write access to the command or its parent directory.  The following
-     digest formats are supported: sha224, sha256, sha384 and sha512.  The
-     string may be specified in either hex or base64 format (base64 is more
-     compact).  There are several utilities capable of generating SHA-2
-     digests in hex format such as openssl, shasum, sha224sum, sha256sum,
-     sha384sum, sha512sum.
+     digest.  The following digest formats are supported: sha224, sha256,
+     sha384 and sha512.  The string may be specified in either hex or base64
+     format (base64 is more compact).  There are several utilities capable of
+     generating SHA-2 digests in hex format such as openssl, shasum,
+     sha224sum, sha256sum, sha384sum, sha512sum.
 
      For example, using openssl:
 
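Review bot: sudoers.cat is the preformatted output of sudoers.mdoc.in, so this rewrap should come from regenerating the file rather than from hand editing; the re-flowed lines here do match the mdoc change below, but it is worth confirming the build target was used so the overstrike bold (e.g. "ssuuddoo") and line widths stay consistent across the whole file.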
@@ -410,6 +408,11 @@
      $ openssl dgst -binary -sha224 /bin/ls | openssl base64
      EYGH2oNk1JC0p9679IMATo8+BT7JVDCd4sQaJQ==
 
+     If the user has write access to either the command itself or the
+     directory in which the command is located (directly or via a ssuuddoo
+     command) it may be possible for the user to replace the command after the
+     digest check has been performed but before the command is executed.
+
      Command digests are only supported by version 1.8.7 or higher.
 
    DDeeffaauullttss
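Review bot: the new paragraph names the risk but not the condition under which the digest check is actually dependable; consider closing it with the positive statement that digests only provide meaningful protection when neither the command nor its directory is writable by the invoking user, so administrators read it as a precondition to verify rather than only a caveat. Also, a comma is needed after "command)" in "(directly or via a sudo command) it may be possible".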
--- a/doc/sudoers.man.in	Wed Dec 02 14:06:37 2015 -0700
+++ b/doc/sudoers.man.in	Sun Dec 06 15:34:53 2015 -0700
@@ -850,9 +850,6 @@
 \fRDigest_Spec\fR,
 the command will only match successfully if it can be verified
 using the specified SHA-2 digest.
-This may be useful in situations where the user invoking
-\fBsudo\fR
-has write access to the command or its parent directory.
 The following digest formats are supported: sha224, sha256, sha384 and sha512.
 The string may be specified in either hex or base64 format
 (base64 is more compact).
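Review bot: removing "This may be useful in situations where the user invoking sudo has write access to the command or its parent directory." is correct, since that was precisely the case the check cannot protect against, but it was also the only sentence saying why one would use a Digest_Spec at all. Consider a one-line replacement stating what the check is still intended for, so the section does not read as purely a description of syntax followed by a warning.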
@@ -877,6 +874,13 @@
 .RE
 .fi
 .PP
+If the user has write access to either the command itself or the
+directory in which the command is located (directly or via a
+\fBsudo\fR
+command) it may be possible for the user to replace the command
+after the digest check has been performed but before the command
+is executed.
+.PP
 Command digests are only supported by version 1.8.7 or higher.
 .SS "Defaults"
 Certain configuration options may be changed from their default
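Review bot: the commit message calls this a race condition, but the added paragraph never uses the term; since readers will grep the manual for "race" or "time-of-check", consider naming it explicitly, e.g. "there is a race between the digest check and execution of the command: a user with write access ... may replace the command after the digest check has been performed but before the command is executed." The hedge "may be possible" also undersells the issue, as the window exists whenever the write access described is present.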
--- a/doc/sudoers.mdoc.in	Wed Dec 02 14:06:37 2015 -0700
+++ b/doc/sudoers.mdoc.in	Sun Dec 06 15:34:53 2015 -0700
@@ -813,9 +813,6 @@
 .Li Digest_Spec ,
 the command will only match successfully if it can be verified
 using the specified SHA-2 digest.
-This may be useful in situations where the user invoking
-.Nm sudo
-has write access to the command or its parent directory.
 The following digest formats are supported: sha224, sha256, sha384 and sha512.
 The string may be specified in either hex or base64 format
 (base64 is more compact).
@@ -834,6 +831,13 @@
 EYGH2oNk1JC0p9679IMATo8+BT7JVDCd4sQaJQ==
 .Ed
 .Pp
+If the user has write access to either the command itself or the
+directory in which the command is located (directly or via a
+.Nm sudo
+command) it may be possible for the user to replace the command
+after the digest check has been performed but before the command
+is executed.
+.Pp
 Command digests are only supported by version 1.8.7 or higher.
 .Ss Defaults
 Certain configuration options may be changed from their default
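Review bot: "(directly or via a sudo command)" is ambiguous in the mdoc text as well as in the generated man page: it could be read as write access obtained by running sudo itself, when the intent is write access to the command or its directory gained through some other command the user is permitted to run via sudo. Suggest "(either directly or via another command the user may run with sudo)". A comma is also missing after "command)" before "it may be possible".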