Mercurial > repos > sudo
changeset 10278:24a3d9215c64
Document the race condition between the digest check and command
execution.
| author | Todd C. Miller <Todd.Miller@courtesan.com> |
|---|---|
| date | Sun, 06 Dec 2015 15:34:53 -0700 |
| parents | 31004144421b |
| children | dcc9d15b0f3c |
| files | doc/sudoers.cat doc/sudoers.man.in doc/sudoers.mdoc.in |
| diffstat | 3 files changed, 24 insertions(+), 13 deletions(-) [+] |
line wrap: on
line diff
--- a/doc/sudoers.cat Wed Dec 02 14:06:37 2015 -0700 +++ b/doc/sudoers.cat Sun Dec 06 15:34:53 2015 -0700 @@ -392,13 +392,11 @@ If a command name is prefixed with a Digest_Spec, the command will only match successfully if it can be verified using the specified SHA-2 - digest. This may be useful in situations where the user invoking ssuuddoo - has write access to the command or its parent directory. The following - digest formats are supported: sha224, sha256, sha384 and sha512. The - string may be specified in either hex or base64 format (base64 is more - compact). There are several utilities capable of generating SHA-2 - digests in hex format such as openssl, shasum, sha224sum, sha256sum, - sha384sum, sha512sum. + digest. The following digest formats are supported: sha224, sha256, + sha384 and sha512. The string may be specified in either hex or base64 + format (base64 is more compact). There are several utilities capable of + generating SHA-2 digests in hex format such as openssl, shasum, + sha224sum, sha256sum, sha384sum, sha512sum. For example, using openssl: @@ -410,6 +408,11 @@ $ openssl dgst -binary -sha224 /bin/ls | openssl base64 EYGH2oNk1JC0p9679IMATo8+BT7JVDCd4sQaJQ== + If the user has write access to either the command itself or the + directory in which the command is located (directly or via a ssuuddoo + command) it may be possible for the user to replace the command after the + digest check has been performed but before the command is executed. + Command digests are only supported by version 1.8.7 or higher. DDeeffaauullttss
--- a/doc/sudoers.man.in Wed Dec 02 14:06:37 2015 -0700 +++ b/doc/sudoers.man.in Sun Dec 06 15:34:53 2015 -0700 @@ -850,9 +850,6 @@ \fRDigest_Spec\fR, the command will only match successfully if it can be verified using the specified SHA-2 digest. -This may be useful in situations where the user invoking -\fBsudo\fR -has write access to the command or its parent directory. The following digest formats are supported: sha224, sha256, sha384 and sha512. The string may be specified in either hex or base64 format (base64 is more compact). @@ -877,6 +874,13 @@ .RE .fi .PP +If the user has write access to either the command itself or the +directory in which the command is located (directly or via a +\fBsudo\fR +command) it may be possible for the user to replace the command +after the digest check has been performed but before the command +is executed. +.PP Command digests are only supported by version 1.8.7 or higher. .SS "Defaults" Certain configuration options may be changed from their default
--- a/doc/sudoers.mdoc.in Wed Dec 02 14:06:37 2015 -0700 +++ b/doc/sudoers.mdoc.in Sun Dec 06 15:34:53 2015 -0700 @@ -813,9 +813,6 @@ .Li Digest_Spec , the command will only match successfully if it can be verified using the specified SHA-2 digest. -This may be useful in situations where the user invoking -.Nm sudo -has write access to the command or its parent directory. The following digest formats are supported: sha224, sha256, sha384 and sha512. The string may be specified in either hex or base64 format (base64 is more compact). @@ -834,6 +831,13 @@ EYGH2oNk1JC0p9679IMATo8+BT7JVDCd4sQaJQ== .Ed .Pp +If the user has write access to either the command itself or the +directory in which the command is located (directly or via a +.Nm sudo +command) it may be possible for the user to replace the command +after the digest check has been performed but before the command +is executed. +.Pp Command digests are only supported by version 1.8.7 or higher. .Ss Defaults Certain configuration options may be changed from their default
