Index: sudo.man.in
===================================================================
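--- sudo.man.in.orig
+++ sudo.man.in
@@ -190,8 +190,8 @@ is initialized based on the group file (
 specified). If the invoking user is root or if the target user is
 the same as the invoking user, no password is required. Otherwise,
 \&\fBsudo\fR requires that users authenticate themselves with a password
-by default (\s-1NOTE:\s0 in the default configuration this is the user's
-password, not the root password). Once a user has been authenticated,
+by default (\s-1NOTE:\s0 in the default configuration this is the root
+password, not the user's password). Once a user has been authenticated,
 a timestamp is updated and the user may then use sudo without a
 password for a short period of time (\f(CW\*(C`@timeout@\*(C'\fR minutes unless
 overridden in \fIsudoers\fR).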
Index: sudoers
===================================================================
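--- sudoers.orig
+++ sudoers
@@ -15,6 +15,26 @@
 
 # Defaults specification
 
+# Prevent environment variables from influencing programs in an
+# unexpected or harmful way (CVE-2005-2959, CVE-2005-4158, CVE-2006-0151)
+Defaults always_set_home
+Defaults env_reset
+# Change env_reset to !env_reset in previous line to keep all environment variables
+# Following list will no longer be necessary after this change
+
+Defaults env_keep = "LANG LC_ADDRESS LC_CTYPE LC_COLLATE LC_IDENTIFICATION LC_MEASUREMENT LC_MESSAGES LC_MONETARY LC_NAME LC_NUMERIC LC_PAPER LC_TELEPHONE LC_TIME LC_ALL LANGUAGE LINGUAS XDG_SESSION_COOKIE"
+# Comment out the preceding line and uncomment the following one if you need
+# to use special input methods. This may allow users to compromise the root
+# account if they are allowed to run commands without authentication.
+#Defaults env_keep = "LANG LC_ADDRESS LC_CTYPE LC_COLLATE LC_IDENTIFICATION LC_MEASUREMENT LC_MESSAGES LC_MONETARY LC_NAME LC_NUMERIC LC_PAPER LC_TELEPHONE LC_TIME LC_ALL LANGUAGE LINGUAS XDG_SESSION_COOKIE XMODIFIERS GTK_IM_MODULE QT_IM_MODULE QT_IM_SWITCHER"
+
+# In the default (unconfigured) configuration, sudo asks for the root password.
+# This allows use of an ordinary user account for administration of a freshly
+# installed system. When configuring sudo, delete the two
+# following lines:
+Defaults targetpw # ask for the password of the target user i.e. root
+ALL ALL=(ALL) ALL # WARNING! Only use this together with 'Defaults targetpw'!
+
 # Runas alias specification
 
 # User privilege specification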
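Review bot: The last two added lines are safe only as a pair, and the only place that says so is a trailing comment on the `ALL ALL=(ALL) ALL` line. If an administrator removes or negates `Defaults targetpw` while that rule is still present, every local account can run any command as any user by entering its own password. I would move the warning above both lines so it is read before either is edited, for example `# Remove BOTH lines together: without targetpw, the ALL rule below gives every user full root with their own password.` Separately, the comment suggesting `!env_reset` sits directly under the CVE references and does not mention that it turns the environment scrubbing back off; a one-line caution there would help.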