Sign Up
Log In
Log In
or
Sign Up
Places
All Projects
Status Monitor
Collapse sidebar
openSUSE:Step:15-SP4
sudo
sudo-sudoers.patch
Overview
Repositories
Revisions
Requests
Users
Attributes
Meta
File sudo-sudoers.patch of Package sudo
diff --git a/plugins/sudoers/sudoers.in b/plugins/sudoers/sudoers.in index 4a8def4..3a5172c 100644 --- a/plugins/sudoers/sudoers.in +++ b/plugins/sudoers/sudoers.in @@ -32,33 +32,23 @@ ## ## Defaults specification ## -## You may wish to keep some of the following environment variables -## when running commands via sudo. -## -## Locale settings -# Defaults env_keep += "LANG LANGUAGE LINGUAS LC_* _XKB_CHARSET" -## -## Run X applications through sudo; HOME is used to find the -## .Xauthority file. Note that other programs use HOME to find -## configuration files and this may lead to privilege escalation! -# Defaults env_keep += "HOME" -## -## X11 resource path settings -# Defaults env_keep += "XAPPLRESDIR XFILESEARCHPATH XUSERFILESEARCHPATH" -## -## Desktop path settings -# Defaults env_keep += "QTDIR KDEDIR" -## -## Allow sudo-run commands to inherit the callers' ConsoleKit session -# Defaults env_keep += "XDG_SESSION_COOKIE" -## -## Uncomment to enable special input methods. Care should be taken as -## this may allow users to subvert the command being run via sudo. -# Defaults env_keep += "XMODIFIERS GTK_IM_MODULE QT_IM_MODULE QT_IM_SWITCHER" -## -## Uncomment to use a hard-coded PATH instead of the user's to find commands -# Defaults secure_path="/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin" -## +## Prevent environment variables from influencing programs in an +## unexpected or harmful way (CVE-2005-2959, CVE-2005-4158, CVE-2006-0151) +Defaults always_set_home +## Use this PATH instead of the user's to find commands. +Defaults secure_path="/usr/sbin:/usr/bin:/sbin:/bin:/usr/local/bin:/usr/local/sbin" +Defaults env_reset +## Change env_reset to !env_reset in previous line to keep all environment variables +## Following list will no longer be necessary after this change +Defaults env_keep = "LANG LC_ADDRESS LC_CTYPE LC_COLLATE LC_IDENTIFICATION LC_MEASUREMENT LC_MESSAGES LC_MONETARY LC_NAME LC_NUMERIC LC_PAPER LC_TELEPHONE LC_TIME LC_ALL LANGUAGE LINGUAS XDG_SESSION_COOKIE" +## Comment out the preceding line and uncomment the following one if you need +## to use special input methods. This may allow users to compromise the root +## account if they are allowed to run commands without authentication. +#Defaults env_keep = "LANG LC_ADDRESS LC_CTYPE LC_COLLATE LC_IDENTIFICATION LC_MEASUREMENT LC_MESSAGES LC_MONETARY LC_NAME LC_NUMERIC LC_PAPER LC_TELEPHONE LC_TIME LC_ALL LANGUAGE LINGUAS XDG_SESSION_COOKIE XMODIFIERS GTK_IM_MODULE QT_IM_MODULE QT_IM_SWITCHER" + +## Do not insult users when they enter an incorrect password. +Defaults !insults + ## Uncomment to send mail if the user does not enter the correct password. # Defaults mail_badpass ## @@ -66,9 +56,15 @@ ## sudoreplay and reboot. Use sudoreplay to play back logged sessions. # Defaults log_output # Defaults!/usr/bin/sudoreplay !log_output -# Defaults!/usr/local/bin/sudoreplay !log_output # Defaults!REBOOT !log_output +## In the default (unconfigured) configuration, sudo asks for the root password. +## This allows use of an ordinary user account for administration of a freshly +## installed system. When configuring sudo, delete the two +## following lines: +Defaults targetpw # ask for the password of the target user i.e. root +ALL ALL=(ALL) ALL # WARNING! Only use this together with 'Defaults targetpw'! + ## ## Runas alias specification ## @@ -84,13 +80,5 @@ root ALL=(ALL:ALL) ALL ## Same thing without a password # %wheel ALL=(ALL:ALL) NOPASSWD: ALL -## Uncomment to allow members of group sudo to execute any command -# %sudo ALL=(ALL:ALL) ALL - -## Uncomment to allow any user to run sudo if they know the password -## of the user they are running the command as (root by default). -# Defaults targetpw # Ask for the password of the target user -# ALL ALL=(ALL:ALL) ALL # WARNING: only use this together with 'Defaults targetpw' - ## Read drop-in files from @sysconfdir@/sudoers.d @includedir @sysconfdir@/sudoers.d
Locations
Projects
Search
Status Monitor
Help
OpenBuildService.org
Documentation
API Documentation
Code of Conduct
Contact
Support
@OBShq
Terms
openSUSE Build Service is sponsored by
The Open Build Service is an
openSUSE project
.
Sign Up
Log In
Places
Places
All Projects
Status Monitor