Release 0.2.8 (#1232)

Author: squell

CHANGELOG.md

@@ -1,5 +1,16 @@
 # Changelog
 
+## [0.2.8] - 2025-08-04
+
+### Added
+- `sudo -e`, `sudoedit` to safely edit files as another user.
+
+### Fixed
+- `NOEXEC:` could not be used to prevent all shell escapes on multi-architecture
+  installations (#1229)
+- `sudo --list` would not show `NOEXEC`, `SETENV` and `APPARMOR_PROFILE` (#1228)
+- Skip paths not accessible by the target user during command resolution (#1234)
+
 ## [0.2.7] - 2025-07-01
 
 ### Added

Cargo.lock

@@ -1,7 +1,7 @@
 [package]
 name = "sudo-rs"
 description = "A memory safe implementation of sudo and su."
-version = "0.2.7"
+version = "0.2.8"
 license = "Apache-2.0 OR MIT"
 edition = "2021"
 repository = "https://github.com/trifectatechfoundation/sudo-rs"

Cargo.toml

@@ -51,11 +51,11 @@ We currently only offer these for x86-64 systems.
 We recommend installing sudo-rs and su-rs in your `/usr/local` hierarchy so it can co-exist with
 your existing sudo installation. You can achieve this using the commands:
 ```sh
-sudo tar -C /usr/local -xvf sudo-0.2.7.tar.gz
+sudo tar -C /usr/local -xvf sudo-0.2.8.tar.gz
 ```
 and for su-rs:
 ```sh
-sudo tar -C /usr/local -xvf su-0.2.7.tar.gz
+sudo tar -C /usr/local -xvf su-0.2.8.tar.gz
 ```
 This will install sudo-rs and su-rs in `/usr/local/bin` using the usual commands `sudo` and `su`; it
 will also install our version of `visudo` in that location.
@@ -157,6 +157,7 @@ Exceptions to the above, with respect to your `/etc/sudoers` configuration:
   `match_group_by_gid` are not applicable to our implementation, but ignored for
   compatibility reasons.
 * `timestamp_type` is always set at `tty`.
+* `sudoedit_checkdir` is always `on`, and `sudoedit_follow` is always `off`.
 
 Some other notable restrictions to be aware of:
 

README.md

@@ -1,6 +1,6 @@
 .\" Automatically generated by Pandoc 3.6.3
 .\"
-.TH "SU" "1" "" "sudo\-rs 0.2.7" "sudo\-rs"
+.TH "SU" "1" "" "sudo\-rs 0.2.8" "sudo\-rs"
 .SH NAME
 \f[CR]su\f[R] \- run a shell or command as another user
 .SH SYNOPSIS

docs/man/su.1.man

@@ -1,5 +1,5 @@
 ---
-title: SU(1) sudo-rs 0.2.7 | sudo-rs
+title: SU(1) sudo-rs 0.2.8 | sudo-rs
 ---
 
 # NAME

docs/man/su.1.md

@@ -1,20 +1,23 @@
 .\" Automatically generated by Pandoc 3.6.3
 .\"
-.TH "SUDO" "8" "" "sudo\-rs 0.2.7" "sudo\-rs"
+.TH "SUDO" "8" "" "sudo\-rs 0.2.8" "sudo\-rs"
 .SH NAME
-\f[CR]sudo\f[R] \- execute a command as another user
+\f[CR]sudo\f[R], \f[CR]sudoedit\f[R] \- execute a command as another
+user
 .SH SYNOPSIS
-\f[CR]sudo\f[R] [\f[CR]\-u\f[R] \f[I]user\f[R]] [\f[CR]\-g\f[R]
-\f[I]group\f[R]] [\f[CR]\-D\f[R] \f[I]directory\f[R]]
+\f[CR]sudo\f[R] \f[CR]\-h\f[R] | \f[CR]\-K\f[R] | \f[CR]\-k\f[R] |
+\f[CR]\-V\f[R] \f[CR]sudo\f[R] [\f[CR]\-u\f[R] \f[I]user\f[R]]
+[\f[CR]\-g\f[R] \f[I]group\f[R]] [\f[CR]\-D\f[R] \f[I]directory\f[R]]
 [\f[CR]\-BknS\f[R]] [\f[CR]\-i\f[R] | \f[CR]\-s\f[R]]
-[\f[CR]VAR=value\f[R]] [<\f[I]command\f[R]>]
-.PD 0
-.P
-.PD
-\f[CR]sudo\f[R] \f[CR]\-l\f[R] [\f[CR]\-BknS\f[R]] [\f[CR]\-U\f[R]
-\f[I]user\f[R]] [\f[CR]\-u\f[R] \f[I]user\f[R]] [\f[CR]\-g\f[R]
-\f[I]group\f[R]] [command [arg \&...]] \f[CR]sudo\f[R] \f[CR]\-h\f[R] |
-\f[CR]\-K\f[R] | \f[CR]\-k\f[R] | \f[CR]\-V\f[R]
+[\f[CR]VAR=value\f[R]] [<\f[I]command\f[R]>] \f[CR]sudo\f[R]
+\f[CR]\-v\f[R] [\f[CR]\-BknS\f[R]] [\f[CR]\-u\f[R] \f[I]user\f[R]]
+[\f[CR]\-g\f[R] \f[I]group\f[R]] \f[CR]sudo\f[R] \f[CR]\-l\f[R]
+[\f[CR]\-BknS\f[R]] [\f[CR]\-U\f[R] \f[I]user\f[R]] [\f[CR]\-u\f[R]
+\f[I]user\f[R]] [\f[CR]\-g\f[R] \f[I]group\f[R]] [command [arg \&...]]
+\f[CR]sudo\f[R] \f[CR]\-e\f[R] [\f[CR]\-BknS\f[R]] [\f[CR]\-u\f[R]
+\f[I]user\f[R]] [\f[CR]\-g\f[R] \f[I]group\f[R]] file \&...
+\f[CR]sudoedit\f[R] [\f[CR]\-BknS\f[R]] [\f[CR]\-u\f[R] \f[I]user\f[R]]
+[\f[CR]\-g\f[R] \f[I]group\f[R]] file \&...
 .SH DESCRIPTION
 \f[CR]sudo\f[R] allows a user that is permitted to do so to execute a
 \f[I]command\f[R] as another user (for example \f[I]root\f[R]).
@@ -31,6 +34,12 @@ The timeout for session records can be specified in the policy.
 .PP
 Some care is taken to pass signals received by sudo\-rs to the child
 process, even if that process runs in its own pseudo terminal.
+.PP
+On systems where sudo is the primary method of gaining superuser
+privileges, it is imperative to avoid syntax errors in the
+\f[CR]/etc/sudoers\f[R] file.
+Changes to this file should be made using the visudo(8) utility which
+will ensure that no syntax errors are introduced.
 .SH OPTIONS
 .TP
 \f[CR]\-B\f[R], \f[CR]\-\-bell\f[R]
@@ -121,6 +130,28 @@ If no shell was specified, the shell from the user\[cq]s password
 database entry will be used instead.
 If a \f[I]command\f[R] is specified, it is passed to the shell using the
 \f[CR]\-c\f[R] option.
+.PP
+\f[CR]\-e\f[R], \f[CR]sudoedit\f[R]
+.IP
+.EX
+Edit one or more files instead of running a command.  In lieu of a path name, the string \[dq]sudoedit\[dq] is used when consulting the security policy.  If the user is authorized by the policy, the following steps are taken:
+
+1. Temporary copies are made of the files to be edited with the owner set to the invoking user.
+
+2. The editor specified by the policy is run to edit the temporary files.  The sudoers policy uses the SUDO_EDITOR, VISUAL and EDITOR environment variables (in that order).  If none of SUDO_EDITOR, VISUAL or EDITOR are set, the first program listed in the editor sudoers(5) option is used.
+
+3. If they have been modified, the content of the temporary files is copied back to the originals and the temporary versions are removed.
+
+To help prevent the editing of unauthorized files, the following restrictions are enforced (unless the user is root):
+
+* Symbolic links may not be edited.
+
+* If any component of the path leading to the file is writable by the invoking user, the file may not be edited.
+
+* Users are never allowed to edit device special files.
+
+If the specified file does not exist, it will be created. Unlike most commands run by sudo, the editor is run with the invoking user\[aq]s environment unmodified. If the temporary file becomes empty after editing, the user will be prompted before it is installed.
+.EE
 .TP
 \f[CR]\-u\f[R] \f[I]user\f[R], \f[CR]\-\-user\f[R]=\f[I]user\f[R]
 Run the \f[I]command\f[R] as another user than the default

docs/man/sudo.8.man

@@ -1,16 +1,20 @@
 ---
-title: SUDO(8) sudo-rs 0.2.7 | sudo-rs
+title: SUDO(8) sudo-rs 0.2.8 | sudo-rs
 ---
 
 # NAME
 
-`sudo` - execute a command as another user
+`sudo`, `sudoedit` - execute a command as another user
 
 # SYNOPSIS
 
-`sudo` [`-u` *user*] [`-g` *group*] [`-D` *directory*] [`-BknS`] [`-i` | `-s`] [`VAR=value`] [<*command*>] \
-`sudo` `-l` [`-BknS`] [`-U` *user*] [`-u` *user*]  [`-g` *group*] [command [arg ...]]
 `sudo` `-h` | `-K` | `-k` | `-V`
+`sudo` [`-u` *user*] [`-g` *group*] [`-D` *directory*] [`-BknS`] [`-i` | `-s`] [`VAR=value`] [<*command*>]
+`sudo` `-v` [`-BknS`] [`-u` *user*]  [`-g` *group*]
+`sudo` `-l` [`-BknS`] [`-U` *user*] [`-u` *user*]  [`-g` *group*] [command [arg ...]]
+`sudo` `-e` [`-BknS`] [`-u` *user*] [`-g` *group*] file ...
+`sudoedit` [`-BknS`] [`-u` *user*] [`-g` *group*] file ...
+
 
 # DESCRIPTION
 
@@ -28,6 +32,11 @@ timeout for session records can be specified in the policy.
 Some care is taken to pass signals received by sudo-rs to the child process,
 even if that process runs in its own pseudo terminal.
 
+On systems where sudo is the primary method of gaining superuser privileges, it is
+imperative to avoid syntax errors in the `/etc/sudoers` file. Changes to this file
+should be made using the visudo(8) utility which will ensure that no syntax errors
+are introduced.
+
 # OPTIONS
 
 `-B`, `--bell`
@@ -101,6 +110,26 @@ even if that process runs in its own pseudo terminal.
     was specified, the shell from the user's password database entry will be
     used instead. If a *command* is specified, it is passed to the shell using the `-c` option.
 
+`-e`, `sudoedit`
+
+    Edit one or more files instead of running a command.  In lieu of a path name, the string "sudoedit" is used when consulting the security policy.  If the user is authorized by the policy, the following steps are taken:
+
+    1. Temporary copies are made of the files to be edited with the owner set to the invoking user.
+
+    2. The editor specified by the policy is run to edit the temporary files.  The sudoers policy uses the SUDO_EDITOR, VISUAL and EDITOR environment variables (in that order).  If none of SUDO_EDITOR, VISUAL or EDITOR are set, the first program listed in the editor sudoers(5) option is used.
+
+    3. If they have been modified, the content of the temporary files is copied back to the originals and the temporary versions are removed.
+
+    To help prevent the editing of unauthorized files, the following restrictions are enforced (unless the user is root):
+
+    * Symbolic links may not be edited.
+
+    * If any component of the path leading to the file is writable by the invoking user, the file may not be edited.
+
+    * Users are never allowed to edit device special files.
+
+    If the specified file does not exist, it will be created. Unlike most commands run by sudo, the editor is run with the invoking user's environment unmodified. If the temporary file becomes empty after editing, the user will be prompted before it is installed.
+
 `-u` *user*, `--user`=*user*
 :   Run the *command* as another user than the default (**root**).
 

docs/man/sudo.8.md

@@ -252,7 +252,7 @@ Again, the value of an item may be negated with the `!' operator.
           \[aq]!\[aq]* directory |
           \[aq]!\[aq]* Cmnd_Alias
           \[aq]!\[aq]* \[dq]list\[dq]
-          \[aq]!\[aq]* \[dq]sudoedit\[dq]
+          \[aq]!\[aq]* \[dq]sudoedit\[dq] [file name]
 .EE
 .PP
 A Cmnd_List is a list of one or more command names, directories, and
@@ -292,9 +292,17 @@ option.
 No command line arguments may be specified with the \[lq]list\[rq]
 built\-in.
 .PP
-The \[lq]sudoedit\[rq] built\-in will be used in the future to permit a
-user to run sudo with the \-e option (or as sudoedit).
-This feature is currently under development.
+The \[lq]sudoedit\[rq] built\-in is used to permit a user to run sudo
+with the \-e option (or as sudoedit).
+It may take command line arguments just as a normal command does.
+Unlike other commands, \[lq]sudoedit\[rq] is built into sudo itself and
+must be specified in the sudoers file without a leading path.
+If a leading path is present, for example /usr/bin/sudoedit, this will
+not give the user permissions to use sudoedit.
+If no arguments are provided, \[lq]sudoedit\[rq] will give the user the
+permission to edit any files; if an argument is present it must be an
+absolute path name that does not contain symbolic links, or the command
+will not be matched.
 .SS Defaults
 Certain configuration options may be changed from their default values
 at run\-time via one or more Default_Entry lines.
@@ -784,6 +792,18 @@ passwd database as an argument to the \-u option.
 This flag is off by default.
 .RE
 .IP \[bu] 2
+umask_override
+.RS 2
+.PP
+If set, sudo will set the umask as specified in the sudoers file without
+modification.
+This makes it possible to specify a umask in the sudoers file that is
+more permissive than the user\[cq]s own umask.
+If umask_override is not set, sudo will set the umask to be the union of
+the user\[cq]s umask and what is specified in sudoers.
+This flag is off by default.
+.RE
+.IP \[bu] 2
 use_pty
 .RS 2
 .PP
@@ -821,6 +841,43 @@ insufficient, for example 2.5.
 The default is 15.
 Set this to 0 to always prompt for a password.
 .RE
+.IP \[bu] 2
+umask
+.RS 2
+.PP
+File mode creation mask to use when running the command.
+Negate this option or set it to 0777 to prevent sudo from changing the
+umask.
+Unless the umask_override flag is set, the actual umask will be the
+union of the user\[cq]s umask and the value of the umask setting, which
+defaults to 0022.
+This guarantees that sudo never lowers the umask when running a command.
+.PP
+If umask is explicitly set, it will override any umask setting in PAM.
+If umask is not set, the umask specified by PAM will take precedence.
+The umask setting in PAM is not used for sudoedit, which does not create
+a new PAM session.
+.RE
+.SS Strings
+.IP \[bu] 2
+editor
+.RS 2
+.PP
+A colon (`:') separated list of editor path names used by
+\f[B]sudoedit\f[R] and \f[B]visudo\f[R].
+For \f[B]sudoedit\f[R], this list is used to find an editor when none of
+the SUDO_EDITOR, VISUAL or EDITOR environment variables are set to an
+editor that exists and is executable.
+For \f[B]visudo\f[R], it is used as a white list of allowed editors;
+\f[B]visudo\f[R] will choose the editor that matches the user\[cq]s
+SUDO_EDITOR, VISUAL or EDITOR environment variable if possible, or the
+first editor in the list that exists and is executable if not.
+Unless invoked as \f[B]sudoedit\f[R], sudo does not preserve the
+SUDO_EDITOR, VISUAL or EDITOR environment variables unless they are
+present in the \f[B]env_keep\f[R] list.
+The default on Linux is \f[I]/usr/bin/editor\f[R], on FreeBSD
+\f[I]/usr/vim/vi\f[R].
+.RE
 .SS Strings that can be used in a boolean context:
 .IP \[bu] 2
 apparmor_profile
@@ -899,6 +956,9 @@ Preserving the HOME environment variable has security implications since
 many programs use it when searching for configuration or data files.
 Adding HOME to env_keep may enable a user to run unrestricted commands
 via sudo and is strongly discouraged.
+Users wishing to edit files with sudo should run \f[B]sudoedit\f[R] (or
+\f[B]sudo \-e\f[R]) to get their accustomed editor configuration instead
+of invoking the editor directly.
 .RE
 .SS LOG FORMAT
 sudo\-rs logs events via syslog(3).
@@ -980,6 +1040,8 @@ against future syscalls that can do an exec() like the proposed
 And it also doesn\[cq]t protect against honest programs that
 intentionally or not allow the user to write to /proc/self/mem for the
 same reasons as that it doesn\[cq]t protect against malicious programs.
+You should always try out if \f[B]noexec\f[R] indeed prevents shell
+escapes for the programs it is intended to be used with.
 .SS Timestamp file checks
 sudo\-rs will check the ownership of its timestamp directory
 (/run/sudo/ts by default) and ignore the directory\[cq]s contents if it