@@ -366,7 +366,9 @@ parameters.
366366
367367 Chdir_Spec ::= \[aq ] CWD=directory\[aq ]
368368
369- Tag_Spec ::= (\[aq ] PASSWD:\[aq ] | \[aq ] NOPASSWD:\[aq ] | \[aq ] SETENV:\[aq ] | \[aq ] NOSETENV:\[aq ] )
369+ Tag_Spec ::= (\[aq ] PASSWD:\[aq ] | \[aq ] NOPASSWD:\[aq ] |
370+ \[aq ] SETENV:\[aq ] | \[aq ] NOSETENV:\[aq ]
371+ \[aq ] EXEC:\[aq ] | \[aq ] NOEXEC\[aq ] )
370372
371373 AppArmor_Spec ::= \[aq ] APPARMOR_PROFILE=profile\[aq ]
372374 .EE
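Review bot: The new Tag_Spec alternative for NOEXEC in this hunk is inconsistent with every other tag: it reads `\[aq ] NOEXEC\[aq ]` while the others (including the new `\[aq ] EXEC:\[aq ]`) carry a trailing colon, and the example later in the patch uses `NOEXEC:`, so the grammar should read `\[aq ] NOEXEC:\[aq ]`. The line break also drops the `|` separator between `\[aq ] NOSETENV:\[aq ]` and `\[aq ] EXEC:\[aq ]`, so the production as written is not a valid alternation; add the `|` at the end of the NOSETENV line.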
@@ -493,6 +495,19 @@ NOSETENV.
493495Once a tag is set on a Cmnd, subsequent Cmnds in the Cmnd_Spec_List,
494496inherit the tag unless it is overridden by the opposite tag (in other
495497words, PASSWD overrides NOPASSWD and NOSETENV overrides SETENV).
498+ .SS EXEC and NOEXEC
499+ On Linux systems, the NOEXEC tag can be used to prevent an executable
500+ from running further commands itself.
501+ .PP
502+ In the following example, user aaron may run /usr/bin/more and
503+ /usr/bin/vi but shell escapes will be disabled.
504+ .IP
505+ .EX
506+ aaron shanty = NOEXEC: /usr/bin/more, /usr/bin/vi
507+ .EE
508+ .PP
509+ See the Preventing shell escapes section below for more details on how
510+ NOEXEC works and whether or not it suits your purpose.
496511.SS PASSWD and NOPASSWD
497512By default, sudo requires that a user authenticate before running a
498513command.
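Review bot: The inheritance sentence just above this hunk ("PASSWD overrides NOPASSWD and NOSETENV overrides SETENV") now has a third tag pair but does not mention it; since an administrator deciding whether NOEXEC applies to the rest of a Cmnd_Spec_List will look there first, extend it to "and EXEC overrides NOEXEC" so the override rule is stated for all three pairs. The new EXEC and NOEXEC subsection also says only that NOEXEC "can be used" on Linux; it should say what happens on other platforms (whether the tag is ignored or the entry is rejected), as that determines whether a rule like the aaron example silently grants shell access elsewhere.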
@@ -697,6 +712,16 @@ A list of all supported Defaults parameters, grouped by type, are listed
697712below.
698713.SS Boolean Flags:
699714.IP \[bu ] 2
715+ noexec
716+ .RS 2
717+ .PP
718+ If set, all commands run via sudo will behave as if the NOEXEC tag has
719+ been set, unless overridden by an EXEC tag.
720+ See the description of EXEC and NOEXEC as well as the Preventing shell
721+ escapes section at the end of this manual.
722+ This flag is off by default.
723+ .RE
724+ .IP \[bu ] 2
700725env_editor
701726.RS 2
702727.PP
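Review bot: The noexec Defaults flag description should state the same Linux-only limitation that the EXEC and NOEXEC subsection carries for the tag, and the behaviour of the flag on other platforms, because a site that enables `Defaults noexec` as a blanket policy would otherwise assume it is enforced everywhere. It would also help to say explicitly that the flag only sets the default and that a per-rule `EXEC:` tag removes the restriction for that command, since the current wording "unless overridden by an EXEC tag" leaves it unclear whether a Cmnd_Spec tag or only another Defaults setting can override it.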
@@ -937,10 +962,23 @@ Common programs that permit shell escapes include shells (obviously),
937962editors, paginators (such as \f[I] less \f[ R ] ), mail, and terminal
938963programs.
939964.PP
940- sudo\- rs currently doesn\[cq ] t offer Todd Miller\[cq ] s sudo\[cq ] s
941- protection mechanisms; i.e.\ be very careful that when a user is not
942- supposed to receive shell access, that the commands that they have
943- access to does not allow escaping to the shell.
965+ On Linux, sudo\- rs has sudo\[cq ] s \f[B] noexec* functionality, based on a
966+ seccomp() filter.
967+ Programs that are run in \f[ R ] noexec** mode cannot run other programs.
968+ The implementation in sudo\- rs is different than in Todd Miller\[cq ] s
969+ sudo, and should also work on statically linked binaries.
970+ .PP
971+ Note that restricting shell escapes is not a panacea.
972+ Programs running as root are still capable of many potentially hazardous
973+ operations (such as changing or overwriting files) that could lead to
974+ unintended privilege escalation.
975+ NOEXEC is also not a protection against malicious programs.
976+ It doesn\[cq ] t prevent mapping memory as executable, nor does it protect
977+ against future syscalls that can do an exec() like the proposed
978+ \f[CR] io_uring \f[ R ] exec feature in Linux.
979+ And it also doesn\[cq ] t protect against honest programs that
980+ intentionally or not allow the user to write to /proc/self/mem for the
981+ same reasons as that it doesn\[cq ] t protect against malicious programs.
944982.SS Timestamp file checks
945983sudo\- rs will check the ownership of its timestamp directory
946984(/run/sudo/ts by default) and ignore the directory\[cq ] s contents if it
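Review bot: The font markup in the first paragraph of this hunk is broken: `\f[B] noexec*` and `\f[ R ] noexec**` contain stray asterisks left over from markdown-style emphasis and the bold is never closed before the following sentence, so it should be `\f[B]noexec\f[R] functionality` and `run in \f[B]noexec\f[R] mode`. On wording, "different than" should be "different from", and the claim "should also work on statically linked binaries" reads as a guess in a security-relevant section; state it as a fact or say what is untested. The final sentence about /proc/self/mem is hard to follow; a plainer form would be "It also does not protect against well-intentioned programs that, deliberately or not, let the user write to /proc/self/mem, for the same reason that it does not protect against malicious programs."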