1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 60 61 62 63 64 65 66 67 68 69 70 71 72 73 74 75 76 77 78 79 80 81 82 83 84 85 86 87 88 89 90 91 92 93 94 95 96 97 98 99 100 101 102 103 104 105 106 107 108 109 110 111 112 113 114 115 116 117 118 119 120 121 122 123 124 125 126 127 128 129 130 131 132 133 134 135 136 137 138 139 140 141 142 143 144 145 146 147 148 149 150 151 152 153 154 155 156 157 158 159 160 161 162 163 164 165 166 167 168 169 170 171 172 173 174 175 176 177 178 179 180 181 182 183 184 185 186 187 188 189 190 191 192 193 194 195 196 197 198 199 200 201 202 203 204 205 206 207 208 209 210 211 212 213 214 215 216 217 218 219 220 221 222 223 224 225 226 227 228 229 230 231 232 233 234 235 236 237 238 239 240 241 242 243 244 245 246 247 248 249 250 251 252 253 254 255 256 257 258 259 260 261 262 263 264 265 266 267 268 269 270 271 272 273 274 275 276 277 278 279 280 281 282 283 284 285 286 287 288 289 290 291 292 293 294 295 296 297 298 299 300 301 302 303 304 305 306 307 308 309 310 311 312 313 314 315 316 317 318 319 320 321 322 323 324 325 326 327 328 329 330 331 332 333 334 335 336 337 338 339 340 341 342 343 344 345 346 347 348 349 350 351 352 353 354 355 356 357 358 359 360 361 362 363 364 365 366 367 368 369 370 371 372 373 374 375 376 377 378 379 380 381 382 383 384 385 386 387 388 389 390 391 392 393 394 395 396 397 398 399 400 401 402 403 404 405 406 407 408 409 410 411 412 413 414 415 416 417 418 419 420 421 422 423 424 425 426 427 428 429 430 431 432 433 434 435 436 437 438 439 440 441 442 443 444 445 446 447 448 449 450 451 452 453 454 455 456 457 458 459 460 461 462 463 464 465 466 467 468 469 470 471 472 473 474 475 476 477 478 479 480 481 482 483 484 485 486 487 488 489 490 491 492 493 494 495 496 497 498 499 500 501 502 503 504 505 506 507 508 509 510 511 512 513 514 515 516 517 518 519 520 521 522 523 524 525 526 527 528 529 530 531 532 533 534 535 536 537 538 539 540 541 542 543 544 545 546 547 548 549 550 551 552 553 554 555 556 557 558 559 560 561 562 563 564 565 566 567 568 569 570 571 572 573 574 575 576 577 578 579 580 581 582 583 584 585 586 587 588 589 590 591 592 593 594 595 596 597 598 599 600 601 602 603 604 605 606 607 608 609 610 611 612 613 614 615 616 617 618 619 620 621 622 623 624 625 626 627 628 629 630 631 632 633 634 635 636 637 638 639 640 641 642 643 644 645 646 647 648 649 650 651 652 653 654 655 656 657 658 659 660 661 662 663 664 665 666 667 668 669 670 671 672 673 674 675 676 677 678 679 680 681 682 683 684 685 686 687 688 689 690 691 692 693 694 695 696 697 698 699 700 701 702 703 704 705 706 707 708 709 710 711 712 713 714 715 716 717 718 719 720 721 722 723 724 725 726 727 728 729 730 731 732 733 734 735 736 737 738 739 740 741 742 743 744 745 746 747 748 749 750 751 752 753 754 755 756 757 758 759 760 761 762 763 764 765 766 767 768 769 770 771 772 773 774 775 776 777 778 779 780 781 782 783 784 785 786 787 788 789 790 791 792 793 794 795 796 797 798 799 800 801 802 803 804 805 806 807 808 809 810 811 812 813 814 815 816 817 818 819 820 821 822 823 824 825 826 827 828 829 830 831 832 833 834 835 836 837 838 839 840 841 842 843 844 845 846 847 848 849 850 851 852 853 854 855 856 857 858 859 860 861 862 863 864 865 866 867 868 869 870 871 872 873 874 875 876 877 878 879 880 881 882 883 884 885 886 887 888 889 890 891 892 893 894 895 896 897 898 899 900 901 902 903 904 905 906 907 908 909 910 911 912 913 914 915 916 917 918 919 920 921 922 923 924 925 926 927 928 929 930 931 932 933 934 935 936 937 938 939 940 941 942 943 944 945 946 947 948 949 950 951 952 953 954 955 956 957 958 959 960 961 962 963 964 965 966 967 968 969 970 971 972 973 974 975 976 977 978 979 980 981 982 983 984 985 986 987 988 989 990 991 992 993 994 995 996 997 998 999 1000 1001 1002 1003 1004 1005 1006 1007 1008 1009 1010 1011 1012 1013 1014 1015 1016 1017 1018 1019 1020 1021 1022 1023 1024 1025 1026 1027 1028 1029 1030 1031 1032 1033 1034 1035 1036 1037 1038 1039 1040 1041 1042 1043 1044 1045 1046 1047 1048 1049 1050 1051 1052 1053 1054 1055 1056 1057 1058 1059 1060 1061 1062 1063 1064 1065 1066 1067 1068 1069 1070 1071 1072 1073 1074 1075 1076 1077 1078 1079 1080 1081 1082 1083 1084 1085 1086 1087 1088 1089 1090 1091 1092 1093 1094 1095 1096 1097 1098 1099 1100 1101 1102 1103 1104 1105 1106 1107 1108 1109 1110 1111 1112 1113 1114 1115 1116 1117 1118 1119 1120 1121 1122 1123 1124 1125 1126 1127 1128 1129 1130 1131 1132 1133 1134 1135 1136 1137 1138 1139 1140 1141 1142 1143 1144 1145 1146 1147 1148 1149 1150 1151 1152 1153 1154 1155 1156 1157 1158 1159 1160 1161 1162 1163 1164 1165 1166 1167 1168 1169 1170 1171 1172 1173 1174 1175 1176 1177 1178 1179 1180 1181 1182 1183 1184 1185 1186 1187 1188 1189 1190 1191 1192 1193 1194 1195 1196 1197 1198 1199 1200 1201 1202 1203 1204 1205 1206 1207 1208 1209 1210 1211 1212 1213 1214 1215 1216 1217 1218 1219 1220 1221 1222 1223 1224 1225 1226 1227 1228 1229 1230 1231 1232 1233 1234 1235 1236 1237 1238 1239 1240 1241 1242 1243 1244 1245 1246 1247 1248 1249 1250 1251 1252 1253 1254 1255 1256 1257 1258 1259 1260 1261 1262 1263 1264 1265 1266 1267 1268 1269 1270 1271 1272 1273 1274 1275 1276 1277 1278 1279 1280 1281 1282 1283 1284 1285 1286 1287 1288 1289 1290 1291 1292 1293 1294 1295 1296 1297 1298 1299 1300 1301 1302 1303 1304 1305 1306 1307 1308 1309 1310 1311 1312 1313 1314 1315 1316 1317 1318 1319 1320 1321 1322 1323 1324 1325 1326 1327 1328 1329 1330 1331 1332 1333 1334 1335 1336 1337 1338 1339 1340 1341 1342 1343 1344 1345 1346 1347 1348 1349 1350 1351 1352 1353 1354 1355 1356 1357 1358 1359 1360 1361 1362 1363 1364 1365 1366 1367 1368 1369 1370 1371 1372 1373 1374 1375 1376 1377 1378 1379 1380 1381 1382 1383 1384 1385 1386 1387 1388 1389 1390 1391 1392 1393 1394 1395 1396 1397 1398 1399 1400 1401 1402 1403 1404 1405 1406 1407 1408 1409 1410 1411 1412 1413 1414 1415 1416 1417 1418 1419 1420 1421 1422 1423 1424 1425 1426 1427 1428 1429 1430 1431 1432 1433 1434 1435 1436 1437 1438 1439 1440 1441 1442 1443 1444 1445 1446 1447 1448 1449 1450 1451 1452 1453 1454 1455 1456 1457 1458 1459 1460 1461 1462 1463 1464 1465 1466 1467 1468 1469 1470 1471 1472 1473 1474 1475 1476 1477 1478 1479 1480 1481 1482 1483 1484 1485 1486 1487 1488 1489 1490 1491 1492 1493 1494 1495 1496 1497 1498 1499 1500 1501 1502 1503 1504 1505 1506 1507 1508 1509 1510 1511 1512 1513 1514 1515 1516 1517 1518 1519 1520 1521 1522 1523 1524 1525 1526 1527 1528 1529 1530 1531 1532 1533 1534 1535 1536 1537 1538 1539 1540 1541 1542 1543 1544 1545 1546 1547 1548 1549 1550 1551 1552 1553 1554 1555 1556 1557 1558 1559 1560 1561 1562 1563 1564 1565 1566 1567 1568 1569 1570 1571 1572 1573 1574 1575 1576 1577 1578 1579 1580 1581 1582 1583 1584 1585 1586 1587 1588 1589 1590 1591 1592 1593 1594 1595 1596 1597 1598 1599 1600 1601 1602 1603 1604 1605 1606 1607 1608 1609 1610 1611 1612 1613 1614 1615 1616 1617 1618 1619 1620 1621 1622 1623 1624 1625 1626 1627 1628 1629 1630 1631 1632 1633 1634 1635 1636 1637 1638 1639 1640 1641 1642 1643 1644 1645 1646 1647 1648 1649 1650 1651 1652 1653 1654 1655 1656 1657 1658 1659 1660 1661 1662 1663 1664 1665 1666 1667 1668 1669 1670 1671 1672 1673 1674 1675 1676 1677 1678 1679 1680 1681 1682 1683 1684 1685 1686 1687 1688 1689 1690 1691 1692 1693 1694 1695 1696 1697 1698 1699 1700 1701 1702 1703 1704 1705 1706 1707 1708 1709 1710 1711 1712 1713 1714 1715 1716 1717 1718 1719 1720 1721 1722 1723 1724 1725 1726 1727 1728 1729 1730 1731 1732 1733 1734 1735 1736 1737 1738 1739 1740 1741 1742 1743 1744 1745 1746 1747 1748 1749 1750 1751 1752 1753 1754 1755 1756 1757 1758 1759 1760 1761 1762 1763 1764 1765 1766 1767 1768 1769 1770 1771 1772 1773 1774 1775 1776 1777 1778 1779 1780 1781 1782 1783 1784 1785 1786 1787 1788 1789 1790 1791 1792 1793 1794 1795 1796 1797 1798 1799 1800 1801 1802 1803 1804 1805 1806 1807 1808 1809 1810 1811 1812 1813 1814 1815 1816 1817 1818 1819 1820 1821 1822 1823 1824 1825 1826 1827 1828 1829 1830 1831 1832 1833 1834 1835 1836 1837 1838 1839 1840 1841 1842 1843 1844 1845 1846 1847 1848 1849 1850 1851 1852 1853 1854 1855 1856 1857 1858 1859 1860 1861 1862 1863 1864 1865 1866 1867 1868 1869 1870 1871 1872 1873 1874 1875 1876 1877 1878 1879 1880 1881 1882 1883 1884 1885 1886 1887 1888 1889 1890 1891 1892 1893 1894 1895 1896 1897 1898 1899 1900 1901 1902 1903 1904 1905 1906 1907 1908 1909 1910 1911 1912 1913 1914 1915 1916 1917 1918 1919 1920 1921 1922 1923 1924 1925 1926 1927 1928 1929 1930 1931 1932 1933 1934 1935 1936 1937 1938 1939 1940 1941 1942 1943 1944 1945 1946 1947 1948 1949 1950 1951 1952 1953 1954 1955 1956 1957 1958 1959 1960 1961 1962 1963 1964 1965 1966 1967 1968 1969 1970 1971 1972 1973 1974 1975 1976 1977 1978 1979 1980 1981 1982 1983 1984 1985 1986 1987 1988 1989 1990 1991 1992 1993 1994 1995 1996 1997 1998 1999 2000 2001 2002 2003 2004 2005 2006 2007 2008 2009 2010 2011 2012 2013 2014 2015 2016 2017 2018 2019 2020 2021 2022 2023 2024 2025 2026 2027 2028 2029 2030 2031 2032 2033 2034 2035 2036 2037 2038 2039 2040 2041 2042 2043 2044 2045 2046 2047 2048 2049 2050 2051 2052 2053 2054 2055 2056 2057 2058 2059 2060 2061 2062 2063 2064 2065 2066 2067 2068 2069 2070 2071 2072 2073 2074 2075 2076 2077 2078 2079 2080 2081 2082 2083 2084 2085 2086 2087 2088 2089 2090 2091 2092 2093 2094 2095 2096 2097 2098 2099 2100 2101 2102 2103 2104 2105
|
-------------------
What's new for version 3.30.1:
A. Better pam test in configure.
-------------------
What's new for version 3.30.0:
A. Added '-t' option, to test if a command exists, and if
so if this user may execute it at this moment.
-------------------
What's new for version 3.28.0:
A. Added '-r requiredpath' option, to allow a program to insist
that the FullPath be the same program as the requiredpath,
else it's an error.
-------------------
What's new for version 3.27.0:
A. Modified 'super -c' to exit with non-zero exit code
if there is a syntax error.
Requested by Gordon Lack, gml4410@ggr.co.uk
B. Performance enchancement: store various user/group/host/pattern
data in a hash table, so as to avoid many repeated NIS calls
when working with a large super.tab file. "The result was that
I cut the number of NIS calls made when running through an
entire file's tests (super with no args) from 4230 to 177.
This has a *big* effect on the elapsed time too."
(From Gordon Lack, gml4410@ggr.co.uk)
C. Additional syntax checking: wherever super does
brace-globbing, it explicitly checks for balanced braces.
-------------------
What's new for version 3.26.3:
A. Fix for 'super -c' when SUPERDIR has been set to other
than /usr/local/lib. (From Gordon Lack, gml4410@ggr.co.uk)
-------------------
What's new for version 3.26.2:
A. Fix for HP-UX 11i in trusted mode, from
Mike Cross <Mike.D.Cross@gsk.com>.
-------------------
What's new for version 3.26.1:
A. Fix for super variable re-definition bug.
When changing the definition of a variable,
super deallocated a string that hsearch() tried to reference.
Bug discovery and fix by Michael Steffens <michael.steffens@hp.com>.
-------------------
What's new for version 3.26.0:
A. Cumulation of 3.25.x changes.
-------------------
What's new for version 3.25.3:
A. Fixed reference to get_pam() that shouldn't be present when
building w/o pam support.
Reported by Gabor Z. Papp (gzp@papp.hu)
-------------------
What's new for version 3.25.2:
A. Fixed bug in 3.25.1...
-------------------
What's new for version 3.25.1:
A. Fixed handling of argMMM-NNN options.
Problem reported by cmoulin@simplerezo.com.
-------------------
What's new for version 3.25.0:
A. Super tries to obtain the user's authentication data early (before
it yields setuid-root privileges), and it does this even before
reading the super.tab file. If super is unable to obtain this info,
it will no longer print error messages, unless the specific command
requires user authentication.
B. Super tries to record the time of the user's authentication, which
allows it to trust the same user for some additional time w/o
re-entering authentication data. If it's unable to record the
timestamp, it doesn't generate error messages unless this particular
command has the renewtime option set (typically this is done
as a global option).
C. Cleaned up some error messages / warnings.
-------------------
What's new for version 3.24.1:
A. BUGFIX for 3.24.0 / shell patterns syntax enhancement:
The last version used this goofy pattern:
:if $PATTERNS == shell :global arg1-99="[-/:+._a-zA-Z0-9]*"
Of course, this only restricts the first character to the desired one;
ordinary shell patterns can't express the desired restrictions at all!
In order to let shell patterns do the desired kind of matching,
I've added new syntax for shell patterns: when the pattern is
[[...]] -- that is, it begins with "[[" and ends with "]]" --
then it's a special case that means each and every character in the
string must match the pattern [...]. The new rule in the super.tab
file can now be:
:if $PATTERNS == shell :global arg1-99="[[-/:+._a-zA-Z0-9]]"
:if $PATTERNS != shell :global arg1-99="^[-/:+._a-zA-Z0-9]*$$"
-------------------
What's new for version 3.24.0:
A. Changed option args and nargs to be global as well as local.
(Suggested by Henrik Strom <henrik@telenor.com>)
B. Added builtin variable PATTERNS to carry the value of the
global patterns option.
Combined with (A), your super.tab file can include these entries
for limiting what can be done without local settings:
# By default, allow only 0 or 1 argument
:global nargs=0-1
# By default, each argument must be a simple word with no
# characters that might be srecial to a shell:
:if $PATTERNS == shell :global arg1-99="[-/:+._a-zA-Z0-9]*"
:if $PATTERNS != shell :global arg1-99="^[-/:+._a-zA-Z0-9]*$$"
-------------------
What's new for version 3.23.0:
A. Fixed format string vulnerability.
(Incremented version number instead of patch number to emphasize
this change is important.)
(From Max Vozeler <max@hinterhof.net>, via Robert Luberda
<robert@debian.org>)
-------------------
What's new for version 3.22.2:
A. Better syslog handling. Instead of compile-time choice of
the rsyslog() vs syslog() routines, the program now makes the
selection at runtime. By default, the normal openlog() and
syslog() functions are used. However, if a loghost is named
(using global option rlog_host=xxxx) before any syslog message
is generated, the functions ropenlog() and rsyslog() are used instead.
-------------------
What's new for version 3.22.1:
A. Bugfix for new options euid and egid (added 3.21.0), in which one of
the id's would overwrite the other.
(From Robert Luberda <robert@debian.org>)
B. Bugfix for missing save/restore of errno, causing an incorrect
error message.
(From Robert Luberda <robert@debian.org>)
C. Bugfix: remove unwanted override of syslog facility and priority.
(From Robert Luberda <robert@debian.org>)
D. Bugfix: if your system didn't support sysinfo(SI_SYSNAME, ...),
there was a missing return statement in add_sysinfo_variables().
(From Gordon Lack, gml4410@ggr.co.uk)
E. Bugfix: Linux pw lookup didn't have fallback if /etc/shadow was missing.
(From Gordon Lack, gml4410@ggr.co.uk)
F. Long series of minor edits to remove all compiler warnings
generated by gcc -Wall.
(From Robert Luberda <robert@debian.org>)
-------------------
What's new for version 3.22.0:
A. Added flexibility to syslog facility/level setting; e.g. auth.local1
is now legal, in addition to "LOG_AUTH|LOG_LOCAL1".
B. Fixed bug that disallowed whitespace in strings such as that in A.
-------------------
What's new for version 3.21.5:
A. Fixed a minor glitch in the configure script.
-------------------
What's new for version 3.21.4:
A. Fixed install of the "barebones.tab" file.
-------------------
What's new for version 3.21.2:
A. Generalized support for passwords:
a) all encrypted password beginning "$" are now handled correctly
(hence Linux, *BSD, Solaris 9, ...)
b) extended DES (encrypted password begins "_") now handled correctly.
B. Fixd approval checks for root. Root was being given permission
to execute commands that explicitly said !root.
C. Added some notes to man page.
D. Minor improvement to error messages.
-------------------
What's new for version 3.21.0:
A. Added options euid and egid to allow setting the effective
uid and gid separately from changing the real id's. A few very old
versions of Unix don't provide the setre[ug]id functions, and
attempting to use the e{u,g}id options will cause an error.
B. Fixed reading of passwd/shadow files so that the format $n$salt$passwd
is understood on Linux systems.
C. Added FreeBSD passwd handling, again to recognize fmt $n$salt$passwd.
-------------------
What's new for version 3.20.1:
A. ICANON is no longer disabled in getpass() -- otherwise, getpass()
hung for some os's.
(From Gordon Lack, gml4410@ggr.co.uk)
B. Fixed some missing return values.
(From Michael Steffens michael.steffens@hp.com)
-------------------
What's new for version 3.20.0:
A. Typo in utils.c would cause super to use syslog level LOG_NEWS
instead of LOG_RFS, if you tried to select the latter.
-------------------
What's new for version 3.19.0:
A. SECURITY FIX: Patched syslog use error. All previous versions
allow local root exploit when syslog() use is enabled.
Workaround for earlier versions: put "syslog=n" into :global
line of the super.tab file.
-------------------
What's new for version 3.18.0:
A. Per user request, added option to force passwords to be
read from stdin.
-------------------
What's new for version 3.17.2:
A. Minor man page improvements.
-------------------
What's new for version 3.17.1:
A. Double-checks on uid and gid, to make sure they were really
changed as they should have been.
-------------------
What's new for version 3.17.0:
A. argNNN matching now accepts brace-enclosed list
(from Boleslav Bobcik, xbobcik@informatics.muni.cz)
B. If your system-supplied regex is POSIX-compatible, then posix
regular expressions are now supported; use
:global patterns=posix
to enable them. The default is case-sensitive, basic regular
expressions. To get extended regular expressions (see your
POSIX regular expression man page), use
:global patterns=posix/extended
To add ignore-case, use
:global patterns=posix/extended/icase
-------------------
What's new for version 3.16.1:
A. pam.o was listed twice in the Makefile.
(from Boleslav Bobcik, xbobcik@informatics.muni.cz)
B. Missing comment delimiters around an #ifdef comment.
(from Boleslav Bobcik, xbobcik@informatics.muni.cz)
-------------------
What's new for version 3.16.0:
This is the stable culmination of the changes in the 3.15.x enhancements.
The previous stable version was 3.14.0.
The last version to have a known security problem was 3.12.0.
In brief, the changes include the following (the version number tells
when the capability was added; check that section for more info):
A. Added PAM support. (3.15.5, 3.15.6)
C. The use of password=y|n is deprecated; it's been replaced by the
more general auth=y|n and authtype=xxx mechanism. (3.15.5)
D. **** BEHAVIOR CHANGE FOR ROOT **** The new behavior is *usually*
the same as the old behavior, but give you more control. (3.15.4)
E. Added support for shadow passwords in Digital Unix 4.x. (3.15.3)
F. Fixes for HP-UX 11.0 with tcb enabled. (3.15.0, 3.15.7)
G. Fixed an error in printing a message when super is _not_ running
setuid-root. (Hence this is not a security fix.) (3.15.2)
H. Added option to let you specify the prompt for password (3.15.2)
I. Improved description of some envvars. (3.15.2)
J. Corrected processing of "die=message" option. (3.15.2)
K. Minor readability improvements. (3.15.0)
L. Trivial changes to the format of the -h and -H outputs. (3.15.6)
-------------------
What's new for version 3.15.7:
A. Modifications to support HP-UX 11.0 with tcb: it uses crypt()
instead of bigcrypt() [the latter is used by HP-UX 10.x.
-------------------
What's new for version 3.15.6:
A. Trivial changes to the format of the -h and -H outputs.
B. Added "--disable-pam" configure option to disable PAM support,
even if compile host has PAM. Useful if the executable is
going to be used on hosts that don't have the PAM shareable libraries.
-------------------
What's new for version 3.15.5:
A. Added Linux PAM support.
To support PAM, there are new options (global or local):
auth=y|n (default=n; replaces password=y|n)
authtype=password|pam (default=password)
authprompt="<some string>"
If you want to use the same authentication method for all
the commands that require user authentication, it's convenient to
put authtype=xxx on a :global option line, and then you only
need to add "auth=y" on the lines that require options.
B. The use of password=y|n is deprecated.
To maintain backwards-compatibility, the following expressions
are equivalent:
password=y <--> auth=y authtype=password
password=n <--> auth=n
-------------------
What's new for version 3.15.4:
A. **** BEHAVIOR CHANGE FOR ROOT **** The rule for 'root' using super
has been changed! The new behavior is *usually* the same as the
old behavior, but the new rules give you more control over
root.
New behavior: super acts as if the very first pattern to match
is "root", and then applies its ordinary pattern-matching rules.
The resul is a nice simplification & clarification of the rules:
root: default allow
others: default deny
-------------------
What's new for version 3.15.3:
A. Added support for shadow passwords in Digital Unix 4.x.
-------------------
What's new for version 3.15.2:
A. Fixed an error in printing a message when super is _not_ running
setuid-root. (Hence this is not a security fix.)
B. Added option authprompt="some string", to let you specify the
prompt for password. Variable substitution is done on the
message before printing.
C. Improved description of ORIG_USER, ORIG_LOGNAME, and ORIG_HOME,
to emphasize that these values are constructed by super and
hence safe to use.
D. Corrected processing so that a "die=message" option doesn't
stop processing when in give-help mode.
E. Modified the processing of "die=message" so that the message
is printed without any surrounding foo-fah-rah: just the super.tab
message and nothing else. Variable substitution is done on the
message before printing.
-------------------
What's new for version 3.15:
A. Minor readability improvements.
B. Fix for HP-UX 11.0 with tcb enabled: the argument list of the
(undocumented but essential) getpasswd() function has changed
between 10.20 and 11.0.
-------------------
What's new for version 3.14.0:
*** NOTE ***
Super has adopted the Linux version numbering convention. That is, the
odd-numbered minor versions are development versions, and even-numbered
minor versions are stable releases (super uses version numbers in the
format major.minor.patchlevel).
This is the stable culmination of the changes in the 3.13.x enhancements.
The previous stable version was 3.12.2.
The last version to have a known security problem was 3.12.0.
In brief, the changes include the following (the version number tells
when the capability was added; check that section for more info):
A. A new file, super.init, is now processed by super! (3.13.6)
B. New command-line option, `-o file', for symlinks to
per-user commands. (3.13.6)
C. Allow 'loginname:', in addition to 'loginname:cmd' (3.13.6)
D. Added CALLER and CALL_HOME builtin variables. (3.13.10)
E. Added new builtin variables: HOST, SUPER_OWNER, SUPER_HOME. (3.13.6)
F. Added new variable IS_USERTAB. (3.13.7)
G. New super.tab option, checkvar=xxx, to require user to enter
variables. (3.13.6)
H. New super.tab command, :getenv, to import environment
variables. (3.13.6)
I. Added owner=xxx and group=yyy options to the :include
command. (3.13.6)
J. Added new global command ":die" to force immediate exit. (3.13.6)
K. Moved get_encrypted_passwd() before super drops privs. (3.13.6)
L. Modifications to support HP-UX 10.20 running with tcb. (3.13.6)
M. Patched a dumb bug -- didn't initialize -o flag to null ptr. (3.13.9)
N. Patched dumb bug in the 3.13.6/3.13.7 code. (3.13.8)
O. A variety of bugfixes. (3.13.6)
-------------------
What's new for version 3.13.10:
A. Added two built-in variables that can be helpful super.tab files:
$CALLER is the login name of the of account invoking super, and
$CALLER_HOME is the home directory of $CALLER. Sample use:
sam /usr/sbin/sam group~operator uid=0 \
env=DISPLAY \
setenv=XAUTHORITY=$CALLER_HOME/.Xauthority
Here, the "operator" group can execute 'sam' as root, and the GUI
will display at the caller's display (due to env=DISPLAY). Since
the XAUTHORITY envvar is set to the caller's .Xauthority file, this
will give the caller access to the same displays to which s/he already
has access.
-------------------
What's new for version 3.13.9:
A. Patched another dumb bug -- didn't initialize -o flag to null ptr.
-------------------
What's new for version 3.13.8:
A. Patched dumb bug in the 3.13.6/3.13.7 code -- failed to check
for null pointer.
-------------------
What's new for version 3.13.7:
A. Added new variable IS_USERTAB. This has the value "yes" if
super is processing a `user:cmd'-type command, and "no" otherwise.
The allows the super.init to act differently depending on how it
is being invoked.
-------------------
What's new for version 3.13.6:
A. A new file, super.init, is now processed by super!
It is located in the same directory as super.tab, and must be owned
by root and be world-readable. If it doesn't exist, the usual
processing of super.tab and per-user .supertab files is done.
If super.init does exist, it is processed exactly as if each super.tab
and per-user .supertab file began with:
:include /etc/super.init owner=root
(except that "/etc" is replaced with the super.tab directory.)
This allows one to have a uniform configuration file applied
to every super-executed command. Note that the configuration file
should _only_ contain entries that are appropriate for both
root-executed super commands and per-user super commands.
It is not a good idea to include commands in the super.init file;
it should preferably contain only the builtin colon-commands
(:global, :define, :if, :die, etc).
B. New command-line option, `-o file', for symlinks to per-user commands.
The `-o file' makes it possible to create symlinks to per-user
commands, analogous to the manner in which super interprets
symlinks to itself. For instance, if "xyz" is a symlink to the
super command, then invoking "xyz" is a shorthand for "super xyz".
Similarly, the `-o file' option can be used to make the following
completely equivalent:
super joe:xyz [args] (1)
xyz [args] (2)
For this method to work, "xyz" must be a symlink to the desired
.supertab file (here, ~joe/.supertab), and the .supertab file must
be made executable and begin with the line
#! /usr/bin/super -o
(Of course you should replace /usr/bin/super with the actual path to
super.) If the "#!" line would be longer than the typical Unix limit
of 32 characters, you can instead start the .supertab file with:
#! /bin/sh
# Keep this backslash -> \
exec /long/path/to/the/super/executable -o $0 ${1+"$@"}
...
(This takes advantage of the fact that super allows comments to
be backslash-continued, but the shell doesn't.)
This works as follows: if /path/to/xyz is a symlink to some
user's .supertab file, and the .supertab file begins with
"#! /path/to/super -o", then the shell will invoke super with
arguments something like
super -o /path/to/xyz [args]
Super checks that /path/to/xyz is a link to a real .supertab file,
and then always turns the last part of the path (here "xyz") into
the command to execute.
** Security Warning ** Note that the caller is trusting that the
.supertab file will actually begin `#! /path/to/super', and not
be changed to contain something like `rm *"! Of course, this
doesn't apply to the non-symlink form, `super joe:xyz'.
C. Allow 'loginname:', in addition to 'loginname:cmd'
A modification to the syntax for invoking per-user commands allows
you to invoke help listings for the per-user files. The original
syntax was restricted to something like this:
super joe:xyz
which executes command xyz from joe's .supertab file.
The new rule is that if the "xyz" part can be missing:
super joe:
or
super -H joe:
gets command listings for joe's .supertab just as plain "super" or
"super -H" gets command listings for the normal super.tab file.
D. New super.tab option, checkvar=xxx, to require user to enter variables.
The checkvar=xxx option tells super to prompt the user to enter
the value of one or more variables (here, the variable xxx).
For example, you might have a command `super shutdown' which halts
the computer. If you execute this on the wrong host there may
be some very annoyed users! The super.tab option checkvar=HOST
may be helpful here; it causes super to prompt
Super needs you to enter the HOST variable before proceeding.
Enter HOST (<Return> for reminder):
If you press <Return> or the wrong value, super re-prompts with:
Enter HOST (expecting `myhost'):
This allows you to ensure that the caller really knows the host on
which the command is executing -- a useful thing if the command will
shutdown the system! Any super.tab variable can be used in this
kind of check. Note that the value isn't anything like a secret;
it's simply intended to help avoid gross embarrassment (or worse)
by discouraging errors.
E. New super.tab command, :getenv, to import environment variables.
The :getenv command allows a super.tab file to import environment
variables into super.tab variable definitions. The environment
variables are not allowed unless the definition is restricted to
super's normal set of "safe" characters. This provides two advantages:
(a) it's a safe alternative to allowing users' environment variables
to be passed unchecked to programs, because you can do:
:getenv VAR1 VAR2
Cmd FullPath user~xyz setenv=VAR1=$VAR1,VAR2=$VAR2
...and the program will receive VAR1 and VAR2 only if they
have "safe" values, of reasonable length.
(b) It allows interesting new constructs in super.tab files.
F. Added owner=xxx and group=yyy options to the :include command.
The use is
:include FileName [owner=xxx] [group=yyy]
This allows your per-user .supertab file to include files that
are owned by some user xxx (owner=xxx) and/or are writable by group
yyy (group=yyy). This can be useful for a collection of accounts
that are operated together as a single "project" -- a variety of
accounts can share .supertab files from the trusted user xxx or
group yyy. Note: (1) The regular root-owned super.tab file can
also use this construct, but it's not a good idea. Don't do it.
(2) Beware of the transitive nature of this trust: the file owned
by xxx can in turn include a file owned by yet another user.
G. Added new builtin variables.
The new variables are:
i) HOST, the unqualified form of HOSTNAME. (Note that HOST and
HOSTNAME will be the same if the system doesn't use qualified
names for HOSTNAME.)
ii) SUPER_OWNER, the owner of the top-level super.tab file.
This is root for the default super.tab file, or the owner
of the .supertab file in a per-user command.
iii) SUPER_HOME, the home directory of $SUPER_OWNER.
H. Added new global command ":die" to force immediate exit.
The use is
:die message
The purpose is to allow a super.tab file to force an exit without
resorting to syntactically clumsy methods. For example, you can
use a line like this:
:if $HOST != myhost :die "For use on myhost only; this is $HOST!"
Without the :die command, one would have to write
:global patterns=shell
:if $HOST != myhost * /dev/null user~* die="For use on myhost only!"
...which is unnecessarily hard to read and write.
I. A variety of bugfixes.
These include: change to read password before super.tab uid=xxx
causes uid to change to non-root; propagate -1 error return after
canonicalize hostname failures; fixed generating of timestamp directory;
fixed segfault occurring when printing wildcard commands w/o any "info".
Patches from Rein Tollevik (Rein.Tollevik@si.sintef.no).
J. Moved get_encrypted_passwd() to happen before super drops privs.
This allows per-super .supertab files to use password-checking
(from Geoffrey A. Lowney, Geoffrey.A.Lowney@Boeing.com)
K. Modifications to handle HP-UX 10.20 running with tcb
(Trusted Computing Base). Patches based on code from Minh Tran
<mtran@tnl.com.au>.
-------------------
What's new for version 3.13.0 .. 3.13.5:
These versions were never formally released.
-------------------
What's new for version 3.12.2:
A. Fixed configure script for AIX.
Problem reported by Klaus Wacker (wacker@Physik.Uni-Dortmund.DE).
B. Fixed error interpreting the argv0 option, and an error implementing
it. The argv0 option was being incorrectly interpreted as an
invalid arg[MMM-]NNN option.
Problem reported by Hadmut Danisch (hadmut@danisch.de).
C. Slightly improved help info.
D. Slightly improved man page.
E. Modifications to handle shadowed passwords properly on HP-UX 10.x
and 11.x.
F. Modifications to handle shadowed passwords properly on Linux.
Problem report and bugfix from Edgar Nielsen <edgar@netearnings.com>.
-------------------
What's new for version 3.12.1:
A. Yet another buffer-overrun fix.
Problem reported by root@sekure.org (http://www.sekure.org, aka
the Brazilian Information Security Team).
Super now has very strict option-checking, as follows:
i) super now limits the length of each option passed to it (note that
this is not the same as limiting the length of arguments passed
to the commands invoked by super for the user);
ii) super now limits the total length of all options passed to it
(again, this is separate from limiting the length of arguments
passed to commands invoked by super);
iii) ensures that all its option characters are from a limited set.
Items (i) and (ii) ensure that users can't pass execessively long
strings. Item (iii) is just insurance :-)
B. When super is running in debug mode, it won't execute any commands, but
it will process user-supplied super.tab files. This makes potential
security holes, because it might be possible that nasty data can be
passed through a user-supplied super.tab file, just like there were
buffer-overruns from command-line arguments. Therefore, super will
no longer remain as root when checking a user-supplied super.tab file.
Instead, it reverts to the caller's real uid, and prints a large
explanatory message like the following:
** Since you have supplied a super.tab file that isn't the default,
** and your real uid isn't root, we're going to change back to your
** real uid for this test. That protects us against attacks via
** nasty constructions inside user-supplied super.tab files.
** Not that we don't trust you...
** Now using: ruid=545 euid=545 **
-------------------
What's new for version 3.12.0:
A. This is supposed to be a nice and stable release, reflecting mainly
the accumulated set of changes across 3.11. Those changes include
not only patches but also enough new features that I changed the
minor number to indicate that this now differs noticeably from 3.11.0.
Changes from 3.11 include:
i) the crucial buffer overrun patches;
ii) various other bugfixes;
iii) modifications to configure properly under more operating systems;
iv) the following features, added since 3.11.0:
--disable-rsyslog ...compile time switch.
-U, -G, -M ...runtime switches for checking config files.
syslog_error ...runtime configuration option.
syslog_success ...runtime configuration option.
argv0 ...runtime configuration option.
B. Fix for a typo when checking the argument to the -U flag.
Problem and fix from Benoit Speckel (Benoit.Speckel@IReS.in2p3.fr).
C. Fix for insufficient setup when using the -U and -G options.
Problem and fix from Gordon Lack (gml4410@ggr.co.uk).
-------------------
What's new for version 3.11.9:
A. Super was failing on per-user super commands (using the
~/.supertab file) because it tried to change supplementary
groups after dropping root privs.
Problem & fix from Gordon Lack (gml4410@ggr.co.uk).
B. The new compile-time switch --disable-rsyslog turns off the
use of the rsyslog() function, so that super only uses normal
syslog(). rsyslog() has been improved to use gethostname()
instead of "localhost" as a default.
C. Bugfix: additional, new envvar checking had a bug that led to
segfaults, because it passed a nil ptr to strlen().
Reported by swift@alum.mit.edu via the Debian bug-tracking system.
D. New global options syslog_error and syslog_success for customizing
syslog() output levels.
By default, if logging to syslog is enabled, super logs errors
at LOG_ERR and successful executions at LOG_INFO. The options
syslog_error=xxx
syslog_success=yyy
set the error and success codes to xxx and yyy, respectively.
Here, xxx and yyy are any of the usual syslog() priority and/or
facility codes, e.g.
syslog_error=LOG_ERR
syslog_error=LOG_LOCAL2|LOG_ERR
syslog_success="LOG_LOCAL7 | LOG_INFO"
The LOG_xxx words can be separated by whitespace and/or "|".
Super doesn't know what are sensible codes -- it's up to the
super.tab writer to choose meaningful values. For instance,
if you used the following (please don't!)
syslog_success="LOG_LOCAL1 | LOG_LOCAL7 | LOG_INFO | LOG_ERR"
then you will get all those values or'd together and passed to syslog().
E. Fixes for compiling under FreeBSD. The encryption buffer and salt
buffer were extended to 256 bytes each -- plenty long under any
current Unix, and hopefully for some time to come.
From David O'Brien <obrien@NUXI.com>
F. Patches for various glitches, such as using %ld instead of %d,
%ld% instead of %ld, etc. From David O'Brien <obrien@NUXI.com>.
-------------------
What's new for version 3.11.8:
A. Fixed segfault that arose when handling certain combinations of
globally- and locally-defined environment variables.
Problem reported by Gordon Lack (gml4410@ggr.co.uk).
-------------------
What's new for version 3.11.7:
A. CRITICAL SECURITY FIXES: two separate buffer overruns allowed local
root access. All versions between 3.9.6 and 3.11.6, inclusive,
are affected. Buffer overrun #1 was reported by Gordon Lack
(gml4410@ggr.co.uk); overrun #2 was reported by iss-xforce@iss.net.
B. Patches for BSD Net/2. Contributed by David O'Brien <obrien@NUXI.com>.
C. Related to (B), the prototyping macro __P() has been replaced by P__(),
so that it will be legitimate on all conforming standard C
implementations.
D. Patches for Solaris 2.6. (I have become convinced that Sun has an
engineer whose job title is something like Engineer in Charge of
Modifying Standard Include Files So As To Ensure That Configure
Scripts Will Break With Each Successive Solaris Release.)
E. A few more minor modifications to the documentation (trying to make
it easier to wade through).
F. Some fixes for the Makefile's install and clean rules,
from Martin Schulze (joey@Infodrom.North.DE) and
Dmitry A. Fedorov (D.A.Fedorov@inp.nsk.su).
G. Corrections to typo's in man pages, from Dmitry A. Fedorov
(D.A.Fedorov@inp.nsk.su).
H. Fix for the special per-user .supertab files: super was failing
to parse user:commands properly. Fix from Terje Eggestad
(Terje.Eggestad@novit.no).
I. Fixed super so that it won't create a core file -- this is useful
on systems w/ shadow passwords, to ensure that the shadow file
contents aren't put into a core file.
J. Added check for <sys/filio.h>. This is needed for some versions of
IRIX, which otherwise don't have FIOCLEX defined.
K. New local option argv0.
By default, super sets the first argument passed to a command
(ie argv[0]) to be the Cmd string, not the path to the command.
Thus "super doit" will set argv[0] to "doit", regardless of to the
path being invoked. This will cause problems for programs that
need a particular value of argv0. You can work around this by
placing such programs into wrapper scripts that are in turn called
from super, or you can use the local option argv0 to set the
value of argv[0]:
argv0=DesiredNameHere
As a special case, "<path>" means to use the fullpath by which super
is invoking the command.
For example,
doit /Path/To/My/Prog argv0=<path>
will execute /Path/To/My/Prog with argv[0] set to "/Path/To/My/Prog".
-------------------
What's new for version 3.11.6:
A. SECURITY FIX: super -c or super -F xxx would check any file,
e.g. /etc/shadow. This is now fixed by using access(2) to
verify that the original caller has the right to read the
specified file. Reported by Valentin Iliev <vale@aero.vmei.acad.bg>.
B. Bugfix: silly bugs in SAFE_PATH definition.
C. added -U, -G, and -M options to support additional testing
(-U uid means to act as if caller is user uid; -G gid
means to act as if caller is group gid; -M mach means to
act as if hostname==mach. Nothing is executed, but you can
see what would have happened.)
D. Added various patches from Martin Schulze (joey@infodrom.north.de),
including documentation changes, Linux shadow password support,
better hostname canonicalization.
E. Bit more documentation.
-------------------
What's new for version 3.11.5:
A. Modified configure script, hsearch.c, localsys.h, and setuid.c
so that super will auto-configure properly on AIX.
-------------------
What's new for version 3.11.4:
A. Fixed distribution: 3.11.3 didn't contain what it claimed.
-------------------
What's new for version 3.11.3:
A. Fixed configuration/compilation setup for Linux+glibc:
- doesn't declare signal();
- defines _BSD_SOURCE.
-------------------
What's new for version 3.11.2:
A. Better debug information. Verbosity adjusted to make information
presentation a little better.
-------------------
What's new for version 3.11.1:
A. New global option "lang" / bugfix.
The "lang" global option lets you set the language used for
daynames in time expressions to any locale available on your host,
e.g.
:global lang=de
would typically cause super to use German names.
This was a bugfix: super purported to support localization,
but (a) it followed a non-POSIX implementation, and
(b) it let the regular user specify the locale!
B. Bugfix: super wasn't reporting enough information to users
about execution being denied or requested command not existing.
-------------------
What's new for version 3.11.0:
A. NOTE WELL:
The default locations for the super.tab and timestamps files have
CHANGED, so that installation would work more smoothly with
Gnu configure scripts:
(a) super installs into the directory specified by
configure --exec-prefix; the default is $PREFIX/bin.
(b) super.tab installs into the directory specified by
configure --sysconfdir; the default is $PREFIX/etc.
(c) the timestamp directory is installed in the directory
specified by configure --localstatedir; the default is $PREFIX/var;
(c) the man pages are installed in subdirectories of
configure --mandir; the default is $PREFIX/man.
For example, if you use
./configure --prefix=/usr/local
...then the super executable will be /usr/local/bin/super,
the super.tab file will be /usr/local/etc/super.tab,
the timestamp directory will be /usr/local/var/superstamps,
and the man pages into /usr/local/man/...
B. New debug option:
The option "-F path-to-superfile" is an extremely useful debug
option. It lets you specify the super.tab file. For security,
no command will ever be executed. If used with a commandname,
the matched command will be shown but not other debug info.
It lets you test an entry for a super.tab file without actually
installing the file:
super [-d | -D] -F my_new_super.tab some-command
C. New debug option:
The option "-T timeofday" is another useful debug option.
It tells super to act as if the time of execution is timeofday,
where timeofday has the format hh:mm/dayname (using the
same daynames as are accepted in the super.tab file).
For security, no command will ever be executed.
This lets you test if a time condition is properly limiting
execution of a command:
super -d -F my_new_super.tab -T hh:mm/day some-command
D. New builtin command:
:if aaa op bbb rest-of-line
provides limited conditional support. Here, aaa and bbb are strings
(can be variables), op is one of "==" (equals), "!=" (does not equal),
"~" (glob matches), "!~" (does not glob-match), and the
rest-of-line is evaluated if and only if the expression is true.
Examples:
:if $UNAME_MACHINE ~ sun4* :include MySunSpecificFile
...includes MySunSpecificFile on Sun4-type machines only;
:if $UNAME_MACHINE ~ sun4* \
:if $UNAME_MACHINE != sun4c :include MySunSpecificFile
...includes MySunSpecificFile on Sun4-type machines only, excluding
Sun4c machines.
E. New builtin command:
:optinclude filename
is like the :include command, except that if filename is missing,
it's silently ignored. If you use this, be SURE not to write
later super.tab entries that depend on the presence of the file.
(I do _not_ recommend using :optinclude, because you won't be
informed if you make a sysadmin error, and delete one of the
include files.)
F. New builtin variables:
The following variables are automatically defined, so that you can
use them in :if lines (or anywhere else, of course). Examples:
:if $SI_ARCHITECTURE != alpha :include SomeFile
:include super.tab.$NIS_DOMAIN
Items that are unavailable on your system are set to "".
(Items may be unavailable because your system doesn't offer
the required function, or because your system's function doesn't
support all the specific items super tries to get.)
(a) From gethostname() or sysinfo():
HOSTNAME system's hostname. Depending on super's
configuration, the hostname returned by
the function may be modified if super
attempts to canonicalize the name.
(Use super -b to print the names and
values of all builtin variables.)
(b) From getdomainname():
NIS_DOMAIN The domain set for NIS purposes; it is not
necessarily an Internet domain.
(c) From the sysinfo() function:
SI_SYSNAME name of operating system
SI_HOSTNAME name of node
SI_RELEASE release of operating system
SI_VERSION version field of utsname
SI_MACHINE kind of machine
SI_ARCHITECTURE instruction set arch
SI_HW_SERIAL hardware serial number
SI_HW_PROVIDER hardware manufacturer
SI_SRPC_DOMAIN secure RPC domain
(d) From the uname() function:
UNAME_SYSNAME Operating system name.
UNAME_NODENAME The nodename.
UNAME_RELEASE Operating system release.
UNAME_VERSION Operating system version.
UNAME_MACHINE Machine hardware name (class).
G. New command-line option:
The -b option prints out the builtin variables, then exits.
This makes it easy to see what variable values to check for
in :if lines:
% super -b
Builtin variables:
UNAME_SYSNAME: SunOS
UNAME_VERSION: 2
...
H. Added -I. to Makefile so that compilation would succeed under
VPATH.
I. Added env=... to be a global option as well as a local option.
J. Added maxenvlen=nnn to be a global or local option; gives the maximum
allowed length of an envvar definition.
Default=1000. Negative=no limit.
K. Pretty-printing: improved the formatting under super -d and super -H.
L. Added option maxlen=[mmm,]nnn (local or global). Arguments are
restricted to be a maximum of mmm characters long individually
(including trailing null), and nnn characters total.
The default limits are 1000 and 10000, respectively.
Values < 0 mean no limits; unlimited argument length can be
configured using:
:global maxlen=-1,-1
M. Fixed missing initializations for some flags when super is invoked
from a symlink.
Reported by Jeff W. Stewart (jws@anaconda.cc.purdue.edu).
N. Fixed SAFE_PATH initialization.
Reported by Lawrence Lowe (lsl@hep.ph.bham.ac.uk) and
Gordon Lack (gml4410@ggr.co.uk).
O. Bugfix: if the nice increment was set to a negative value, and the
program was to be run non-setuid-root, the nice increment was changed
to be applied _before_ the setuid/setgid operations. (Negative
nice increments can't be except while running as root, of course.)
P. Bugfix: fixed envvar setting so that HOME, USER, and LOGNAME are set
correctly when uid=NNN or u_g=NNN are numeric. For example,
uid=0 had caused the USER envvar to be "0".
Q. Bugfix: super -D core dumped. Reason: super was passing an integer
to a debug message, at a place where a string was expected.
(Reported by swift@alum.mit.edu.)
R. Tried to make man pages, especially the super.1 page, more clear.
S. Changed the -h option to only give a usage listing. Thus
super -h ...usage
super (no args) ...list available commands, tersely.
super -H ...list available commands, expansively.
-------------------
What's new for version 3.10.0b6:
A. Instead of closing descriptors >2 right away, the close-on-exec
flag is instead used for machines with this feature. For IRIX 5
(and others?), this is a bugfix, not just a general improvement:
Gordon Lack wrote ``Irix NIS seems to "cache" a UDP connexion
on a file-descriptor, and super closes this before execing''.
Bugfix/improvement courtesy of Gordon Lack (gml4410@ggr.co.uk).
-------------------
What's new for version 3.10.0:
** If you are familiar with super version <=3.7.2, but haven't used
** a more recent version, please read the changelist back through 3.8.0!
** There have been MANY enhancements since 3.7.2.
A. EASIER INSTALLATION: configuration is now handled by a configure
script. This reduces the number of items you have to hand-adjust
from 20 to none at all (if you like the defaults).
B. SECURITY FIX: Until version 3.9.7, super never did anything to
change the supplementary groups list. This is not a security problem
if you are adding privileges (such as switching to root), but it
is a potential problem if you are switching to a different user and/or
a different group.
Solution: this version of super adds the following new semantics:
If you use u+g=foo, then the user is set to foo and the group is
set to foo's login group (as in earlier versions), and the
supplementary groups are set to foo's supplementary groups list
(new feature). Otherwise, the supplementary groups list is deleted.
See also the new options groups=a,b,... and addgroups=a,b,...
The problem was reported and a workaround supplied by
Morten Rolland (Morten.Rolland@si.sintef.no).
C. BUGFIX: Super had assumed that there would only be one ":global_option"
line. If there were multiple :global_option instances, and logfile=xxx
was used before the last :global_option instance, super would
create multiple logging processes. Worse, interactions with password
checking could lead to super's running a command without getting
the user's password (when password=y).
The bug was reported by Richard Czech (Richard.Czech@gmd.de)
D. PER-USER SUPER.TAB FILES:
Super now allows ordinary users to supply their own super.tab files.
This lets users give well-controlled setuid/setgid access to their
programs: the user who offers the program gets the assurance of
safe IFS settings, safe environment variable settings, etc; and the
user who executes the program knows that it will execute under
the uid of the offering user.
o The user-supplied super file is .supertab, in the home directory
of the user, and must be owned and writable only by the owner.
o Joe user's supplied command "foo" is invoked by typing
super joe:foo
Super will act as follows:
i. immediately changes its uid, gid, and supplementary groups
to be those of the owner of the super.tab file (joe);
ii. close all descriptors except for stdin, stdout, and stderr;
iii. follow its usual rules for processing super.tab files,
except that any options that require setuid() or setgid()
will fail since super is running as an ordinary user.
E. EASIER LISTS: in the past, super permitted csh-style
brace-expansion for valid-user patterns. It has also allowed
comma-separated lists for some options (e.g. fd=n1,n2,...).
These forms have been synthesized into a single format: anywhere
a list makes sense, either comma-separated or brace-expansion
is permitted. (The implementation is easy: the list is wrapped
in braces, and then brace-expansion is done.)
F. NEW OPTION
groups=a,b,... supplementary group list is a,b,c
groups= supplementary group list is empty
causes super to set the supplementary groups to the named list,
before exec'ing the command.
G. NEW OPTION
addgroups=a,b,...
causes super to add the named groups to the supplementary set
before exec'ing the command. (Note: the supplementary set is
intialized to be empty unless the option u+g=foo is used, so
addgroups=a,b,... usually has the same affect as groups=a,b,...
Alternatively, groups=<caller> addgroups=a,b,... will set the
groups' to the caller's login groups, then add a,b,... to the list.)
H. NEW OPTION
cd=SomePath
causes super to change directory to SomePath before executing
the command. This can be global or local; the local overrides
the global setting.
I. NEW OPTION
rlog_host=hostname
tells super which host's syslog daemon is to receive log messages
when option syslog=y is enabled. Default=localhost.
J. NEW OPTION
gethostbyname=y|n
tells super to enable/disable hostname lookup using gethostbyname().
Default: enabled (if you have gethostbyname()).
K. CHANGE TO NETGROUP HANDLING: hostnames beginning with ``+'' are
_always_ treated as NIS netgroup names -- that is, @+xyz means
that anyone at a host in netgroup xyz can execute the command.
If your system doesn't have innetgr(), patterns beginning with ``+''
will not ever match any hostname. (Previously, interpreting
``+'' as a special character was enabled as compile-time option.)
L. CHANGE TO GETHOSTBYNAME() USAGE: if you have gethostbyname(), it
gets compiled in and will be enabled by default; use global option
gethostbyname=n to disable. (Previously, you had to define
USE_GETHOSTBYNAME to compile it in, and there was no switch
to turn it off.)
M. CHANGE TO SYSLOG() USAGE: we always compile the rsyslog() function
from Jean-luc Szpyrka, so you can always send syslog output to either
a remote or local host. The new option rlog_host=xxxxx specifies
the host that receives the messages; the default is "localhost" --
i.e. same behavior as plain syslog(). (Previously, neither
syslog() nor rsyslog() use was compiled in unless USE_SYSLOG
was defined.)
N. SPECIAL NAMES: Two name have been added that you can use as an
argument to any of the options owner=xxx, uid=xxx, gid=xxx,
u+g=xxx, groups=xxx, addgroups=xxx, umask=xxx.
These names are
<owner> means owner of the file to be executed
(or owner's group, whichever is appropriate
in the context);
<caller> means the owner or group of the user calling super.
The angle brackets are literally part of the name. (Exception:
umask=<owner> makes no sense and isn't defined.)
Example:
gid=Foo uid=<caller>
would change the group only, but leave the uid unchanged -- this is
something you could not formerly do in super.
O. Updated man pages.
P. Security enhancement: the default umask is no longer inherited
from the caller; instead it is set to 022. However, you can
set it to the caller's umask by using the option
umask=<caller>
Q. Dead code elimination: a branch of code made a call to the
unsafe (on some systems) function getlogin(). This branch of
code was never invoked, and has now been completely eliminated.
-------------------
What's new for version 3.9.7:
A. Super 3.9.6 installed the "setuid" program as setuid-root.
This is a severe security hole.
Version 3.9.7 removes the setuid-root entry from the Makefile.
-------------------
What's new for version 3.9.6:
A. Important bugfix for version 3.9. Super had its internal structure
overhauled for version 3.9. Unfortunately, one important error was
introduced: the super.tab options
uid=xxx
group=xxx
u_g=xxx
were not properly reset from one entry to the next. This version
fixes that error.
B. A new -c option: causes super to check the syntax of a super.tab
file, but not actually execute anything. Its use:
super -c [superfile]
When you modify a super.tab file, you should use super -c to
check the file's overall syntax, and also use super -d cmd
for each modified command cmd, to verify that the details of
the invoked command (args, uid, gid, umask, etc) are what
you wanted to do.
C. A new -f option: this is a "just the facts, ma'm" help mode:
it prints lines like:
CmdPattern FullPath [leading args]
CmdPattern FullPath [leading args]
...
which allows scripts to make lists of commands the user may execute.
D. A new super.tab option has been added:
print="msg"
causes the message to be printed just before exec'ing the
command.
E. Better man page information.
F. Replaced DIE=msg with die=msg. (Retaining DIE=msg as obsolete form.)
-------------------
What's new for version 3.9.5:
A. Patches to 3.9 for Digital UNIX,
from Stephen Carney (carney@gvc.dec.com).
-------------------
What's new for version 3.9.4:
A. Bugfix for yet another silly error if invoked via symlink in
version 3.9.2. Error pointed out and fixed by Rein Tollevik
(Rein.Tollevik@si.sintef.no).
B. Syslog messages were always logged at priority SYSLOG_PRIORITY.
Error found and fixed by Rein Tollevik (Rein.Tollevik@si.sintef.no).
C. If the preprocessor symbol SUNOS5 is defined, then the symbol SVR4
is also defined (if not already done) in super.h. One ifdef'd
section of code was changed to look at SVR4 instead of SUNOS5;
hopefully this will be an improvement for other SVR4-based systems.
-------------------
What's new for version 3.9.3:
A. Wrong processing if invoked without any arguments, or if invoked
via symlink. Error pointed out and initial fix by Gerry Singleton
(Gerry.Singleton@Canada.Sun.COM).
-------------------
What's new for version 3.9.2:
A. Makefile entries and a few #includes needed for TI SYS V 3.3,
from Oyvind Gjerstad (ogj@it.tollpost.no).
-------------------
What's new for version 3.9.1:
A. Left some commas out of an #ifdef'd initialization array.
Bugfix from Oyvind Gjerstad (ogj@it.tollpost.no).
B. Fixed: variable expansion happening inside comments, reported by
Oyvind Gjerstad (ogj@it.tollpost.no).
-------------------
What's new for version 3.9.0:
** If you are familiar with super version <=3.7.2, make sure you **
** read the changes in 3.8.0! There have been MANY enhancements **
** made since 3.7.2. **
This version consolidates all of the changes done in beta tests
of 3.8, and added enough new items that I had to change the version
number to 3.9 (without pausing for a non-beta version of 3.8).
The improvements have come thick and fast, but that will now stop
and only corrections will be done to v3.9 for some time to come.
The visible changes are:
A. The super.tab control line format has been generalized.
The old syntax and semantics remain a valid subset -- old
super.tab files will continue to work as expected.
Super now takes the following approach to selecting a command to
execute. For each control line in the super.tab file,
super requires that:
1. The user's typed command must match a control-line command;
2. The user's name/group/host must match one of the user/group/host
entries;
3. The current time and day must match a time entry (if any are
given);
Otherwise, super "falls through" and tries the next control line.
The user/group/host and time entries are called _conditions_
that must be matched.
_Options_ on the control line are handled very differently from
_conditions_. After conditions are met and a line is nominally
selected for execution, all options must be satisfied, or super
quits without executing the command and without trying further
control lines in the super.tab file.
This distinction between conditions and options is easy to use
in practice: basically, super searches for a line that matches
a command, user and time of day. When the line is found, super
will execute the command if the options -- such as a required
password or restrictions on command arguments -- are satisfied;
otherwise, it stops.
There are three important differences between conditions and options.
1. If conditions aren't matched, super will "fall through" and
look at the next line. In contrast, when options are
checked, super will quit if the options aren't satisfied.
2. Conditions can be "negated", that is, !condition~pattern
means that if the pattern is matched, the user is
_rejected_ from using this line. Options can't be negated.
3. Many similar conditions be applied, and the last-matching
condition is used. For example, the list of user-conditions
:develop !joeblow
says that anybody in group "develop" can use the command,
but then rejects joeblow, even if he is in the develop group.
If an option can appear more than once on a line, all
instances of the option must be satisfied, not just the
last-matching instance.
As part of the syntax generalization, user patterns may now begin
with "user~":
user~:develop !user~joeblow
Options and conditions can be interleaved.
B. time~pat is a new condition that has to be met before the line
is accepted for execution. See next item for sample uses.
All time patterns on a line must be matched or super will continue
to the next control line. For example,
time~{8:00-12:00,13:00-17:00} !time~{sat,sun}
or
time~{8:00-12:00,13:00-17:00}/{mon,tue,wed,thu,fri}
restricts a command to being used during typical office hours
on weekdays.
C. DIE=msg is a new option that can be used in a command line
to force super to exit (and print msg) if the rest of the
command line is successfully matched. Here are a few examples
that also illustrate use of the new :define command.
:define RestrictedCommands ...
:define weekdays {mon,tues,wed,thurs,fri}
:define BadHours time~0-08:30/$weekdays \
time~17:30-24:00/$weekdays \
time~{sat,sun}
$RestrictedCommands $BadHours \
DIE="You can't use this command outside of office hours."
or
:define RestrictedCommands ...
:define officeHours {8:30-12:30,1:30-17:30}/{mo,tu,we,th,fr}
$RestrictedCommands !time~$officeHours DIE="hahaha"
Without the DIE option, super will try to execute the restricted
commands during the restricted hours.
D. gethostbyname() is now called both with and without a trailing dot
in the hostname. If both forms succeed, the longer returned name
is kept, except that any trailing dot is deleted.
E. nice=nnn changes the ``nice'' level of the executed command
by an amount nnn from the default level. (Positive increments
reduce the command's priority; negative increments increase it.)
F. umask=nnn (local or global option) makes commands run with the
specified umask. Useful if you want to help ensure that files
are created with restricted access permissions.
G. :include filename allows a super.tab file to include other files.
The filename must either be an absolute path or is interpreted
relative to the directory containing the super.tab file, and the
same restrictions are put on the file ownership and permissions
as for the top-level super.tab file. The number of nested includes
is limited only by the number of allowed open files.
Use with caution!
H. The new local option argMMM-NNN=SSS or argNNN=SSS (where MMM and
NNN are positive integers, and SSS is a string) means that the
MMM-NNN'th user-entered arguments must match pattern SSS.
The pattern SSS must be enclosed in quotes if it contains
whitespace. Note that this doesn't _require_ MMM-NNN arguments;
it only says what those arguments must look like, if entered.
I. Updated and corrected super.5 man page.
J. Fixed "mail" option. It can be used as either a global or local
option.
-------------------
What's new for version 3.8.0:
(The first 5 items are substantive visible changes/enhancements!
Please read them!)
A. The rule for processing backslash-newline-whitespace (indicating
continued lines) IS MODIFIED. THE NEW RULE IS:
- if it follows a letter, digit, or underscore, replace the
sequence with a single space.
- otherwise, it is eliminated entirely.
Therefore, you can type
Cmd File user1\
user2\
user3
and it is equivalent to
Cmd File user1 user2 user3
But typing
Cmd File {user1,\
user2,\
user3}
is equivalent to
Cmd File {user1,user2,user3}
B. Variables are now supported! You can type
:define okusers {joe,jane,tom,sally}
The above could also have been written
:define okusers {joe,\
jane,\
tom,\
sally}
and then use
Cmd FullPath $okusers
with the obvious result. (The variable name may be enclosed
in parentheses to insulate it from the characters which follow.)
Read the man page super.5 before proceeding to use variables!
C. New global option syntax:
:global globaloptions...
or
:global_options globaloptions...
The old syntax:
/ / globaloptions
is still supported, but its use is discouraged.
D. Multiple commands/filenames are now allowed on one line. Now you
can type
Cmd1::FullPath1 Cmd2::FullPath2 [...] ok-user-pats
This can be useful for treating a group of commands as a unit:
:define Common_cmds Cmd1::FullPath1 \
Cmd2::FullPath2 \
Cmd3::FullPath3
:define okusers {\
:operators,\
joe,jane,tom,sally}
$Common_cmds $okusers
E. In general, a colon in a Cmd part of a line is now reserved
to super, and must not be used as part of the Cmd name.
This has been done to support the :define and :global commands,
the Cmd::File syntax, and provide space for future development.
F. The super.tab file can now be owned by root or nobody.
This change is to support networked accounts.
G. Substantial modifications to hostname matching to improve
handling of netgroups.
(From Steve Robbins -- steve@cim.mcgill.ca)
H. Added Makefile entry Max + header #ifdef's for SGI v5.3
(from Max Buchheit, buchheit@ccrs.emr.ca).
I. Fixed comparison between char and NULL.
Added Makefile adjustments for Solaris 2.4 (SunOS 5.4).
J. Fixed an error related to an appended dot on hostnames.
(from Geoffrey A. Lowney, Geoffrey.A.Lowney@Boeing.com)
K. If compiled with __STDC__ defined, prototypes are used.
L. Disabled "mail" global option. Nobody was using it, and it wasn't
implemented right anyway... maybe that's why nobody used it :-).
M. Disallowed relative pathnames unless global option relative_path
is set. This is to prevent admins from accidentally making a
stupid error.
N. Disallowed slash in groupnames unless global option group_slash
is set. This lets us find formatting errors more easily -- namely,
using Cmd:File instead of Cmd::File.
-------------------
What's new for version 3.7.4:
A. Added setenv=var=xxx option. This option defines environment
variable var to have value xxx, and adds it to the environment
variables that are kept when the command is executed.
Can be used multiple times to add definitions for multiple variables.
Note that "setenv=DISPLAY" is syntactically invalid (missing the
`=' after the variable name), and that "setenv=DISPLAY="
sets DISPLAY to the null string.
(Recall that you can also use the option "env=var1,var2,..."
to keep a list of user-defined environment variables.)
B. Improved error reporting.
-------------------
What's new for version 3.7.3:
A. *** NOTE WELL *** Changed processing of FullPathNames with quoted
arguments: the quotes are now stripped (it was an error that they
weren't). For example, the super.tab entry
doit "/usr/bin/xxx -o1 -o2 -xrm 'a b c'" willie
allows user willie to type
super doit
and to execute /usr/bin/xxx with arglist
argv[0]: doit
argv[1]: -o1
argv[2]: -o2
argv[3]: -xrm
argv[4]: a b c
Previous versions of super would pass argv[4] as 'a b c', including
the single quotes.
B. Added #ifdef to define LOG_USER and LOG_ERR if they aren't
defined in <syslog.h>.
C. When logging successful super uses, added #ifdef so that the
message priority isn't set unless USE_SYSLOG is defined.
D. Added Makefile entry for Ultrix 4.3 (from Christoph Geelen,
geelen@rzulx1.mpie-duesseldorf.mpg.de).
E. Added Makefile entry for UnixWare 2.0 (from Pete Holsberg,
pjh@tecoma.mccc.edu).
F. Added Makefile entry and super.c patches for Digital UNIX V3.2
(formerly DEC OSF/1); from Stephen Carney, carney@gvc.dec.com.
-------------------
What's new for version 3.7.2:
A. Added owner=xxx option so that super won't run a program
unless it's owned by xxx.
-------------------
What's new for version 3.7.1:
A. Modified error msg for clarity.
B. If super.tab isn't owned by root, then:
+ if real uid is root, bail out: don't run at all.
+ if real uid isn't root, run as real uid (can be useful
for testing).
-------------------
What's new for version 3.7.0:
A. Changed hostname comparisons to be case-insensitive.
(From Steve Robbins -- steve@cim.mcgill.ca)
B. New capability: wildcard commands.
In previous versions of super, entries in the super.tab file
looked like:
CmdName FullPathName PermittedUsers
This is now supplanted by a new format, which is a superset
of the previous one (note that all existing super.tab files
remain valid):
CmdPattern FullPathName-with-optional-"*" PermittedUsers
There are two new features here:
1) The former CmdName string is now interpreted as a pattern
(with csh-style brace expansion, so that it can
actually stand for a variety of commands).
2) If there is an asterisk in FullPathName, it is replaced
by the user's cmd.
In the usual situation, in which CmdPattern is still just a plain
name without wildcards, the user (a) types "super cmd";
(b) the cmd is matched against CmdPattern;
(c) the user checked to be a PermittedUser, etc;
(d) FullPathName is then executed. As long as CmdPattern is
just made up of letters, digits, and underscore, and
FullPathName has no asterisk, the effect will be exactly
as super has always acted.
If you put special pattern-matching characters into the CmdPattern,
you simply give more ways a user can execute the same FullPathName.
This isn't yet very exciting, and in fact isn't a good idea at
all. The power of using patterns in the CmdPattern string comes
when FullPathName includes an asterisk. In that case, the asterisk
is replaced with the user's "cmd" string to form the actual
command to exec. For instance, a SysV-based host might have
an entry in the super.tab file that looks like:
/usr/bin/{lp,lpstat,disable,enable,cancel} * :operators
This would allow anybody in the "operators" group to have root access
to the line printer commands. For instance, if the user typed:
super /usr/bin/disable some_printer
then the FullPathName == "*" would be replaced by /usr/bin/disable,
and become the command to exec.
More conveniently, the super.tab file could have a line like:
{lp,lpstat,disable,enable,cancel} /usr/bin/* :operators
In this case, the user can type
super disable some_printer
The asterisk is replaced by "disable" to form the command
/usr/bin/disable.
If you _completely_ trust some users, but want logging of all
actions, you could use:
/* * ReallyReallyTrustedUsers
(if the global option patterns=shell has been set) or
/.* * ReallyReallyTrustedUsers
(the default case: patterns=regex).
The user can now execute any command. Note that the pattern
begins with a slash, to ensure that the cmd must be an
absolute path -- this helps avoid accidental execs of the
wrong program.
Of course, if you were really going to give everything away as shown
above, you'd probably want to exclude any public-area workstations,
require the trusted users to periodically give their passwords,
and set the real uid=root (instead of just the effective uid),
so the entry might be modified to read:
/* * TrustedUsers !{PatternsOfPublicWorstations} \
password=y timeout=5 uid=0
(if the global option patterns=shell has been set).
(These changes were inspired by Aaron Schuman, schuman@sgi.com)
-------------------
What's new for version 3.6.1:
A. Added support for shadow passwords on HP-UX 9.x.
-------------------
What's new for version 3.6.0:
A. Changed super's logging to offer networked syslog messages:
all syslog messages can be sent to a single host.
B. Provided bugfix with -V option (super could coredump otherwise).
(These changes provided by Jean-luc Szpyrka, jls@sophia.inria.fr)
-------------------
What's new for version 3.5.2:
A. Bugfix: the full path of the executed command was inserted
as argv[1] in the output arguments, when it didn't belong there
at all.
B. Bugfix: log messages for _successful_ commands weren't
being newline-terminated.
(These bugs reported by Olof Backing, obg@nada.kth.se)
-------------------
What's new for version 3.5.1:
A. Added better copyright + licensing info.
B. Did some code cleanup (getting rid of unused variables, adding
declaration of wait(), etc).
C. After logging a super call to the logfile, failed exec's might
not be printed on the screen (although they were
logged in the logfile).
-------------------
What's new for version 3.5:
A. Added pattern negation to super.tab:
!pat
says to disallow a user who matches the pattern.
Until now, you could only give permission to users that
matched, not take it away. Patterns are scanned left-to-right,
and the allow/disallow depends on the last pattern that matches.
This lets you do things like
cmd /Full/Path :goodguys !jan
to mean allow anybody in group goodguys, but then disallows
user jan, even if jan is in goodguys.
B. Added user/group/host patterns to the global settings:
/ / [global opts] pat pat ... <> pat pat ...
User/group/host patterns to the left of "<>" are processed
_before_ the per-command patterns; user/group/host patterns
to the right of "<>" are processed _after_ the per-command
patterns. If "<>" is missing, all patterns are processed after
the user patterns.
For example,
/ / jan <> !@+badhosts
says that user jan can execute any command (unless a per-command
pattern explicitly disallows jan from executing a particular
command), but under no circumstances will a user on any host in
netgroup ``badhosts'' be allowed to execute any command.
(Thus jan can execute any command, but only from hosts _not_
in ``badhosts''.)
(These changes were inspired by Jean-luc Szpyrka,
jls@sophia.inria.fr .)
C. Added special handling of hostnames: If a host is using
DNS names, and the hostname isn't matched in the super.tab
file, it's possible that the reason is simply that gethostname()
returns a name with fewer or more components of the fully-qualified
domain name (fqdn) than is in the hostname pattern in super.tab.
For example, gethostname() might return "w.x.y.z", but the
hostname pattern might be simply "w". Until now, super wouldn't
consider this a successful match.
If you enable the new feature USE_GETHOSTBYNAME, then
if the hostname doesn't match the pattern directly, super will
determine the fqdn, and then compare ever-shorter parts against
the pattern. For instance, given the hostname "ab.cd.ef.gh",
super will test "ab.cd.ef.gh", then "ab.cd.ef", then "ab.cd",
and finally "ab". Warning: using this option may reduce
security a bit - your host may query a nameserver on another
host to obtain the FQDN, and that nameserver could conceivably
have been subverted and then return incorrect hostnames.
(Idea from Dave Curry, davy@ecn.purdue.edu).
D. Fixed a bug in creating timestamp files. Basically, unless
the global option timestampuid=0 was set, one frequently got
a message "Timestamp creation failed" and then couldn't
run a command requiring a password.
(Bug reported by Brian Huntley,
bhuntley%tsegw.tse.com@spectre.uunet.ca)
E. Changed super's logging to include the arguments passed to
the command.
(Patch from Dave Curry, davy@ecn.purdue.edu).
F. An error in the str_val() function allowed some typos in
option names to pass unnoticed. Files with properly typed
option names were not affected.
G. Modified some error messages that were not printing accurate
information about why access was being denied.
H. Bugfix: comments in super.tab are supposed to only go up to
newline, but instead they ran to the end of an input block.
I. Ported to SCO 3.2v4.
(Changes from Keith Menard, menard@gateway.wtc.com)
J. Fixed error in processing backslashes in super.tab lines
(backslash-newline was being processed correctly; others left
super in an infinite loop).
K. Stripped down the strqtok function that splits input lines
of text.
-------------------
What's new for version 3.4.9:
A. Added #ifdef's and Makefile entries for
Clix 3.1 r.7.1.3 (Intergraph)
contributed by David Sandmann (das@ipro15.aaa.com).
B. Added #ifdef'd code to implement scripts that start with
"#! interpreter" on OS's which don't support it directly.
-------------------
What's new for version 3.4.8:
Minor bugfixes:
A. _Successful_ executions of commands were not being logged by
syslog unless they were also being logged to a (non-syslog) file.
B. There were formatting errors and other minor mistakes in
the super.5 man page.
C. Changed the example in README and the super.1 man page regarding
how a program can super itself, so that it will work on all
Bourne shell variations (the argument to "test" had to be
protected against empty strings.)
-------------------
What's new for version 3.4.7:
A. Bugfix for patterns like
uuu:ggg and uuu:
...valid user is denied access. Bug report & fix came from
Karen L Dickerson (kld@mudshark.sunquest.com).
-------------------
What's new for version 3.4.6:
A. Bugfix for sites that don't compile with USE_NETGROUP but
do specify a hostname. Bug reported by
Adam P. Harris (apharris@mcs.com).
-------------------
What's new for version 3.4.5:
A. Improved parsing for arguments that super supplies to commands.
Previously, only whitespace would separate arguments. Version
3.4.5 parses the FullPathName with recognition of embedded
quotes and backslashes.
For example, suppose the super.tab file contains a line like
cmd "FullPath -a -b 2\ 3 -xrm 'r s t \
u v w' ..." SuperOptions... validusers...
The "FullPath..." string (containing the arguments -a, -b, ...)
... is parsed using Bourne-shell-like rules for backslashes
and quotes, and the line is parsed as
argv[0] FullPath
argv[1] -a
argv[2] -b
argv[3] 2 3
argv[4] -xrm
argv[5] r s t u v w
(Use "super -d cmd" to check that your args are being parsed
as expected before you unleash a new command on your users.)
-------------------
What's new for version 3.4.4:
A. The timestamp file of user@host.name.dom is now by default
stored in
TIMESTAMP_DIR/hostname/user
with the old behavior (TIMESTAMP_DIR/user) being an option
controlled with global option timestampbyhost=y|n.
The timestampuid=xxx option has been added to allow timestamp
files to be created under a particular uid.
This allows for a cross-mounted timestamp directory on hosts
that map NFS root accesses to nobody, but still keeps the
password entries distinct on different hosts.
B. TIMESTAMP_DIR is now documented in the Makefile, so that it
is easily configured at compile time.
-------------------
What's new for version 3.4.3:
A. Option -H has been added to give the long-winded help information
that has been the only thing printed until now.
The -h option now prints a short help listing:
Command Comments
------- --------
cmd1 help info for cmd1
cmd2 help info for cmd2
...
-------------------
What's new for version 3.4.2:
A. If "xyz" is a symlink to super, then
% xyz args...
is treated by super just like
% super xyz args...
Super detects such symlinks by the rule that argv[0] must
match "*/super" or "super"; otherwise, it's assumed to be
a symlink. Therefore, a symlink named "super" won't work --
super won't recognize it's being invoked via symlink.
-------------------
What's new for version 3.4.1:
A. When printing debug info, there was misformatted output
of any extra file descriptors being held open. (The
problem only occurred in 3.4.0, not earlier versions.)
-------------------
What's new for version 3.4:
A. Added nargs=[mmm-]nnn to limit user-entered args.
-------------------
What's new for version 3.3.2:
A. Allow "@hostname", without any user or groupname part.
-------------------
What's new for version 3.3.1:
A. Fixed SunOS 5.x to use "getspnam()" when looking up passwords.
-------------------
What's new for version 3.3:
A. Added mail="....." global option.
B. Fixed goofy error in parsing password=n.
C. Added syslog=y|n option.
-------------------
What's new for version 3.2:
A. Added options password=y|n, timeout=n, renewtime=y|n to require
passwords on specific commands (or all commands).
B. A bugfix: if the super.tab file tried to pass options to the
executable command, the exec would fail.
-------------------
What's new for version 3.1:
A. Added global option loguid=xxx to allow the logfile to be opened
under a uid other than root. This allows the logfile to be
shared across a network over which root doesn't have write access.
-------------------
What's new for version 3.0:
A. Command logging -- you can specify a file to receive a log
of super uses and attempts.
B. More environment variables -- for each entry, the super.tab file
can specify environment variables that should be passed to
the command instead of discarded. You simply add entries like
env=TZ,TAPE
to the super.tab file, to keep TZ and TAPE in addition to
the default list. Of course one has to use this with
caution.
C. Set uid/gid -- for each entry, the super.tab file can specify
the uid and/or gid (the default is to only change the effective
uid to root). To use this, you add entries like
uid=xxx gid=yyy
to the super.tab file, or u+g=xxx to set the uid
to xxx and the gid to xxx's login gid.
As a supplement to the setuid/setgid ability, super defines
some extra environment variables so that the invoked command
can know the username and home directory of the user who
invoked the command, as well as that of the uid under which
the command is executing.
D. Open file descriptors -- for each entry, the super.tab file
can specify a list of file descriptors that should not be
closed (in addition to the default 0,1,2).
E. Initial arguments -- for each entry, the super.tab file can
specify a set of initial arguments that are put into argv[]
ahead of the arguments the user typed on the command line.
F. super -h now only prints the commands that may be executed by the
user; and the super.tab file can specify a line of explanatory
text to be printed with each command.
G. A bugfix: The TERM environment variable can now contain "-+_.:/"
in addition to [a-zA-Z0-9].
H. The super.tab file can be configured with either Bourne-shell style
or regex (ed-style) valid-user patterns; the default is regex.
-------------------
What's new for version 2.0:
A. A couple of bugfixes. (These fixes were first introduced
in version 1.2.)
B. You can restrict commands to particular users on particular
hosts. This allows one "super.tab" file to serve many hosts.
C. Entries in "super.tab" can now span multiple lines. Helpful
when one file serves many users + hosts.
D. csh-style brace-expansion: super's pattern-matching previously
was done with the BSD 4.x regex routines. This is now extended
allow csh-style braces. For instance, to allow users
pam and sammy, executing from hosts alpha and beta, you can
use an entry like {pam,sammy}@{alpha,beta}
|