summaryrefslogtreecommitdiff
path: root/usr.bin/sudo/TODO
blob: 12b5603ad866ea740ade5655153402ea04987fb4 (plain)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
TODO list (most will be addressed in sudo 2.0)

01) Redo parsing to be more like op(8) with true command aliases where
    can specify uid, gid(s) and part/all of the environment.

02) Add a SHELLS reserved word that checks against /etc/shells.

03) Make the sudoers file accessible via NIS, Hesiod, and maybe NetInfo.

04) Add a -h (?) flag to sudo for a history mechanism.

05) Add an option to set LD_LIBRARY_PATH?

06) Add Prog_Alias facility (Prog_Alias VI = /usr/secure/bin/vi +args).

07) check for <net/errno.h> in configure and include it in sudo.c if it exists.

08) Add generic STREAMS support for getting interfaces and netmasks.

09) Add support for "safe scripts" by checking for shell script
    cookie (first two bytes are "#!") and execing the shell outselves
    after doing the stat to guard against spoofing.  This should avoid
    the race condition caused by going through namei() twice...

10) Overhaul testsudoers to use things from parse.o so we don't reimplement
    things.

11) Make runas_user a struct "runas" with user and group components.
    (maybe uid and gid too???)

12) Add -g group/gid option.

13) Should be able to mix Cmnd_Alias's and command args.  Ie:
	pete   ALL=PASSWD [A-z]*,!PASSWD root
    where PASSWD was defined to be /usr/bin/passwd.
    This requires the arg parsing to happen in the yacc grammar.
    At the very least, commands and args have to become separate
    tokens in the lexer.

14) Add a per-tty restriction?  Ie: only can run foo from /dev/console.

15) Add test for how to read ether interfaces in configure script

16) An option to make "sudo -s" use the target user's shell might be nice
    (and more like su).  Overlaps with the upcoming -i option.

17) Add configure option to enable old behavior of visudo (O_EXCL)?
    --without-sudoers-lock?

18) Profile sudo again (is the yacc grammar optimal?)

19) Zero out encrypted passwords after use.  Use an Exit function or
    some such (have to hook in to emalloc() and friends).
    Hard (impossible?) to be thorough w/ atexit/on_exit.

20) Make 'sudo -l user' if run as root do a "sudo -l" output for the specified
    user.

21) Use strtol() and strtoul(), not atoi()

23) Look into %e, %p, %k in parse.lex

23) Make syslog stuff work on vanilla ultrix

24) Implement date_format and log_format options.

25) Add support for: Default:user@host

26) Do login-style -sh hack for sudo -s? (new option or do it always?)

27) Make visudo rcs-aware

28) Add support for parsing multiple sudoers files.  Basically make
    _PATH_SUDOERS be a colon-separated list of pathname like EDITOR.
    Requires _PATH_SUDOERS_TMP chages (perhaps "%s.tmp").

29) Add -i (simulate initial login) option as per 946 +sudo
    (requires two-pass parser).  Also add "default_path" Defaults option
    to go with it.  (See MINUS_I.patch)

30) Some people want to be able to specify a special password in sudoers
    in addition or instead of the normal one.  The best argument for
    this so far is to be able to use separate passwords for the
    target users that are not the passwd file ones.

31) Add support for trusted users.  E.g. allow user to run a certain
    command regardless of what dir it is in if it is owned by the
    trusted user.

32) Add mechanism to choose logfile based on RunasUser

33) Split the parser into two stages.  The first parse checks for
    syntax and sets the Defaults options and sets up the
    data structures to check a user.  The second stage does
    the actual user check.

34) Add a flag similar to '-l' but that spits out sudo commands in
    a format suitable for cut & paste (requires parser overhaul first).

35) Someone wants a recursive version of the dir specifier.  Ie:
    SOME_MODIFIER:/usr/local/ to allow anything under /usr/local to be run.

36) An option to set the shell to the target user would make sense.
    See other target user-related issues above.

37) Add an option (-D) to dump the defaults after the sudoers file
    has been parsed.  Should only be available to root and should
    allow a -u user modifier.

38) For sudo 1.7 wipe out the environment by default.

39) Allow /etc/sudoers to be a symlink but require the parent dir to
    be root-owned and not writable by anything else.  Should really
    traverse the tree to the root doing this.

40) Improve interfaces.c STREAMS code (see ntpd's ntp_io.c for hints)

41) Wildcard support for user and group names? (netgroup too?)

42) If root_sudo is off, still allow sudo -u to non-root users?

43) Add configure option to id user based on euid not ruid?

44) Split $EDITOR/$VISUAL in visudo into an argument vector based on whitespace

45) Use proper links in .pod files