mirror of https://github.com/sudo-project/sudo.git synced 2025-08-31 22:35:10 +00:00
Todd C. Miller
2014-02-15 15:18:34 -07:00
parent a9cfe4fc44
commit 0ec92dae81
13 changed files with 419 additions and 454 deletions


@@ -582,4 +582,4 @@ DDIISSCCLLAAIIMMEERR
file distributed with ssuuddoo or http://www.sudo.ws/sudo/license.html for file distributed with ssuuddoo or http://www.sudo.ws/sudo/license.html for
complete details. complete details.
Sudo 1.8.10 December 8, 2013 Sudo 1.8.10 Sudo 1.8.10 February 15, 2014 Sudo 1.8.10


@@ -391,4 +391,4 @@ DDIISSCCLLAAIIMMEERR
file distributed with ssuuddoo or http://www.sudo.ws/sudo/license.html for file distributed with ssuuddoo or http://www.sudo.ws/sudo/license.html for
complete details. complete details.
Sudo 1.8.9 January 22, 2014 Sudo 1.8.9 Sudo 1.8.10 January 22, 2014 Sudo 1.8.10


@@ -57,13 +57,13 @@ and the
plugin. plugin.
.PP .PP
The pound sign The pound sign
(`#') (\(oq#\(cq)
is used to indicate a comment. is used to indicate a comment.
Both the comment character and any text after it, up to the end of Both the comment character and any text after it, up to the end of
the line, are ignored. the line, are ignored.
.PP .PP
Long lines can be continued with a backslash Long lines can be continued with a backslash
(`\e') (\(oq\e\(cq)
as the last character on the line. as the last character on the line.
Note that leading white space is removed from the beginning of lines Note that leading white space is removed from the beginning of lines
even when the continuation character is used. even when the continuation character is used.
@@ -79,7 +79,7 @@ are silently ignored.
The The
\fBsudo.conf\fR \fBsudo.conf\fR
file is always parsed in the file is always parsed in the
``\fRC\fR'' \(lq\fRC\fR\(rq
locale. locale.
.SS "Plugin configuration" .SS "Plugin configuration"
\fBsudo\fR \fBsudo\fR
@@ -269,17 +269,17 @@ itself are disabled by default.
To aid in debugging To aid in debugging
\fBsudo\fR \fBsudo\fR
crashes, you may wish to re-enable core dumps by setting crashes, you may wish to re-enable core dumps by setting
``disable_coredump'' \(lqdisable_coredump\(rq
to false in to false in
\fBsudo.conf\fR \fBsudo.conf\fR
as follows: as follows:
.RS
.nf .nf
.sp .sp
.RS 6n .RS 16n
Set disable_coredump false Set disable_coredump false
.RE .RE
.fi .fi
.RS 10n
.sp .sp
Note that most operating systems disable core dumps from setuid programs, Note that most operating systems disable core dumps from setuid programs,
including including
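Review bot: The setting name on the changed line `\(lqdisable_coredump\(rq` is a literal token the administrator types into sudo.conf, but it is still marked up as a quoted phrase, so it renders inside typographic quotes while the example a few lines down shows it bare as `Set disable_coredump false`. Marking the name as a literal rather than a quotation would keep the rendered text consistent with the example and safe to copy into a configuration file.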
@@ -297,9 +297,7 @@ command is used to configure core dump behavior.
This setting is only available in This setting is only available in
\fBsudo\fR \fBsudo\fR
version 1.8.4 and higher. version 1.8.4 and higher.
.PP
.RE .RE
.PD 0
.TP 10n .TP 10n
group_source group_source
\fBsudo\fR \fBsudo\fR
@@ -310,9 +308,10 @@ with NFS).
On systems with the On systems with the
getconf(1) getconf(1)
utility, running: utility, running:
.RS 6n .RS 16n
getconf NGROUPS_MAX getconf NGROUPS_MAX
.RE .RE
.RS 10n
will return the maximum number of groups. will return the maximum number of groups.
.sp .sp
However, it is still possible to be a member of a larger number of However, it is still possible to be a member of a larger number of
@@ -333,15 +332,13 @@ setting allows the administrator to change this default behavior.
Supported values for Supported values for
\fIgroup_source\fR \fIgroup_source\fR
are: are:
.RS
.PD
.TP 10n .TP 10n
static static
Use the static group list that the kernel returns. Use the static group list that the kernel returns.
Retrieving the group list this way is very fast but it is subject Retrieving the group list this way is very fast but it is subject
to an upper limit as described above. to an upper limit as described above.
It is It is
``static'' \(lqstatic\(rq
in that it does not reflect changes to the group database made in that it does not reflect changes to the group database made
after the user logs in. after the user logs in.
This was the default behavior prior to This was the default behavior prior to
@@ -351,7 +348,7 @@ This was the default behavior prior to
dynamic dynamic
Always query the group database directly. Always query the group database directly.
It is It is
``dynamic'' \(lqdynamic\(rq
in that changes made to the group database after the user logs in in that changes made to the group database after the user logs in
will be reflected in the group list. will be reflected in the group list.
On some systems, querying the group database for all of a user's On some systems, querying the group database for all of a user's
@@ -376,7 +373,7 @@ For example, to cause
to only use the kernel's static list of groups for the user: to only use the kernel's static list of groups for the user:
.nf .nf
.sp .sp
.RS 6n .RS 16n
Set group_source static Set group_source static
.RE .RE
.fi .fi
@@ -384,9 +381,7 @@ Set group_source static
This setting is only available in This setting is only available in
\fBsudo\fR \fBsudo\fR
version 1.8.7 and higher. version 1.8.7 and higher.
.PP
.RE .RE
.PD 0
.TP 10n .TP 10n
max_groups max_groups
The maximum number of user groups to retrieve from the group database. The maximum number of user groups to retrieve from the group database.
@@ -404,7 +399,6 @@ do not indicate an error when there is a lack of space.
This setting is only available in This setting is only available in
\fBsudo\fR \fBsudo\fR
version 1.8.7 and higher. version 1.8.7 and higher.
.PD
.TP 10n .TP 10n
probe_interfaces probe_interfaces
By default, By default,
@@ -416,13 +410,13 @@ without having to query DNS. On Linux systems with a large number
of virtual interfaces, this may take a non-negligible amount of time. of virtual interfaces, this may take a non-negligible amount of time.
If IP-based matching is not required, network interface probing If IP-based matching is not required, network interface probing
can be disabled as follows: can be disabled as follows:
.RS
.nf .nf
.sp .sp
.RS 6n .RS 16n
Set probe_interfaces false Set probe_interfaces false
.RE .RE
.fi .fi
.RS 10n
.sp .sp
This setting is only available in This setting is only available in
\fBsudo\fR \fBsudo\fR
@@ -450,7 +444,7 @@ plugin is
\fIsubsystem\fR@\fIpriority\fR \fIsubsystem\fR@\fIpriority\fR
but a plugin is free to use a different format so long as it does but a plugin is free to use a different format so long as it does
not include a comma not include a comma
(`\&,'). (\(oq\&,\(cq).
.PP .PP
For example: For example:
.nf .nf
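Review bot: In the changed line `(\(oq\&,\(cq)` the zero-width `\&` sits before the comma, while the same sentence in the plugin manual further down this commit comes out as `(\(oq,\&\(cq)` with it after the comma. Both render the same, but the two sources should use one form so the generated pages do not diverge on the next regeneration.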
@@ -659,7 +653,7 @@ search the archives.
.SH "DISCLAIMER" .SH "DISCLAIMER"
\fBsudo\fR \fBsudo\fR
is provided is provided
``AS IS'' \(lqAS IS\(rq
and any express or implied warranties, including, but not limited and any express or implied warranties, including, but not limited
to, the implied warranties of merchantability and fitness for a to, the implied warranties of merchantability and fitness for a
particular purpose are disclaimed. particular purpose are disclaimed.


@@ -1,7 +1,7 @@
.\" DO NOT EDIT THIS FILE, IT IS NOT THE MASTER! .\" DO NOT EDIT THIS FILE, IT IS NOT THE MASTER!
.\" IT IS GENERATED AUTOMATICALLY FROM sudo.mdoc.in .\" IT IS GENERATED AUTOMATICALLY FROM sudo.mdoc.in
.\" .\"
.\" Copyright (c) 1994-1996, 1998-2005, 2007-2013 .\" Copyright (c) 1994-1996, 1998-2005, 2007-2014
.\" Todd C. Miller <Todd.Miller@courtesan.com> .\" Todd C. Miller <Todd.Miller@courtesan.com>
.\" .\"
.\" Permission to use, copy, modify, and distribute this software for any .\" Permission to use, copy, modify, and distribute this software for any
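Review bot: The copyright year on the changed line is edited in a file whose first two lines read `DO NOT EDIT THIS FILE, IT IS NOT THE MASTER!` and `IT IS GENERATED AUTOMATICALLY FROM sudo.mdoc.in`. Please confirm the 2013 to 2014 bump was made in sudo.mdoc.in and that this file is the regenerated output, otherwise the next regeneration will silently revert it.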
@@ -21,7 +21,7 @@
.\" Agency (DARPA) and Air Force Research Laboratory, Air Force .\" Agency (DARPA) and Air Force Research Laboratory, Air Force
.\" Materiel Command, USAF, under agreement number F39502-99-1-0512. .\" Materiel Command, USAF, under agreement number F39502-99-1-0512.
.\" .\"
.TH "SUDO" "@mansectsu@" "December 8, 2013" "Sudo @PACKAGE_VERSION@" "System Manager's Manual" .TH "SUDO" "@mansectsu@" "February 15, 2014" "Sudo @PACKAGE_VERSION@" "System Manager's Manual"
.nh .nh
.if n .ad l .if n .ad l
.SH "NAME" .SH "NAME"
@@ -31,7 +31,7 @@
.SH "SYNOPSIS" .SH "SYNOPSIS"
.HP 5n .HP 5n
\fBsudo\fR \fBsudo\fR
\fB\-h\fR | \fB\-K\fR | \fB\-k\fR | \fB\-V\fR \fB\-h\fR\ |\ \fB\-K\fR\ |\ \fB\-k\fR\ |\ \fB\-V\fR
.PD 0 .PD 0
.HP 5n .HP 5n
\fBsudo\fR \fBsudo\fR
@@ -170,21 +170,19 @@ sudo.conf(@mansectform@)
contains a line specifying the askpass program, that value will be contains a line specifying the askpass program, that value will be
used. used.
For example: For example:
.RS
.nf .nf
.sp .sp
.RS 4n .RS 16n
# Path to askpass helper program # Path to askpass helper program
Path askpass /usr/X11R6/bin/ssh-askpass Path askpass /usr/X11R6/bin/ssh-askpass
.RE .RE
.fi .fi
.RS 12n
.sp .sp
If no askpass program is available, If no askpass program is available,
\fBsudo\fR \fBsudo\fR
will exit with an error. will exit with an error.
.PP
.RE .RE
.PD 0
.TP 12n .TP 12n
\fB\-a\fR \fItype\fR, \fB\--auth-type\fR=\fItype\fR \fB\-a\fR \fItype\fR, \fB\--auth-type\fR=\fItype\fR
Use the specified BSD authentication Use the specified BSD authentication
@@ -193,11 +191,10 @@ when validating the user, if allowed by
\fI/etc/login.conf\fR. \fI/etc/login.conf\fR.
The system administrator may specify a list of sudo-specific The system administrator may specify a list of sudo-specific
authentication methods by adding an authentication methods by adding an
``auth-sudo'' \(lqauth-sudo\(rq
entry in entry in
\fI/etc/login.conf\fR. \fI/etc/login.conf\fR.
This option is only available on systems that support BSD authentication. This option is only available on systems that support BSD authentication.
.PD
.TP 12n .TP 12n
\fB\-b\fR, \fB\--background\fR \fB\-b\fR, \fB\--background\fR
Run the given command in the background. Run the given command in the background.
@@ -234,7 +231,7 @@ The
argument can be either a class name as defined in argument can be either a class name as defined in
\fI/etc/login.conf\fR, \fI/etc/login.conf\fR,
or a single or a single
`\-' \(oq\-\(cq
character. character.
If If
\fIclass\fR \fIclass\fR
@@ -262,7 +259,7 @@ In lieu of a path name, the string "sudoedit" is used when consulting
the security policy. the security policy.
If the user is authorized by the policy, the following steps are If the user is authorized by the policy, the following steps are
taken: taken:
.RS .RS 13n
.TP 5n .TP 5n
1. 1.
Temporary copies are made of the files to be edited with the owner Temporary copies are made of the files to be edited with the owner
@@ -292,7 +289,9 @@ option is used.
3. 3.
If they have been modified, the temporary files are copied back to If they have been modified, the temporary files are copied back to
their original location and the temporary versions are removed. their original location and the temporary versions are removed.
.PP .RE
.RS 12n
.sp
If the specified file does not exist, it will be created. If the specified file does not exist, it will be created.
Note that unlike most commands run by Note that unlike most commands run by
\fIsudo\fR, \fIsudo\fR,
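Review bot: The last line of this hunk sets the program name in italics, `\fIsudo\fR,`, where the rest of the page uses bold `\fBsudo\fR` for it. Since the paragraph is being re-wrapped into its own `.RS 12n` block here, this is a good point to switch the source to the bold form for consistency.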
@@ -302,9 +301,7 @@ If, for some reason,
is unable to update a file with its edited version, the user will is unable to update a file with its edited version, the user will
receive a warning and the edited copy will remain in a temporary receive a warning and the edited copy will remain in a temporary
file. file.
.PP
.RE .RE
.PD 0
.TP 12n .TP 12n
\fB\-g\fR \fIgroup\fR, \fB\--group\fR=\fIgroup\fR \fB\-g\fR \fIgroup\fR, \fB\--group\fR=\fIgroup\fR
Run the command with the primary group set to Run the command with the primary group set to
@@ -316,20 +313,19 @@ The
may be either a group name or a numeric group ID may be either a group name or a numeric group ID
(GID) (GID)
prefixed with the prefixed with the
`#' \(oq#\(cq
character (e.g. character (e.g.
\fR#0\fR \fR#0\fR
for GID 0). for GID 0).
When running a command as a GID, many shells require that the When running a command as a GID, many shells require that the
`#' \(oq#\(cq
be escaped with a backslash be escaped with a backslash
(`\e'). (\(oq\e\(cq).
If no If no
\fB\-u\fR \fB\-u\fR
option is specified, the command will be run as the invoking user. option is specified, the command will be run as the invoking user.
In either case, the primary group will be set to In either case, the primary group will be set to
\fIgroup\fR. \fIgroup\fR.
.PD
.TP 12n .TP 12n
\fB\-H\fR, \fB\--set-home\fR \fB\-H\fR, \fB\--set-home\fR
Request that the security policy set the Request that the security policy set the
@@ -451,11 +447,13 @@ the target user.
\fB\-p\fR \fIprompt\fR, \fB\--prompt\fR=\fIprompt\fR \fB\-p\fR \fIprompt\fR, \fB\--prompt\fR=\fIprompt\fR
Use a custom password prompt with optional escape sequences. Use a custom password prompt with optional escape sequences.
The following percent The following percent
(`%') (\(oq%\(cq)
escape sequences are supported by the escape sequences are supported by the
\fIsudoers\fR \fIsudoers\fR
policy: policy:
.RS .PP
.RS 12n
.PD 0
.TP 4n .TP 4n
\fR%H\fR \fR%H\fR
expanded to the host name including the domain name (on if the expanded to the host name including the domain name (on if the
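Review bot: The `%H` description on the last line of this hunk reads `(on if the`, which looks like a dropped word for "only if". The line is unchanged context, but the list around it is being regenerated, so the wording is worth fixing in the source at the same time.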
@@ -463,6 +461,7 @@ machine's host name is fully qualified or the
\fIfqdn\fR \fIfqdn\fR
option is set in option is set in
sudoers(@mansectform@)) sudoers(@mansectform@))
.PD
.TP 4n .TP 4n
\fR%h\fR \fR%h\fR
expanded to the local host name without the domain name expanded to the local host name without the domain name
@@ -488,9 +487,9 @@ expanded to the invoking user's login name
.TP 4n .TP 4n
\fR%%\fR \fR%%\fR
two consecutive two consecutive
`%' \(oq%\(cq
characters are collapsed into a single characters are collapsed into a single
`%' \(oq%\(cq
character character
.PP .PP
The custom prompt will override the system password prompt on systems that The custom prompt will override the system password prompt on systems that
@@ -498,15 +497,12 @@ support PAM unless the
\fIpassprompt_override\fR \fIpassprompt_override\fR
flag is disabled in flag is disabled in
\fIsudoers\fR. \fIsudoers\fR.
.PP
.RE .RE
.PD 0
.TP 12n .TP 12n
\fB\-r\fR \fIrole\fR, \fB\--role\fR=\fIrole\fR \fB\-r\fR \fIrole\fR, \fB\--role\fR=\fIrole\fR
Run the command with an SELinux security context that includes Run the command with an SELinux security context that includes
the specified the specified
\fIrole\fR. \fIrole\fR.
.PD
.TP 12n .TP 12n
\fB\-S\fR, \fB\--stdin\fR \fB\-S\fR, \fB\--stdin\fR
Write the prompt to the standard error and read the password from the Write the prompt to the standard error and read the password from the
@@ -554,14 +550,14 @@ The
may be either a user name or a numeric user ID may be either a user name or a numeric user ID
(UID) (UID)
prefixed with the prefixed with the
`#' \(oq#\(cq
character (e.g. character (e.g.
\fR#0\fR \fR#0\fR
for UID 0). for UID 0).
When running commands as a UID, many shells require that the When running commands as a UID, many shells require that the
`#' \(oq#\(cq
be escaped with a backslash be escaped with a backslash
(`\e'). (\(oq\e\(cq).
Some security policies may restrict UIDs Some security policies may restrict UIDs
to those listed in the password database. to those listed in the password database.
The The
@@ -686,7 +682,7 @@ process waits until the command has completed, then passes the
command's exit status to the security policy's close function and exits. command's exit status to the security policy's close function and exits.
If an I/O logging plugin is configured or if the security policy If an I/O logging plugin is configured or if the security policy
explicitly requests it, a new pseudo-terminal explicitly requests it, a new pseudo-terminal
(``pty'') (\(lqpty\(rq)
is created and a second is created and a second
\fBsudo\fR \fBsudo\fR
process is used to relay job control signals between the user's process is used to relay job control signals between the user's
@@ -694,7 +690,7 @@ existing pty and the new pty the command is being run in.
This extra process makes it possible to, for example, suspend This extra process makes it possible to, for example, suspend
and resume the command. and resume the command.
Without it, the command would be in what POSIX terms an Without it, the command would be in what POSIX terms an
``orphaned process group'' \(lqorphaned process group\(rq
and it would not receive any job control signals. and it would not receive any job control signals.
As a special case, if the policy plugin does not define a close As a special case, if the policy plugin does not define a close
function and no pty is required, function and no pty is required,
@@ -840,7 +836,7 @@ This should not happen under normal circumstances.
The most common reason for The most common reason for
stat(2) stat(2)
to return to return
``permission denied'' \(lqpermission denied\(rq
is if you are running an automounter and one of the directories in is if you are running an automounter and one of the directories in
your your
\fRPATH\fR \fRPATH\fR
@@ -894,7 +890,7 @@ re-enabled for the command that is run).
To aid in debugging To aid in debugging
\fBsudo\fR \fBsudo\fR
crashes, you may wish to re-enable core dumps by setting crashes, you may wish to re-enable core dumps by setting
``disable_coredump'' \(lqdisable_coredump\(rq
to false in the to false in the
sudo.conf(@mansectform@) sudo.conf(@mansectform@)
file as follows: file as follows:
@@ -1146,7 +1142,7 @@ search the archives.
.SH "DISCLAIMER" .SH "DISCLAIMER"
\fBsudo\fR \fBsudo\fR
is provided is provided
``AS IS'' \(lqAS IS\(rq
and any express or implied warranties, including, but not limited and any express or implied warranties, including, but not limited
to, the implied warranties of merchantability and fitness for a to, the implied warranties of merchantability and fitness for a
particular purpose are disclaimed. particular purpose are disclaimed.


@@ -1464,4 +1464,4 @@ DDIISSCCLLAAIIMMEERR
file distributed with ssuuddoo or http://www.sudo.ws/sudo/license.html for file distributed with ssuuddoo or http://www.sudo.ws/sudo/license.html for
complete details. complete details.
Sudo 1.8.9 December 20, 2013 Sudo 1.8.9 Sudo 1.8.10 December 20, 2013 Sudo 1.8.10


@@ -111,15 +111,15 @@ to determine the API version the plugin was
built against. built against.
.TP 6n .TP 6n
open open
.RS
.nf .nf
.RS 0n .RS 6n
int (*open)(unsigned int version, sudo_conv_t conversation, int (*open)(unsigned int version, sudo_conv_t conversation,
sudo_printf_t plugin_printf, char * const settings[], sudo_printf_t plugin_printf, char * const settings[],
char * const user_info[], char * const user_env[], char * const user_info[], char * const user_env[],
char * const plugin_options[]); char * const plugin_options[]);
.RE .RE
.fi .fi
.RS 6n
.sp .sp
Returns 1 on success, 0 on failure, \-1 if a general error occurred, Returns 1 on success, 0 on failure, \-1 if a general error occurred,
or \-2 if there was a usage error. or \-2 if there was a usage error.
@@ -160,7 +160,7 @@ settings
A vector of user-supplied A vector of user-supplied
\fBsudo\fR \fBsudo\fR
settings in the form of settings in the form of
``name=value'' \(lqname=value\(rq
strings. strings.
The vector is terminated by a The vector is terminated by a
\fRNULL\fR \fRNULL\fR
@@ -175,20 +175,23 @@ When parsing
the plugin should split on the the plugin should split on the
\fBfirst\fR \fBfirst\fR
equal sign equal sign
(`=') (\(oq=\(cq)
since the since the
\fIname\fR \fIname\fR
field will never include one field will never include one
itself but the itself but the
\fIvalue\fR \fIvalue\fR
might. might.
.RS .PP
.RS 6n
.PD 0
.TP 6n .TP 6n
bsdauth_type=string bsdauth_type=string
Authentication type, if specified by the Authentication type, if specified by the
\fB\-a\fR \fB\-a\fR
flag, to use on flag, to use on
systems where BSD authentication is supported. systems where BSD authentication is supported.
.PD
.TP 6n .TP 6n
closefrom=number closefrom=number
If specified, the user has requested via the If specified, the user has requested via the
@@ -219,7 +222,7 @@ plugin is
\fIsubsystem\fR@\fIpriority\fR \fIsubsystem\fR@\fIpriority\fR
but the plugin is free to use a different but the plugin is free to use a different
format so long as it does not include a comma format so long as it does not include a comma
(`,\&'). (\(oq,\&\(cq).
There is not currently a way to specify a set of debug flags specific There is not currently a way to specify a set of debug flags specific
to the plugin--the flags are shared by to the plugin--the flags are shared by
\fBsudo\fR \fBsudo\fR
@@ -275,13 +278,13 @@ sudo.conf(@mansectform@).
network_addrs=list network_addrs=list
A space-separated list of IP network addresses and netmasks in the A space-separated list of IP network addresses and netmasks in the
form form
``addr/netmask'', \(lqaddr/netmask\(rq,
e.g.\& e.g.\&
``192.168.1.2/255.255.255.0''. \(lq192.168.1.2/255.255.255.0\(rq.
The address and netmask pairs may be either IPv4 or IPv6, depending on The address and netmask pairs may be either IPv4 or IPv6, depending on
what the operating system supports. what the operating system supports.
If the address contains a colon If the address contains a colon
(`:\&'), (\(oq:\&\(cq),
it is an IPv6 address, else it is IPv4. it is an IPv6 address, else it is IPv4.
.TP 6n .TP 6n
noninteractive=bool noninteractive=bool
@@ -316,9 +319,9 @@ based on the runas user.
.TP 6n .TP 6n
progname=string progname=string
The command name that sudo was run as, typically The command name that sudo was run as, typically
``sudo'' \(lqsudo\(rq
or or
``sudoedit''. \(lqsudoedit\(rq.
.TP 6n .TP 6n
prompt=string prompt=string
The prompt to use when requesting a password, if specified via The prompt to use when requesting a password, if specified via
@@ -392,13 +395,11 @@ section.
.PP .PP
Additional settings may be added in the future so the plugin should Additional settings may be added in the future so the plugin should
silently ignore settings that it does not recognize. silently ignore settings that it does not recognize.
.PP
.RE .RE
.PD 0
.TP 6n .TP 6n
user_info user_info
A vector of information about the user running the command in the form of A vector of information about the user running the command in the form of
``name=value'' \(lqname=value\(rq
strings. strings.
The vector is terminated by a The vector is terminated by a
\fRNULL\fR \fRNULL\fR
@@ -409,19 +410,21 @@ When parsing
the plugin should split on the the plugin should split on the
\fBfirst\fR \fBfirst\fR
equal sign equal sign
(`=') (\(oq=\(cq)
since the since the
\fIname\fR \fIname\fR
field will never include one field will never include one
itself but the itself but the
\fIvalue\fR \fIvalue\fR
might. might.
.RS .PP
.PD .RS 6n
.PD 0
.TP 6n .TP 6n
cols=int cols=int
The number of columns the user's terminal supports. The number of columns the user's terminal supports.
If there is no terminal device available, a default value of 80 is used. If there is no terminal device available, a default value of 80 is used.
.PD
.TP 6n .TP 6n
cwd=string cwd=string
The user's current working directory. The user's current working directory.
@@ -517,7 +520,7 @@ tty=string
The path to the user's terminal device. The path to the user's terminal device.
If the user has no terminal device associated with the session, If the user has no terminal device associated with the session,
the value will be empty, as in the value will be empty, as in
``\fRtty=\fR''. \(lq\fRtty=\fR\(rq.
.TP 6n .TP 6n
uid=uid_t uid=uid_t
The real user ID of the user invoking The real user ID of the user invoking
@@ -526,14 +529,15 @@ The real user ID of the user invoking
user=string user=string
The name of the user invoking The name of the user invoking
\fBsudo\fR. \fBsudo\fR.
.PD 0
.PP .PP
.RE .RE
.PD 0 .PD
.TP 6n .TP 6n
user_env user_env
The user's environment in the form of a The user's environment in the form of a
\fRNULL\fR-terminated vector of \fRNULL\fR-terminated vector of
``name=value'' \(lqname=value\(rq
strings. strings.
.sp .sp
When parsing When parsing
@@ -541,26 +545,26 @@ When parsing
the plugin should split on the the plugin should split on the
\fBfirst\fR \fBfirst\fR
equal sign equal sign
(`=') (\(oq=\(cq)
since the since the
\fIname\fR \fIname\fR
field will never include one field will never include one
itself but the itself but the
\fIvalue\fR \fIvalue\fR
might. might.
.PD .PD 0
.PP .PP
.RE .RE
.PD 0 .PD
.TP 6n .TP 6n
close close
.br .br
.RS
.nf .nf
.RS 0n .RS 6n
void (*close)(int exit_status, int error); void (*close)(int exit_status, int error);
.RE .RE
.fi .fi
.RS 6n
.sp .sp
The The
\fBclose\fR() \fBclose\fR()
@@ -569,7 +573,6 @@ function is called when the command being run by
finishes. finishes.
.sp .sp
The function arguments are as follows: The function arguments are as follows:
.PD
.TP 6n .TP 6n
exit_status exit_status
The command's exit status, as returned by the The command's exit status, as returned by the
@@ -610,17 +613,15 @@ list, the
\fBsudo\fR \fBsudo\fR
front end may execute the command directly instead of running front end may execute the command directly instead of running
it as a child process. it as a child process.
.PP
.RE .RE
.PD 0
.TP 6n .TP 6n
show_version show_version
.RS
.nf .nf
.RS 0n .RS 6n
int (*show_version)(int verbose); int (*show_version)(int verbose);
.RE .RE
.fi .fi
.RS 6n
.sp .sp
The The
\fBshow_version\fR() \fBshow_version\fR()
@@ -637,20 +638,17 @@ or
function using function using
\fRSUDO_CONV_INFO_MSG\fR. \fRSUDO_CONV_INFO_MSG\fR.
If the user requests detailed version information, the verbose flag will be set. If the user requests detailed version information, the verbose flag will be set.
.PD
.PP
.RE .RE
.PD 0
.TP 6n .TP 6n
check_policy check_policy
.RS
.nf .nf
.RS 0n .RS 6n
int (*check_policy)(int argc, char * const argv[] int (*check_policy)(int argc, char * const argv[]
char *env_add[], char **command_info[], char *env_add[], char **command_info[],
char **argv_out[], char **user_env_out[]); char **argv_out[], char **user_env_out[]);
.RE .RE
.fi .fi
.RS 6n
.sp .sp
The The
\fBcheck_policy\fR() \fBcheck_policy\fR()
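Review bot: The check_policy prototype inside the `.nf` block of this hunk is missing a comma after its second parameter: `int (*check_policy)(int argc, char * const argv[]` runs straight into `char *env_add[], char **command_info[],` on the next line. The re-indent from `.RS 0n` to `.RS 6n` carries the line over unchanged; add the comma after `argv[]` so the documented signature is valid C for plugin authors who copy it.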
@@ -692,10 +690,10 @@ into
\fIargv_out\fR, \fIargv_out\fR,
separated from the separated from the
editor and its arguments by a editor and its arguments by a
``\fR--\fR'' \(lq\fR--\fR\(rq
element. element.
The The
``\fR--\fR'' \(lq\fR--\fR\(rq
will will
be removed by be removed by
\fBsudo\fR \fBsudo\fR
@@ -726,7 +724,6 @@ function with
to present additional error information to the user. to present additional error information to the user.
.sp .sp
The function arguments are as follows: The function arguments are as follows:
.PD
.TP 6n .TP 6n
argc argc
The number of elements in The number of elements in
@@ -749,7 +746,7 @@ Additional environment variables specified by the user on the command
line in the form of a line in the form of a
\fRNULL\fR-terminated \fRNULL\fR-terminated
vector of vector of
``name=value'' \(lqname=value\(rq
strings. strings.
The plugin may reject the command if one or more variables The plugin may reject the command if one or more variables
are not allowed to be set, or it may silently ignore such variables. are not allowed to be set, or it may silently ignore such variables.
@@ -759,7 +756,7 @@ When parsing
the plugin should split on the the plugin should split on the
\fBfirst\fR \fBfirst\fR
equal sign equal sign
(`=') (\(oq=\(cq)
since the since the
\fIname\fR \fIname\fR
field will never include one field will never include one
@@ -769,7 +766,7 @@ might.
.TP 6n .TP 6n
command_info command_info
Information about the command being run in the form of Information about the command being run in the form of
``name=value'' \(lqname=value\(rq
strings. strings.
These values are used by These values are used by
\fBsudo\fR \fBsudo\fR
@@ -781,10 +778,13 @@ which must be terminated with a
pointer. pointer.
The following values are recognized by The following values are recognized by
\fBsudo\fR: \fBsudo\fR:
.RS .PP
.RS 6n
.PD 0
.TP 6n .TP 6n
chroot=string chroot=string
The root directory to use when running the command. The root directory to use when running the command.
.PD
.TP 6n .TP 6n
closefrom=number closefrom=number
If specified, If specified,
@@ -1006,9 +1006,7 @@ will base the new entry on
the invoking user's existing entry. the invoking user's existing entry.
.PP .PP
Unsupported values will be ignored. Unsupported values will be ignored.
.PP
.RE .RE
.PD 0
.TP 6n .TP 6n
argv_out argv_out
The The
@@ -1017,25 +1015,25 @@ argument vector to pass to the
execve(2) execve(2)
system call when executing the command. system call when executing the command.
The plugin is responsible for allocating and populating the vector. The plugin is responsible for allocating and populating the vector.
.PD
.TP 6n .TP 6n
user_env_out user_env_out
The The
\fRNULL\fR-terminated \fRNULL\fR-terminated
environment vector to use when executing the command. environment vector to use when executing the command.
The plugin is responsible for allocating and populating the vector. The plugin is responsible for allocating and populating the vector.
.PD 0
.PP .PP
.RE .RE
.PD 0 .PD
.TP 6n .TP 6n
list list
.RS
.nf .nf
.RS 0n .RS 6n
int (*list)(int verbose, const char *list_user, int (*list)(int verbose, const char *list_user,
int argc, char * const argv[]); int argc, char * const argv[]);
.RE .RE
.fi .fi
.RS 6n
.sp .sp
List available privileges for the invoking user. List available privileges for the invoking user.
Returns 1 on success, 0 on failure and \-1 on error. Returns 1 on success, 0 on failure and \-1 on error.
@@ -1054,7 +1052,6 @@ or
\fBplugin_printf\fR() \fBplugin_printf\fR()
function using function using
\fRSUDO_CONV_INFO_MSG\fR, \fRSUDO_CONV_INFO_MSG\fR,
.PD
.TP 6n .TP 6n
verbose verbose
Flag indicating whether to list in verbose mode or not. Flag indicating whether to list in verbose mode or not.
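Review bot: The sentence just before the argument list in this hunk ends in a comma, `\fRSUDO_CONV_INFO_MSG\fR,`, and is followed directly by the `.TP 6n` entry for `verbose`. Removing `.PD` here does not change that; end the sentence with a period or add the lead-in other entries use ("The function arguments are as follows:") so the list is introduced properly.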
@@ -1083,17 +1080,18 @@ execve(2)
system call. system call.
If the command is permitted by the policy, the fully-qualified path If the command is permitted by the policy, the fully-qualified path
to the command should be displayed along with any command line arguments. to the command should be displayed along with any command line arguments.
.PD 0
.PP .PP
.RE .RE
.PD 0 .PD
.TP 6n .TP 6n
validate validate
.RS
.nf .nf
.RS 0n .RS 6n
int (*validate)(void); int (*validate)(void);
.RE .RE
.fi .fi
.RS 6n
.sp .sp
The The
\fBvalidate\fR() \fBvalidate\fR()
@@ -1123,18 +1121,15 @@ function with
\fRSUDO_CONF_ERROR_MSG\fR \fRSUDO_CONF_ERROR_MSG\fR
to present additional to present additional
error information to the user. error information to the user.
.PD
.PP
.RE .RE
.PD 0
.TP 6n .TP 6n
invalidate invalidate
.RS
.nf .nf
.RS 0n .RS 6n
void (*invalidate)(int remove); void (*invalidate)(int remove);
.RE .RE
.fi .fi
.RS 6n
.sp .sp
The The
\fBinvalidate\fR() \fBinvalidate\fR()
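Review bot: The context at the top of this hunk names the message type `\fRSUDO_CONF_ERROR_MSG\fR`, while the conversation constant used elsewhere in this page carries a `SUDO_CONV_` prefix (`SUDO_CONV_INFO_MSG`). If `CONF` is a typo for `CONV`, correct it in the source; the same spelling appears again in the init_session text further down, and a plugin author copying the name from the manual would get an undefined identifier.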
@@ -1161,18 +1156,15 @@ The
function should be function should be
\fRNULL\fR \fRNULL\fR
if the plugin does not support credential caching. if the plugin does not support credential caching.
.PD
.PP
.RE .RE
.PD 0
.TP 6n .TP 6n
init_session init_session
.RS
.nf .nf
.RS 0n .RS 6n
int (*init_session)(struct passwd *pwd, char **user_envp[); int (*init_session)(struct passwd *pwd, char **user_envp[);
.RE .RE
.fi .fi
.RS 6n
.sp .sp
The The
\fBinit_session\fR() \fBinit_session\fR()
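Review bot: The init_session prototype in the `.nf` block of this hunk has an unbalanced bracket: `char **user_envp[);` should read `char **user_envp[]);`. The indent change from `.RS 0n` to `.RS 6n` preserves the broken line, so fix the declaration in the source before regenerating.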
@@ -1205,7 +1197,7 @@ argument points to the environment the command will
run in, in the form of a run in, in the form of a
\fRNULL\fR-terminated \fRNULL\fR-terminated
vector of vector of
``name=value'' \(lqname=value\(rq
strings. strings.
This is the same string passed back to the front end via This is the same string passed back to the front end via
the Policy Plugin's the Policy Plugin's
@@ -1241,19 +1233,16 @@ function with
\fRSUDO_CONF_ERROR_MSG\fR \fRSUDO_CONF_ERROR_MSG\fR
to present additional to present additional
error information to the user. error information to the user.
.PD
.PP
.RE .RE
.PD 0
.TP 6n .TP 6n
register_hooks register_hooks
.RS
.nf .nf
.RS 0n .RS 6n
void (*register_hooks)(int version, void (*register_hooks)(int version,
int (*register_hook)(struct sudo_hook *hook)); int (*register_hook)(struct sudo_hook *hook));
.RE .RE
.fi .fi
.RS 6n
.sp .sp
The The
\fBregister_hooks\fR() \fBregister_hooks\fR()
@@ -1296,19 +1285,16 @@ front end doesn't support API
version 1.2 or higher, version 1.2 or higher,
\fRregister_hooks\fR \fRregister_hooks\fR
will not be called. will not be called.
.PD
.PP
.RE .RE
.PD 0
.TP 6n .TP 6n
deregister_hooks deregister_hooks
.RS
.nf .nf
.RS 0n .RS 6n
void (*deregister_hooks)(int version, void (*deregister_hooks)(int version,
int (*deregister_hook)(struct sudo_hook *hook)); int (*deregister_hook)(struct sudo_hook *hook));
.RE .RE
.fi .fi
.RS 6n
.sp .sp
The The
\fBderegister_hooks\fR() \fBderegister_hooks\fR()
@@ -1353,7 +1339,6 @@ version 1.2 or higher,
\fRderegister_hooks\fR \fRderegister_hooks\fR
will not be called. will not be called.
.RE .RE
.PD
.PP .PP
\fIPolicy Plugin Version Macros\fR \fIPolicy Plugin Version Macros\fR
.nf .nf
@@ -1454,15 +1439,15 @@ to determine the API version the plugin was
built against. built against.
.TP 6n .TP 6n
open open
.RS
.nf .nf
.RS 0n .RS 6n
int (*open)(unsigned int version, sudo_conv_t conversation, int (*open)(unsigned int version, sudo_conv_t conversation,
sudo_printf_t plugin_printf, char * const settings[], sudo_printf_t plugin_printf, char * const settings[],
char * const user_info[], int argc, char * const argv[], char * const user_info[], int argc, char * const argv[],
char * const user_env[], char * const plugin_options[]); char * const user_env[], char * const plugin_options[]);
.RE .RE
.fi .fi
.RS 6n
.sp .sp
The The
\fBopen\fR() \fBopen\fR()
@@ -1532,7 +1517,7 @@ settings
A vector of user-supplied A vector of user-supplied
\fBsudo\fR \fBsudo\fR
settings in the form of settings in the form of
``name=value'' \(lqname=value\(rq
strings. strings.
The vector is terminated by a The vector is terminated by a
\fRNULL\fR \fRNULL\fR
@@ -1547,7 +1532,7 @@ When parsing
the plugin should split on the the plugin should split on the
\fBfirst\fR \fBfirst\fR
equal sign equal sign
(`=') (\(oq=\(cq)
since the since the
\fIname\fR \fIname\fR
field will never include one field will never include one
@@ -1561,7 +1546,7 @@ section for a list of all possible settings.
.TP 6n .TP 6n
user_info user_info
A vector of information about the user running the command in the form of A vector of information about the user running the command in the form of
``name=value'' \(lqname=value\(rq
strings. strings.
The vector is terminated by a The vector is terminated by a
\fRNULL\fR \fRNULL\fR
@@ -1572,7 +1557,7 @@ When parsing
the plugin should split on the the plugin should split on the
\fBfirst\fR \fBfirst\fR
equal sign equal sign
(`=') (\(oq=\(cq)
since the since the
\fIname\fR \fIname\fR
field will never include one field will never include one
@@ -1603,7 +1588,7 @@ user_env
The user's environment in the form of a The user's environment in the form of a
\fRNULL\fR-terminated \fRNULL\fR-terminated
vector of vector of
``name=value'' \(lqname=value\(rq
strings. strings.
.sp .sp
When parsing When parsing
@@ -1611,7 +1596,7 @@ When parsing
the plugin should split on the the plugin should split on the
\fBfirst\fR \fBfirst\fR
equal sign equal sign
(`=') (\(oq=\(cq)
since the since the
\fIname\fR \fIname\fR
field will never include one field will never include one
@@ -1644,18 +1629,19 @@ by the
front end before using front end before using
\fIplugin_options\fR. \fIplugin_options\fR.
Failure to do so may result in a crash. Failure to do so may result in a crash.
.PD 0
.PP .PP
.RE .RE
.PD 0 .PD
.TP 6n .TP 6n
close close
.br .br
.RS
.nf .nf
.RS 0n .RS 6n
void (*close)(int exit_status, int error); void (*close)(int exit_status, int error);
.RE .RE
.fi .fi
.RS 6n
.sp .sp
The The
\fBclose\fR() \fBclose\fR()
@@ -1664,7 +1650,6 @@ function is called when the command being run by
finishes. finishes.
.sp .sp
The function arguments are as follows: The function arguments are as follows:
.PD
.TP 6n .TP 6n
exit_status exit_status
The command's exit status, as returned by the The command's exit status, as returned by the
@@ -1686,17 +1671,18 @@ system call.
If the command was successfully executed, the value of If the command was successfully executed, the value of
\fRerror\fR \fRerror\fR
is 0. is 0.
.PD 0
.PP .PP
.RE .RE
.PD 0 .PD
.TP 6n .TP 6n
show_version show_version
.RS
.nf .nf
.RS 0n .RS 6n
int (*show_version)(int verbose); int (*show_version)(int verbose);
.RE .RE
.fi .fi
.RS 6n
.sp .sp
The The
\fBshow_version\fR() \fBshow_version\fR()
@@ -1713,18 +1699,15 @@ or
function using function using
\fRSUDO_CONV_INFO_MSG\fR. \fRSUDO_CONV_INFO_MSG\fR.
If the user requests detailed version information, the verbose flag will be set. If the user requests detailed version information, the verbose flag will be set.
.PD
.PP
.RE .RE
.PD 0
.TP 6n .TP 6n
log_ttyin log_ttyin
.RS
.nf .nf
.RS 0n .RS 6n
int (*log_ttyin)(const char *buf, unsigned int len); int (*log_ttyin)(const char *buf, unsigned int len);
.RE .RE
.fi .fi
.RS 6n
.sp .sp
The The
\fBlog_ttyin\fR() \fBlog_ttyin\fR()
@@ -1736,7 +1719,6 @@ Returns 1 if the data should be passed to the command, 0 if the data
is rejected (which will terminate the command) or \-1 if an error occurred. is rejected (which will terminate the command) or \-1 if an error occurred.
.sp .sp
The function arguments are as follows: The function arguments are as follows:
.PD
.TP 6n .TP 6n
buf buf
The buffer containing user input. The buffer containing user input.
@@ -1745,17 +1727,18 @@ len
The length of The length of
\fIbuf\fR \fIbuf\fR
in bytes. in bytes.
.PD 0
.PP .PP
.RE .RE
.PD 0 .PD
.TP 6n .TP 6n
log_ttyout log_ttyout
.RS
.nf .nf
.RS 0n .RS 6n
int (*log_ttyout)(const char *buf, unsigned int len); int (*log_ttyout)(const char *buf, unsigned int len);
.RE .RE
.fi .fi
.RS 6n
.sp .sp
The The
\fBlog_ttyout\fR() \fBlog_ttyout\fR()
@@ -1767,7 +1750,6 @@ Returns 1 if the data should be passed to the user, 0 if the data is rejected
(which will terminate the command) or \-1 if an error occurred. (which will terminate the command) or \-1 if an error occurred.
.sp .sp
The function arguments are as follows: The function arguments are as follows:
.PD
.TP 6n .TP 6n
buf buf
The buffer containing command output. The buffer containing command output.
@@ -1776,17 +1758,18 @@ len
The length of The length of
\fIbuf\fR \fIbuf\fR
in bytes. in bytes.
.PD 0
.PP .PP
.RE .RE
.PD 0 .PD
.TP 6n .TP 6n
log_stdin log_stdin
.RS
.nf .nf
.RS 0n .RS 6n
int (*log_stdin)(const char *buf, unsigned int len); int (*log_stdin)(const char *buf, unsigned int len);
.RE .RE
.fi .fi
.RS 6n
.sp .sp
The The
\fBlog_stdin\fR() \fBlog_stdin\fR()
@@ -1800,7 +1783,6 @@ Returns 1 if the data should be passed to the command, 0 if the data is
rejected (which will terminate the command) or \-1 if an error occurred. rejected (which will terminate the command) or \-1 if an error occurred.
.sp .sp
The function arguments are as follows: The function arguments are as follows:
.PD
.TP 6n .TP 6n
buf buf
The buffer containing user input. The buffer containing user input.
@@ -1809,17 +1791,18 @@ len
The length of The length of
\fIbuf\fR \fIbuf\fR
in bytes. in bytes.
.PD 0
.PP .PP
.RE .RE
.PD 0 .PD
.TP 6n .TP 6n
log_stdout log_stdout
.RS
.nf .nf
.RS 0n .RS 6n
int (*log_stdout)(const char *buf, unsigned int len); int (*log_stdout)(const char *buf, unsigned int len);
.RE .RE
.fi .fi
.RS 6n
.sp .sp
The The
\fBlog_stdout\fR() \fBlog_stdout\fR()
@@ -1833,7 +1816,6 @@ Returns 1 if the data should be passed to the user, 0 if the data is
rejected (which will terminate the command) or \-1 if an error occurred. rejected (which will terminate the command) or \-1 if an error occurred.
.sp .sp
The function arguments are as follows: The function arguments are as follows:
.PD
.TP 6n .TP 6n
buf buf
The buffer containing command output. The buffer containing command output.
@@ -1842,17 +1824,18 @@ len
The length of The length of
\fIbuf\fR \fIbuf\fR
in bytes. in bytes.
.PD 0
.PP .PP
.RE .RE
.PD 0 .PD
.TP 6n .TP 6n
log_stderr log_stderr
.RS
.nf .nf
.RS 0n .RS 6n
int (*log_stderr)(const char *buf, unsigned int len); int (*log_stderr)(const char *buf, unsigned int len);
.RE .RE
.fi .fi
.RS 6n
.sp .sp
The The
\fBlog_stderr\fR() \fBlog_stderr\fR()
@@ -1866,7 +1849,6 @@ Returns 1 if the data should be passed to the user, 0 if the data is
rejected (which will terminate the command) or \-1 if an error occurred. rejected (which will terminate the command) or \-1 if an error occurred.
.sp .sp
The function arguments are as follows: The function arguments are as follows:
.PD
.TP 6n .TP 6n
buf buf
The buffer containing command output. The buffer containing command output.
@@ -1875,16 +1857,16 @@ len
The length of The length of
\fIbuf\fR \fIbuf\fR
in bytes. in bytes.
.PD 0
.PP .PP
.RE .RE
.PD 0 .PD
.TP 6n .TP 6n
register_hooks register_hooks
See the See the
\fIPolicy plugin API\fR \fIPolicy plugin API\fR
section for a description of section for a description of
\fRregister_hooks\fR. \fRregister_hooks\fR.
.PD
.TP 6n .TP 6n
deregister_hooks deregister_hooks
See the See the
@@ -1991,7 +1973,9 @@ hook_type
The The
\fRhook_type\fR \fRhook_type\fR
field may be one of the following supported hook types: field may be one of the following supported hook types:
.RS .PP
.RS 6n
.PD 0
.TP 6n .TP 6n
\fRSUDO_HOOK_SETENV\fR \fRSUDO_HOOK_SETENV\fR
The C library The C library
@@ -2002,20 +1986,19 @@ The
\fRhook_fn\fR \fRhook_fn\fR
field should field should
be a function that matches the following typedef: be a function that matches the following typedef:
.RS
.nf .nf
.sp .sp
.RS 0n .RS 6n
typedef int (*sudo_hook_fn_setenv_t)(const char *name, typedef int (*sudo_hook_fn_setenv_t)(const char *name,
const char *value, int overwrite, void *closure); const char *value, int overwrite, void *closure);
.RE .RE
.fi .fi
.RS 6n
.sp .sp
If the registered hook does not match the typedef the results are If the registered hook does not match the typedef the results are
unspecified. unspecified.
.PP
.RE .RE
.PD 0 .PD
.TP 6n .TP 6n
\fRSUDO_HOOK_UNSETENV\fR \fRSUDO_HOOK_UNSETENV\fR
The C library The C library
@@ -2026,18 +2009,13 @@ The
\fRhook_fn\fR \fRhook_fn\fR
field should field should
be a function that matches the following typedef: be a function that matches the following typedef:
.RS
.nf .nf
.sp .sp
.RS 0n .RS 6n
typedef int (*sudo_hook_fn_unsetenv_t)(const char *name, typedef int (*sudo_hook_fn_unsetenv_t)(const char *name,
void *closure); void *closure);
.RE .RE
.fi .fi
.PD
.PP
.RE
.PD 0
.TP 6n .TP 6n
\fRSUDO_HOOK_GETENV\fR \fRSUDO_HOOK_GETENV\fR
The C library The C library
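Review bot: the `SUDO_HOOK_UNSETENV` entry ends right after the `sudo_hook_fn_unsetenv_t` typedef, while the `SUDO_HOOK_SETENV`, `SUDO_HOOK_GETENV` and `SUDO_HOOK_PUTENV` entries each follow their typedef with "If the registered hook does not match the typedef the results are unspecified." Add the same sentence here so a plugin author does not read the omission as meaning a mismatched unsetenv hook is well defined.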
@@ -2048,21 +2026,18 @@ The
\fRhook_fn\fR \fRhook_fn\fR
field should field should
be a function that matches the following typedef: be a function that matches the following typedef:
.RS
.nf .nf
.sp .sp
.RS 0n .RS 6n
typedef int (*sudo_hook_fn_getenv_t)(const char *name, typedef int (*sudo_hook_fn_getenv_t)(const char *name,
char **value, void *closure); char **value, void *closure);
.RE .RE
.fi .fi
.RS 6n
.sp .sp
If the registered hook does not match the typedef the results are If the registered hook does not match the typedef the results are
unspecified. unspecified.
.PD
.PP
.RE .RE
.PD 0
.TP 6n .TP 6n
\fRSUDO_HOOK_PUTENV\fR \fRSUDO_HOOK_PUTENV\fR
The C library The C library
@@ -2073,22 +2048,22 @@ The
\fRhook_fn\fR \fRhook_fn\fR
field should field should
be a function that matches the following typedef: be a function that matches the following typedef:
.RS
.nf .nf
.sp .sp
.RS 0n .RS 6n
typedef int (*sudo_hook_fn_putenv_t)(char *string, typedef int (*sudo_hook_fn_putenv_t)(char *string,
void *closure); void *closure);
.RE .RE
.fi .fi
.RS 6n
.sp .sp
If the registered hook does not match the typedef the results are If the registered hook does not match the typedef the results are
unspecified. unspecified.
.RE .RE
.PD .PD 0
.PP .PP
.RE .RE
.PD 0 .PD
.TP 6n .TP 6n
hook_fn hook_fn
sudo_hook_fn_t hook_fn; sudo_hook_fn_t hook_fn;
@@ -2109,11 +2084,13 @@ is passed as the last function parameter.
This can be used to pass arbitrary data to the plugin's hook implementation. This can be used to pass arbitrary data to the plugin's hook implementation.
.sp .sp
The function return value may be one of the following: The function return value may be one of the following:
.RS .PP
.PD .RS 6n
.PD 0
.TP 6n .TP 6n
\fRSUDO_HOOK_RET_ERROR\fR \fRSUDO_HOOK_RET_ERROR\fR
The hook function encountered an error. The hook function encountered an error.
.PD
.TP 6n .TP 6n
\fRSUDO_HOOK_RET_NEXT\fR \fRSUDO_HOOK_RET_NEXT\fR
The hook completed without error, go on to the next hook (including The hook completed without error, go on to the next hook (including
@@ -2133,7 +2110,10 @@ hook that operates on a private copy of
the environment but leaves the environment but leaves
\fRenviron\fR \fRenviron\fR
unchanged. unchanged.
.PD 0
.PP
.RE .RE
.PD
.PP .PP
Note that it is very easy to create an infinite loop when hooking Note that it is very easy to create an infinite loop when hooking
C library functions. C library functions.
@@ -2197,11 +2177,11 @@ to the policy plugin.
A plugin may also accept a A plugin may also accept a
\fIrunas_user\fR \fIrunas_user\fR
in the form of in the form of
``user@hostname'' \(lquser@hostname\(rq
which will work with older versions of which will work with older versions of
\fBsudo\fR. \fBsudo\fR.
It is anticipated that remote commands will be supported by executing a It is anticipated that remote commands will be supported by executing a
``helper'' \(lqhelper\(rq
program. program.
The policy plugin should setup the execution environment such that the The policy plugin should setup the execution environment such that the
\fBsudo\fR \fBsudo\fR
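Review bot: "The policy plugin should setup the execution environment" in the trailing context lines uses the noun form where the verb "set up" is meant. It is worth correcting in the same pass that changes the quoting around "helper" two lines earlier.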
@@ -2397,13 +2377,13 @@ to determine the API version the group plugin
was built against. was built against.
.TP 6n .TP 6n
init init
.RS
.nf .nf
.RS 0n .RS 6n
int (*init)(int version, sudo_printf_t plugin_printf, int (*init)(int version, sudo_printf_t plugin_printf,
char *const argv[]); char *const argv[]);
.RE .RE
.fi .fi
.RS 6n
.sp .sp
The The
\fBinit\fR() \fBinit\fR()
@@ -2446,17 +2426,18 @@ If no arguments were given,
\fIargv\fR \fIargv\fR
will be will be
\fRNULL\fR. \fRNULL\fR.
.PD 0
.PP .PP
.RE .RE
.PD 0 .PD
.TP 6n .TP 6n
cleanup cleanup
.RS
.nf .nf
.RS 0n .RS 6n
void (*cleanup)(); void (*cleanup)();
.RE .RE
.fi .fi
.RS 6n
.sp .sp
The The
\fBcleanup\fR() \fBcleanup\fR()
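Review bot: `void (*cleanup)();` declares the function pointer with an unspecified argument list, whereas the other entry points on this page spell out their parameters, for example `int (*validate)(void);`. Document it as `void (*cleanup)(void);` so a compiler can reject an implementation or call site that passes arguments.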
@@ -2465,20 +2446,17 @@ function is called when
has finished its has finished its
group checks. group checks.
The plugin should free any memory it has allocated and close open file handles. The plugin should free any memory it has allocated and close open file handles.
.PD
.PP
.RE .RE
.PD 0
.TP 6n .TP 6n
query query
.br .br
.RS
.nf .nf
.RS 0n .RS 6n
int (*query)(const char *user, const char *group, int (*query)(const char *user, const char *group,
const struct passwd *pwd); const struct passwd *pwd);
.RE .RE
.fi .fi
.RS 6n
.sp .sp
The The
\fBquery\fR() \fBquery\fR()
@@ -2488,7 +2466,6 @@ is a member of
\fIgroup\fR. \fIgroup\fR.
.sp .sp
The function arguments are as follows: The function arguments are as follows:
.PD
.TP 6n .TP 6n
user user
The name of the user being looked up in the external group database. The name of the user being looked up in the external group database.
@@ -2508,7 +2485,10 @@ present in the password database,
\fIpwd\fR \fIpwd\fR
will be will be
\fRNULL\fR. \fRNULL\fR.
.PD 0
.PP
.RE .RE
.PD
.PP .PP
\fIGroup API Version Macros\fR \fIGroup API Version Macros\fR
.nf .nf
@@ -2627,7 +2607,7 @@ search the archives.
.SH "DISCLAIMER" .SH "DISCLAIMER"
\fBsudo\fR \fBsudo\fR
is provided is provided
``AS IS'' \(lqAS IS\(rq
and any express or implied warranties, including, but not limited and any express or implied warranties, including, but not limited
to, the implied warranties of merchantability and fitness for a to, the implied warranties of merchantability and fitness for a
particular purpose are disclaimed. particular purpose are disclaimed.

View File


@@ -2329,4 +2329,4 @@ DDIISSCCLLAAIIMMEERR
file distributed with ssuuddoo or http://www.sudo.ws/sudo/license.html for file distributed with ssuuddoo or http://www.sudo.ws/sudo/license.html for
complete details. complete details.
Sudo 1.8.10 February 7, 2014 Sudo 1.8.10 Sudo 1.8.10 February 15, 2014 Sudo 1.8.10

View File

@@ -138,17 +138,17 @@ It consists of the following attributes:
.TP 6n .TP 6n
\fBsudoUser\fR \fBsudoUser\fR
A user name, user ID (prefixed with A user name, user ID (prefixed with
`#'), \(oq#\(cq),
Unix group name or ID (prefixed with Unix group name or ID (prefixed with
`%' \(oq%\(cq
or or
`%#' \(oq%#\(cq
respectively), user netgroup (prefixed with respectively), user netgroup (prefixed with
`+'), \(oq+\(cq),
or non-Unix group name or ID (prefixed with or non-Unix group name or ID (prefixed with
`%:' \(oq%:\(cq
or or
`%:#' \(oq%:#\(cq
respectively). respectively).
Non-Unix group support is only available when an appropriate Non-Unix group support is only available when an appropriate
\fIgroup_plugin\fR \fIgroup_plugin\fR
@@ -159,7 +159,7 @@ object.
.TP 6n .TP 6n
\fBsudoHost\fR \fBsudoHost\fR
A host name, IP address, IP network, or host netgroup (prefixed with a A host name, IP address, IP network, or host netgroup (prefixed with a
`+'). \(oq+\(cq).
The special value The special value
\fRALL\fR \fRALL\fR
will match any host. will match any host.
@@ -168,11 +168,11 @@ will match any host.
A fully-qualified Unix command name with optional command line arguments, A fully-qualified Unix command name with optional command line arguments,
potentially including globbing characters (aka wild cards). potentially including globbing characters (aka wild cards).
If a command name is preceded by an exclamation point, If a command name is preceded by an exclamation point,
`\&!', \(oq\&!\(cq,
the user will be prohibited from running that command. the user will be prohibited from running that command.
.sp .sp
The built-in command The built-in command
``\fRsudoedit\fR'' \(lq\fRsudoedit\fR\(rq
is used to permit a user to run is used to permit a user to run
\fBsudo\fR \fBsudo\fR
with the with the
@@ -181,7 +181,7 @@ option (or as
\fBsudoedit\fR). \fBsudoedit\fR).
It may take command line arguments just as a normal command does. It may take command line arguments just as a normal command does.
Note that Note that
``\fRsudoedit\fR'' \(lq\fRsudoedit\fR\(rq
is a command built into is a command built into
\fBsudo\fR \fBsudo\fR
itself and must be specified in without a leading path. itself and must be specified in without a leading path.
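Review bot: the last context line, "itself and must be specified in without a leading path.", has a stray "in" and should read "must be specified without a leading path". This sentence tells administrators how to write the `sudoedit` value for `sudoCommand`, so it is worth fixing along with the quote change.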
@@ -197,39 +197,36 @@ This may be useful in situations where the user invoking
has write access to the command or its parent directory. has write access to the command or its parent directory.
The following digest formats are supported: sha224, sha256, sha384 and sha512. The following digest formats are supported: sha224, sha256, sha384 and sha512.
The digest name must be followed by a colon The digest name must be followed by a colon
(`:\&') (\(oq:\&\(cq)
and then the actual digest, in either hex or base64 format. and then the actual digest, in either hex or base64 format.
For example, given the following value for sudoCommand: For example, given the following value for sudoCommand:
.RS
.nf .nf
.sp .sp
.RS 4n .RS 10n
sha224:0GomF8mNN3wlDt1HD9XldjJ3SNgpFdbjO1+NsQ /bin/ls sha224:0GomF8mNN3wlDt1HD9XldjJ3SNgpFdbjO1+NsQ /bin/ls
.RE .RE
.fi .fi
.RS 6n
.sp .sp
The user may only run The user may only run
\fI/bin/ls\fR \fI/bin/ls\fR
if its sha224 digest matches the specified value. if its sha224 digest matches the specified value.
Command digests are only supported by version 1.8.7 or higher. Command digests are only supported by version 1.8.7 or higher.
.PP
.RE .RE
.PD 0
.TP 6n .TP 6n
\fBsudoOption\fR \fBsudoOption\fR
Identical in function to the global options described above, but Identical in function to the global options described above, but
specific to the specific to the
\fRsudoRole\fR \fRsudoRole\fR
in which it resides. in which it resides.
.PD
.TP 6n .TP 6n
\fBsudoRunAsUser\fR \fBsudoRunAsUser\fR
A user name or uid (prefixed with A user name or uid (prefixed with
`#') \(oq#\(cq)
that commands may be run as or a Unix group (prefixed with a that commands may be run as or a Unix group (prefixed with a
`%') \(oq%\(cq)
or user netgroup (prefixed with a or user netgroup (prefixed with a
`+') \(oq+\(cq)
that contains a list of users that commands may be run as. that contains a list of users that commands may be run as.
The special value The special value
\fRALL\fR \fRALL\fR
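Review bot: the example `sudoCommand` value near the top of this hunk, `sha224:0GomF8mNN3wlDt1HD9XldjJ3SNgpFdbjO1+NsQ /bin/ls`, carries a 38-character base64 digest with no trailing `=` padding, whereas a 28-byte sha224 value encodes to 40 characters when padded. The preceding text only says the digest may be "in either hex or base64 format", so either show the padded form or state that unpadded base64 is accepted. A digest entry that silently never matches is hard to diagnose.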
@@ -249,7 +246,7 @@ attribute instead.
.TP 6n .TP 6n
\fBsudoRunAsGroup\fR \fBsudoRunAsGroup\fR
A Unix group or gid (prefixed with A Unix group or gid (prefixed with
`#') \(oq#\(cq)
that commands may be run as. that commands may be run as.
The special value The special value
\fRALL\fR \fRALL\fR
@@ -323,7 +320,7 @@ If multiple entries match, the entry with the highest
\fRsudoOrder\fR \fRsudoOrder\fR
attribute is chosen. attribute is chosen.
This corresponds to the This corresponds to the
``last match'' \(lqlast match\(rq
behavior of the sudoers file. behavior of the sudoers file.
If the If the
\fRsudoOrder\fR \fRsudoOrder\fR
@@ -514,12 +511,12 @@ Configuration options are listed below in upper case but are parsed
in a case-independent manner. in a case-independent manner.
.PP .PP
The pound sign The pound sign
(`#') (\(oq#\(cq)
is used to indicate a comment. is used to indicate a comment.
Both the comment character and any text after it, up to the end of Both the comment character and any text after it, up to the end of
the line, are ignored. the line, are ignored.
Long lines can be continued with a backslash Long lines can be continued with a backslash
(`\e') (\(oq\e\(cq)
as the last character on the line. as the last character on the line.
Note that leading white space is removed from the beginning of lines Note that leading white space is removed from the beginning of lines
even when the continuation character is used. even when the continuation character is used.
@@ -567,7 +564,7 @@ parameter specifies a white space-delimited list of LDAP servers to connect to.
Each host may include an optional Each host may include an optional
\fIport\fR \fIport\fR
separated by a colon separated by a colon
(`:\&'). (\(oq:\&\(cq).
The The
\fBHOST\fR \fBHOST\fR
parameter is deprecated in favor of the parameter is deprecated in favor of the
@@ -672,7 +669,7 @@ parameter is deprecated and will be removed in a future release.
The same information is now logged via the The same information is now logged via the
\fBsudo\fR \fBsudo\fR
debugging framework using the debugging framework using the
``ldap'' \(lqldap\(rq
subsystem at priorities subsystem at priorities
\fIdiag\fR \fIdiag\fR
and and
@@ -797,10 +794,13 @@ This option is only supported by the OpenLDAP libraries.
The path to a file containing the client certificate which can The path to a file containing the client certificate which can
be used to authenticate the client to the LDAP server. be used to authenticate the client to the LDAP server.
The certificate type depends on the LDAP libraries used. The certificate type depends on the LDAP libraries used.
.RS .PP
.RS 6n
.PD 0
.TP 6n .TP 6n
OpenLDAP: OpenLDAP:
\fRtls_cert /etc/ssl/client_cert.pem\fR \fRtls_cert /etc/ssl/client_cert.pem\fR
.PD
.TP 6n .TP 6n
Netscape-derived: Netscape-derived:
\fRtls_cert /var/ldap/cert7.db\fR \fRtls_cert /var/ldap/cert7.db\fR
@@ -812,9 +812,10 @@ contains both keys and certificates.
.sp .sp
When using Netscape-derived libraries, this file may also contain When using Netscape-derived libraries, this file may also contain
Certificate Authority certificates. Certificate Authority certificates.
.PD 0
.PP .PP
.RE .RE
.PD 0 .PD
.TP 6n .TP 6n
\fBTLS_KEY\fR \fIfile name\fR \fBTLS_KEY\fR \fIfile name\fR
The path to a file containing the private key which matches the The path to a file containing the private key which matches the
@@ -822,11 +823,13 @@ certificate specified by
\fBTLS_CERT\fR. \fBTLS_CERT\fR.
The private key must not be password-protected. The private key must not be password-protected.
The key type depends on the LDAP libraries used. The key type depends on the LDAP libraries used.
.RS .PP
.PD .RS 6n
.PD 0
.TP 6n .TP 6n
OpenLDAP: OpenLDAP:
\fRtls_key /etc/ssl/client_key.pem\fR \fRtls_key /etc/ssl/client_key.pem\fR
.PD
.TP 6n .TP 6n
Netscape-derived: Netscape-derived:
\fRtls_key /var/ldap/key3.db\fR \fRtls_key /var/ldap/key3.db\fR
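Review bot: the context line "The private key must not be password-protected." means the file named by `TLS_KEY` holds an unencrypted key, but nothing in this entry says who may read it. Add a sentence recommending that the key file's permissions restrict read access to the account that needs it, next to the per-library `tls_key` path examples.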
@@ -835,12 +838,10 @@ Tivoli Directory Server:
\fRtls_key /usr/ldap/ldapkey.kdb\fR \fRtls_key /usr/ldap/ldapkey.kdb\fR
.PD 0 .PD 0
.PP .PP
.PD
When using Tivoli LDAP libraries, this file may also contain When using Tivoli LDAP libraries, this file may also contain
Certificate Authority and client certificates and may be encrypted. Certificate Authority and client certificates and may be encrypted.
.PP
.RE .RE
.PD 0 .PD
.TP 6n .TP 6n
\fBTLS_KEYPW\fR \fIsecret\fR \fBTLS_KEYPW\fR \fIsecret\fR
The The
@@ -849,9 +850,9 @@ contains the password used to decrypt the key database on clients
using the Tivoli Directory Server LDAP library. using the Tivoli Directory Server LDAP library.
This should be a simple string without quotes. This should be a simple string without quotes.
The password may not include the comment character The password may not include the comment character
(`#') (\(oq#\(cq)
and escaping of special characters with a backslash and escaping of special characters with a backslash
(`\e') (\(oq\e\(cq)
is not supported. is not supported.
If this option is used, If this option is used,
\fI@ldap_conf@\fR \fI@ldap_conf@\fR
@@ -884,7 +885,6 @@ The
utility can be used to manage the key database and create a utility can be used to manage the key database and create a
\fIstash file\fR. \fIstash file\fR.
This option is only supported by the Tivoli LDAP libraries. This option is only supported by the Tivoli LDAP libraries.
.PD
.TP 6n .TP 6n
\fBTLS_RANDFILE\fR \fIfile name\fR \fBTLS_RANDFILE\fR \fIfile name\fR
The The
@@ -967,14 +967,17 @@ does
not stop searching after the first match and later matches take not stop searching after the first match and later matches take
precedence over earlier ones. precedence over earlier ones.
The following sources are recognized: The following sources are recognized:
.PP
.RS 4n
.PD 0
.TP 10n .TP 10n
files files
read sudoers from read sudoers from
\fI@sysconfdir@/sudoers\fR \fI@sysconfdir@/sudoers\fR
.PD 0
.TP 10n .TP 10n
ldap ldap
read sudoers from LDAP read sudoers from LDAP
.RE
.PD .PD
.PP .PP
In addition, the entry In addition, the entry
@@ -1311,7 +1314,7 @@ search the archives.
.SH "DISCLAIMER" .SH "DISCLAIMER"
\fBsudo\fR \fBsudo\fR
is provided is provided
``AS IS'' \(lqAS IS\(rq
and any express or implied warranties, including, but not limited and any express or implied warranties, including, but not limited
to, the implied warranties of merchantability and fitness for a to, the implied warranties of merchantability and fitness for a
particular purpose are disclaimed. particular purpose are disclaimed.

File diff suppressed because it is too large

View File

@@ -265,4 +265,4 @@ DDIISSCCLLAAIIMMEERR
file distributed with ssuuddoo or http://www.sudo.ws/sudo/license.html for file distributed with ssuuddoo or http://www.sudo.ws/sudo/license.html for
complete details. complete details.
Sudo 1.8.9 October 28, 2013 Sudo 1.8.9 Sudo 1.8.10 February 15, 2014 Sudo 1.8.10

View File

@@ -1,7 +1,7 @@
.\" DO NOT EDIT THIS FILE, IT IS NOT THE MASTER! .\" DO NOT EDIT THIS FILE, IT IS NOT THE MASTER!
.\" IT IS GENERATED AUTOMATICALLY FROM sudoreplay.mdoc.in .\" IT IS GENERATED AUTOMATICALLY FROM sudoreplay.mdoc.in
.\" .\"
.\" Copyright (c) 2009-2013 Todd C. Miller <Todd.Miller@courtesan.com> .\" Copyright (c) 2009-2014 Todd C. Miller <Todd.Miller@courtesan.com>
.\" .\"
.\" Permission to use, copy, modify, and distribute this software for any .\" Permission to use, copy, modify, and distribute this software for any
.\" purpose with or without fee is hereby granted, provided that the above .\" purpose with or without fee is hereby granted, provided that the above
@@ -16,7 +16,7 @@
.\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. .\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
.\" ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. .\" ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
.\" .\"
.TH "SUDOREPLAY" "@mansectsu@" "October 28, 2013" "Sudo @PACKAGE_VERSION@" "System Manager's Manual" .TH "SUDOREPLAY" "@mansectsu@" "February 15, 2014" "Sudo @PACKAGE_VERSION@" "System Manager's Manual"
.nh .nh
.if n .ad l .if n .ad l
.SH "NAME" .SH "NAME"
@@ -36,7 +36,7 @@ ID
[\fB\-h\fR] [\fB\-h\fR]
[\fB\-d\fR\ \fIdir\fR] [\fB\-d\fR\ \fIdir\fR]
\fB\-l\fR \fB\-l\fR
[search expression] [search\ expression]
.SH "DESCRIPTION" .SH "DESCRIPTION"
\fBsudoreplay\fR \fBsudoreplay\fR
plays back or lists the output logs created by plays back or lists the output logs created by
@@ -82,16 +82,16 @@ In replay mode, if the standard output has not been redirected,
\fBsudoreplay\fR \fBsudoreplay\fR
will act on the following keys: will act on the following keys:
.TP 14n .TP 14n
`\fR\en\fR' or `\fR\er\fR' \(oq\fR\en\fR\(cq or \(oq\fR\er\fR\(cq
Skip to the next replay event; useful for long pauses. Skip to the next replay event; useful for long pauses.
.TP 14n .TP 14n
`\fR\ \fR' (space) \(oq\fR\ \fR\(cq (space)
Pause output; press any key to resume. Pause output; press any key to resume.
.TP 14n .TP 14n
`<' \(oq<\(cq
Reduce the playback speed by one half. Reduce the playback speed by one half.
.TP 14n .TP 14n
`>' \(oq>\(cq
Double the playback speed. Double the playback speed.
.PP .PP
The options are as follows: The options are as follows:
@@ -120,7 +120,7 @@ Display a short help message to the standard output and exit.
.TP 12n .TP 12n
\fB\-l\fR, \fB\--list\fR [\fIsearch expression\fR] \fB\-l\fR, \fB\--list\fR [\fIsearch expression\fR]
Enable Enable
``list mode''. \(lqlist mode\(rq.
In this mode, In this mode,
\fBsudoreplay\fR \fBsudoreplay\fR
will list available sessions in a format similar to the will list available sessions in a format similar to the
@@ -130,7 +130,9 @@ If a
\fIsearch expression\fR \fIsearch expression\fR
is specified, it will be used to restrict the IDs that are displayed. is specified, it will be used to restrict the IDs that are displayed.
An expression is composed of the following predicates: An expression is composed of the following predicates:
.RS .PP
.RS 12n
.PD 0
.TP 8n .TP 8n
command \fIpattern\fR command \fIpattern\fR
Evaluates to true if the command run matches Evaluates to true if the command run matches
@@ -139,6 +141,7 @@ On systems with POSIX regular expression support, the pattern may
be an extended regular expression. be an extended regular expression.
On systems without POSIX regular expression support, a simple sub-string On systems without POSIX regular expression support, a simple sub-string
match is performed instead. match is performed instead.
.PD
.TP 8n .TP 8n
cwd \fIdirectory\fR cwd \fIdirectory\fR
Evaluates to true if the command was run with the specified current Evaluates to true if the command was run with the specified current
@@ -200,9 +203,9 @@ Predicates may be combined using
and and
\fI\&!\fR \fI\&!\fR
operators as well as operators as well as
`\&(' \(oq\&(\(cq
and and
`\&)' \(oq\&)\(cq
grouping (note that parentheses must generally be escaped from the shell). grouping (note that parentheses must generally be escaped from the shell).
The The
\fIand\fR \fIand\fR
@@ -210,9 +213,7 @@ operator is optional, adjacent predicates have an implied
\fIand\fR \fIand\fR
unless separated by an unless separated by an
\fIor\fR. \fIor\fR.
.PP
.RE .RE
.PD 0
.TP 12n .TP 12n
\fB\-m\fR, \fB\--max-wait\fR \fImax_wait\fR \fB\-m\fR, \fB\--max-wait\fR \fImax_wait\fR
Specify an upper bound on how long to wait between key presses or output data. Specify an upper bound on how long to wait between key presses or output data.
@@ -229,7 +230,6 @@ will limit these pauses to at most
seconds. seconds.
The value may be specified as a floating point number, e.g.\& The value may be specified as a floating point number, e.g.\&
\fI2.5\fR. \fI2.5\fR.
.PD
.TP 12n .TP 12n
\fB\-s\fR, \fB\--speed\fR \fIspeed_factor\fR \fB\-s\fR, \fB\--speed\fR \fIspeed_factor\fR
This option causes This option causes
@@ -291,13 +291,13 @@ yesterday
next Friday next Friday
The first second of the Friday in the next (upcoming) week. The first second of the Friday in the next (upcoming) week.
Not to be confused with Not to be confused with
``this friday'' \(lqthis friday\(rq
which would match the friday of the current week. which would match the friday of the current week.
.TP 8n .TP 8n
last week last week
The current time but 7 days ago. The current time but 7 days ago.
This is equivalent to This is equivalent to
``a week ago''. \(lqa week ago\(rq.
.TP 8n .TP 8n
a fortnight ago a fortnight ago
The current time but 14 days ago. The current time but 14 days ago.
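Review bot: Day-name capitalization is inconsistent in the `next Friday` entry: the tag and its first sentence use "Friday", but the quoted \(lqthis friday\(rq and "the friday of the current week" are lowercase. These lines are already being touched for the quote change, so capitalize both, or say explicitly that day names are matched case-insensitively if that is why the lowercase form is shown.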
@@ -319,13 +319,13 @@ The current time but 14 days ago.
.PP .PP
Note that relative time specifications do not always work as expected. Note that relative time specifications do not always work as expected.
For example, the For example, the
``next'' \(lqnext\(rq
qualifier is intended to be used in conjunction with a day such as qualifier is intended to be used in conjunction with a day such as
``next Monday''. \(lqnext Monday\(rq.
When used with units of weeks, months, years, etc When used with units of weeks, months, years, etc
the result will be one more than expected. the result will be one more than expected.
For example, For example,
``next week'' \(lqnext week\(rq
will result in a time exactly two weeks from now, which is probably will result in a time exactly two weeks from now, which is probably
not what was intended. not what was intended.
This will be addressed in a future version of This will be addressed in a future version of
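Review bot: In the context line "When used with units of weeks, months, years, etc" the abbreviation is missing its period and the comma that should follow it ("etc., the result will be ..."). "One more than expected" is also vague until the \(lqnext week\(rq example two lines later; wording such as "one unit later than expected" would let the caveat stand on its own for someone restricting the session list by date.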
@@ -417,7 +417,7 @@ search the archives.
.SH "DISCLAIMER" .SH "DISCLAIMER"
\fBsudoreplay\fR \fBsudoreplay\fR
is provided is provided
``AS IS'' \(lqAS IS\(rq
and any express or implied warranties, including, but not limited and any express or implied warranties, including, but not limited
to, the implied warranties of merchantability and fitness for a to, the implied warranties of merchantability and fitness for a
particular purpose are disclaimed. particular purpose are disclaimed.

View File

@@ -26,7 +26,7 @@ DDEESSCCRRIIPPTTIIOONN
vviissuuddoo parses the _s_u_d_o_e_r_s file after the edit and will not save the vviissuuddoo parses the _s_u_d_o_e_r_s file after the edit and will not save the
changes if there is a syntax error. Upon finding an error, vviissuuddoo will changes if there is a syntax error. Upon finding an error, vviissuuddoo will
print a message stating the line number(s) where the error occurred and print a message stating the line number(s) where the error occurred and
the user will receive the ``What now?'' prompt. At this point the user the user will receive the ``What now?'' prompt. At this point the user
may enter `e' to re-edit the _s_u_d_o_e_r_s file, `x' to exit without saving the may enter `e' to re-edit the _s_u_d_o_e_r_s file, `x' to exit without saving the
changes, or `Q' to quit and save changes. The `Q' option should be used changes, or `Q' to quit and save changes. The `Q' option should be used
with extreme care because if vviissuuddoo believes there to be a parse error, with extreme care because if vviissuuddoo believes there to be a parse error,
@@ -156,4 +156,4 @@ DDIISSCCLLAAIIMMEERR
file distributed with ssuuddoo or http://www.sudo.ws/sudo/license.html for file distributed with ssuuddoo or http://www.sudo.ws/sudo/license.html for
complete details. complete details.
Sudo 1.8.9 December 16, 2013 Sudo 1.8.9 Sudo 1.8.10 February 15, 2014 Sudo 1.8.10

View File

@@ -1,7 +1,7 @@
.\" DO NOT EDIT THIS FILE, IT IS NOT THE MASTER! .\" DO NOT EDIT THIS FILE, IT IS NOT THE MASTER!
.\" IT IS GENERATED AUTOMATICALLY FROM visudo.mdoc.in .\" IT IS GENERATED AUTOMATICALLY FROM visudo.mdoc.in
.\" .\"
.\" Copyright (c) 1996,1998-2005, 2007-2013 .\" Copyright (c) 1996,1998-2005, 2007-2014
.\" Todd C. Miller <Todd.Miller@courtesan.com> .\" Todd C. Miller <Todd.Miller@courtesan.com>
.\" .\"
.\" Permission to use, copy, modify, and distribute this software for any .\" Permission to use, copy, modify, and distribute this software for any
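Review bot: The header of this file states that it is not the master and is generated from visudo.mdoc.in, so the copyright-year change to 2007-2014 on the edited line has to be present in visudo.mdoc.in as well, otherwise the next regeneration reverts it. Confirm the master is updated in this commit.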
@@ -21,7 +21,7 @@
.\" Agency (DARPA) and Air Force Research Laboratory, Air Force .\" Agency (DARPA) and Air Force Research Laboratory, Air Force
.\" Materiel Command, USAF, under agreement number F39502-99-1-0512. .\" Materiel Command, USAF, under agreement number F39502-99-1-0512.
.\" .\"
.TH "VISUDO" "@mansectsu@" "December 16, 2013" "Sudo @PACKAGE_VERSION@" "System Manager's Manual" .TH "VISUDO" "@mansectsu@" "February 15, 2014" "Sudo @PACKAGE_VERSION@" "System Manager's Manual"
.nh .nh
.if n .ad l .if n .ad l
.SH "NAME" .SH "NAME"
@@ -94,19 +94,19 @@ Upon finding an error,
\fBvisudo\fR \fBvisudo\fR
will print a message stating the line number(s) will print a message stating the line number(s)
where the error occurred and the user will receive the where the error occurred and the user will receive the
``What now?'' \(lqWhat now?\(rq
prompt. prompt.
At this point the user may enter At this point the user may enter
`e' \(oqe\(cq
to re-edit the to re-edit the
\fIsudoers\fR \fIsudoers\fR
file, file,
`x' \(oqx\(cq
to exit without saving the changes, or to exit without saving the changes, or
`Q' \(oqQ\(cq
to quit and save changes. to quit and save changes.
The The
`Q' \(oqQ\(cq
option should be used with extreme care because if option should be used with extreme care because if
\fBvisudo\fR \fBvisudo\fR
believes there to be a parse error, so will believes there to be a parse error, so will
@@ -116,7 +116,7 @@ will be able to
\fBsudo\fR \fBsudo\fR
again until the error is fixed. again until the error is fixed.
If If
`e' \(oqe\(cq
is typed to edit the is typed to edit the
\fIsudoers\fR \fIsudoers\fR
file after a parse error has been detected, the cursor will be placed on file after a parse error has been detected, the cursor will be placed on
@@ -158,14 +158,14 @@ instead of the default,
The lock file used is the specified The lock file used is the specified
\fIsudoers\fR \fIsudoers\fR
file with file with
``\.tmp'' \(lq\.tmp\(rq
appended to it. appended to it.
In In
\fIcheck-only\fR \fIcheck-only\fR
mode only, the argument to mode only, the argument to
\fB\-f\fR \fB\-f\fR
may be may be
`-', \(oq-\(cq,
indicating that indicating that
\fIsudoers\fR \fIsudoers\fR
will be read from the standard input. will be read from the standard input.
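Review bot: Quoting of literals is inconsistent within this hunk: the lock-file suffix is wrapped in double quotes (\(lq\.tmp\(rq) while the `-` argument to -f is wrapped in single quotes (\(oq-\(cq). Both are literal strings, and both now render as typographic quotes on output devices that support them, so pick one style for literals, preferably one that cannot be read as part of the file name or argument.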
@@ -195,7 +195,7 @@ will consider this a parse error.
Note that it is not possible to differentiate between an Note that it is not possible to differentiate between an
alias and a host name or user name that consists solely of uppercase alias and a host name or user name that consists solely of uppercase
letters, digits, and the underscore letters, digits, and the underscore
(`_') (\(oq_\(cq)
character. character.
.TP 12n .TP 12n
\fB\-V\fR, \fB\--version\fR \fB\-V\fR, \fB\--version\fR
@@ -213,7 +213,7 @@ in JSON format and write it to
If If
\fIfile\fR \fIfile\fR
is is
`-', \(oq-\(cq,
the exported the exported
\fIsudoers\fR \fIsudoers\fR
policy will to be written to the standard output. policy will to be written to the standard output.
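Review bot: The last context line reads "policy will to be written to the standard output"; drop the stray "to" so it reads "will be written". The line is not changed by this hunk, but it sits directly below the edited `-` quoting and is cheap to fix in the same pass, in visudo.mdoc.in since this file is generated from it.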
@@ -271,7 +271,7 @@ Your user ID does not appear in the system passwd file.
Either you are trying to use an undeclared {User,Runas,Host,Cmnd}_Alias Either you are trying to use an undeclared {User,Runas,Host,Cmnd}_Alias
or you have a user or host name listed that consists solely of or you have a user or host name listed that consists solely of
uppercase letters, digits, and the underscore uppercase letters, digits, and the underscore
(`_') (\(oq_\(cq)
character. character.
In the latter case, you can ignore the warnings In the latter case, you can ignore the warnings
(\fBsudo\fR (\fBsudo\fR
@@ -333,7 +333,7 @@ search the archives.
.SH "DISCLAIMER" .SH "DISCLAIMER"
\fBvisudo\fR \fBvisudo\fR
is provided is provided
``AS IS'' \(lqAS IS\(rq
and any express or implied warranties, including, but not limited and any express or implied warranties, including, but not limited
to, the implied warranties of merchantability and fitness for a to, the implied warranties of merchantability and fitness for a
particular purpose are disclaimed. particular purpose are disclaimed.