mir/sudo
2
0
Fork 0
mirror of https://github.com/sudo-project/sudo.git synced 2025-08-22 01:49:11 +00:00
Code Issues Releases Wiki Activity

regen

Browse Source
This commit is contained in:
Todd C. Miller 2004-09-06 20:46:28 +00:00
parent eb49afe6c8
commit 1e0f96b912
6 changed files with 477 additions and 304 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

246
sudo.cat
View File

@ -61,7 +61,7 @@ DDEESSCCRRIIPPTTIIOONN
1.6.8 August 17, 2004 1 1.6.8 September 6, 2004 1
@ -127,7 +127,7 @@ OOPPTTIIOONNSS
1.6.8 August 17, 2004 2 1.6.8 September 6, 2004 2
@ -178,22 +178,22 @@ SUDO(1m) MAINTENANCE COMMANDS SUDO(1m)
receive a warning and the edited copy will remain in a receive a warning and the edited copy will remain in a
temporary file. temporary file.
Please note that the editor used must make its changes
to the original file (really the original inode). If
the editor makes changes to a temporary file and then
just renames this to the original file name it will
not work with ssuuddooeeddiitt.
-h The --hh (_h_e_l_p) option causes ssuuddoo to print a usage mes­ -h The --hh (_h_e_l_p) option causes ssuuddoo to print a usage mes­
sage and exit. sage and exit.
-i The --ii (_s_i_m_u_l_a_t_e _i_n_i_t_i_a_l _l_o_g_i_n) option runs the shell -i The --ii (_s_i_m_u_l_a_t_e _i_n_i_t_i_a_l _l_o_g_i_n) option runs the shell
specified in the passwd(4) entry of the user that the specified in the passwd(4) entry of the user that the
command is being run as. The command name argument command is being run as. The command name argument
given to the shell begins with a - to tell the shell
to run as a login shell. ssuuddoo attempts to change to
that user's home directory before running the shell.
It also initializes the environment, leaving _T_E_R_M
unchanged, setting _H_O_M_E, _S_H_E_L_L, _U_S_E_R, _L_O_G_N_A_M_E, and
_P_A_T_H, and unsetting all other environment variables.
1.6.8 August 17, 2004 3 1.6.8 September 6, 2004 3
@ -202,6 +202,12 @@ SUDO(1m) MAINTENANCE COMMANDS SUDO(1m)
SUDO(1m) MAINTENANCE COMMANDS SUDO(1m) SUDO(1m) MAINTENANCE COMMANDS SUDO(1m)
given to the shell begins with a - to tell the shell
to run as a login shell. ssuuddoo attempts to change to
that user's home directory before running the shell.
It also initializes the environment, leaving _T_E_R_M
unchanged, setting _H_O_M_E, _S_H_E_L_L, _U_S_E_R, _L_O_G_N_A_M_E, and
_P_A_T_H, and unsetting all other environment variables.
Note that because the shell to use is determined Note that because the shell to use is determined
before the _s_u_d_o_e_r_s file is parsed, a _r_u_n_a_s___d_e_f_a_u_l_t before the _s_u_d_o_e_r_s file is parsed, a _r_u_n_a_s___d_e_f_a_u_l_t
setting in _s_u_d_o_e_r_s will specify the user to run the setting in _s_u_d_o_e_r_s will specify the user to run the
@ -250,16 +256,10 @@ SUDO(1m) MAINTENANCE COMMANDS SUDO(1m)
the password database. the password database.
-v If given the --vv (_v_a_l_i_d_a_t_e) option, ssuuddoo will update -v If given the --vv (_v_a_l_i_d_a_t_e) option, ssuuddoo will update
the user's timestamp, prompting for the user's pass­
word if necessary. This extends the ssuuddoo timeout for
another 5 minutes (or whatever the timeout is set to
in _s_u_d_o_e_r_s) but does not run a command.
-- The ---- flag indicates that ssuuddoo should stop processing
1.6.8 August 17, 2004 4 1.6.8 September 6, 2004 4
@ -268,6 +268,12 @@ SUDO(1m) MAINTENANCE COMMANDS SUDO(1m)
SUDO(1m) MAINTENANCE COMMANDS SUDO(1m) SUDO(1m) MAINTENANCE COMMANDS SUDO(1m)
the user's timestamp, prompting for the user's pass­
word if necessary. This extends the ssuuddoo timeout for
another 5 minutes (or whatever the timeout is set to
in _s_u_d_o_e_r_s) but does not run a command.
-- The ---- flag indicates that ssuuddoo should stop processing
command line arguments. It is most useful in conjunc­ command line arguments. It is most useful in conjunc­
tion with the --ss flag. tion with the --ss flag.
@ -316,16 +322,10 @@ SSEECCUURRIITTYY NNOOTTEESS
that ssuuddoo executes. that ssuuddoo executes.
For security reasons, if your OS supports shared libraries For security reasons, if your OS supports shared libraries
and does not disable user-defined library search paths for
setuid programs (most do), you should either use a linker
option that disables this behavior or link ssuuddoo stati­
cally.
ssuuddoo will check the ownership of its timestamp directory
1.6.8 August 17, 2004 5 1.6.8 September 6, 2004 5
@ -334,6 +334,12 @@ SSEECCUURRIITTYY NNOOTTEESS
SUDO(1m) MAINTENANCE COMMANDS SUDO(1m) SUDO(1m) MAINTENANCE COMMANDS SUDO(1m)
and does not disable user-defined library search paths for
setuid programs (most do), you should either use a linker
option that disables this behavior or link ssuuddoo stati­
cally.
ssuuddoo will check the ownership of its timestamp directory
(_/_v_a_r_/_r_u_n_/_s_u_d_o by default) and ignore the directory's con­ (_/_v_a_r_/_r_u_n_/_s_u_d_o by default) and ignore the directory's con­
tents if it is not owned by root and only writable by tents if it is not owned by root and only writable by
root. On systems that allow non-root users to give away root. On systems that allow non-root users to give away
@ -369,45 +375,6 @@ SUDO(1m) MAINTENANCE COMMANDS SUDO(1m)
verify that the command does not inadvertently give the verify that the command does not inadvertently give the
user an effective root shell. user an effective root shell.
EEXXAAMMPPLLEESS
Note: the following examples assume suitable sudoers(4)
entries.
To get a file listing of an unreadable directory:
$ sudo ls /usr/local/protected
To list the home directory of user yazza on a machine
where the file system holding ~yazza is not exported as
root:
$ sudo -u yazza ls ~yazza
To edit the _i_n_d_e_x_._h_t_m_l file as user www:
$ sudo -u www vi ~www/htdocs/index.html
To shutdown a machine:
1.6.8 August 17, 2004 6
SUDO(1m) MAINTENANCE COMMANDS SUDO(1m)
$ sudo shutdown -r +15 "quick reboot"
To make a usage listing of the directories in the /home
partition. Note that this runs the commands in a sub-
shell to make the cd and file redirection work.
$ sudo sh -c "cd /home ; du -s * | sort -rn > USAGE"
EENNVVIIRROONNMMEENNTT EENNVVIIRROONNMMEENNTT
ssuuddoo utilizes the following environment variables: ssuuddoo utilizes the following environment variables:
@ -421,6 +388,18 @@ EENNVVIIRROONNMMEENNTT
PATH Set to a sane value if sudo was configured with PATH Set to a sane value if sudo was configured with
the --with-secure-path option the --with-secure-path option
1.6.8 September 6, 2004 6
SUDO(1m) MAINTENANCE COMMANDS SUDO(1m)
SHELL Used to determine shell to run with -s option SHELL Used to determine shell to run with -s option
SUDO_PROMPT Used as the default password prompt SUDO_PROMPT Used as the default password prompt
@ -444,6 +423,49 @@ FFIILLEESS
/etc/sudoers List of who can run what /etc/sudoers List of who can run what
/var/run/sudo Directory containing timestamps /var/run/sudo Directory containing timestamps
EEXXAAMMPPLLEESS
Note: the following examples assume suitable sudoers(4)
entries.
To get a file listing of an unreadable directory:
$ sudo ls /usr/local/protected
To list the home directory of user yazza on a machine
where the file system holding ~yazza is not exported as
root:
$ sudo -u yazza ls ~yazza
To edit the _i_n_d_e_x_._h_t_m_l file as user www:
$ sudo -u www vi ~www/htdocs/index.html
To shutdown a machine:
$ sudo shutdown -r +15 "quick reboot"
To make a usage listing of the directories in the /home
partition. Note that this runs the commands in a sub-
shell to make the cd and file redirection work.
$ sudo sh -c "cd /home ; du -s * | sort -rn > USAGE"
SSEEEE AALLSSOO
_g_r_e_p(1), _s_u(1), _s_t_a_t(2), _l_o_g_i_n___c_a_p(3), sudoers(4),
passwd(4), visudo(1m)
1.6.8 September 6, 2004 7
SUDO(1m) MAINTENANCE COMMANDS SUDO(1m)
AAUUTTHHOORRSS AAUUTTHHOORRSS
Many people have worked on ssuuddoo over the years; this ver­ Many people have worked on ssuuddoo over the years; this ver­
sion consists of code written primarily by: sion consists of code written primarily by:
@ -455,28 +477,6 @@ AAUUTTHHOORRSS
http://www.sudo.ws/sudo/history.html for a short history http://www.sudo.ws/sudo/history.html for a short history
of ssuuddoo. of ssuuddoo.
1.6.8 August 17, 2004 7
SUDO(1m) MAINTENANCE COMMANDS SUDO(1m)
BBUUGGSS
If you feel you have found a bug in sudo, please submit a
bug report at http://www.sudo.ws/sudo/bugs/
DDIISSCCLLAAIIMMEERR
SSuuddoo is provided ``AS IS'' and any express or implied war­
ranties, including, but not limited to, the implied war­
ranties of merchantability and fitness for a particular
purpose are disclaimed. See the LICENSE file distributed
with ssuuddoo for complete details.
CCAAVVEEAATTSS CCAAVVEEAATTSS
There is no easy way to prevent a user from gaining a root There is no easy way to prevent a user from gaining a root
shell if that user is allowed to run arbitrary commands shell if that user is allowed to run arbitrary commands
@ -502,12 +502,41 @@ CCAAVVEEAATTSS
Running shell scripts via ssuuddoo can expose the same kernel Running shell scripts via ssuuddoo can expose the same kernel
bugs that make setuid shell scripts unsafe on some operat­ bugs that make setuid shell scripts unsafe on some operat­
ing systems (if your OS supports the /dev/fd/ directory, ing systems (if your OS has a /dev/fd/ directory, setuid
setuid shell scripts are generally safe). shell scripts are generally safe).
SSEEEE AALLSSOO BBUUGGSS
_g_r_e_p(1), _s_u(1), _s_t_a_t(2), _l_o_g_i_n___c_a_p(3), sudoers(4), If you feel you have found a bug in ssuuddoo, please submit a
passwd(4), visudo(1m) bug report at http://www.sudo.ws/sudo/bugs/
SSUUPPPPOORRTT
Commercial support is available for ssuuddoo, see
http://www.sudo.ws/sudo/support.html for details.
Limited free support is available via the sudo-users mail­
ing list, see http://www.sudo.ws/mail­
man/listinfo/sudo-users to subscribe or search the
archives.
DDIISSCCLLAAIIMMEERR
SSuuddoo is provided ``AS IS'' and any express or implied
1.6.8 September 6, 2004 8
SUDO(1m) MAINTENANCE COMMANDS SUDO(1m)
warranties, including, but not limited to, the implied
warranties of merchantability and fitness for a particular
purpose are disclaimed. See the LICENSE file distributed
with ssuuddoo or http://www.sudo.ws/sudo/license.html for com­
plete details.
@ -523,6 +552,43 @@ SSEEEE AALLSSOO
1.6.8 August 17, 2004 8
1.6.8 September 6, 2004 9

123
sudo.man.in
View File

@ -149,7 +149,7 @@
.\" ======================================================================== .\" ========================================================================
.\" .\"
.IX Title "SUDO @mansectsu@" .IX Title "SUDO @mansectsu@"
.TH SUDO @mansectsu@ "August 17, 2004" "1.6.8" "MAINTENANCE COMMANDS" .TH SUDO @mansectsu@ "September 6, 2004" "1.6.8" "MAINTENANCE COMMANDS"
.SH "NAME" .SH "NAME"
sudo, sudoedit \- execute a command as another user sudo, sudoedit \- execute a command as another user
.SH "SYNOPSIS" .SH "SYNOPSIS"
@ -299,6 +299,11 @@ the invoking user's environment unmodified. If, for some reason,
\&\fBsudo\fR is unable to update a file with its edited version, the \&\fBsudo\fR is unable to update a file with its edited version, the
user will receive a warning and the edited copy will remain in a user will receive a warning and the edited copy will remain in a
temporary file. temporary file.
.Sp
Please note that the editor used must make its changes to the
original file (really the original inode). If the editor makes
changes to a temporary file and then just renames this to the
original file name it will not work with \fBsudoedit\fR.
.RE .RE
.IP "\-h" 4 .IP "\-h" 4
.IX Item "-h" .IX Item "-h"
@ -460,42 +465,6 @@ commands that offer shell escapes (including most editors). Because
of this, care must be taken when giving users access to commands of this, care must be taken when giving users access to commands
via \fBsudo\fR to verify that the command does not inadvertently give via \fBsudo\fR to verify that the command does not inadvertently give
the user an effective root shell. the user an effective root shell.
.SH "EXAMPLES"
.IX Header "EXAMPLES"
Note: the following examples assume suitable sudoers(@mansectform@) entries.
.PP
To get a file listing of an unreadable directory:
.PP
.Vb 1
\& $ sudo ls /usr/local/protected
.Ve
.PP
To list the home directory of user yazza on a machine where the
file system holding ~yazza is not exported as root:
.PP
.Vb 1
\& $ sudo -u yazza ls ~yazza
.Ve
.PP
To edit the \fIindex.html\fR file as user www:
.PP
.Vb 1
\& $ sudo -u www vi ~www/htdocs/index.html
.Ve
.PP
To shutdown a machine:
.PP
.Vb 1
\& $ sudo shutdown -r +15 "quick reboot"
.Ve
.PP
To make a usage listing of the directories in the /home
partition. Note that this runs the commands in a sub-shell
to make the \f(CW\*(C`cd\*(C'\fR and file redirection work.
.PP
.Vb 1
\& $ sudo sh -c "cd /home ; du -s * | sort -rn > USAGE"
.Ve
.SH "ENVIRONMENT" .SH "ENVIRONMENT"
.IX Header "ENVIRONMENT" .IX Header "ENVIRONMENT"
\&\fBsudo\fR utilizes the following environment variables: \&\fBsudo\fR utilizes the following environment variables:
@ -558,6 +527,46 @@ to make the \f(CW\*(C`cd\*(C'\fR and file redirection work.
\& @sysconfdir@/sudoers List of who can run what \& @sysconfdir@/sudoers List of who can run what
\& @timedir@ Directory containing timestamps \& @timedir@ Directory containing timestamps
.Ve .Ve
.SH "EXAMPLES"
.IX Header "EXAMPLES"
Note: the following examples assume suitable sudoers(@mansectform@) entries.
.PP
To get a file listing of an unreadable directory:
.PP
.Vb 1
\& $ sudo ls /usr/local/protected
.Ve
.PP
To list the home directory of user yazza on a machine where the
file system holding ~yazza is not exported as root:
.PP
.Vb 1
\& $ sudo -u yazza ls ~yazza
.Ve
.PP
To edit the \fIindex.html\fR file as user www:
.PP
.Vb 1
\& $ sudo -u www vi ~www/htdocs/index.html
.Ve
.PP
To shutdown a machine:
.PP
.Vb 1
\& $ sudo shutdown -r +15 "quick reboot"
.Ve
.PP
To make a usage listing of the directories in the /home
partition. Note that this runs the commands in a sub-shell
to make the \f(CW\*(C`cd\*(C'\fR and file redirection work.
.PP
.Vb 1
\& $ sudo sh -c "cd /home ; du -s * | sort -rn > USAGE"
.Ve
.SH "SEE ALSO"
.IX Header "SEE ALSO"
\&\fIgrep\fR\|(1), \fIsu\fR\|(1), \fIstat\fR\|(2), \fIlogin_cap\fR\|(3), sudoers(@mansectform@),
passwd(@mansectform@), visudo(@mansectsu@)
.SH "AUTHORS" .SH "AUTHORS"
.IX Header "AUTHORS" .IX Header "AUTHORS"
Many people have worked on \fBsudo\fR over the years; this Many people have worked on \fBsudo\fR over the years; this
@ -571,16 +580,6 @@ version consists of code written primarily by:
See the \s-1HISTORY\s0 file in the \fBsudo\fR distribution or visit See the \s-1HISTORY\s0 file in the \fBsudo\fR distribution or visit
http://www.sudo.ws/sudo/history.html for a short history http://www.sudo.ws/sudo/history.html for a short history
of \fBsudo\fR. of \fBsudo\fR.
.SH "BUGS"
.IX Header "BUGS"
If you feel you have found a bug in sudo, please submit a bug report
at http://www.sudo.ws/sudo/bugs/
.SH "DISCLAIMER"
.IX Header "DISCLAIMER"
\&\fBSudo\fR is provided ``\s-1AS\s0 \s-1IS\s0'' and any express or implied warranties,
including, but not limited to, the implied warranties of merchantability
and fitness for a particular purpose are disclaimed.
See the \s-1LICENSE\s0 file distributed with \fBsudo\fR for complete details.
.SH "CAVEATS" .SH "CAVEATS"
.IX Header "CAVEATS" .IX Header "CAVEATS"
There is no easy way to prevent a user from gaining a root shell There is no easy way to prevent a user from gaining a root shell
@ -604,11 +603,25 @@ If users have sudo \f(CW\*(C`ALL\*(C'\fR there is nothing to prevent them from
creating their own program that gives them a root shell regardless creating their own program that gives them a root shell regardless
of any '!' elements in the user specification. of any '!' elements in the user specification.
.PP .PP
Running shell scripts via \fBsudo\fR can expose the same kernel bugs Running shell scripts via \fBsudo\fR can expose the same kernel bugs that
that make setuid shell scripts unsafe on some operating systems make setuid shell scripts unsafe on some operating systems (if your \s-1OS\s0
(if your \s-1OS\s0 supports the /dev/fd/ directory, setuid shell scripts has a /dev/fd/ directory, setuid shell scripts are generally safe).
are generally safe). .SH "BUGS"
.SH "SEE ALSO" .IX Header "BUGS"
.IX Header "SEE ALSO" If you feel you have found a bug in \fBsudo\fR, please submit a bug report
\&\fIgrep\fR\|(1), \fIsu\fR\|(1), \fIstat\fR\|(2), \fIlogin_cap\fR\|(3), sudoers(@mansectform@), at http://www.sudo.ws/sudo/bugs/
passwd(@mansectform@), visudo(@mansectsu@) .SH "SUPPORT"
.IX Header "SUPPORT"
Commercial support is available for \fBsudo\fR, see
http://www.sudo.ws/sudo/support.html for details.
.PP
Limited free support is available via the sudo-users mailing list,
see http://www.sudo.ws/mailman/listinfo/sudo\-users to subscribe or
search the archives.
.SH "DISCLAIMER"
.IX Header "DISCLAIMER"
\&\fBSudo\fR is provided ``\s-1AS\s0 \s-1IS\s0'' and any express or implied warranties,
including, but not limited to, the implied warranties of merchantability
and fitness for a particular purpose are disclaimed. See the \s-1LICENSE\s0
file distributed with \fBsudo\fR or http://www.sudo.ws/sudo/license.html
for complete details.

222
sudoers.cat
View File

@ -61,7 +61,7 @@ DDEESSCCRRIIPPTTIIOONN
1.6.8 August 6, 2004 1 1.6.8 September 6, 2004 1
@ -127,7 +127,7 @@ SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4)
1.6.8 August 6, 2004 2 1.6.8 September 6, 2004 2
@ -193,7 +193,7 @@ SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4)
1.6.8 August 6, 2004 3 1.6.8 September 6, 2004 3
@ -259,7 +259,7 @@ SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4)
1.6.8 August 6, 2004 4 1.6.8 September 6, 2004 4
@ -325,7 +325,7 @@ SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4)
1.6.8 August 6, 2004 5 1.6.8 September 6, 2004 5
@ -391,7 +391,7 @@ SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4)
1.6.8 August 6, 2004 6 1.6.8 September 6, 2004 6
@ -457,7 +457,7 @@ SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4)
1.6.8 August 6, 2004 7 1.6.8 September 6, 2004 7
@ -523,7 +523,7 @@ SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4)
1.6.8 August 6, 2004 8 1.6.8 September 6, 2004 8
@ -589,7 +589,7 @@ SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4)
1.6.8 August 6, 2004 9 1.6.8 September 6, 2004 9
@ -655,7 +655,7 @@ SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4)
1.6.8 August 6, 2004 10 1.6.8 September 6, 2004 10
@ -721,7 +721,7 @@ SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4)
1.6.8 August 6, 2004 11 1.6.8 September 6, 2004 11
@ -787,7 +787,7 @@ SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4)
1.6.8 August 6, 2004 12 1.6.8 September 6, 2004 12
@ -853,7 +853,7 @@ SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4)
1.6.8 August 6, 2004 13 1.6.8 September 6, 2004 13
@ -919,7 +919,7 @@ SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4)
1.6.8 August 6, 2004 14 1.6.8 September 6, 2004 14
@ -985,7 +985,7 @@ SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4)
1.6.8 August 6, 2004 15 1.6.8 September 6, 2004 15
@ -1051,7 +1051,7 @@ SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4)
1.6.8 August 6, 2004 16 1.6.8 September 6, 2004 16
@ -1103,21 +1103,21 @@ SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4)
('\') when used as part of a word (e.g. a username or ('\') when used as part of a word (e.g. a username or
hostname): '@', '!', '=', ':', ',', '(', ')', '\'. hostname): '@', '!', '=', ':', ',', '(', ')', '\'.
FFIILLEESS
/etc/sudoers List of who can run what
/etc/group Local groups file
/etc/netgroup List of network groups
EEXXAAMMPPLLEESS EEXXAAMMPPLLEESS
Since the _s_u_d_o_e_r_s file is parsed in a single pass, order Since the _s_u_d_o_e_r_s file is parsed in a single pass, order
is important. In general, you should structure _s_u_d_o_e_r_s is important. In general, you should structure _s_u_d_o_e_r_s
such that the Host_Alias, User_Alias, and Cmnd_Alias spec­ such that the Host_Alias, User_Alias, and Cmnd_Alias spec­
ifications come first, followed by any Default_Entry ifications come first, followed by any Default_Entry
lines, and finally the Runas_Alias and user specifica­ lines, and finally the Runas_Alias and user
tions. The basic rule of thumb is you cannot reference an
Alias that has not already been defined.
Below are example _s_u_d_o_e_r_s entries. Admittedly, some of
these are a bit contrived. First, we define our _a_l_i_a_s_e_s:
1.6.8 August 6, 2004 17 1.6.8 September 6, 2004 17
@ -1126,6 +1126,12 @@ EEXXAAMMPPLLEESS
SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4) SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4)
specifications. The basic rule of thumb is you cannot
reference an Alias that has not already been defined.
Below are example _s_u_d_o_e_r_s entries. Admittedly, some of
these are a bit contrived. First, we define our _a_l_i_a_s_e_s:
# User alias specification # User alias specification
User_Alias FULLTIMERS = millert, mikef, dowdy User_Alias FULLTIMERS = millert, mikef, dowdy
User_Alias PARTTIMERS = bostley, jwfox, crawl User_Alias PARTTIMERS = bostley, jwfox, crawl
@ -1169,6 +1175,23 @@ SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4)
the year in each log line since the log entries will be the year in each log line since the log entries will be
kept around for several years. kept around for several years.
1.6.8 September 6, 2004 18
SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4)
# Override built-in defaults # Override built-in defaults
Defaults syslog=auth Defaults syslog=auth
Defaults>root !set_logname Defaults>root !set_logname
@ -1179,19 +1202,6 @@ SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4)
The _U_s_e_r _s_p_e_c_i_f_i_c_a_t_i_o_n is the part that actually deter­ The _U_s_e_r _s_p_e_c_i_f_i_c_a_t_i_o_n is the part that actually deter­
mines who may run what. mines who may run what.
1.6.8 August 6, 2004 18
SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4)
root ALL = (ALL) ALL root ALL = (ALL) ALL
%wheel ALL = (ALL) ALL %wheel ALL = (ALL) ALL
@ -1237,6 +1247,17 @@ SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4)
pete HPPA = /usr/bin/passwd [A-z]*, !/usr/bin/passwd root pete HPPA = /usr/bin/passwd [A-z]*, !/usr/bin/passwd root
1.6.8 September 6, 2004 19
SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4)
The user ppeettee is allowed to change anyone's password The user ppeettee is allowed to change anyone's password
except for root on the _H_P_P_A machines. Note that this except for root on the _H_P_P_A machines. Note that this
assumes _p_a_s_s_w_d(1) does not take multiple usernames on the assumes _p_a_s_s_w_d(1) does not take multiple usernames on the
@ -1246,18 +1267,6 @@ SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4)
The user bboobb may run anything on the _S_P_A_R_C and _S_G_I The user bboobb may run anything on the _S_P_A_R_C and _S_G_I
machines as any user listed in the _O_P Runas_Alias (rroooott machines as any user listed in the _O_P Runas_Alias (rroooott
1.6.8 August 6, 2004 19
SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4)
and ooppeerraattoorr). and ooppeerraattoorr).
jim +biglab = ALL jim +biglab = ALL
@ -1304,6 +1313,17 @@ SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4)
On his personal workstation, valkyrie, mmaatttt needs to be On his personal workstation, valkyrie, mmaatttt needs to be
able to kill hung processes. able to kill hung processes.
1.6.8 September 6, 2004 20
SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4)
WEBMASTERS www = (www) ALL, (root) /usr/bin/su www WEBMASTERS www = (www) ALL, (root) /usr/bin/su www
On the host www, any user in the _W_E_B_M_A_S_T_E_R_S User_Alias On the host www, any user in the _W_E_B_M_A_S_T_E_R_S User_Alias
@ -1313,17 +1333,6 @@ SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4)
ALL CDROM = NOPASSWD: /sbin/umount /CDROM,\ ALL CDROM = NOPASSWD: /sbin/umount /CDROM,\
/sbin/mount -o nosuid\,nodev /dev/cd0a /CDROM /sbin/mount -o nosuid\,nodev /dev/cd0a /CDROM
1.6.8 August 6, 2004 20
SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4)
Any user may mount or unmount a CD-ROM on the machines in Any user may mount or unmount a CD-ROM on the machines in
the CDROM Host_Alias (orion, perseus, hercules) without the CDROM Host_Alias (orion, perseus, hercules) without
entering a password. This is a bit tedious for users to entering a password. This is a bit tedious for users to
@ -1369,6 +1378,18 @@ PPRREEVVEENNTTIINNGG SSHHEELLLL EESSCCAAPPEESS
sudo -V | grep "dummy exec" sudo -V | grep "dummy exec"
1.6.8 September 6, 2004 21
SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4)
If the resulting output contains a line that begins with: If the resulting output contains a line that begins with:
File containing dummy exec functions: File containing dummy exec functions:
@ -1378,18 +1399,6 @@ PPRREEVVEENNTTIINNGG SSHHEELLLL EESSCCAAPPEESS
return an error. Unfortunately, there is no foolproof way return an error. Unfortunately, there is no foolproof way
to know whether or not _n_o_e_x_e_c will work at compile-time. to know whether or not _n_o_e_x_e_c will work at compile-time.
_N_o_e_x_e_c should work on SunOS, Solaris, *BSD, Linux, IRIX, _N_o_e_x_e_c should work on SunOS, Solaris, *BSD, Linux, IRIX,
1.6.8 August 6, 2004 21
SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4)
Tru64 UNIX, MacOS X, and HP-UX 11.x. It is known nnoott to Tru64 UNIX, MacOS X, and HP-UX 11.x. It is known nnoott to
work on AIX and UnixWare. _N_o_e_x_e_c is expected to work on work on AIX and UnixWare. _N_o_e_x_e_c is expected to work on
most operating systems that support the LD_PRELOAD envi­ most operating systems that support the LD_PRELOAD envi­
@ -1418,6 +1427,9 @@ SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4)
tion. In the specific case of an editor, a safer approach tion. In the specific case of an editor, a safer approach
is to give the user permission to run ssuuddooeeddiitt. is to give the user permission to run ssuuddooeeddiitt.
SSEEEE AALLSSOO
_r_s_h(1), _s_u(1), _f_n_m_a_t_c_h(3), sudo(1m), visudo(1m)
CCAAVVEEAATTSS CCAAVVEEAATTSS
The _s_u_d_o_e_r_s file should aallwwaayyss be edited by the vviissuuddoo The _s_u_d_o_e_r_s file should aallwwaayyss be edited by the vviissuuddoo
command which locks the file and does grammatical check­ command which locks the file and does grammatical check­
@ -1431,13 +1443,39 @@ CCAAVVEEAATTSS
hostname be fully qualified as returned by the hostname hostname be fully qualified as returned by the hostname
command or use the _f_q_d_n option in _s_u_d_o_e_r_s. command or use the _f_q_d_n option in _s_u_d_o_e_r_s.
FFIILLEESS
/etc/sudoers List of who can run what
/etc/group Local groups file
/etc/netgroup List of network groups
SSEEEE AALLSSOO
_r_s_h(1), _s_u(1), _f_n_m_a_t_c_h(3), sudo(1m), visudo(1m)
1.6.8 September 6, 2004 22
SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4)
BBUUGGSS
If you feel you have found a bug in ssuuddoo, please submit a
bug report at http://www.sudo.ws/sudo/bugs/
SSUUPPPPOORRTT
Commercial support is available for ssuuddoo, see
http://www.sudo.ws/sudo/support.html for details.
Limited free support is available via the sudo-users mail­
ing list, see http://www.sudo.ws/mail­
man/listinfo/sudo-users to subscribe or search the
archives.
DDIISSCCLLAAIIMMEERR
SSuuddoo is provided ``AS IS'' and any express or implied war­
ranties, including, but not limited to, the implied war­
ranties of merchantability and fitness for a particular
purpose are disclaimed. See the LICENSE file distributed
with ssuuddoo or http://www.sudo.ws/sudo/license.html for com­
plete details.
@ -1447,6 +1485,34 @@ SSEEEE AALLSSOO
1.6.8 August 6, 2004 22
1.6.8 September 6, 2004 23

41
sudoers.man.in
View File

@ -149,7 +149,7 @@
.\" ======================================================================== .\" ========================================================================
.\" .\"
.IX Title "SUDOERS @mansectform@" .IX Title "SUDOERS @mansectform@"
.TH SUDOERS @mansectform@ "August 6, 2004" "1.6.8" "MAINTENANCE COMMANDS" .TH SUDOERS @mansectform@ "September 6, 2004" "1.6.8" "MAINTENANCE COMMANDS"
.SH "NAME" .SH "NAME"
sudoers \- list of which users may execute what sudoers \- list of which users may execute what
.SH "DESCRIPTION" .SH "DESCRIPTION"
@ -1069,6 +1069,13 @@ characters in a \fIUser Specification\fR ('=', ':', '(', ')') is optional.
The following characters must be escaped with a backslash ('\e') when The following characters must be escaped with a backslash ('\e') when
used as part of a word (e.g. a username or hostname): used as part of a word (e.g. a username or hostname):
\&'@', '!', '=', ':', ',', '(', ')', '\e'. \&'@', '!', '=', ':', ',', '(', ')', '\e'.
.SH "FILES"
.IX Header "FILES"
.Vb 3
\& @sysconfdir@/sudoers List of who can run what
\& /etc/group Local groups file
\& /etc/netgroup List of network groups
.Ve
.SH "EXAMPLES" .SH "EXAMPLES"
.IX Header "EXAMPLES" .IX Header "EXAMPLES"
Since the \fIsudoers\fR file is parsed in a single pass, order is Since the \fIsudoers\fR file is parsed in a single pass, order is
@ -1366,6 +1373,9 @@ as root are still capable of many potentially hazardous operations
(such as changing or overwriting files) that could lead to unintended (such as changing or overwriting files) that could lead to unintended
privilege escalation. In the specific case of an editor, a safer privilege escalation. In the specific case of an editor, a safer
approach is to give the user permission to run \fBsudoedit\fR. approach is to give the user permission to run \fBsudoedit\fR.
.SH "SEE ALSO"
.IX Header "SEE ALSO"
\&\fIrsh\fR\|(1), \fIsu\fR\|(1), \fIfnmatch\fR\|(3), sudo(@mansectsu@), visudo(@mansectsu@)
.SH "CAVEATS" .SH "CAVEATS"
.IX Header "CAVEATS" .IX Header "CAVEATS"
The \fIsudoers\fR file should \fBalways\fR be edited by the \fBvisudo\fR The \fIsudoers\fR file should \fBalways\fR be edited by the \fBvisudo\fR
@ -1378,13 +1388,22 @@ store fully qualified hostnames in the netgroup (as is usually the
case), you either need to have the machine's hostname be fully qualified case), you either need to have the machine's hostname be fully qualified
as returned by the \f(CW\*(C`hostname\*(C'\fR command or use the \fIfqdn\fR option in as returned by the \f(CW\*(C`hostname\*(C'\fR command or use the \fIfqdn\fR option in
\&\fIsudoers\fR. \&\fIsudoers\fR.
.SH "FILES" .SH "BUGS"
.IX Header "FILES" .IX Header "BUGS"
.Vb 3 If you feel you have found a bug in \fBsudo\fR, please submit a bug report
\& @sysconfdir@/sudoers List of who can run what at http://www.sudo.ws/sudo/bugs/
\& /etc/group Local groups file .SH "SUPPORT"
\& /etc/netgroup List of network groups .IX Header "SUPPORT"
.Ve Commercial support is available for \fBsudo\fR, see
.SH "SEE ALSO" http://www.sudo.ws/sudo/support.html for details.
.IX Header "SEE ALSO" .PP
\&\fIrsh\fR\|(1), \fIsu\fR\|(1), \fIfnmatch\fR\|(3), sudo(@mansectsu@), visudo(@mansectsu@) Limited free support is available via the sudo-users mailing list,
see http://www.sudo.ws/mailman/listinfo/sudo\-users to subscribe or
search the archives.
.SH "DISCLAIMER"
.IX Header "DISCLAIMER"
\&\fBSudo\fR is provided ``\s-1AS\s0 \s-1IS\s0'' and any express or implied warranties,
including, but not limited to, the implied warranties of merchantability
and fitness for a particular purpose are disclaimed. See the \s-1LICENSE\s0
file distributed with \fBsudo\fR or http://www.sudo.ws/sudo/license.html
for complete details.

78
visudo.cat
View File

@ -61,7 +61,7 @@ OOPPTTIIOONNSS
1.6.8 June 8, 2004 1 1.6.8 September 6, 2004 1
@ -88,7 +88,18 @@ VISUDO(1m) MAINTENANCE COMMANDS VISUDO(1m)
-V The --VV (version) option causes vviissuuddoo to print its -V The --VV (version) option causes vviissuuddoo to print its
version number and exit. version number and exit.
EERRRROORRSS EENNVVIIRROONNMMEENNTT
The following environment variables are used only if
vviissuuddoo was configured with the _-_-_w_i_t_h_-_e_n_v_-_e_d_i_t_o_r option:
VISUAL Invoked by visudo as the editor to use
EDITOR Used by visudo if VISUAL is not set
FFIILLEESS
/etc/sudoers List of who can run what
/etc/sudoers.tmp Lock file for visudo
DDIIAAGGNNOOSSTTIICCSS
sudoers file busy, try again later. sudoers file busy, try again later.
Someone else is currently editing the _s_u_d_o_e_r_s file. Someone else is currently editing the _s_u_d_o_e_r_s file.
@ -113,21 +124,10 @@ EERRRROORRSS
used. This means that entries prior to the used. This means that entries prior to the
_r_u_n_a_s___d_e_f_a_u_l_t setting will match based on the default _r_u_n_a_s___d_e_f_a_u_l_t setting will match based on the default
value of _r_u_n_a_s___d_e_f_a_u_l_t (root) whereas entries aafftteerr value of _r_u_n_a_s___d_e_f_a_u_l_t (root) whereas entries aafftteerr
the _r_u_n_a_s___d_e_f_a_u_l_t setting will match based on the new
value. This is usually unintentional and in most
cases the <runas_default> setting should be placed
before any Runas_Alias or User specifications. In --ss
(strict) mode this is an error, not a warning.
EENNVVIIRROONNMMEENNTT
The following environment variables are used only if
vviissuuddoo was configured with the _-_-_w_i_t_h_-_e_n_v_-_e_d_i_t_o_r option:
1.6.8 September 6, 2004 2
1.6.8 June 8, 2004 2
@ -136,12 +136,14 @@ EENNVVIIRROONNMMEENNTT
VISUDO(1m) MAINTENANCE COMMANDS VISUDO(1m) VISUDO(1m) MAINTENANCE COMMANDS VISUDO(1m)
VISUAL Invoked by visudo as the editor to use the _r_u_n_a_s___d_e_f_a_u_l_t setting will match based on the new
EDITOR Used by visudo if VISUAL is not set value. This is usually unintentional and in most
cases the <runas_default> setting should be placed
before any Runas_Alias or User specifications. In --ss
(strict) mode this is an error, not a warning.
FFIILLEESS SSEEEE AALLSSOO
/etc/sudoers List of who can run what _v_i(1), sudoers(4), sudo(1m), vipw(1m)
/etc/sudoers.tmp Lock file for visudo
AAUUTTHHOORR AAUUTTHHOORR
Many people have worked on _s_u_d_o over the years; this ver­ Many people have worked on _s_u_d_o over the years; this ver­
@ -152,23 +154,30 @@ AAUUTTHHOORR
See the HISTORY file in the sudo distribution or visit See the HISTORY file in the sudo distribution or visit
http://www.sudo.ws/sudo/history.html for more details. http://www.sudo.ws/sudo/history.html for more details.
CCAAVVEEAATTSS
There is no easy way to prevent a user from gaining a root
shell if the editor used by vviissuuddoo allows shell escapes.
BBUUGGSS BBUUGGSS
If you feel you have found a bug in sudo, please submit a If you feel you have found a bug in vviissuuddoo, please submit
bug report at http://www.sudo.ws/sudo/bugs/ a bug report at http://www.sudo.ws/sudo/bugs/
SSUUPPPPOORRTT
Commercial support is available for ssuuddoo, see
http://www.sudo.ws/sudo/support.html for details.
Limited free support is available via the sudo-users mail­
ing list, see http://www.sudo.ws/mail­
man/listinfo/sudo-users to subscribe or search the
archives.
DDIISSCCLLAAIIMMEERR DDIISSCCLLAAIIMMEERR
VViissuuddoo is provided ``AS IS'' and any express or implied VViissuuddoo is provided ``AS IS'' and any express or implied
warranties, including, but not limited to, the implied warranties, including, but not limited to, the implied
warranties of merchantability and fitness for a particular warranties of merchantability and fitness for a particular
purpose are disclaimed. See the LICENSE file distributed purpose are disclaimed. See the LICENSE file distributed
with ssuuddoo for complete details. with ssuuddoo or http://www.sudo.ws/sudo/license.html for com­
plete details.
CCAAVVEEAATTSS
There is no easy way to prevent a user from gaining a root
shell if the editor used by vviissuuddoo allows shell escapes.
SSEEEE AALLSSOO
_v_i(1), sudoers(4), sudo(1m), vipw(1m)
@ -184,15 +193,6 @@ SSEEEE AALLSSOO
1.6.8 September 6, 2004 3
1.6.8 June 8, 2004 3

71
visudo.man.in
View File

@ -149,7 +149,7 @@
.\" ======================================================================== .\" ========================================================================
.\" .\"
.IX Title "VISUDO @mansectsu@" .IX Title "VISUDO @mansectsu@"
.TH VISUDO @mansectsu@ "June 8, 2004" "1.6.8" "MAINTENANCE COMMANDS" .TH VISUDO @mansectsu@ "September 6, 2004" "1.6.8" "MAINTENANCE COMMANDS"
.SH "NAME" .SH "NAME"
visudo \- edit the sudoers file visudo \- edit the sudoers file
.SH "SYNOPSIS" .SH "SYNOPSIS"
@ -221,8 +221,23 @@ letters, digits, and the underscore ('_') character.
.IX Item "-V" .IX Item "-V"
The \fB\-V\fR (version) option causes \fBvisudo\fR to print its version number The \fB\-V\fR (version) option causes \fBvisudo\fR to print its version number
and exit. and exit.
.SH "ERRORS" .SH "ENVIRONMENT"
.IX Header "ERRORS" .IX Header "ENVIRONMENT"
The following environment variables are used only if \fBvisudo\fR
was configured with the \fI\-\-with\-env\-editor\fR option:
.PP
.Vb 2
\& VISUAL Invoked by visudo as the editor to use
\& EDITOR Used by visudo if VISUAL is not set
.Ve
.SH "FILES"
.IX Header "FILES"
.Vb 2
\& @sysconfdir@/sudoers List of who can run what
\& @sysconfdir@/sudoers.tmp Lock file for visudo
.Ve
.SH "DIAGNOSTICS"
.IX Header "DIAGNOSTICS"
.IP "sudoers file busy, try again later." 4 .IP "sudoers file busy, try again later." 4
.IX Item "sudoers file busy, try again later." .IX Item "sudoers file busy, try again later."
Someone else is currently editing the \fIsudoers\fR file. Someone else is currently editing the \fIsudoers\fR file.
@ -251,21 +266,9 @@ value. This is usually unintentional and in most cases the
<runas_default> setting should be placed before any \f(CW\*(C`Runas_Alias\*(C'\fR <runas_default> setting should be placed before any \f(CW\*(C`Runas_Alias\*(C'\fR
or User specifications. In \fB\-s\fR (strict) mode this is an error, or User specifications. In \fB\-s\fR (strict) mode this is an error,
not a warning. not a warning.
.SH "ENVIRONMENT" .SH "SEE ALSO"
.IX Header "ENVIRONMENT" .IX Header "SEE ALSO"
The following environment variables are used only if \fBvisudo\fR \&\fIvi\fR\|(1), sudoers(@mansectform@), sudo(@mansectsu@), vipw(@mansectsu@)
was configured with the \fI\-\-with\-env\-editor\fR option:
.PP
.Vb 2
\& VISUAL Invoked by visudo as the editor to use
\& EDITOR Used by visudo if VISUAL is not set
.Ve
.SH "FILES"
.IX Header "FILES"
.Vb 2
\& @sysconfdir@/sudoers List of who can run what
\& @sysconfdir@/sudoers.tmp Lock file for visudo
.Ve
.SH "AUTHOR" .SH "AUTHOR"
.IX Header "AUTHOR" .IX Header "AUTHOR"
Many people have worked on \fIsudo\fR over the years; this version of Many people have worked on \fIsudo\fR over the years; this version of
@ -277,20 +280,26 @@ Many people have worked on \fIsudo\fR over the years; this version of
.PP .PP
See the \s-1HISTORY\s0 file in the sudo distribution or visit See the \s-1HISTORY\s0 file in the sudo distribution or visit
http://www.sudo.ws/sudo/history.html for more details. http://www.sudo.ws/sudo/history.html for more details.
.SH "BUGS"
.IX Header "BUGS"
If you feel you have found a bug in sudo, please submit a bug report
at http://www.sudo.ws/sudo/bugs/
.SH "DISCLAIMER"
.IX Header "DISCLAIMER"
\&\fBVisudo\fR is provided ``\s-1AS\s0 \s-1IS\s0'' and any express or implied warranties,
including, but not limited to, the implied warranties of merchantability
and fitness for a particular purpose are disclaimed.
See the \s-1LICENSE\s0 file distributed with \fBsudo\fR for complete details.
.SH "CAVEATS" .SH "CAVEATS"
.IX Header "CAVEATS" .IX Header "CAVEATS"
There is no easy way to prevent a user from gaining a root shell if There is no easy way to prevent a user from gaining a root shell if
the editor used by \fBvisudo\fR allows shell escapes. the editor used by \fBvisudo\fR allows shell escapes.
.SH "SEE ALSO" .SH "BUGS"
.IX Header "SEE ALSO" .IX Header "BUGS"
\&\fIvi\fR\|(1), sudoers(@mansectform@), sudo(@mansectsu@), vipw(@mansectsu@) If you feel you have found a bug in \fBvisudo\fR, please submit a bug report
at http://www.sudo.ws/sudo/bugs/
.SH "SUPPORT"
.IX Header "SUPPORT"
Commercial support is available for \fBsudo\fR, see
http://www.sudo.ws/sudo/support.html for details.
.PP
Limited free support is available via the sudo-users mailing list,
see http://www.sudo.ws/mailman/listinfo/sudo\-users to subscribe or
search the archives.
.SH "DISCLAIMER"
.IX Header "DISCLAIMER"
\&\fBVisudo\fR is provided ``\s-1AS\s0 \s-1IS\s0'' and any express or implied warranties,
including, but not limited to, the implied warranties of merchantability
and fitness for a particular purpose are disclaimed. See the \s-1LICENSE\s0
file distributed with \fBsudo\fR or http://www.sudo.ws/sudo/license.html
for complete details.