mirror of https://github.com/sudo-project/sudo.git synced 2025-08-22 18:08:23 +00:00

Regen for sudo 1.8.6

Todd C. Miller 2012-06-29 16:11:27 -04:00
parent 80502c3bcf
commit 2e36b1ef2b
12 changed files with 81 additions and 36 deletions

@ -624,4 +624,4 @@ DDIISSCCLLAAIIMMEERR
1.8.5 March 15, 2012 SUDO(1m) 1.8.6 June 29, 2012 SUDO(1m)

@ -149,7 +149,7 @@
.\" ======================================================================== .\" ========================================================================
.\" .\"
.IX Title "SUDO @mansectsu@" .IX Title "SUDO @mansectsu@"
.TH SUDO @mansectsu@ "March 15, 2012" "1.8.5" "MAINTENANCE COMMANDS" .TH SUDO @mansectsu@ "June 29, 2012" "1.8.6" "MAINTENANCE COMMANDS"
.\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" For nroff, turn off justification. Always turn off hyphenation; it makes
.\" way too many mistakes in technical documents. .\" way too many mistakes in technical documents.
.if n .ad l .if n .ad l

@ -1355,4 +1355,4 @@ DDIISSCCLLAAIIMMEERR
1.8.5 April 23, 2012 SUDO_PLUGIN(1m) 1.8.6 June 29, 2012 SUDO_PLUGIN(1m)

@ -139,7 +139,7 @@
.\" ======================================================================== .\" ========================================================================
.\" .\"
.IX Title "SUDO_PLUGIN @mansectsu@" .IX Title "SUDO_PLUGIN @mansectsu@"
.TH SUDO_PLUGIN @mansectsu@ "April 23, 2012" "1.8.5" "MAINTENANCE COMMANDS" .TH SUDO_PLUGIN @mansectsu@ "June 29, 2012" "1.8.6" "MAINTENANCE COMMANDS"
.\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" For nroff, turn off justification. Always turn off hyphenation; it makes
.\" way too many mistakes in technical documents. .\" way too many mistakes in technical documents.
.if n .ad l .if n .ad l

@ -210,11 +210,11 @@ SSUUDDOOEERRSS FFIILLEE FFOORRMMAATT
below). For instance, the QAS AD plugin supports the following below). For instance, the QAS AD plugin supports the following
formats: formats:
o Group in the same domain: "Group Name" o Group in the same domain: "%:Group Name"
o Group in any domain: "Group Name@FULLY.QUALIFIED.DOMAIN" o Group in any domain: "%:Group Name@FULLY.QUALIFIED.DOMAIN"
o Group SID: "S-1-2-34-5678901234-5678901234-5678901234-567" o Group SID: "%:S-1-2-34-5678901234-5678901234-5678901234-567"
Note that quotes around group names are optional. Unquoted strings Note that quotes around group names are optional. Unquoted strings
must use a backslash (\) to escape spaces and special characters. See must use a backslash (\) to escape spaces and special characters. See
@ -1814,4 +1814,4 @@ DDIISSCCLLAAIIMMEERR
1.8.5 March 28, 2012 SUDOERS(4) 1.8.6 June 29, 2012 SUDOERS(4)

@ -254,7 +254,7 @@ DDEESSCCRRIIPPTTIIOONN
Typically, this file is shared amongst different LDAP-aware clients. Typically, this file is shared amongst different LDAP-aware clients.
As such, most of the settings are not ssuuddoo-specific. Note that ssuuddoo As such, most of the settings are not ssuuddoo-specific. Note that ssuuddoo
parses _/_e_t_c_/_l_d_a_p_._c_o_n_f itself and may support options that differ from parses _/_e_t_c_/_l_d_a_p_._c_o_n_f itself and may support options that differ from
those described in the _l_d_a_p_._c_o_n_f(4) manual. those described in the system's _l_d_a_p_._c_o_n_f(4) manual.
Also note that on systems using the OpenLDAP libraries, default values Also note that on systems using the OpenLDAP libraries, default values
specified in _/_e_t_c_/_o_p_e_n_l_d_a_p_/_l_d_a_p_._c_o_n_f or the user's _._l_d_a_p_r_c files are specified in _/_e_t_c_/_o_p_e_n_l_d_a_p_/_l_d_a_p_._c_o_n_f or the user's _._l_d_a_p_r_c files are
@ -273,9 +273,9 @@ DDEESSCCRRIIPPTTIIOONN
ssuuddoo will connect to llooccaallhhoosstt. Multiple UURRII lines are treated ssuuddoo will connect to llooccaallhhoosstt. Multiple UURRII lines are treated
identically to a UURRII line containing multiple entries. Only identically to a UURRII line containing multiple entries. Only
systems using the OpenSSL libraries support the mixing of ldap:// systems using the OpenSSL libraries support the mixing of ldap://
and ldaps:// URIs. The Netscape-derived libraries used on most and ldaps:// URIs. Both the Netscape-derived and Tivoli LDAP
commercial versions of Unix are only capable of supporting one or libraries used on most commercial versions of Unix are only capable
the other. of supporting one or the other.
HHOOSSTT name[:port] ... HHOOSSTT name[:port] ...
If no UURRII is specified, the HHOOSSTT parameter specifies a whitespace- If no UURRII is specified, the HHOOSSTT parameter specifies a whitespace-
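Review bot: The rewritten URI sentence says the Netscape-derived and Tivoli LDAP libraries support only one of ldap:// or ldaps://, but it never says what sudo does when a configuration mixes the two on those libraries. Because that choice decides whether the connection is protected by TLS, the text should state the behaviour explicitly, for example whether the mixed list is rejected or which scheme takes effect. The phrase "used on most commercial versions of Unix" now attaches to both library families and would read better as its own sentence.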
@ -379,7 +379,8 @@ DDEESSCCRRIIPPTTIIOONN
the check creates an opportunity for man-in-the-middle attacks the check creates an opportunity for man-in-the-middle attacks
since the server's identity will not be authenticated. If since the server's identity will not be authenticated. If
possible, the CA's certificate should be installed locally so it possible, the CA's certificate should be installed locally so it
can be verified. can be verified. This option is not supported by the Tivoli
Directory Server LDAP libraries.
TTLLSS__CCAACCEERRTT file name TTLLSS__CCAACCEERRTT file name
An alias for TTLLSS__CCAACCEERRTTFFIILLEE for OpenLDAP compatibility. An alias for TTLLSS__CCAACCEERRTTFFIILLEE for OpenLDAP compatibility.
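Review bot: The added sentence "This option is not supported by the Tivoli Directory Server LDAP libraries" leaves the effective behaviour on Tivoli unstated. The lines just above it warn that disabling the check opens the door to man-in-the-middle attacks, so the reader needs to know whether the server certificate is always verified with those libraries or never verified. Suggest extending the sentence to say which.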
@ -410,6 +411,10 @@ DDEESSCCRRIIPPTTIIOONN
Netscape-derived: Netscape-derived:
tls_cert /var/ldap/cert7.db tls_cert /var/ldap/cert7.db
Tivoli Directory Server:
Unused, the key database specified by TTLLSS__KKEEYY contains both
keys and certificates.
When using Netscape-derived libraries, this file may also contain When using Netscape-derived libraries, this file may also contain
Certificate Authority certificates. Certificate Authority certificates.
@ -425,6 +430,23 @@ DDEESSCCRRIIPPTTIIOONN
Netscape-derived: Netscape-derived:
tls_key /var/ldap/key3.db tls_key /var/ldap/key3.db
Tivoli Directory Server:
tls_cert /usr/ldap/ldapkey.kdb
When using Tivoli LDAP libraries, this file may also contain
Certificate Authority and client certificates and may be encrypted.
TTLLSS__KKEEYYPPWW secret
The TTLLSS__KKEEYYPPWW contains the password used to decrypt the key
database on clients using the Tivoli Directory Server LDAP library.
If no TTLLSS__KKEEYYPPWW is specified, a _s_t_a_s_h _f_i_l_e will be used if it
exists. The _s_t_a_s_h _f_i_l_e must have the same path as the file
specified by TTLLSS__KKEEYY, but use a .sth file extension instead of
.kdb, e.g. ldapkey.sth. The default ldapkey.kdb that ships with
Tivoli Directory Server is encrypted with the password
ssl_password. This option is only supported by the Tivoli LDAP
libraries.
TTLLSS__RRAANNDDFFIILLEE file name TTLLSS__RRAANNDDFFIILLEE file name
The TTLLSS__RRAANNDDFFIILLEE parameter specifies the path to an entropy source The TTLLSS__RRAANNDDFFIILLEE parameter specifies the path to an entropy source
for systems that lack a random device. It is generally used in for systems that lack a random device. It is generally used in
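Review bot: In the new Tivoli Directory Server example under TLS_KEY, the directive reads "tls_cert /usr/ldap/ldapkey.kdb", while the neighbouring example for this option uses tls_key and the TLS_CERT entry in this same commit says the certificate setting is unused on Tivoli because the key database comes from TLS_KEY. The example should most likely read "tls_key /usr/ldap/ldapkey.kdb". The same line appears in the roff version of this page, so the correction belongs wherever both files are regenerated from.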
@ -434,8 +456,9 @@ DDEESSCCRRIIPPTTIIOONN
TTLLSS__CCIIPPHHEERRSS cipher list TTLLSS__CCIIPPHHEERRSS cipher list
The TTLLSS__CCIIPPHHEERRSS parameter allows the administer to restrict which The TTLLSS__CCIIPPHHEERRSS parameter allows the administer to restrict which
encryption algorithms may be used for TLS (SSL) connections. See encryption algorithms may be used for TLS (SSL) connections. See
the OpenSSL manual for a list of valid ciphers. This option is the OpenLDAP or Tivoli Directory Server manual for a list of valid
only supported by the OpenLDAP libraries. ciphers. This option is not supported by Netscape-derived
libraries.
UUSSEE__SSAASSLL on/true/yes/off/false/no UUSSEE__SSAASSLL on/true/yes/off/false/no
Enable UUSSEE__SSAASSLL for LDAP servers that support SASL authentication. Enable UUSSEE__SSAASSLL for LDAP servers that support SASL authentication.
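Review bot: The line "allows the administer to restrict which" carries a typo through unchanged on both sides of this hunk. Since the paragraph is being reworded anyway, change "administer" to "administrator".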
@ -747,4 +770,4 @@ DDIISSCCLLAAIIMMEERR
1.8.5 March 14, 2012 SUDOERS.LDAP(4) 1.8.6 June 29, 2012 SUDOERS.LDAP(4)

@ -1,4 +1,4 @@
.\" Copyright (c) 2003-2011 .\" Copyright (c) 2003-2012
.\" Todd C. Miller <Todd.Miller@courtesan.com> .\" Todd C. Miller <Todd.Miller@courtesan.com>
.\" .\"
.\" Permission to use, copy, modify, and distribute this software for any .\" Permission to use, copy, modify, and distribute this software for any
@ -140,7 +140,7 @@
.\" ======================================================================== .\" ========================================================================
.\" .\"
.IX Title "SUDOERS.LDAP @mansectform@" .IX Title "SUDOERS.LDAP @mansectform@"
.TH SUDOERS.LDAP @mansectform@ "March 14, 2012" "1.8.5" "MAINTENANCE COMMANDS" .TH SUDOERS.LDAP @mansectform@ "June 29, 2012" "1.8.6" "MAINTENANCE COMMANDS"
.\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" For nroff, turn off justification. Always turn off hyphenation; it makes
.\" way too many mistakes in technical documents. .\" way too many mistakes in technical documents.
.if n .ad l .if n .ad l
@ -405,8 +405,8 @@ section.
Sudo reads the \fI@ldap_conf@\fR file for LDAP-specific configuration. Sudo reads the \fI@ldap_conf@\fR file for LDAP-specific configuration.
Typically, this file is shared amongst different LDAP-aware clients. Typically, this file is shared amongst different LDAP-aware clients.
As such, most of the settings are not \fBsudo\fR\-specific. Note that As such, most of the settings are not \fBsudo\fR\-specific. Note that
\&\fBsudo\fR parses \fI@ldap_conf@\fR itself and may support options \&\fBsudo\fR parses \fI@ldap_conf@\fR itself and may support options that
that differ from those described in the \fIldap.conf\fR\|(@mansectform@) manual. differ from those described in the system's \fIldap.conf\fR\|(@mansectform@) manual.
.PP .PP
Also note that on systems using the OpenLDAP libraries, default Also note that on systems using the OpenLDAP libraries, default
values specified in \fI/etc/openldap/ldap.conf\fR or the user's values specified in \fI/etc/openldap/ldap.conf\fR or the user's
@ -425,9 +425,9 @@ the \s-1LDAP\s0 server(s) to connect to. The \fIprotocol\fR may be either
is specified, \fBsudo\fR will connect to \fBlocalhost\fR. Multiple \fB\s-1URI\s0\fR is specified, \fBsudo\fR will connect to \fBlocalhost\fR. Multiple \fB\s-1URI\s0\fR
lines are treated identically to a \fB\s-1URI\s0\fR line containing multiple lines are treated identically to a \fB\s-1URI\s0\fR line containing multiple
entries. Only systems using the OpenSSL libraries support the entries. Only systems using the OpenSSL libraries support the
mixing of \f(CW\*(C`ldap://\*(C'\fR and \f(CW\*(C`ldaps://\*(C'\fR URIs. The Netscape-derived mixing of \f(CW\*(C`ldap://\*(C'\fR and \f(CW\*(C`ldaps://\*(C'\fR URIs. Both the Netscape-derived
libraries used on most commercial versions of Unix are only capable and Tivoli \s-1LDAP\s0 libraries used on most commercial versions of Unix
of supporting one or the other. are only capable of supporting one or the other.
.IP "\fB\s-1HOST\s0\fR name[:port] ..." 4 .IP "\fB\s-1HOST\s0\fR name[:port] ..." 4
.IX Item "HOST name[:port] ..." .IX Item "HOST name[:port] ..."
If no \fB\s-1URI\s0\fR is specified, the \fB\s-1HOST\s0\fR parameter specifies a If no \fB\s-1URI\s0\fR is specified, the \fB\s-1HOST\s0\fR parameter specifies a
@ -528,7 +528,8 @@ authority), \fBsudo\fR will be unable to connect to it. If \fB\s-1TLS_CHECKPEER
is disabled, no check is made. Note that disabling the check creates is disabled, no check is made. Note that disabling the check creates
an opportunity for man-in-the-middle attacks since the server's an opportunity for man-in-the-middle attacks since the server's
identity will not be authenticated. If possible, the \s-1CA\s0's certificate identity will not be authenticated. If possible, the \s-1CA\s0's certificate
should be installed locally so it can be verified. should be installed locally so it can be verified. This option is
not supported by the Tivoli Directory Server \s-1LDAP\s0 libraries.
.IP "\fB\s-1TLS_CACERT\s0\fR file name" 4 .IP "\fB\s-1TLS_CACERT\s0\fR file name" 4
.IX Item "TLS_CACERT file name" .IX Item "TLS_CACERT file name"
An alias for \fB\s-1TLS_CACERTFILE\s0\fR for OpenLDAP compatibility. An alias for \fB\s-1TLS_CACERTFILE\s0\fR for OpenLDAP compatibility.
@ -560,6 +561,10 @@ OpenLDAP:
Netscape-derived: Netscape-derived:
\f(CW\*(C`tls_cert /var/ldap/cert7.db\*(C'\fR \f(CW\*(C`tls_cert /var/ldap/cert7.db\*(C'\fR
.Sp .Sp
Tivoli Directory Server:
Unused, the key database specified by \fB\s-1TLS_KEY\s0\fR contains both
keys and certificates.
.Sp
When using Netscape-derived libraries, this file may also contain When using Netscape-derived libraries, this file may also contain
Certificate Authority certificates. Certificate Authority certificates.
.IP "\fB\s-1TLS_KEY\s0\fR file name" 4 .IP "\fB\s-1TLS_KEY\s0\fR file name" 4
@ -574,6 +579,23 @@ OpenLDAP:
.Sp .Sp
Netscape-derived: Netscape-derived:
\f(CW\*(C`tls_key /var/ldap/key3.db\*(C'\fR \f(CW\*(C`tls_key /var/ldap/key3.db\*(C'\fR
.Sp
Tivoli Directory Server:
\f(CW\*(C`tls_cert /usr/ldap/ldapkey.kdb\*(C'\fR
.Sp
When using Tivoli \s-1LDAP\s0 libraries, this file may also contain
Certificate Authority and client certificates and may be encrypted.
.IP "\fB\s-1TLS_KEYPW\s0\fR secret" 4
.IX Item "TLS_KEYPW secret"
The \fB\s-1TLS_KEYPW\s0\fR contains the password used to decrypt the key
database on clients using the Tivoli Directory Server \s-1LDAP\s0 library.
If no \fB\s-1TLS_KEYPW\s0\fR is specified, a \fIstash file\fR will be used if
it exists. The \fIstash file\fR must have the same path as the file
specified by \fB\s-1TLS_KEY\s0\fR, but use a \f(CW\*(C`.sth\*(C'\fR file extension instead
of \f(CW\*(C`.kdb\*(C'\fR, e.g. \f(CW\*(C`ldapkey.sth\*(C'\fR. The default \f(CW\*(C`ldapkey.kdb\*(C'\fR that
ships with Tivoli Directory Server is encrypted with the password
\&\f(CW\*(C`ssl_password\*(C'\fR. This option is only supported by the Tivoli \s-1LDAP\s0
libraries.
.IP "\fB\s-1TLS_RANDFILE\s0\fR file name" 4 .IP "\fB\s-1TLS_RANDFILE\s0\fR file name" 4
.IX Item "TLS_RANDFILE file name" .IX Item "TLS_RANDFILE file name"
The \fB\s-1TLS_RANDFILE\s0\fR parameter specifies the path to an entropy The \fB\s-1TLS_RANDFILE\s0\fR parameter specifies the path to an entropy
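Review bot: The new TLS_KEYPW entry places the key database password in a configuration file that this page describes as typically shared amongst different LDAP-aware clients, and nothing in the added text tells the administrator to restrict who can read that file. Suggest adding a sentence recommending restrictive permissions on the file whenever TLS_KEYPW is set. The entry also documents the shipped default password (ssl_password) without advising that it be changed; a key database protected by a published password does not protect the keys inside it, so a short recommendation to set a site-specific password would fit here.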
@ -582,10 +604,10 @@ in conjunction with \fIprngd\fR or \fIegd\fR.
This option is only supported by the OpenLDAP libraries. This option is only supported by the OpenLDAP libraries.
.IP "\fB\s-1TLS_CIPHERS\s0\fR cipher list" 4 .IP "\fB\s-1TLS_CIPHERS\s0\fR cipher list" 4
.IX Item "TLS_CIPHERS cipher list" .IX Item "TLS_CIPHERS cipher list"
The \fB\s-1TLS_CIPHERS\s0\fR parameter allows the administer to restrict The \fB\s-1TLS_CIPHERS\s0\fR parameter allows the administer to restrict which
which encryption algorithms may be used for \s-1TLS\s0 (\s-1SSL\s0) connections. encryption algorithms may be used for \s-1TLS\s0 (\s-1SSL\s0) connections. See
See the OpenSSL manual for a list of valid ciphers. the OpenLDAP or Tivoli Directory Server manual for a list of valid
This option is only supported by the OpenLDAP libraries. ciphers. This option is not supported by Netscape-derived libraries.
.IP "\fB\s-1USE_SASL\s0\fR on/true/yes/off/false/no" 4 .IP "\fB\s-1USE_SASL\s0\fR on/true/yes/off/false/no" 4
.IX Item "USE_SASL on/true/yes/off/false/no" .IX Item "USE_SASL on/true/yes/off/false/no"
Enable \fB\s-1USE_SASL\s0\fR for \s-1LDAP\s0 servers that support \s-1SASL\s0 authentication. Enable \fB\s-1USE_SASL\s0\fR for \s-1LDAP\s0 servers that support \s-1SASL\s0 authentication.
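Review bot: The replacement text "See the OpenLDAP or Tivoli Directory Server manual for a list of valid ciphers" does not say which manual applies to which library, and it drops the earlier pointer to the OpenSSL manual without explanation. Suggest wording along the lines of "see the manual for the LDAP library in use", or naming the relevant manual for each supported library, so an administrator restricting ciphers knows which list is authoritative for their build.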

@ -148,7 +148,7 @@
.\" ======================================================================== .\" ========================================================================
.\" .\"
.IX Title "SUDOERS @mansectform@" .IX Title "SUDOERS @mansectform@"
.TH SUDOERS @mansectform@ "March 28, 2012" "1.8.5" "MAINTENANCE COMMANDS" .TH SUDOERS @mansectform@ "June 29, 2012" "1.8.6" "MAINTENANCE COMMANDS"
.\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" For nroff, turn off justification. Always turn off hyphenation; it makes
.\" way too many mistakes in technical documents. .\" way too many mistakes in technical documents.
.if n .ad l .if n .ad l
@ -382,11 +382,11 @@ the underlying group provider plugin (see the \fIgroup_plugin\fR
description below). For instance, the \s-1QAS\s0 \s-1AD\s0 plugin supports the description below). For instance, the \s-1QAS\s0 \s-1AD\s0 plugin supports the
following formats: following formats:
.IP "\(bu" 4 .IP "\(bu" 4
Group in the same domain: \*(L"Group Name\*(R" Group in the same domain: \*(L"%:Group Name\*(R"
.IP "\(bu" 4 .IP "\(bu" 4
Group in any domain: \*(L"Group Name@FULLY.QUALIFIED.DOMAIN\*(R" Group in any domain: \*(L"%:Group Name@FULLY.QUALIFIED.DOMAIN\*(R"
.IP "\(bu" 4 .IP "\(bu" 4
Group \s-1SID:\s0 \*(L"S\-1\-2\-34\-5678901234\-5678901234\-5678901234\-567\*(R" Group \s-1SID:\s0 \*(L"%:S\-1\-2\-34\-5678901234\-5678901234\-5678901234\-567\*(R"
.PP .PP
Note that quotes around group names are optional. Unquoted strings Note that quotes around group names are optional. Unquoted strings
must use a backslash (\e) to escape spaces and special characters. must use a backslash (\e) to escape spaces and special characters.

@ -261,4 +261,4 @@ DDIISSCCLLAAIIMMEERR
1.8.5 April 16, 2012 SUDOREPLAY(1m) 1.8.6 June 29, 2012 SUDOREPLAY(1m)

@ -139,7 +139,7 @@
.\" ======================================================================== .\" ========================================================================
.\" .\"
.IX Title "SUDOREPLAY @mansectsu@" .IX Title "SUDOREPLAY @mansectsu@"
.TH SUDOREPLAY @mansectsu@ "April 16, 2012" "1.8.5" "MAINTENANCE COMMANDS" .TH SUDOREPLAY @mansectsu@ "June 29, 2012" "1.8.6" "MAINTENANCE COMMANDS"
.\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" For nroff, turn off justification. Always turn off hyphenation; it makes
.\" way too many mistakes in technical documents. .\" way too many mistakes in technical documents.
.if n .ad l .if n .ad l

@ -151,4 +151,4 @@ DDIISSCCLLAAIIMMEERR
1.8.5 March 14, 2012 VISUDO(1m) 1.8.6 June 29, 2012 VISUDO(1m)

@ -144,7 +144,7 @@
.\" ======================================================================== .\" ========================================================================
.\" .\"
.IX Title "VISUDO @mansectsu@" .IX Title "VISUDO @mansectsu@"
.TH VISUDO @mansectsu@ "March 14, 2012" "1.8.5" "MAINTENANCE COMMANDS" .TH VISUDO @mansectsu@ "June 29, 2012" "1.8.6" "MAINTENANCE COMMANDS"
.\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" For nroff, turn off justification. Always turn off hyphenation; it makes
.\" way too many mistakes in technical documents. .\" way too many mistakes in technical documents.
.if n .ad l .if n .ad l