diff --git a/docs/cvtsudoers.man.in b/docs/cvtsudoers.man.in index b18a3c7ad..401996e1d 100644 --- a/docs/cvtsudoers.man.in +++ b/docs/cvtsudoers.man.in @@ -91,24 +91,24 @@ The supported types are: .PP .RS 8n .PD 0 -.TP 10n +.TP 9n all All Defaults entries. .PD -.TP 10n +.TP 9n global Global Defaults entries that are applied regardless of user, runas, host, or command. -.TP 10n +.TP 9n user Per-user Defaults entries. -.TP 10n +.TP 9n runas Per-runas user Defaults entries. -.TP 10n +.TP 9n host Per-host Defaults entries. -.TP 10n +.TP 9n command Per-command Defaults entries. .PP @@ -138,7 +138,7 @@ The following formats are supported: .PP .RS 8n .PD 0 -.TP 10n +.TP 9n CSV CSV (comma-separated value) files are often used by spreadsheets and report generators. @@ -146,7 +146,7 @@ See \fICSV output format\fR for more details. .PD -.TP 10n +.TP 9n JSON JSON (JavaScript Object Notation) files are usually easier for third-party applications to consume than the traditional @@ -159,7 +159,7 @@ format. See \fIJSON output format\fR for more details. -.TP 10n +.TP 9n LDIF LDIF (LDAP Data Interchange Format) files can be imported into an LDAP server for use with @@ -167,7 +167,7 @@ sudoers.ldap(@mansectform@). .sp Conversion to LDIF has the following limitations: .PP -.RS 10n +.RS 9n .PD 0 .TP 3n \fB\(bu\fR @@ -182,7 +182,7 @@ sudoers LDAP schema so they are expanded during the conversion. .PP .RE .PD -.TP 10n +.TP 9n sudoers Traditional sudoers format. A new sudoers file will be reconstructed from the parsed input file. @@ -209,7 +209,7 @@ The following formats are supported: .PP .RS 8n .PD 0 -.TP 10n +.TP 9n LDIF LDIF (LDAP Data Interchange Format) files can be exported from an LDAP server to convert security policies used by @@ -219,7 +219,7 @@ that match the base DN will be processed. Not all sudoOptions specified in a sudoRole can be translated from LDIF to sudoers format. .PD -.TP 10n +.TP 9n sudoers Traditional sudoers format. This is the default input format. 
@@ -899,30 +899,30 @@ The following names and values are supported: .PP .RS 6n .PD 0 -.TP 10n +.TP 9n command A string containing the command to run. The special value \fBALL\fR it will match any command. .PD -.TP 10n +.TP 9n negated A boolean value that, if true, will negate any comparison performed with the object. -.TP 10n +.TP 9n sha224 A string containing the SHA224 digest of the \fIcommand\fR. -.TP 10n +.TP 9n sha256 A string containing the SHA256 digest of the \fIcommand\fR. -.TP 10n +.TP 9n sha384 A string containing the SHA384 digest of the \fIcommand\fR. -.TP 10n +.TP 9n sha512 A string containing the SHA512 digest of the \fIcommand\fR. @@ -1072,7 +1072,7 @@ defaults_type,binding,name,operator,value .RS 6n .sp The fields are as follows: -.TP 10n +.TP 6n defaults_type The type of \fIDefaults\fR @@ -1083,7 +1083,7 @@ setting; one of \fIdefaults_runas\fR, or \fIdefaults_user\fR. -.TP 10n +.TP 6n binding For \fIdefaults_command\fR, @@ -1092,12 +1092,12 @@ For and \fIdefaults_user\fR this is the value that must match for the setting to be applied. -.TP 10n +.TP 6n name The name of the \fIDefaults\fR setting. -.TP 10n +.TP 6n operator The operator determines how the value is applied to the setting. It may be either @@ -1108,8 +1108,9 @@ It may be either or \(oq-=\(cq (remove). -.TP 10n +.TP 6n value +.br The setting's value, usually a string or, for settings used in a boolean context, \fItrue\fR @@ -1141,7 +1142,7 @@ alias_type,alias_name,members .RS 6n .sp The fields are as follows: -.TP 10n +.TP 6n alias_type The type of alias; one of \fICmnd_Alias\fR, @@ -1149,11 +1150,11 @@ The type of alias; one of \fIRunas_Alias\fR, or \fIUser_Alias\fR. -.TP 10n +.TP 6n alias_name The name of the alias; a string starting with an upper-case letter that consists of upper-case letters, digits, or underscores. -.TP 10n +.TP 6n members A comma-separated list of members belonging to the alias. Due to the use of commas, 
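Review bot: the `command` entry in the JSON names/values hunk (@@ -899,30) keeps the context line "The special value \fBALL\fR it will match any command."; the stray "it" should be dropped ("The special value ALL will match any command.") while this list is being reindented, matching the phrasing the same page uses for `user` and `host` ("If set to the special value ALL, it will match any user."). The `.br` added under `value` is consistent with the new 6n indent (a 5-character tag plus its separating space fills the indent), so that part is fine.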
@@ -1181,13 +1182,13 @@ rule,user,host,runusers,rungroups,options,command .RS 6n .sp The fields are as follows: -.TP 10n +.TP 6n rule This field indicates a \fIsudoers\fR \fIrule\fR entry. -.TP 10n +.TP 6n user The user the rule applies to. This may also be a Unix group (preceded by a @@ -1202,7 +1203,7 @@ or a If set to the special value \fBALL\fR, it will match any user. -.TP 10n +.TP 6n host The host the rule applies to. This may also be a netgroup (preceded by a @@ -1213,7 +1214,7 @@ or a If set to the special value \fBALL\fR, it will match any host. -.TP 10n +.TP 6n runusers An optional comma-separated list of users (or \fIRunas_Alias\fRes) @@ -1224,9 +1225,8 @@ If set to the special value \fBALL\fR, it will match any user. If empty, the root user is assumed. -.TP 10n +.TP 6n rungroups -.br An optional comma-separated list of groups (or \fIRunas_Alias\fRes) the command may be run as. @@ -1238,7 +1238,7 @@ it will match any group. If empty, the \fIrunuser\fR's group is used. -.TP 10n +.TP 6n options An optional list of \fIDefaults\fR @@ -1249,7 +1249,7 @@ entries in \fIsudoers\fR are converted to \fIoptions\fR. -.TP 10n +.TP 6n commands A list of commands, with optional arguments, that the user is allowed to run. If set to the special value diff --git a/docs/cvtsudoers.mdoc.in b/docs/cvtsudoers.mdoc.in index 017311cd4..561837641 100644 --- a/docs/cvtsudoers.mdoc.in +++ b/docs/cvtsudoers.mdoc.in @@ -84,7 +84,7 @@ One or more types may be specified, separated by a comma .Pq Ql \&, . The supported types are: -.Bl -tag -width 8n +.Bl -tag -width "command" .It all All Defaults entries. .It global @@ -120,7 +120,7 @@ is JSON or sudoers. .It Fl f Ar output_format , Fl -output-format Ns = Ns Ar output_format Specify the output format (case-insensitive). The following formats are supported: -.Bl -tag -width 8n +.Bl -tag -width "sudoers" .It CSV CSV (comma-separated value) files are often used by spreadsheets and report generators. 
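Review bot: the CSV rule hunk (@@ -1181,13) sits under the field list `rule,user,host,runusers,rungroups,options,command`, but the last entry is tagged `commands` (".TP 6n commands A list of commands, with optional arguments ..."); the mdoc hunk at @@ -1027,7 carries the same `command` header. Since these names are what someone parsing cvtsudoers CSV output will look for, use one name for the field in both the header line and the tag (in both the man.in and mdoc.in sources).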
@@ -170,7 +170,7 @@ Display a short help message to the standard output and exit. .It Fl i Ar input_format , Fl -input-format Ns = Ns Ar input_format Specify the input format. The following formats are supported: -.Bl -tag -width 8n +.Bl -tag -width "sudoers" .It LDIF LDIF (LDAP Data Interchange Format) files can be exported from an LDAP server to convert security policies used by @@ -783,7 +783,7 @@ array consists of one or more objects containing .Dq name:value pair elements. The following names and values are supported: -.Bl -tag -width 8n +.Bl -tag -width "command" .It command A string containing the command to run. The special value @@ -941,7 +941,7 @@ defaults_type,binding,name,operator,value .Ed .Pp The fields are as follows: -.Bl -tag -width 8n +.Bl -tag -width 4n .It defaults_type The type of .Em Defaults @@ -998,7 +998,7 @@ alias_type,alias_name,members .Ed .Pp The fields are as follows: -.Bl -tag -width 8n +.Bl -tag -width 4n .It alias_type The type of alias; one of .Em Cmnd_Alias , @@ -1027,7 +1027,7 @@ rule,user,host,runusers,rungroups,options,command .Ed .Pp The fields are as follows: -.Bl -tag -width 8n +.Bl -tag -width 4n .It rule This field indicates a .Em sudoers diff --git a/docs/sudo.conf.man.in b/docs/sudo.conf.man.in index 2abfb8f02..2494b26af 100644 --- a/docs/sudo.conf.man.in +++ b/docs/sudo.conf.man.in @@ -2,7 +2,7 @@ .\" .\" SPDX-License-Identifier: ISC .\" -.\" Copyright (c) 2010-2022 Todd C. Miller +.\" Copyright (c) 2010-2023 Todd C. Miller .\" .\" Permission to use, copy, modify, and distribute this software for any .\" purpose with or without fee is hereby granted, provided that the above @@ -17,7 +17,7 @@ .\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. .\" .nr SL @SEMAN@ -.TH "SUDO.CONF" "@mansectform@" "December 26, 2022" "Sudo @PACKAGE_VERSION@" "File Formats Manual" +.TH "SUDO.CONF" "@mansectform@" "January 16, 2023" "Sudo @PACKAGE_VERSION@" "File Formats Manual" .nh .if n .ad l .SH "NAME" 
@@ -35,19 +35,19 @@ debug flags, and other settings. The \fBsudo.conf\fR file supports the following directives, described in detail below. -.TP 10n +.TP 8n Plugin an approval, audit, I/O logging, or security policy plugin -.TP 10n +.TP 8n Path a plugin-agnostic path -.TP 10n +.TP 8n Set a front-end setting, such as \fIdisable_coredump\fR or \fIgroup_source\fR -.TP 10n +.TP 8n Debug debug flags to aid in debugging \fBsudo\fR, @@ -246,7 +246,7 @@ version 1.8.16 and higher. The following plugin-agnostic paths may be set in the \fI@sysconfdir@/sudo.conf\fR file: -.TP 10n +.TP 6n askpass The fully qualified path to a helper program used to read the user's password when no terminal is available. @@ -262,9 +262,8 @@ The value of may be overridden by the \fRSUDO_ASKPASS\fR environment variable. -.TP 10n +.TP 6n devsearch -.br An ordered, colon-separated search path of directories to look in for device nodes. This is used when mapping the process's tty device number to a device name @@ -286,9 +285,8 @@ or functions, for example BSD, macOS and Solaris. -.TP 10n +.TP 6n intercept -.br The fully-qualified path to a shared library containing a wrappers for the execve(2), execl(3), @@ -308,7 +306,7 @@ functionality on systems that support or its equivalent. The default value is \fI@intercept_file@\fR. -.TP 10n +.TP 6n noexec The fully-qualified path to a shared library containing wrappers for the @@ -337,14 +335,13 @@ functionality on systems that support or its equivalent. The default value is \fI@noexec_file@\fR. -.TP 10n +.TP 6n plugin_dir The default directory to use when searching for plugins that are specified without a fully qualified path name. The default value is \fI@plugindir@\fR. -.if \n(SL \{\ -.TP 10n +.TP 6n sesh The fully-qualified path to the \fBsesh\fR @@ -359,7 +356,7 @@ The default value is The \fBsudo.conf\fR file also supports the following front-end settings: -.TP 10n +.TP 6n disable_coredump Core dumps of \fBsudo\fR 
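Review bot: the removal of `.if \n(SL \{\` in front of the `sesh` entry (hunk @@ -337,14 in sudo.conf.man.in) looks accidental: that line opens the SELinux-only conditional driven by `.nr SL @SEMAN@`, and the matching closing `\}` is not removed anywhere in this hunk, so the page would either emit a stray `\}` or document `sesh` on builds without SELinux support. Either restore the `.if` line or include the removal of the closing brace and say in the commit that `sesh` is now documented unconditionally; the sudo.conf.mdoc.in hunks in this patch show no corresponding change, so if the man.in files are regenerated from the mdoc.in sources this should be checked there too.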
@@ -374,11 +371,11 @@ to false in as follows: .nf .sp -.RS 14n +.RS 10n Set disable_coredump false .RE .fi -.RS 10n +.RS 6n .sp All modern operating systems place restrictions on core dumps from set-user-ID processes like @@ -400,7 +397,7 @@ This setting is only available in \fBsudo\fR version 1.8.4 and higher. .RE -.TP 10n +.TP 6n group_source \fBsudo\fR passes the invoking user's group list to the policy and I/O plugins. @@ -410,10 +407,10 @@ with NFS). On systems with the getconf(1) utility, running: -.RS 16n +.RS 12n getconf NGROUPS_MAX .RE -.RS 10n +.RS 6n will return the maximum number of groups. .sp However, it is still possible to be a member of a larger number of @@ -434,7 +431,7 @@ setting allows the administrator to change this default behavior. Supported values for \fIgroup_source\fR are: -.TP 10n +.TP 6n static Use the static group list that the kernel returns. Retrieving the group list this way is very fast but it is subject @@ -446,7 +443,7 @@ after the user logs in. This was the default behavior prior to \fBsudo\fR 1.8.7. -.TP 10n +.TP 6n dynamic Always query the group database directly. It is @@ -466,7 +463,7 @@ HP-UX, Linux, macOS, and Solaris. This is the default behavior on macOS in \fBsudo\fR 1.9.6 and higher. -.TP 10n +.TP 6n adaptive Only query the group database if the static group list returned by the kernel has the maximum number of entries. @@ -479,7 +476,7 @@ For example, to cause to only use the kernel's static list of groups for the user: .nf .sp -.RS 14n +.RS 10n Set group_source static .RE .fi @@ -488,7 +485,7 @@ This setting is only available in \fBsudo\fR version 1.8.7 and higher. .RE -.TP 10n +.TP 6n max_groups The maximum number of user groups to retrieve from the group database. Values less than one or larger than 1024 will be ignored. 
@@ -506,7 +503,7 @@ version 1.8.7 and higher. It should not be required in \fBsudo\fR versions 1.8.24 and higher and may be removed in a later release. -.TP 10n +.TP 6n probe_interfaces By default, \fBsudo\fR @@ -520,11 +517,11 @@ If IP-based matching is not required, network interface probing can be disabled as follows: .nf .sp -.RS 14n +.RS 10n Set probe_interfaces false .RE .fi -.RS 10n +.RS 6n .sp This setting is only available in \fBsudo\fR diff --git a/docs/sudo.conf.mdoc.in b/docs/sudo.conf.mdoc.in index 7485c6d2a..05155e911 100644 --- a/docs/sudo.conf.mdoc.in +++ b/docs/sudo.conf.mdoc.in @@ -1,7 +1,7 @@ .\" .\" SPDX-License-Identifier: ISC .\" -.\" Copyright (c) 2010-2022 Todd C. Miller +.\" Copyright (c) 2010-2023 Todd C. Miller .\" .\" Permission to use, copy, modify, and distribute this software for any .\" purpose with or without fee is hereby granted, provided that the above @@ -16,7 +16,7 @@ .\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. .\" .nr SL @SEMAN@ -.Dd December 26, 2022 +.Dd January 16, 2023 .Dt SUDO.CONF @mansectform@ .Os Sudo @PACKAGE_VERSION@ .Sh NAME @@ -34,7 +34,7 @@ debug flags, and other settings. The .Nm file supports the following directives, described in detail below. -.Bl -tag -width 8n +.Bl -tag -width "Plugin" .It Plugin an approval, audit, I/O logging, or security policy plugin .It Path @@ -225,7 +225,7 @@ version 1.8.16 and higher. The following plugin-agnostic paths may be set in the .Pa @sysconfdir@/sudo.conf file: -.Bl -tag -width 8n +.Bl -tag -width 4n .It askpass The fully qualified path to a helper program used to read the user's password when no terminal is available. @@ -332,7 +332,7 @@ The default value is The .Nm file also supports the following front-end settings: -.Bl -tag -width 8n +.Bl -tag -width 4n .It disable_coredump Core dumps of .Nm sudo 
@@ -398,7 +398,7 @@ setting allows the administrator to change this default behavior. Supported values for .Em group_source are: -.Bl -tag -width 8n +.Bl -tag -width 4n .It static Use the static group list that the kernel returns. Retrieving the group list this way is very fast but it is subject diff --git a/docs/sudo_logsrvd.conf.man.in b/docs/sudo_logsrvd.conf.man.in index 7435544c8..2b5826adf 100644 --- a/docs/sudo_logsrvd.conf.man.in +++ b/docs/sudo_logsrvd.conf.man.in @@ -86,7 +86,7 @@ The \fIserver\fR section configures the address and port the server will listen on. The following keys are recognized: -.TP 10n +.TP 6n listen_address = host[:port][(tls)] The host name or IP address, optional port to listen on and an optional Transport Layer Security (TLS) flag in parentheses. @@ -115,19 +115,19 @@ connections and port 30344 will be used for TLS connections. .sp The default value is: .nf -.RS 16n +.RS 12n listen_address = *:30343 listen_address = *:30344(tls) .RE .fi -.RS 10n +.RS 6n which will listen on all configured network interfaces for both plaintext and TLS connections. Multiple \fIlisten_address\fR lines may be specified to listen on more than one port or interface. .RE -.TP 10n +.TP 6n server_log = string Where to log server warning and error messages. Supported values are @@ -144,7 +144,7 @@ is only effective when used in conjunction with the option. The default value is \fIsyslog\fR. -.TP 10n +.TP 6n pid_file = path The path to the file containing the process ID of the running \fBsudo_logsrvd\fR. @@ -160,7 +160,7 @@ If refers to a symbolic link, it will be ignored. The default value is \fI@rundir@/sudo_logsrvd.pid\fR. -.TP 10n +.TP 6n tcp_keepalive = boolean If true, \fBsudo_logsrvd\fR @@ -170,7 +170,7 @@ If the client does not respond to a message in time, the connection will be closed. Defaults to \fItrue\fR. -.TP 10n +.TP 6n timeout = number The amount of time, in seconds, \fBsudo_logsrvd\fR 
@@ -178,7 +178,7 @@ will wait for the client to respond. A value of 0 will disable the timeout. The default value is \fI30\fR. -.TP 10n +.TP 6n tls_cacert = path The path to a certificate authority bundle file, in PEM format, to use instead of the system's default certificate authority database @@ -187,12 +187,12 @@ The default is to use \fI/etc/ssl/sudo/cacert.pem\fR if it exists, otherwise the system's default certificate authority database is used. -.TP 10n +.TP 6n tls_cert = path The path to the server's certificate file, in PEM format. The default value is \fI/etc/ssl/sudo/certs/logsrvd_cert.pem\fR. -.TP 10n +.TP 6n tls_checkpeer = bool If true, client certificates will be validated by \fBsudo_logsrvd\fR; @@ -205,7 +205,7 @@ setting must be set to a CA bundle that contains the CA certificate used to generate the client certificate. The default value is \fIfalse\fR. -.TP 10n +.TP 6n tls_ciphers_v12 = string A list of ciphers to use for connections secured by TLS version 1.2 only, separated by a colon @@ -220,7 +220,7 @@ The default value is which consists of encryption cipher suites with key lengths larger than 128 bits, and some cipher suites with 128-bit keys. Cipher suites that offer no authentication are excluded. -.TP 10n +.TP 6n tls_ciphers_v13 = string A list of ciphers to use for connections secured by TLS version 1.3 only, separated by a colon 
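Review bot: the value placeholders in the `server` section are inconsistent across the hunks being reindented: `tcp_keepalive = boolean` (@@ -160,7) but `tls_checkpeer = bool` (@@ -187,12) and `tls_verify = bool` further down, with the same mix (`store_first = boolean`, `log_passwords = bool`, `iolog_compress = boolean`) in the `relay` and `iolog` sections. Since every one of these `.TP` lines is already touched by the patch, this is a cheap moment to settle on one spelling.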
@@ -228,47 +228,47 @@ separated by a colon Supported cipher suites depend on the version of OpenSSL used, but should include the following: .sp -.RS 16n +.RS 12n .PD 0 -.TP 10n +.TP 6n TLS_AES_128_GCM_SHA256 -.TP 10n +.TP 6n TLS_AES_256_GCM_SHA384 -.TP 10n +.TP 6n TLS_CHACHA20_POLY1305_SHA256 -.TP 10n +.TP 6n TLS_AES_128_CCM_SHA256 -.TP 10n +.TP 6n TLS_AES_128_CCM_8_SHA256 .RE -.RS 10n +.RS 6n .sp The default cipher suite is \(lqTLS_AES_256_GCM_SHA384\(rq. .RE .PD -.TP 10n +.TP 6n tls_dhparams = path The path to a file containing custom Diffie-Hellman parameters in PEM format. This file can be created with the following command: .nf .sp -.RS 10n +.RS 6n openssl dhparam -out /etc/sudo_logsrvd_dhparams.pem 2048 .RE .fi -.RS 10n +.RS 6n .sp By default, \fBsudo_logsrvd\fR will use the OpenSSL defaults for Diffie-Hellman key generation. .RE -.TP 10n +.TP 6n tls_key = path The path to the server's private key file, in PEM format. The default value is \fI/etc/ssl/sudo/private/logsrvd_key.pem\fR. -.TP 10n +.TP 6n tls_verify = bool If true, \fBsudo_logsrvd\fR @@ -292,7 +292,7 @@ They are only present in this section to make it possible for the relay connection to use a different set of TLS parameters from the client-facing server. The following keys are recognized: -.TP 10n +.TP 6n connect_timeout = number The amount of time, in seconds, \fBsudo_logsrvd\fR @@ -307,7 +307,7 @@ will wait for the relay to respond. A value of 0 will disable the timeout. The default value is \fI30\fR. -.TP 10n +.TP 6n relay_dir = path The directory in which log messages are temporarily stored before they are sent to the relay host. @@ -315,7 +315,7 @@ Messages are stored in the wire format specified by sudo_logsrv.proto(@mansectform@) The default value is \fI@relay_dir@\fR. -.TP 10n +.TP 6n relay_host = host[:port][(tls)] The relay host name or IP address, optional port to connect to and an optional Transport Layer Security (TLS) flag in parentheses. 
@@ -340,13 +340,13 @@ protocol. If multiple \fIrelay_host\fR lines are specified, the first available relay host will be used. -.TP 10n +.TP 6n retry_interval = number The number of seconds to wait after a connection error before making a new attempt to forward a message to a relay host. The default value is \fI30\fR. -.TP 10n +.TP 6n store_first = boolean If true, \fBsudo_logsrvd\fR @@ -356,7 +356,7 @@ and the log is relayed. If the network connection is interrupted before the log can be fully transferred, it will be retransmitted later. The default is to relay logs in real-time. -.TP 10n +.TP 6n tcp_keepalive = boolean If true, \fBsudo_logsrvd\fR @@ -365,7 +365,7 @@ This enables the periodic transmission of keepalive messages to the relay server. If the relay does not respond to a message in time, the connection will be closed. -.TP 10n +.TP 6n timeout = number The amount of time, in seconds, \fBsudo_logsrvd\fR @@ -373,7 +373,7 @@ will wait for the relay server to respond after a connection has succeeded. A value of 0 will disable the timeout. The default value is \fI30\fR. -.TP 10n +.TP 6n tls_cacert = path The path to a certificate authority bundle file, in PEM format, to use instead of the system's default certificate authority database @@ -382,13 +382,13 @@ The default is to use the value specified in the \fIserver\fR section, or the system's default certificate authority database if no value is set. -.TP 10n +.TP 6n tls_cert = path The path to the server's certificate file, in PEM format. The default is to use the value specified in the \fIserver\fR section. -.TP 10n +.TP 6n tls_checkpeer = bool If true, the relay host's certificate will be validated by \fBsudo_logsrvd\fR; @@ -402,7 +402,7 @@ used to generate the relay certificate. The default is to use the value specified in the \fIserver\fR section. -.TP 10n +.TP 6n tls_ciphers_v12 = string A list of ciphers to use for connections secured by TLS version 1.2 only, separated by a colon 
@@ -415,7 +415,7 @@ for full details. The default is to use the value specified in the \fIserver\fR section. -.TP 10n +.TP 6n tls_ciphers_v13 = string A list of ciphers to use for connections secured by TLS version 1.3 only, separated by a colon @@ -427,19 +427,19 @@ section for more information. The default is to use the value specified in the \fIserver\fR section. -.TP 10n +.TP 6n tls_dhparams = path The path to a file containing custom Diffie-Hellman parameters in PEM format. The default is to use the value specified in the \fIserver\fR section. -.TP 10n +.TP 6n tls_key = path The path to the server's private key file, in PEM format. The default is to use the value specified in the \fIserver\fR section. -.TP 10n +.TP 6n tls_verify = bool If true, the server's certificate used for relaying will be verified at startup. If false, no verification is performed of the server certificate. @@ -455,7 +455,7 @@ section configures I/O log parameters. These settings are identical to the I/O configuration in sudoers(@mansectform@). The following keys are recognized: -.TP 10n +.TP 6n iolog_compress = boolean If set, I/O logs will be compressed using \fBzlib\fR. @@ -463,7 +463,7 @@ Enabling compression can make it harder to view the logs in real-time as the program is executing due to buffering. The default value is \fIfalse\fR. -.TP 10n +.TP 6n iolog_dir = path The top-level directory to use when constructing the path name for the I/O log directory. @@ -475,7 +475,7 @@ The following percent (\(oq%\(cq) escape sequences are supported: .PP -.RS 10n +.RS 6n .PD 0 .TP 6n %{seq} @@ -514,7 +514,7 @@ character, the string \(oq%%\(cq should be used. .RE -.TP 10n +.TP 6n iolog_file = path The path name, relative to \fIiolog_dir\fR, @@ -550,7 +550,7 @@ overwritten unless ends in six or more \fIX\fRs. -.TP 10n +.TP 6n iolog_flush = boolean If set, I/O log data is flushed to disk after each write instead of buffering it. 
@@ -561,7 +561,7 @@ I/O logs are always flushed before sending a commit point to the client regardless of this setting. The default value is \fItrue\fR. -.TP 10n +.TP 6n iolog_group = name The group name to look up when setting the group-ID on new I/O log files and directories. @@ -575,7 +575,7 @@ If neither nor \fIiolog_user\fR are set, I/O log files and directories are created with group-ID 0. -.TP 10n +.TP 6n iolog_mode = mode The file mode to use when creating I/O log files. Mode bits for read and write permissions for owner, group, or other @@ -587,7 +587,7 @@ to match the read and write bits specified by \fIiolog_mode\fR. The default value is \fI0600\fR. -.TP 10n +.TP 6n iolog_user = name The user name to look up when setting the owner of new I/O log files and directories. @@ -596,7 +596,7 @@ If is set, it will be used instead of the user's primary group-ID. By default, I/O log files and directories are created with user and group-ID 0. -.TP 10n +.TP 6n log_passwords = bool Most programs that require a user's password will disable echo before reading the password to avoid displaying the plaintext password on @@ -625,7 +625,7 @@ option is set), only the first character of the password will be replaced in the I/O log. The default value is \fItrue\fR. -.TP 10n +.TP 6n maxseq = number The maximum sequence number that will be substituted for the \(lq%{seq}\(rq @@ -643,7 +643,7 @@ base 36 sequence number will be silently truncated to 2176782336. The default value is \fI2176782336\fR. -.TP 10n +.TP 6n passprompt_regex = string One or more POSIX extended regular expressions used to match password prompts in the terminal output when diff --git a/docs/sudo_logsrvd.conf.mdoc.in b/docs/sudo_logsrvd.conf.mdoc.in index 5a84f41cf..8fee88c34 100644 --- a/docs/sudo_logsrvd.conf.mdoc.in +++ b/docs/sudo_logsrvd.conf.mdoc.in 
@@ -77,7 +77,7 @@ The .Em server section configures the address and port the server will listen on. The following keys are recognized: -.Bl -tag -width 8n +.Bl -tag -width 4n .It listen_address = host Ns Oo : Ns port Oc Ns Op (tls) The host name or IP address, optional port to listen on and an optional Transport Layer Security (TLS) flag in parentheses. @@ -206,7 +206,7 @@ separated by a colon Supported cipher suites depend on the version of OpenSSL used, but should include the following: .Pp -.Bl -tag -compact -width 8n -offset indent +.Bl -tag -compact -width 4n -offset indent .It TLS_AES_128_GCM_SHA256 .It TLS_AES_256_GCM_SHA384 .It TLS_CHACHA20_POLY1305_SHA256 @@ -254,7 +254,7 @@ They are only present in this section to make it possible for the relay connection to use a different set of TLS parameters from the client-facing server. The following keys are recognized: -.Bl -tag -width 8n +.Bl -tag -width 4n .It connect_timeout = number The amount of time, in seconds, .Nm sudo_logsrvd @@ -404,7 +404,7 @@ section configures I/O log parameters. These settings are identical to the I/O configuration in .Xr sudoers @mansectform@ . The following keys are recognized: -.Bl -tag -width 8n +.Bl -tag -width 4n .It iolog_compress = boolean If set, I/O logs will be compressed using .Sy zlib . diff --git a/docs/sudoers.ldap.man.in b/docs/sudoers.ldap.man.in index 3fd34f3b0..3b6643363 100644 --- a/docs/sudoers.ldap.man.in +++ b/docs/sudoers.ldap.man.in @@ -2,7 +2,7 @@ .\" .\" SPDX-License-Identifier: ISC .\" -.\" Copyright (c) 2003-2022 Todd C. Miller +.\" Copyright (c) 2003-2023 Todd C. Miller .\" .\" Permission to use, copy, modify, and distribute this software for any .\" purpose with or without fee is hereby granted, provided that the above 
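Review bot: the sudo_logsrvd.conf.man.in / .mdoc.in hunks (and the cvtsudoers.man.in / .mdoc.in ones earlier in the patch) change the page body but carry no `.TH`/`.Dd` date or copyright-year hunk, whereas sudo.conf, sudoers.ldap and sudoers all get "January 16, 2023" and a 2023 copyright in the same patch. If the date is meant to track the last edit to the page, bump it for these files as well (unless their headers already read 2023, which the shown hunks do not reveal).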
@@ -16,7 +16,7 @@ .\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF .\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. .\" -.TH "SUDOERS.LDAP" "@mansectform@" "September 13, 2022" "Sudo @PACKAGE_VERSION@" "File Formats Manual" +.TH "SUDOERS.LDAP" "@mansectform@" "January 16, 2023" "Sudo @PACKAGE_VERSION@" "File Formats Manual" .nh .if n .ad l .SH "NAME" @@ -1197,19 +1197,21 @@ The following \fIlevel\fR values are supported: .RS 10n -.TP 10n +.TP 6n never +.br The server certificate will not be requested or checked. -.TP 10n +.TP 6n allow +.br The server certificate will be requested. A missing or invalid certificate is ignored and not considered an error. -.TP 10n +.TP 6n try The server certificate will be requested. A missing certificate is ignored but an invalid certificate will result in a connection error. -.TP 10n +.TP 6n demand | \fIhard\fR The server certificate will be requested. A missing or invalid certificate will result in a connection error. @@ -1305,11 +1307,11 @@ The following sources are recognized: .PP .RS 4n .PD 0 -.TP 10n +.TP 7n files read sudoers from \fI@sysconfdir@/sudoers\fR -.TP 10n +.TP 7n ldap read sudoers from LDAP .RE diff --git a/docs/sudoers.ldap.mdoc.in b/docs/sudoers.ldap.mdoc.in index 39230c243..a0edf3a3a 100644 --- a/docs/sudoers.ldap.mdoc.in +++ b/docs/sudoers.ldap.mdoc.in @@ -1,7 +1,7 @@ .\" .\" SPDX-License-Identifier: ISC .\" -.\" Copyright (c) 2003-2022 Todd C. Miller +.\" Copyright (c) 2003-2023 Todd C. Miller .\" .\" Permission to use, copy, modify, and distribute this software for any .\" purpose with or without fee is hereby granted, provided that the above @@ -15,7 +15,7 @@ .\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF .\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. .\" -.Dd September 13, 2022 +.Dd January 16, 2023 .Dt SUDOERS.LDAP @mansectform@ .Os Sudo @PACKAGE_VERSION@ .Sh NAME 
@@ -1102,7 +1102,7 @@ will be unable to connect to it. The following .Ar level values are supported: -.Bl -tag -width 8n -offset 4n +.Bl -tag -width 4n -offset 4n .It never The server certificate will not be requested or checked. .It allow @@ -1200,7 +1200,7 @@ precedence over earlier ones (unless is used, see below). The following sources are recognized: .Pp -.Bl -tag -width 8n -offset 4n -compact +.Bl -tag -width "files" -offset 4n -compact .It files read sudoers from .Pa @sysconfdir@/sudoers diff --git a/docs/sudoers.man.in b/docs/sudoers.man.in index 520fb23b8..787591111 100644 --- a/docs/sudoers.man.in +++ b/docs/sudoers.man.in @@ -2,7 +2,7 @@ .\" .\" SPDX-License-Identifier: ISC .\" -.\" Copyright (c) 1994-1996, 1998-2005, 2007-2022 +.\" Copyright (c) 1994-1996, 1998-2005, 2007-2023 .\" Todd C. Miller .\" .\" Permission to use, copy, modify, and distribute this software for any @@ -25,7 +25,7 @@ .nr BA @BAMAN@ .nr LC @LCMAN@ .nr PS @PSMAN@ -.TH "SUDOERS" "@mansectform@" "December 26, 2022" "Sudo @PACKAGE_VERSION@" "File Formats Manual" +.TH "SUDOERS" "@mansectform@" "January 16, 2023" "Sudo @PACKAGE_VERSION@" "File Formats Manual" .nh .if n .ad l .SH "NAME" @@ -110,7 +110,7 @@ Plugin sudoers_audit @sudoers_plugin@ sudoers_mode=0400 error_recovery=false .fi .PP The following plugin arguments are supported: -.TP 10n +.TP 6n error_recovery=bool The \fIerror_recovery\fR 
@@ -129,40 +129,40 @@ A value of \fIfalse\fR will disable error recovery. Prior to version 1.9.3, no error recovery was performed. -.TP 10n +.TP 6n ldap_conf=pathname The \fIldap_conf\fR argument can be used to override the default path to the \fIldap.conf\fR file. -.TP 10n +.TP 6n ldap_secret=pathname The \fIldap_secret\fR argument can be used to override the default path to the \fIldap.secret\fR file. -.TP 10n +.TP 6n sudoers_file=pathname The \fIsudoers_file\fR argument can be used to override the default path to the \fIsudoers\fR file. -.TP 10n +.TP 6n sudoers_uid=user-ID The \fIsudoers_uid\fR argument can be used to override the default owner of the sudoers file. It should be specified as a numeric user-ID. -.TP 10n +.TP 6n sudoers_gid=group-ID The \fIsudoers_gid\fR argument can be used to override the default group of the sudoers file. It must be specified as a numeric group-ID (not a group name). -.TP 10n +.TP 6n sudoers_mode=mode The \fIsudoers_mode\fR @@ -1670,16 +1670,16 @@ $ ppriv -l In addition, there are several \(lqspecial\(rq privilege strings: -.TP 10n +.TP 7n none the empty set -.TP 10n +.TP 7n all the set of all privileges -.TP 10n +.TP 7n zone the set of all privileges available in the current zone -.TP 10n +.TP 7n basic the default set of privileges normal users are granted at login time .PP @@ -2113,21 +2113,21 @@ and fnmatch(3) functions as specified by IEEE Std 1003.1 (\(lqPOSIX.1\(rq). -.TP 10n +.TP 8n * Matches any set of zero or more characters (including white space). -.TP 10n +.TP 8n \&? Matches any single character (including white space). -.TP 10n +.TP 8n [...] Matches any character in the specified range. -.TP 10n +.TP 8n [!...] Matches any character \fInot\fR in the specified range. -.TP 10n +.TP 8n \ex For any character \(oqx\(cq, @@ -5216,7 +5216,7 @@ It has the following possible values: .PP .RS 14n .PD 0 -.TP 10n +.TP 6n all All the user's \fIsudoers\fR 
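Review bot: the plugin-argument hunk (@@ -129,40 in sudoers.man.in) leaves `sudoers_uid` saying "It should be specified as a numeric user-ID." while the adjacent `sudoers_gid` says "It must be specified as a numeric group-ID (not a group name)." If both arguments accept only numeric IDs, the two sentences should use the same wording ("must ... (not a user name)"), since an administrator reading only the `sudoers_uid` entry may otherwise try a user name; if a name is in fact accepted for the UID, say so explicitly.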
@@ -5225,12 +5225,12 @@ the \fRNOPASSWD\fR flag set to avoid entering a password. .PD -.TP 10n +.TP 6n always The user must always enter a password to use the \fB\-l\fR option. -.TP 10n +.TP 6n any At least one of the user's \fIsudoers\fR @@ -5238,8 +5238,9 @@ file entries for the current host must have the \fRNOPASSWD\fR flag set to avoid entering a password. -.TP 10n +.TP 6n never +.br The user need never enter a password to use the \fB\-l\fR option. @@ -5260,7 +5261,7 @@ Supported log formats are: .PP .RS 14n .PD 0 -.TP 10n +.TP 6n json Logs in JSON format. JSON log entries contain the full user details as well as the execution @@ -5269,7 +5270,7 @@ Due to limitations of the protocol, JSON events sent via \fIsyslog\fR may be truncated. .PD -.TP 10n +.TP 6n sudo Traditional sudo-style logs, see \fIEVENT LOGGING\fR @@ -5823,7 +5824,7 @@ If options are present, the string must be enclosed in double quotes (\&""). .PP The following group provider plugins are installed by default: -.TP 10n +.TP 6n group_file The \fIgroup_file\fR @@ -5836,11 +5837,11 @@ For example, if the group file to be used is \fI/etc/sudo-group\fR: .nf .sp -.RS 10n +.RS 6n Defaults group_plugin="group_file.so /etc/sudo-group" .RE .fi -.TP 10n +.TP 6n system_group The \fIsystem_group\fR @@ -5853,7 +5854,7 @@ groups not present in the user's supplemental group vector. This plugin takes no options: .nf .sp -.RS 10n +.RS 6n Defaults group_plugin=system_group.so .RE .fi 
@@ -6439,66 +6440,65 @@ The file may contain the following elements: .PP .RS 10n .PD 0 -.TP 10n +.TP 6n timestamp -.br A JSON object containing time the command was run. It consists of two values, \fIseconds\fR and \fInanoseconds\fR. .PD -.TP 10n +.TP 6n columns The number of columns of the terminal the command ran on, or zero if no terminal was present. -.TP 10n +.TP 6n command The fully-qualified path of the command that was run. -.TP 10n +.TP 6n lines +.br The number of lines of the terminal the command ran on, or zero if no terminal was present. -.TP 10n +.TP 6n runargv A JSON array representing the command's argument vector as passed to the execve(2) system call. -.TP 10n +.TP 6n runenv A JSON array representing the command's environment as passed to the execve(2) system call. -.TP 10n +.TP 6n rungid The group ID the command ran as. This element is only present when the user specifies a group on the command line. -.TP 10n +.TP 6n rungroup The name of the group the command ran as. This element is only present when the user specifies a group on the command line. -.TP 10n +.TP 6n runuid The user ID the command ran as. -.TP 10n +.TP 6n runuser The name of the user the command ran as. -.TP 10n +.TP 6n submitcwd -.br The current working directory at the time \fBsudo\fR was run. -.TP 10n +.TP 6n submithost The name of the host the command was run on. -.TP 10n +.TP 6n submituser The name of the user who ran the command via \fBsudo\fR. -.TP 10n +.TP 6n ttyname The path name of the terminal the user invoked \fBsudo\fR @@ -7277,7 +7277,7 @@ Common programs that permit shell escapes include shells (obviously), editors, paginators, mail, and terminal programs. .PP There are four basic approaches to this problem: -.TP 10n +.TP 11n restrict Avoid giving users access to commands that allow the user to run arbitrary commands. 
@@ -7290,9 +7290,8 @@ running editors via Due to the large number of programs that offer shell escapes, restricting users to the set of programs that do not is often unworkable. -.TP 10n +.TP 11n intercept -.br On most systems, \fBsudo\fR's \fIintercept\fR @@ -7392,11 +7391,11 @@ tag as documented in the User Specification section above. Here is that example again: .nf .sp -.RS 10n +.RS 11n chuck research = INTERCEPT: ALL .RE .fi -.RS 10n +.RS 11n .sp This allows user \fBchuck\fR @@ -7434,7 +7433,7 @@ See the description of the \fIintercept_verify\fR setting for more information. .RE -.TP 10n +.TP 11n log There are two separate but related ways to log additional commands. The first is to enable I/O logging using the @@ -7457,7 +7456,7 @@ The flag uses the same mechanism as \fIintercept\fR (see above) and has the same limitations. -.TP 10n +.TP 11n noexec \fBsudo\fR's \fInoexec\fR @@ -7509,11 +7508,11 @@ tag as documented in the User Specification section above. Here is that example again: .nf .sp -.RS 10n +.RS 11n aaron shanty = NOEXEC: /usr/bin/more, /usr/bin/vi .RE .fi -.RS 10n +.RS 11n .sp This allows user \fBaaron\fR diff --git a/docs/sudoers.mdoc.in b/docs/sudoers.mdoc.in index 30673949a..c72bc660d 100644 --- a/docs/sudoers.mdoc.in +++ b/docs/sudoers.mdoc.in @@ -1,7 +1,7 @@ .\" .\" SPDX-License-Identifier: ISC .\" -.\" Copyright (c) 1994-1996, 1998-2005, 2007-2022 +.\" Copyright (c) 1994-1996, 1998-2005, 2007-2023 .\" Todd C. Miller .\" .\" Permission to use, copy, modify, and distribute this software for any @@ -25,7 +25,7 @@ .nr BA @BAMAN@ .nr LC @LCMAN@ .nr PS @PSMAN@ -.Dd December 26, 2022 +.Dd January 16, 2023 .Dt SUDOERS @mansectform@ .Os Sudo @PACKAGE_VERSION@ .Sh NAME @@ -104,7 +104,7 @@ Plugin sudoers_audit @sudoers_plugin@ sudoers_mode=0400 error_recovery=false .Ed .Pp The following plugin arguments are supported: -.Bl -tag -width 8n +.Bl -tag -width 4n .It error_recovery=bool The .Em error_recovery 
@@ -1594,7 +1594,7 @@ $ ppriv -l In addition, there are several .Dq special privilege strings: -.Bl -tag -width 8n +.Bl -tag -width "basic" .It none the empty set .It all @@ -2008,7 +2008,7 @@ and .Xr fnmatch 3 functions as specified by .St -p1003.1 . -.Bl -tag -width 8n +.Bl -tag -width "[!...]" .It * Matches any set of zero or more characters (including white space). .It \&? @@ -2089,7 +2089,7 @@ For more information, see below. .Ss Exceptions to wildcard rules The following exceptions apply to the above rules: -.Bl -tag -width 8n +.Bl -tag -width "sudoedit" .It \&"" If the empty string .Ql \&"" @@ -4902,7 +4902,7 @@ with the .Fl l option. It has the following possible values: -.Bl -tag -width 8n +.Bl -tag -width 4n .It all All the user's .Em sudoers @@ -4938,7 +4938,7 @@ The default value is .It log_format The event log format. Supported log formats are: -.Bl -tag -width 8n +.Bl -tag -width 4n .It json Logs in JSON format. JSON log entries contain the full user details as well as the execution @@ -5456,7 +5456,7 @@ If options are present, the string must be enclosed in double quotes .Pq \&"" . .Pp The following group provider plugins are installed by default: -.Bl -tag -width 8n +.Bl -tag -width 4n .It group_file The .Em group_file @@ -5980,7 +5980,7 @@ that you expect. .Ss I/O log format For both local and remote I/O logs, each log is stored in a separate directory that contains the following files: -.Bl -tag -width 8n +.Bl -tag -width "log.json" .It Pa log A text file containing information about the command. The first line consists of the following colon-delimited fields: @@ -6007,7 +6007,7 @@ in preference to the .Pa log file if it exists. The file may contain the following elements: -.Bl -tag -width 8n +.Bl -tag -width 4n .It timestamp A JSON object containing time the command was run. It consists of two values, 
@@ -6727,7 +6727,7 @@ Common programs that permit shell escapes include shells (obviously), editors, paginators, mail, and terminal programs. .Pp There are four basic approaches to this problem: -.Bl -tag -width 8n +.Bl -tag -width "intercept" .It restrict Avoid giving users access to commands that allow the user to run arbitrary commands. @@ -7173,7 +7173,7 @@ and higher. The following subsystems are used by the .Nm plugin: -.Bl -tag -width 8n +.Bl -tag -width "defaults" .It Em alias .Em User_Alias , .Em Runas_Alias , diff --git a/docs/visudo.man.in b/docs/visudo.man.in index f4d36f8a3..386783874 100644 --- a/docs/visudo.man.in +++ b/docs/visudo.man.in @@ -84,7 +84,7 @@ There are two settings that determine which editor \fBvisudo\fR will run. -.TP 10n +.TP 12n editor A colon (\(oq:\&\(cq) @@ -116,7 +116,7 @@ The default editor path is which can be set at compile time via the \fR--with-editor\fR configure option. -.TP 10n +.TP 12n env_editor If set, \fBvisudo\fR @@ -334,26 +334,26 @@ Plugin sudoers_policy @sudoers_plugin@ sudoers_mode=0400 .fi .PP The following arguments are supported: -.TP 10n +.TP 6n sudoers_file=pathname The \fIsudoers_file\fR argument can be used to override the default path to the \fIsudoers\fR file. -.TP 10n +.TP 6n sudoers_uid=user-ID The \fIsudoers_uid\fR argument can be used to override the default owner of the sudoers file. It should be specified as a numeric user-ID. -.TP 10n +.TP 6n sudoers_gid=group-ID The \fIsudoers_gid\fR argument can be used to override the default group of the sudoers file. It must be specified as a numeric group-ID (not a group name). -.TP 10n +.TP 6n sudoers_mode=mode The \fIsudoers_mode\fR diff --git a/docs/visudo.mdoc.in b/docs/visudo.mdoc.in index 919b9fa81..99ceb9bd3 100644 --- a/docs/visudo.mdoc.in +++ b/docs/visudo.mdoc.in @@ -82,7 +82,7 @@ There are two settings that determine which editor .Nm visudo will run. -.Bl -tag -width 8n +.Bl -tag -width "env_editor" .It editor A colon .Pq Ql :\& 
@@ -322,7 +322,7 @@ Plugin sudoers_policy @sudoers_plugin@ sudoers_mode=0400 .Ed .Pp The following arguments are supported: -.Bl -tag -width 8n +.Bl -tag -width 4n .It sudoers_file=pathname The .Em sudoers_file
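Review bot: The hand-edited `.TP`/`.RS` values in the `.man.in` hunks (sudoers.man.in @@ -129 onward, visudo.man.in @@ -84 and @@ -334) need to match what regeneration from the `.mdoc.in` sources produces, assuming the man.in pages are still generated from mdoc.in with mdoc2man rather than maintained by hand. The pairs visible here are consistent with a "mdoc width plus 2n" rule (`-width 4n` to `.TP 6n`, `-width "basic"` to `.TP 7n`, `-width "[!...]"` to `.TP 8n`, `-width "intercept"` to `.TP 11n`, `-width "env_editor"` to `.TP 12n`), and `-width "log.json"` correctly leaves the I/O log file list at `.TP 10n` with no man.in hunk, so regenerating should be a no-op; it is still worth confirming that way instead of trusting two parallel edits. While in the @@ -129 hunk, the context describes `sudoers_uid` as something that "should be specified as a numeric user-ID" but `sudoers_gid` as something that "must be specified as a numeric group-ID (not a group name)"; using the same wording for both would avoid implying that `sudoers_uid` also accepts a name.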
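Review bot: The `.br` changes in the sudoers.man.in @@ -5238, @@ -6439 and @@ -7290 hunks apply an implicit rule that deserves a comment in mdoc2man or the commit message: a `.br` is added after a tag that is exactly one character shorter than the new indent (`never`, `lines` under `.TP 6n`, matching `value` earlier in the patch), so the body is forced onto the next line instead of sitting one space after the tag, and it is removed where the tag now overflows the narrower column on its own (`timestamp` and `submitcwd` under 6n, `intercept` under 11n). Checking the other tags in these hunks, `all`, `any`, `json`, `sudo` and `name` leave at least two spaces under 6n and every remaining tag in the I/O log element list is six characters or longer, so no entry appears to have been missed; the `.RS 10n` to `.RS 6n` and `.RS 11n` changes around the `Defaults group_plugin=...`, `chuck research = INTERCEPT: ALL` and `aaron shanty = NOEXEC: ...` examples keep those blocks aligned with the new body indent, which is the right accompanying change.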
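Review bot: The sudoers.mdoc.in header hunk (@@ -1 and @@ -25) bumps the copyright range to 2023 and `.Dd` to January 16, 2023, but the visudo.mdoc.in hunks shown here (@@ -82 and @@ -322) change list widths without touching that page's header. If the convention is to bump `.Dd` and the copyright year whenever a page's source changes, visudo.mdoc.in should get the same update (and the generated visudo.man.in and sudoers.man.in headers should follow on regeneration); if formatting-only changes are deliberately exempt, the sudoers.mdoc.in bump is the inconsistent one and the commit message should say why it was made.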